Description
This article describes the process of troubleshooting traffic flow when an IPPool is configured under the firewall policy for IPsec tunnel traffic.
Scope
FortiGate all versions.
Solution
In the common case, when an IPsec VPN is created from a template, the internal subnets at both ends of the tunnel are selected as the phase2 encryption domain (the selectors), and traffic between those subnets is expected to traverse the tunnel end to end. When a third party is involved in a site-to-site VPN, it is sometimes necessary to hide the real internal IP addresses from the other side, so NAT has to be applied to the tunnel traffic, which is done with an IPPool on the firewall policy. When an IPPool is implemented without adjusting the VPN, traffic stops working in most cases and is dropped by the FortiGate.
See the following diagram for an example of the steps to troubleshoot and fix this issue.
Initial configurations on both devices:
FGT1:

config vpn ipsec phase1-interface
    edit "Site1"
        set interface "port10"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set wizard-type static-fortigate
        set remote-gw 10.10.10.2
        set psksecret ENC 0C8KlBBjW8sMXJvCsyJRUCqF3iaHncJWSvK20yOpr2NK1kSjPle5ncdBBB
    next
end
config vpn ipsec phase2-interface
    edit "Site1"
        set phase1name "Site1"
        set proposal aes256-sha256
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 172.16.1.0 255.255.255.0
    next
end

config firewall policy
    edit 1
        set name "vpn_Site1_local"
        set srcintf "port2"
        set dstintf "Site1"
        set action accept
        set srcaddr "192.168.1.0"
        set dstaddr "172.16.1.0"
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "vpn_Site2_local"
        set srcintf "Site1"
        set dstintf "port2"
        set action accept
        set srcaddr "172.16.1.0"
        set dstaddr "192.168.1.0"
        set schedule "always"
        set service "ALL"
    next
end

config router static
    edit 2
        set dst 172.16.1.0 255.255.255.0
        set device "Site1"
    next
    edit 3
        set dst 172.16.1.0 255.255.255.0
        set distance 254
        set blackhole enable
        set vrf 0
    next
end
FGT2:

config vpn ipsec phase1-interface
    edit "Site2"
        set interface "port10"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set wizard-type static-fortigate
        set remote-gw 10.10.10.1
        set psksecret ENC uRGJQnmQ9uYV0xWyVMEiNvJTfzNdqrqCL6couXjy9Ob/cNawJ
    next
end

config vpn ipsec phase2-interface
    edit "Site2"
        set phase1name "Site2"
        set proposal aes256-sha256
        set src-subnet 172.16.1.0 255.255.255.0
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end

config firewall policy
    edit 1
        set name "vpn_Site2_local"
        set srcintf "port2"
        set dstintf "Site2"
        set action accept
        set srcaddr "172.16.1.0"
        set dstaddr "192.168.1.0"
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "vpn_Site2_remote"
        set srcintf "Site2"
        set dstintf "port2"
        set action accept
        set srcaddr "192.168.1.0"
        set dstaddr "172.16.1.0"
        set schedule "always"
        set service "ALL"
    next
end

config router static
    edit 4
        set dst 192.168.1.0 255.255.255.0
        set device "Site2"
    next
    edit 5
        set dst 192.168.1.0 255.255.255.0
        set distance 254
        set blackhole enable
        set vrf 0
    next
end
A ping test from 192.168.1.1 to 172.16.1.1 (the internal networks of the two sites) shows a normal debug flow: the packet hits the correct route and firewall policy and is encrypted, and from the sniffer's perspective the packet leaves FGT1 through the tunnel interface.
FGT1 # dia de flow filter clear
FGT1 # dia de flow filter add 172.16.1.1
FGT1 # dia de flow filter proto 1
FGT1 # dia de flow show iprope enable
FGT1 # dia de flow show funct enable
FGT1 # dia de flow trace start 1
FGT1 # dia de en
FGT1 # id=65308 trace_id=2 func=print_pkt_detail line=5933 msg="vd-root:0 received a packet(proto=1, 192.168.1.1:10->172.16.1.1:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=10, seq=0."
id=65308 trace_id=2 func=init_ip_session_common line=6133 msg="allocate a new session-00000560"
id=65308 trace_id=2 func=iprope_dnat_check line=5545 msg="in-[], out-[Site1]"
id=65308 trace_id=2 func=iprope_dnat_tree_check line=826 msg="len=0"
id=65308 trace_id=2 func=iprope_dnat_check line=5570 msg="result: skb_flags-00000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=2 func=ip_session_confirm_final line=3137 msg="npu_state=0x0, hook=4"
id=65308 trace_id=2 func=ipsecdev_hard_start_xmit line=662 msg="enter IPSec interface Site1, tun_id=0.0.0.0"
id=65308 trace_id=2 func=_do_ipsecdev_hard_start_xmit line=222 msg="output to IPSec tunnel Site1, tun_id=10.10.10.2, vrf 0"
id=65308 trace_id=2 func=esp_output4 line=917 msg="IPsec encrypt/auth"
id=65308 trace_id=2 func=ipsec_output_finish line=646 msg="tunnel Site1 send to ike"
FGT1 # diag sniffer packet any "host 172.16.1.1 and icmp" 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 172.16.1.1 and icmp]
2024-10-30 10:40:47.864809 Site1 out 192.168.1.1 -> 172.16.1.1: icmp: echo request
2024-10-30 10:40:47.872813 Site1 in 172.16.1.1 -> 192.168.1.1: icmp: echo reply
The problem appears when NAT is involved and an IPPool is used. In the GUI, select Firewall Policy, edit the relevant policy and, under 'Firewall/Network Options', enable NAT with the option 'Use Dynamic IP Pool'.
Firewall policy will display NAT and IPPool.
After this change is made, traffic between the two sites stops working. The debug flow gives the reason: msg="No matching IPsec selector, drop". The source address has been translated to an IPPool address before the packet reaches the tunnel, and that address no longer falls inside the phase2 source selector (192.168.1.0/24), so the packet is dropped.
FGT1 # dia de flow filter add 192.168.1.2 172.16.1.1 and
FGT1 # dia de flow filter proto 1
FGT1 # dia de flow show iprope en
FGT1 # dia de flow show funct en
FGT1 # dia de flow trace start 5
FGT1 # dia de en
FGT1 # id=65308 trace_id=13 func=print_pkt_detail line=5933 msg="vd-root:0 received a packet(proto=1, 192.168.1.2:2->172.16.1.1:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=2, seq=1."
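Reading debug flow output by eye is error-prone when many records are run together on one console line, as in the captures above. The following is an added example (not part of the Fortinet article) that parses `diagnose debug flow` records, groups them by `trace_id`, and reports for each trace whether the packet was dropped (and why), whether SNAT was applied, and which tunnel it was sent to. The working-trace sample is copied from the article's first capture; the drop and post-fix samples are constructed here from the msg strings the article quotes, with placeholder function names where the article does not show one.

```python
import re

# One debug-flow record. FortiOS prints one record per line, but a console
# copy often runs several together on one line; finditer handles both layouts.
RECORD = re.compile(r'id=(\d+) trace_id=(\d+) func=(\S+) line=(\d+) msg="([^"]*)"')
TUNNEL = re.compile(r"output to IPSec tunnel ([^,\s]+)")
SNAT = re.compile(r"^SNAT (\S+)->(\S+)$")


def parse_trace(text):
    """Group records by trace_id, keeping (func, msg) pairs in order of appearance."""
    traces = {}
    for m in RECORD.finditer(text):
        _id, trace_id, func, _line, msg = m.groups()
        traces.setdefault(int(trace_id), []).append((func, msg))
    return traces


def summarize(text):
    """Per trace_id: the ordered function path, any SNAT applied, and a verdict.
    A msg ending in 'drop' wins over everything that came before it."""
    out = {}
    for tid, records in parse_trace(text).items():
        info = {"path": [f for f, _ in records], "snat": None, "verdict": "incomplete"}
        for _func, msg in records:
            m = SNAT.match(msg)
            if m:
                info["snat"] = (m.group(1), m.group(2))
            if msg.rstrip().endswith("drop"):
                info["verdict"] = "dropped: " + msg
                break
            m = TUNNEL.search(msg)
            if m:
                info["verdict"] = "sent to tunnel " + m.group(1)
        out[tid] = info
    return out


# Working trace: records copied from the article's first debug flow capture.
SAMPLE_OK = (
    'id=65308 trace_id=2 func=print_pkt_detail line=5933 msg="vd-root:0 received a packet(proto=1, '
    '192.168.1.1:10->172.16.1.1:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=10, seq=0." '
    'id=65308 trace_id=2 func=init_ip_session_common line=6133 msg="allocate a new session-00000560" '
    'id=65308 trace_id=2 func=_do_ipsecdev_hard_start_xmit line=222 '
    'msg="output to IPSec tunnel Site1, tun_id=10.10.10.2, vrf 0" '
    'id=65308 trace_id=2 func=esp_output4 line=917 msg="IPsec encrypt/auth" '
    'id=65308 trace_id=2 func=ipsec_output_finish line=646 msg="tunnel Site1 send to ike"'
)

# Failing trace after NAT was enabled: the first record is from the article, the
# drop record is constructed here (placeholder_* func names are not real FortiOS names).
SAMPLE_DROP = (
    'id=65308 trace_id=13 func=print_pkt_detail line=5933 msg="vd-root:0 received a packet(proto=1, '
    '192.168.1.2:2->172.16.1.1:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=2, seq=1."\n'
    'id=65308 trace_id=13 func=placeholder_selector_check line=0 msg="No matching IPsec selector, drop"\n'
)

# Trace after the fix: msg strings from the article, reassembled into records
# with constructed placeholder func names.
SAMPLE_FIXED = (
    'id=65308 trace_id=27 func=print_pkt_detail line=5933 msg="vd-root:0 received a packet(proto=1, '
    '192.168.1.2:5->172.16.1.1:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=5, seq=1."\n'
    'id=65308 trace_id=27 func=placeholder_snat line=0 msg="find SNAT: IP-20.20.20.181(from IPPOOL), port-5122"\n'
    'id=65308 trace_id=27 func=placeholder_snat line=0 msg="SNAT 192.168.1.2->20.20.20.181:5122"\n'
    'id=65308 trace_id=27 func=placeholder_xmit line=0 msg="output to IPSec tunnel Site1, tun_id=10.10.10.2, vrf 0"\n'
    'id=65308 trace_id=27 func=placeholder_esp line=0 msg="IPsec encrypt/auth"\n'
)

if __name__ == "__main__":
    for name, sample in (("before NAT", SAMPLE_OK), ("NAT, no fix", SAMPLE_DROP), ("NAT, fixed", SAMPLE_FIXED)):
        for tid, info in summarize(sample).items():
            print(f"{name}: trace {tid}: {info['verdict']}; snat={info['snat']}")
```

Paste a whole `diagnose debug flow` capture into `summarize()` and look at the `verdict` per trace first; a `dropped:` verdict on a trace whose `snat` is set points straight at the selector mismatch this article describes.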
To fix this issue, the VPN must be edited on both sites so that the phase2 selectors, the firewall policy and the static route reference the IP pool range instead of the real internal IPs. Changes needed on FGT1:
config vpn ipsec phase2-interface
    edit "Site1"
        set phase1name "Site1"
        set dst-subnet 172.16.1.0 255.255.255.0
    next
end
Changes needed on FGT2:

config vpn ipsec phase2-interface
    edit "Site2"
        set phase1name "Site2"
    next
end

config firewall policy
    edit 2

config router static
    edit 4
After making all of the above changes, the ping test succeeds and the debug flow shows the expected output.
FGT1 # id=65308 trace_id=27 func=print_pkt_detail line=5933 msg="vd-root:0 received a packet(proto=1, 192.168.1.2:5->172.16.1.1:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=5, seq=1."
msg="find SNAT: IP-20.20.20.181(from IPPOOL), port-5122"      <- NAT IPPool range is found.
msg="SNAT 192.168.1.2->20.20.20.181:5122"                      <- NAT action has changed the IP.
msg="output to IPSec tunnel Site1, tun_id=10.10.10.2, vrf 0"   <- Packet output to tunnel interface.
msg="IPsec encrypt/auth"                                       <- Traffic is encrypted and sent over the tunnel.
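The root cause in this article, and the reason the fix has to touch both sites, can be checked offline before changing a tunnel. The following is an added example (not part of the Fortinet article) that models the three objects involved on the encrypting side (firewall policy with optional IPPool SNAT, phase2 selectors) and on the decrypting side (phase2 dst-subnet, inbound policy srcaddr, static route) and reports what would fail. The objects are hand-built dicts, not parsed from a FortiGate; only 20.20.20.181 is visible in the article, so the pool range 20.20.20.180-20.20.20.190 and the 20.20.20.0/24 selector used after the fix are assumptions for the example.

```python
import ipaddress


def pool_networks(pool):
    """Expand an IPPool start-end range into the CIDR blocks that cover it."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(pool["startip"]), ipaddress.ip_address(pool["endip"])))


def post_nat_sources(policy, ippools):
    """Source networks a packet carries when it reaches the tunnel interface:
    the IPPool range when the policy does SNAT from a pool, else the real srcaddr."""
    if policy.get("nat") and policy.get("ippool"):
        return pool_networks(ippools[policy["ippool"]])
    return [ipaddress.ip_network(policy["srcaddr"])]


def check_local_selectors(policy, phase2, ippools):
    """Findings for the encrypting side. Every post-NAT source block and the
    destination must lie inside the phase2 selectors; otherwise the kernel
    drops the packet with 'No matching IPsec selector'."""
    findings = []
    src_sel = ipaddress.ip_network(phase2["src-subnet"])
    dst_sel = ipaddress.ip_network(phase2["dst-subnet"])
    uncovered = [str(n) for n in post_nat_sources(policy, ippools) if not n.subnet_of(src_sel)]
    if uncovered:
        findings.append(f"{policy['name']}: post-NAT source(s) {', '.join(uncovered)} "
                        f"outside phase2 src-subnet {src_sel}")
    dst = ipaddress.ip_network(policy["dstaddr"])
    if not dst.subnet_of(dst_sel):
        findings.append(f"{policy['name']}: dstaddr {dst} outside phase2 dst-subnet {dst_sel}")
    return findings


def check_remote_side(pool, remote_phase2, remote_policy, remote_route):
    """Findings for the decrypting side. Its phase2 dst-subnet, inbound policy
    srcaddr and static route must all cover the pool range the peer now
    sources from, or decrypted and return traffic has no matching object."""
    findings = []
    for label, cidr in (("phase2 dst-subnet", remote_phase2["dst-subnet"]),
                        ("inbound policy srcaddr", remote_policy["srcaddr"]),
                        ("static route dst", remote_route["dst"])):
        net = ipaddress.ip_network(cidr)
        missing = [str(n) for n in pool_networks(pool) if not n.subnet_of(net)]
        if missing:
            findings.append(f"remote {label} {net} does not cover pool block(s) {', '.join(missing)}")
    return findings


# Constructed objects (assumed pool range; the article only shows 20.20.20.181 in use).
IPPOOLS = {"vpn_pool": {"startip": "20.20.20.180", "endip": "20.20.20.190"}}
POLICY_NAT = {"name": "vpn_Site1_local", "srcaddr": "192.168.1.0/24", "dstaddr": "172.16.1.0/24",
              "nat": True, "ippool": "vpn_pool"}
POLICY_PLAIN = dict(POLICY_NAT, nat=False, ippool=None)
PHASE2_BEFORE = {"src-subnet": "192.168.1.0/24", "dst-subnet": "172.16.1.0/24"}
PHASE2_AFTER = {"src-subnet": "20.20.20.0/24", "dst-subnet": "172.16.1.0/24"}  # assumed fix
REMOTE_BEFORE = ({"dst-subnet": "192.168.1.0/24"}, {"srcaddr": "192.168.1.0/24"}, {"dst": "192.168.1.0/24"})
REMOTE_AFTER = ({"dst-subnet": "20.20.20.0/24"}, {"srcaddr": "20.20.20.0/24"}, {"dst": "20.20.20.0/24"})

if __name__ == "__main__":
    print("no NAT:          ", check_local_selectors(POLICY_PLAIN, PHASE2_BEFORE, IPPOOLS))
    print("NAT, old phase2: ", check_local_selectors(POLICY_NAT, PHASE2_BEFORE, IPPOOLS))
    print("NAT, new phase2: ", check_local_selectors(POLICY_NAT, PHASE2_AFTER, IPPOOLS))
    print("remote, before:  ", check_remote_side(IPPOOLS["vpn_pool"], *REMOTE_BEFORE))
    print("remote, after:   ", check_remote_side(IPPOOLS["vpn_pool"], *REMOTE_AFTER))
```

The design point is the order of operations on the FortiGate: the policy lookup and SNAT happen before the packet is handed to the tunnel interface, so the selector check sees the pool address, not the internal one. That is why the phase2 src-subnet on FGT1 and the matching dst-subnet, inbound policy and route on FGT2 all have to name the pool range.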
Copyright 2024 Fortinet, Inc. All Rights Reserved.