FortiGate
sagha
Staff
Article Id 217330
Description

This article describes how to troubleshoot a scenario where the IPsec tunnel is up (the IKE gateway and the IPsec SA are established) but traffic appears to leave the FortiGate without ever reaching the remote end.

 

This article applies to all of the following scenarios:

  1. FortiGate=====IPSec Tunnel=====FortiGate.
  2. FortiGate VM=====IPSec Tunnel=====FortiGate.
  3. FortiGate=====IPSec Tunnel=====Third-party device.
Scope

FortiGate.
Solution

Follow these steps:

  1. Verify which ports the IPsec tunnel is using on the FortiGate with the following commands. The 'addr:' line of the gateway list shows the local and remote IKE endpoints and their UDP ports: 500 when NAT-Traversal is not in use, 4500 when it is.

diagnose vpn ike gateway list name <tunnel_name>

diagnose vpn tunnel list name <tunnel_name>

  2. If port 500 is in use, switch the tunnel to port 4500 by forcing NAT-Traversal. With NAT-T forced, the FortiGate behaves as if a NAT device had been detected: after the initial IKE exchange, IKE moves to UDP 4500 and ESP is encapsulated in UDP 4500 instead of being sent as IP protocol 50. This gets the tunnel through paths where an intermediate device drops, rate-limits or mangles raw ESP, which is a common cause of a tunnel that is up but carries no traffic.

config vpn ipsec phase1-interface
    edit "VPN-Phase1"
        set nattraversal forced
    next
end

Make sure NAT-Traversal is also enabled on the remote end. On a third-party device the option may be named differently, but both peers must support it for UDP 4500 encapsulation to be negotiated.

 

  3. Flush the tunnel so that it renegotiates with the new setting.

diagnose vpn tunnel flush <tunnel_name>

diagnose vpn ike gateway flush name <tunnel_name>

Or:

diagnose vpn ike gateway clear name <tunnel_name>

  4. Verify that the tunnel has come back up on port 4500 using the same commands as in step 1.

    Note: On cloud platforms such as Azure, use NAT-T for the IPsec VPN so that the traffic passes through the Azure load balancer.
    Refer to this article: Technical Tip: IPSec tunnel is established but unable to pass the traffic on Azure.

  5. Check whether traffic is actually sent and received over the tunnel on both ends by running a debug flow and a packet capture on both FortiGates, filtered on the end-host IP addresses.

Host X (x.x.x.x) -> FGT-A (IPsec VPN) FGT-B -> (y.y.y.y) Host Y.

For the debug flow, run the following commands:

diagnose debug reset
diagnose debug console timestamp enable
diagnose debug flow filter saddr x.x.x.x
diagnose debug flow filter daddr y.y.y.y
diagnose debug flow show iprope enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 1000
diagnose debug enable

The trace shows the policy lookup, the routing decision and the interface the packet is sent to: on FGT-A the outgoing interface should be the tunnel interface, and on FGT-B the packet should be seen arriving on the tunnel interface. Disable the debug output and reset the filters when finished so the trace does not keep running on a busy unit.

  6. For the packet capture, run:

diagnose sniffer packet any "host x.x.x.x and host y.y.y.y" 4 0 l

Verbosity 4 includes the interface name on each packet, a count of 0 captures until interrupted, and 'l' prints local timestamps. This filter matches only the cleartext packets, i.e. the traffic arriving from the host and the traffic entering or leaving the tunnel interface. The encrypted packets on the WAN interface are addressed between the two VPN peers' public IPs and do not match a filter on the end-host addresses; to see them, run a second capture filtered on the peer's public IP and ESP (IP protocol 50) or UDP port 4500.

With the debug flow and the capture running in the SSH sessions, start traffic from source IP x.x.x.x to destination IP y.y.y.y. If FGT-A shows the packet going out through the tunnel interface and the encrypted packet leaving its WAN interface, but FGT-B shows nothing arriving on its WAN interface, the packets are being lost between the two peers (ISP, intermediate NAT or firewall) and the path, rather than either FortiGate, needs to be examined.
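As an added example (not part of the original article and not a Fortinet tool), the following Python script automates the checks behind steps 1 and 5: it parses the 'addr:' line of 'diagnose vpn ike gateway list' to tell whether the tunnel is on port 500 or 4500, and the 'natt:' line and the 'dec:pkts/bytes ... enc:pkts/bytes' counters of 'diagnose vpn tunnel list' to detect the one-way condition this article is about (packets encrypted and sent, none received and decrypted). The sample output embedded in the script is constructed for the example and only modelled on the format of those commands; the exact field layout varies between FortiOS versions, so the regular expressions are assumptions to be adjusted against your unit's real output, which you would paste in place of the two constants.

```python
import re

# Constructed sample, modelled on "diagnose vpn ike gateway list name <tunnel_name>"
# (not real output; fields vary by FortiOS version). Only the "addr:" line is parsed.
GATEWAY_LIST = """\
vd: root/0
name: VPN-Phase1
version: 1
interface: wan1 5
addr: 203.0.113.10:500 -> 198.51.100.20:500
created: 3260s ago
IKE SA: created 1/1  established 1/1  time 10/10/10 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms
"""

# Constructed sample, modelled on "diagnose vpn tunnel list name <tunnel_name>".
# enc counts packets encrypted and sent; dec counts packets received and decrypted.
TUNNEL_LIST = """\
name=VPN-Phase1 ver=1 serial=1 203.0.113.10:0->198.51.100.20:0 tun_id=198.51.100.20
stat: rxp=0 txp=412 rxb=0 txb=59328
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=VPN-Phase1 proto=0 sa=1 ref=2 serial=1
  src: 0:10.0.1.0-10.0.1.255:0
  dst: 0:10.0.2.0-10.0.2.255:0
  dec:pkts/bytes=0/0, enc:pkts/bytes=412/59328
"""

# Assumed line formats (see lead-in); adjust against real output.
ADDR_RE = re.compile(r"^addr:\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)", re.M)
NATT_RE = re.compile(r"^natt:\s+mode=(\S+).*?remote_port=(\d+)", re.M)
COUNTER_RE = re.compile(r"dec:pkts/bytes=(\d+)/(\d+),\s*enc:pkts/bytes=(\d+)/(\d+)")


def parse_gateway(text):
    """Return the IKE endpoints and UDP ports from the gateway list output."""
    m = ADDR_RE.search(text)
    if not m:
        raise ValueError("no 'addr:' line found; is the IKE gateway (Phase 1) up?")
    return {
        "local": m.group(1), "local_port": int(m.group(2)),
        "remote": m.group(3), "remote_port": int(m.group(4)),
    }


def parse_tunnel(text):
    """Return the NAT-T state and the enc/dec packet counters from the tunnel list output."""
    natt = NATT_RE.search(text)
    c = COUNTER_RE.search(text)
    if not c:
        raise ValueError("no enc/dec counters found; is the IPsec SA (Phase 2) up?")
    return {
        "natt_mode": natt.group(1) if natt else "unknown",
        "natt_remote_port": int(natt.group(2)) if natt else 0,
        "dec_pkts": int(c.group(1)), "dec_bytes": int(c.group(2)),
        "enc_pkts": int(c.group(3)), "enc_bytes": int(c.group(4)),
    }


def diagnose(gateway_text, tunnel_text):
    """Combine both outputs into findings that map onto the article's steps."""
    gw = parse_gateway(gateway_text)
    tun = parse_tunnel(tunnel_text)
    findings = []
    # Step 1/2: IKE on UDP 500 means ESP travels as IP protocol 50, not inside UDP 4500.
    if gw["local_port"] == 500 and gw["remote_port"] == 500:
        findings.append(
            "NAT-T not active: IKE on UDP 500, ESP sent as IP protocol 50. "
            "Try 'set nattraversal forced' on both ends (step 2) and flush the tunnel (step 3)."
        )
    # Step 5: encrypted packets go out but nothing comes back to be decrypted.
    if tun["enc_pkts"] > 0 and tun["dec_pkts"] == 0:
        findings.append(
            f"One-way traffic: {tun['enc_pkts']} packets encrypted and sent, 0 received/decrypted. "
            "Capture on the remote peer's WAN interface (step 6) to see whether ESP/UDP 4500 arrives."
        )
    return {"gateway": gw, "tunnel": tun, "findings": findings}


if __name__ == "__main__":
    result = diagnose(GATEWAY_LIST, TUNNEL_LIST)
    gw = result["gateway"]
    print(f"IKE: {gw['local']}:{gw['local_port']} -> {gw['remote']}:{gw['remote_port']}")
    print(f"NAT-T mode: {result['tunnel']['natt_mode']}, "
          f"enc/dec packets: {result['tunnel']['enc_pkts']}/{result['tunnel']['dec_pkts']}")
    for finding in result["findings"]:
        print("-", finding)
```

Run the script against the embedded samples and it reports both conditions: the tunnel is still on port 500 and 412 packets have been encrypted with none decrypted, which is exactly the "traffic leaves but never comes back" picture this article addresses. Re-run it after step 4 with fresh output: the 'addr:' ports should read 4500 and, once the remote end responds, the dec counter should start increasing.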

 

Related article:

Troubleshooting Tip: First steps to troubleshoot connectivity problems to or through a FortiGate wit...