acardona
Staff
Article Id 375476
Description This article describes an issue where IPsec VPN traffic is dropped after upgrading to v7.4.3 and provides a workaround.
Scope FortiGate v7.4.3 and later, v7.6.x.
Solution

IPsec VPN traffic is dropped, and the debug flow shows the following error:


FGT-LAB #
id=65308 trace_id=10 func=print_pkt_detail line=5873 msg="vd-root:0 received a packet(proto=1, 10.0.1.10:33->172.18.1.10:2048) tun_id=10.0.0.1 from VPN-1. type=8, code=0, id=33, seq=31."
id=65308 trace_id=10 func=ipsec_spoofed4 line=245 msg="src ip 10.0.1.10 mismatch selector 0 range 10.0.1.1-10.0.1.254" <----- FortiGate drops the packet because of a phase 2 selector mismatch, even though the packet's source IP is inside the configured range.
id=65308 trace_id=10 func=ipsec_input4 line=289 msg="anti-spoof check failed, drop"


The phase 2 configuration is correct:


    edit "PHASE-2"
        set type iprange
        set comment "VPN-1"
        set start-ip 10.0.1.1 <-----
        set end-ip 10.0.1.254 <-----
end


  1. The workaround for this issue is to widen the phase 2 selectors, for example by configuring the phase 2 range as follows:


    edit "PHASE-2"
        set type iprange
        set comment "VPN-1"
        set start-ip 10.0.0.0 <-----
        set end-ip 10.0.0.0 <-----
end


  2. Alternatively, leave the phase 2 selectors at the default 0.0.0.0/0 and restrict the source and destination subnets in the corresponding firewall policy.
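
The following script is an added example (not part of the article, and not Fortinet code) that helps triage drops like the one above before applying either workaround. It parses `ipsec_spoofed4` lines from a `diagnose debug flow` capture and reports whether each dropped source IP actually falls inside the selector range the FortiGate printed (a genuine mismatch) or inside it (the symptom described in this article). It also checks a candidate phase 2 range against the source addresses observed in the debug flow, so a proposed selector can be validated before it is committed. The log lines are constructed from the article's output plus one made-up line with an out-of-range source; the regex and function names are this example's own assumptions about the message format shown on this page.

```python
import re
import ipaddress

# Constructed sample: the three debug-flow lines from the article, plus one
# constructed ipsec_spoofed4 line whose source IP really is outside the range.
SAMPLE_LOG = """\
id=65308 trace_id=10 func=print_pkt_detail line=5873 msg="vd-root:0 received a packet(proto=1, 10.0.1.10:33->172.18.1.10:2048) tun_id=10.0.0.1 from VPN-1. type=8, code=0, id=33, seq=31."
id=65308 trace_id=10 func=ipsec_spoofed4 line=245 msg="src ip 10.0.1.10 mismatch selector 0 range 10.0.1.1-10.0.1.254"
id=65308 trace_id=10 func=ipsec_input4 line=289 msg="anti-spoof check failed, drop"
id=65308 trace_id=11 func=ipsec_spoofed4 line=245 msg="src ip 192.168.50.7 mismatch selector 0 range 10.0.1.1-10.0.1.254"
"""

# Pattern assumed from the message format shown in the article.
SPOOF_RE = re.compile(
    r'trace_id=(?P<trace>\d+) .*?func=ipsec_spoofed4 .*?'
    r'msg="src ip (?P<src>[\d.]+) mismatch selector (?P<sel>\d+) '
    r'range (?P<lo>[\d.]+)-(?P<hi>[\d.]+)"'
)


def in_range(ip, lo, hi):
    """True if IPv4 address ip lies within the inclusive range lo..hi."""
    a = int(ipaddress.IPv4Address(ip))
    return int(ipaddress.IPv4Address(lo)) <= a <= int(ipaddress.IPv4Address(hi))


def classify_drops(log_text):
    """Return (trace_id, src_ip, verdict) for every ipsec_spoofed4 line.

    A source that is outside the printed selector range is a genuine selector
    mismatch; a source that is inside the range yet still reported as a
    mismatch is the symptom this article describes and should be raised
    with TAC rather than treated as spoofed traffic.
    """
    results = []
    for line in log_text.splitlines():
        m = SPOOF_RE.search(line)
        if not m:
            continue
        src, lo, hi = m.group("src"), m.group("lo"), m.group("hi")
        if in_range(src, lo, hi):
            verdict = "inside-selector: suspect selector bug, not spoofing"
        else:
            verdict = "outside-selector: genuine selector mismatch"
        results.append((int(m.group("trace")), src, verdict))
    return results


def uncovered_sources(start_ip, end_ip, observed_srcs):
    """Return the observed source IPs a proposed phase 2 range would NOT cover."""
    return [s for s in observed_srcs if not in_range(s, start_ip, end_ip)]


if __name__ == "__main__":
    drops = classify_drops(SAMPLE_LOG)
    for trace, src, verdict in drops:
        print(f"trace_id={trace} src={src}: {verdict}")
    # Validate a candidate selector range against what the debug flow saw.
    seen = [src for _, src, _ in drops]
    print("not covered by 10.0.1.1-10.0.1.254:",
          uncovered_sources("10.0.1.1", "10.0.1.254", seen))
```

Run it against a saved `diagnose debug flow` capture instead of `SAMPLE_LOG` to separate real selector mismatches from the in-range drops that indicate this bug, and call `uncovered_sources` with the start and end IP you intend to configure to confirm the new range covers every legitimate source.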



Note:

This issue can be encountered with bug 1012615, which has been fixed in v7.2.12, v7.4.8, v7.6.2 and v7.6.3. See the Release Notes.

Open a ticket with TAC to request more information about this bug.