Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tuumke
New Contributor

Azure site-to-site IPSec delete requests

We have recently setup a site-to-site VPN tunnel with Azure from our 1200D's (HA).

Traffic (ping) is working to the Azure VPN and back. No problems there.

 

The problem is that when there is no traffic, VPN is brought down by request of Azure as it seems.

 

2016-06-09 08:37:38 ike 1: comes azure.external.ip.adress:500->our.external.vpn.ip:500,ifindex=36....
2016-06-09 08:37:38 ike 1: IKEv2 exchange=INFORMATIONAL id=4b56657b5863a222/69ad09fb52ca1223:0000026f len=72
2016-06-09 08:37:38 ike 1: in 4B56657B5863A22269AD09FB52CA12232E2025080000026F000000482A00002C42295E2308A0A4C88E6C7BC2262317A57039EAD293B191BDEA59F36F11032B19638DD7399329F9B2
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: dec 4B56657B5863A22269AD09FB52CA12232E2025080000026F0000002C2A0000040000000C0304000190ACD1C8
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: received informational request
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: processing delete request (proto 3)
2016-06-09 08:37:38 ike 1:VPN-Azure: deleting IPsec SA with SPI 90acd1c8
2016-06-09 08:37:38 ike 1:VPN-Azure:VPN-Azure-MGMT: deleted IPsec SA with SPI 90acd1c8, SA count: 0
2016-06-09 08:37:38 ike 1:VPN-Azure: sending SNMP tunnel DOWN trap for VPN-Azure-MGMT
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: sending delete ack
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: enc 0000000C0304000114A55E4603020103
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: out 4B56657B5863A22269AD09FB52CA12232E2025200000026F000000482A00002CFD94B85D2F62ECFAFF2A1DAD36F235CD87C6769B4D4E96A3C7DF2EBE86B41B79AB21FB7776C5E600
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: sent IKE msg (INFORMATIONAL_RESPONSE): our.external.vpn.ip:500->azure.external.ip.adress:500, len=72, id=4b56657b5863a222/69ad09fb52ca1223:0000026f
2016-06-09 08:37:39 ike 1:VPN-Azure: link is idle 36 our.external.vpn.ip->azure.external.ip.adress:0 dpd=1 seqno=350e

 

Phase2 selectors

    edit "VPN-Azure-Servers1"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set dhgrp 5 2 1
        set keepalive enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set src-subnet internal.server1.network 255.255.254.0
        set dst-subnet azure.server1.network 255.255.254.0
    next
    edit "VPN-Azure-MGMT"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set dhgrp 5 2 1
        set keepalive enable
        set auto-negotiate enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set src-subnet internal.mgmt.network 255.255.254.0
        set dst-subnet azure.mgmt.network 255.255.254.0
    next
    edit "VPN-Azure-Servers2"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set dhgrp 5 2 1
        set keepalive enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set src-subnet internal.server2.network 255.255.252.0
        set dst-subnet azure.server2.network 255.255.252.0
    next
    edit "VPN-Azure-MGMT-SRV1"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set dhgrp 5 2 1
        set keepalive enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set src-subnet internal.mgmt.network 255.255.254.0
        set dst-subnet azure.server1.network 255.255.254.0
    next
    edit "VPN-Azure-MGMT-SRV2"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set dhgrp 5 2 1
        set keepalive enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set src-subnet internal.mgmt.network 255.255.254.0
        set dst-subnet azure.server2.network 255.255.252.0
    next
    edit "VPN-Azure-Servers1-SRV2"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set dhgrp 5 2 1
        set keepalive enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set src-subnet internal.server1.network 255.255.254.0
        set dst-subnet azure.server2.network 255.255.252.0
    next
    edit "VPN-Azure-Servers2-SRV1"
        set phase1name "VPN-Azure"
        set keepalive enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set src-subnet internal.server2.network 255.255.252.0
        set dst-subnet azure.server1.network 255.255.254.0
    next
end

14 REPLIES 14
virtualj

You can do like me, removing multiple phase2 and doing only one without src and dst-subnet.

config vpn ipsec phase2-interface
    edit "VPN-Azure-p2"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set keepalive enable
        set auto-negotiate enable
        set keylifeseconds 3600
    next
end

NSE 7

tuumke

So its working now?

Not using remote / src subnet is not really an option for us.

virtualj

Yes it is working. What is the problem of not using selectors? The firewall use the routing information and antispoofing for not matching traffic.

NSE 7

tuumke

Well, you want to have source and destionation subnets so you can limit access from subnet to subnet. You dont want it to be connect to 'everything'.

virtualj

phase2 selectors doesn't have this function. You can use routing and firewall policyes to limit the traffic.

NSE 7