Fortinet Forum
tuumke
New Contributor

Azure site-to-site IPSec delete requests

We have recently set up a site-to-site VPN tunnel with Azure from our 1200Ds (HA).

Traffic (ping) is working to the Azure VPN and back. No problems there.


The problem is that when there is no traffic, the VPN is brought down at Azure's request, as it seems.


2016-06-09 08:37:38 ike 1: comes azure.external.ip.adress:500->our.external.vpn.ip:500,ifindex=36....
2016-06-09 08:37:38 ike 1: IKEv2 exchange=INFORMATIONAL id=4b56657b5863a222/69ad09fb52ca1223:0000026f len=72
2016-06-09 08:37:38 ike 1: in 4B56657B5863A22269AD09FB52CA12232E2025080000026F000000482A00002C42295E2308A0A4C88E6C7BC2262317A57039EAD293B191BDEA59F36F11032B19638DD7399329F9B2
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: dec 4B56657B5863A22269AD09FB52CA12232E2025080000026F0000002C2A0000040000000C0304000190ACD1C8
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: received informational request
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: processing delete request (proto 3)
2016-06-09 08:37:38 ike 1:VPN-Azure: deleting IPsec SA with SPI 90acd1c8
2016-06-09 08:37:38 ike 1:VPN-Azure:VPN-Azure-MGMT: deleted IPsec SA with SPI 90acd1c8, SA count: 0
2016-06-09 08:37:38 ike 1:VPN-Azure: sending SNMP tunnel DOWN trap for VPN-Azure-MGMT
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: sending delete ack
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: enc 0000000C0304000114A55E4603020103
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: out 4B56657B5863A22269AD09FB52CA12232E2025200000026F000000482A00002CFD94B85D2F62ECFAFF2A1DAD36F235CD87C6769B4D4E96A3C7DF2EBE86B41B79AB21FB7776C5E600
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: sent IKE msg (INFORMATIONAL_RESPONSE): our.external.vpn.ip:500->azure.external.ip.adress:500, len=72, id=4b56657b5863a222/69ad09fb52ca1223:0000026f
2016-06-09 08:37:39 ike 1:VPN-Azure: link is idle 36 our.external.vpn.ip->azure.external.ip.adress:0 dpd=1 seqno=350e


Phase2 selectors

    edit "VPN-Azure-Servers1"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set dhgrp 5 2 1
        set keepalive enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set src-subnet internal.server1.network 255.255.254.0
        set dst-subnet azure.server1.network 255.255.254.0
    next
    edit "VPN-Azure-MGMT"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set dhgrp 5 2 1
        set keepalive enable
        set auto-negotiate enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set src-subnet internal.mgmt.network 255.255.254.0
        set dst-subnet azure.mgmt.network 255.255.254.0
    next
    edit "VPN-Azure-Servers2"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set dhgrp 5 2 1
        set keepalive enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set src-subnet internal.server2.network 255.255.252.0
        set dst-subnet azure.server2.network 255.255.252.0
    next
    edit "VPN-Azure-MGMT-SRV1"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set dhgrp 5 2 1
        set keepalive enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set src-subnet internal.mgmt.network 255.255.254.0
        set dst-subnet azure.server1.network 255.255.254.0
    next
    edit "VPN-Azure-MGMT-SRV2"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set dhgrp 5 2 1
        set keepalive enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set src-subnet internal.mgmt.network 255.255.254.0
        set dst-subnet azure.server2.network 255.255.252.0
    next
    edit "VPN-Azure-Servers1-SRV2"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set dhgrp 5 2 1
        set keepalive enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set src-subnet internal.server1.network 255.255.254.0
        set dst-subnet azure.server2.network 255.255.252.0
    next
    edit "VPN-Azure-Servers2-SRV1"
        set phase1name "VPN-Azure"
        set keepalive enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set src-subnet internal.server2.network 255.255.252.0
        set dst-subnet azure.server1.network 255.255.254.0
    next
end

14 REPLIES
MrSinners
Contributor

Hello,

Have you followed the guidelines as mentioned by Azure listed at:

https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-about-vpn-devices/

The IKEv2 config mentions no lifetime based upon KB, while it's configured on your FG.

Can you also post your phase 1 config?

tuumke

MrSinners wrote:

Hello,

Have you followed the guidelines as mentioned by Azure listed at:

https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-about-vpn-devices/

The IKEv2 config mentions no lifetime based upon KB, while it's configured on your FG.

Can you also post your phase 1 config?

Yeah, I put those in because I've seen them on other topics/blogs about FortiGate/Azure VPN connections.


Phase1

    edit "VPN-Azure"
        set interface "port26"
        set ike-version 2
        set nattraversal disable
        set keylife 10800
        set proposal aes256-sha256 3des-sha256
        set dhgrp 2
        set remote-gw azure.external.ip.adress
        set psksecret ENC supersecret
    next

Modified the Phase2 selectors:

    edit "VPN-Azure-Servers1"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set dhgrp 5 2 1
        set keepalive enable
        set auto-negotiate enable
        set keylifeseconds 3600
        set src-subnet internal.server1.network 255.255.254.0
        set dst-subnet external.server1.network 255.255.254.0
    next
    edit "VPN-Azure-MGMT"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set dhgrp 5 2 1
        set keepalive enable
        set auto-negotiate enable
        set keylifeseconds 3600
        set src-subnet internal.mgmt.network 255.255.254.0
        set dst-subnet external.mgmt.network 255.255.254.0
    next
    edit "VPN-Azure-Servers2"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set dhgrp 5 2 1
        set keepalive enable
        set auto-negotiate enable
        set keylifeseconds 3600
        set src-subnet internal.server2.network 255.255.252.0
        set dst-subnet external.server2.network 255.255.252.0
    next
    edit "VPN-Azure-MGMT-SRV1"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set dhgrp 5 2 1
        set keepalive enable
        set auto-negotiate enable
        set keylifeseconds 3600
        set src-subnet internal.mgmt.network 255.255.254.0
        set dst-subnet external.server1.network 255.255.254.0
    next
    edit "VPN-Azure-MGMT-SRV2"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set dhgrp 5 2 1
        set keepalive enable
        set auto-negotiate enable
        set keylifeseconds 3600
        set src-subnet internal.mgmt.network 255.255.254.0
        set dst-subnet external.server2.network 255.255.252.0
    next
    edit "VPN-Azure-Servers1-SRV2"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set dhgrp 5 2 1
        set keepalive enable
        set auto-negotiate enable
        set keylifeseconds 3600
        set src-subnet internal.server1.network 255.255.254.0
        set dst-subnet external.server2.network 255.255.252.0
    next
    edit "VPN-Azure-Servers2-SRV1"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set keepalive enable
        set auto-negotiate enable
        set keylifeseconds 3600
        set src-subnet internal.server2.network 255.255.252.0
        set dst-subnet external.server1.network 255.255.254.0
    next


tuumke
New Contributor

Hmm, it seems that with auto-negotiate on, keepalive is working just fine.
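The two phase2 settings this thread turns on or drops (auto-negotiate, and the KB-based lifetime MrSinners points out is absent from Azure's IKEv2 guidance) can be checked mechanically over a `config vpn ipsec phase2-interface` dump. The following is an added example, not code from the thread or from Fortinet; the sample config is constructed in the CLI format quoted above, and the subnets are made up.

```python
import re

# Constructed sample in the FortiGate CLI format quoted in this thread: the first
# selector matches the working config, the second keeps the KB lifetime and lacks auto-negotiate.
SAMPLE_CONFIG = """\
config vpn ipsec phase2-interface
    edit "VPN-Azure-MGMT"
        set proposal aes256-sha1
        set auto-negotiate enable
        set keylifeseconds 3600
        set src-subnet 10.10.20.0 255.255.254.0
        set dst-subnet 10.50.20.0 255.255.254.0
    next
    edit "VPN-Azure-Servers1"
        set proposal aes256-sha1
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set src-subnet 10.10.40.0 255.255.254.0
        set dst-subnet 10.50.40.0 255.255.254.0
    next
end
"""

def parse_phase2(text):
    """Return {entry_name: {key: value}} for every edit/next block in the dump."""
    entries, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r'^edit "([^"]+)"$', line):
            current = entries.setdefault(m.group(1), {})
        elif current is not None and (m := re.match(r"^set (\S+) (.+)$", line)):
            current[m.group(1)] = m.group(2)
        elif line == "next":
            current = None
    return entries

def lint_phase2(entries):
    """Per selector, report the two settings this thread turns on or removes."""
    findings = {}
    for name, kv in entries.items():
        issues = []
        if kv.get("auto-negotiate") != "enable":
            issues.append("auto-negotiate missing: selector only renegotiates when traffic arrives")
        if "keylifekbs" in kv or kv.get("keylife-type") == "both":
            issues.append("KB-based lifetime set: Azure IKEv2 guidance uses a time-based lifetime only")
        if issues:
            findings[name] = issues
    return findings
```

Run `lint_phase2(parse_phase2(open("phase2.txt").read()))` against a `show vpn ipsec phase2-interface` capture to list the selectors still carrying either setting.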

virtualj

Hi tuumke,

I don't understand if you have solved the problem, because I have the same one. It seems to have started after enabling NAT-TRAVERSAL (my FortiGate is behind a NAT). So the VPN worked fine with NAT-T disabled. After the change I see a p2 delete every 5 minutes. Now I have disabled NAT-T again, but the p2 delete every 5 minutes is continuing.

NSE 7

tuumke

Do you have a debug log?


virtualj

ike 3: comes 40.x.x.x:500->10.x.x.x:500,ifindex=74....
ike 3: IKEv2 exchange=INFORMATIONAL id=557ac6441c683ae3/2dbe80f94b78ea8f:00000021 len=76
ike 3: in 557AC6441C683AE32DBE80F94B78EA8F2E202500000000210000004C2A000030E86CE54C732065
ike 3:VPN_Azure_Coll:22945: dec 557AC6441C683AE32DBE80F94B78EA8F2E202500000000210000002C
ike 3:VPN_Azure_Coll:22945: received informational request
ike 3:VPN_Azure_Coll:22945: processing delete request (proto 3)
ike 3:VPN_Azure_Coll: deleting IPsec SA with SPI 44a9e206
ike 3:VPN_Azure_Coll:VPN_Azure_p2.1: deleted IPsec SA with SPI 44a9e206, SA count: 0
ike 3:VPN_Azure_Coll: sending SNMP tunnel DOWN trap for VPN_Azure_p2.1
ike 3:VPN_Azure_Coll:22945: sending delete ack

These messages appear exactly every 5 minutes for each phase2 selector. I have 12 phase2 selectors, one for each network source/dest combination.

NSE 7
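Both the opening post and the reply above show the same pattern in `diagnose debug application ike` output: an INFORMATIONAL delete from the peer, then `deleted IPsec SA ... SA count: 0` and a tunnel DOWN trap. The script below is an added example (not from the thread or from Fortinet) that pulls those deletion events out of a debug capture, groups them per phase2 selector, and flags selectors whose deletions recur at a fixed cadence, which points at the peer's idle or lifetime policy rather than a DPD failure. The sample lines are constructed in the OP's format with made-up timestamps and SPIs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the debug output quoted in this thread; the
# timestamps and the second/third SPIs are made up to show a 300 s cadence.
SAMPLE_LOG = """\
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: processing delete request (proto 3)
2016-06-09 08:37:38 ike 1:VPN-Azure:VPN-Azure-MGMT: deleted IPsec SA with SPI 90acd1c8, SA count: 0
2016-06-09 08:37:38 ike 1:VPN-Azure: sending SNMP tunnel DOWN trap for VPN-Azure-MGMT
2016-06-09 08:42:38 ike 1:VPN-Azure:602818: processing delete request (proto 3)
2016-06-09 08:42:38 ike 1:VPN-Azure:VPN-Azure-MGMT: deleted IPsec SA with SPI 1a2b3c4d, SA count: 0
2016-06-09 08:47:38 ike 1:VPN-Azure:602819: processing delete request (proto 3)
2016-06-09 08:47:38 ike 1:VPN-Azure:VPN-Azure-MGMT: deleted IPsec SA with SPI 5e6f7a8b, SA count: 0
2016-06-09 08:50:00 ike 1:VPN-Azure:VPN-Azure-Servers1: deleted IPsec SA with SPI 0badcafe, SA count: 1
"""

# Matches the "deleted IPsec SA" line: timestamp, phase1 name, phase2 name, SPI, remaining SA count.
DELETED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ike \d+:(?P<p1>[^:]+):(?P<p2>[^:]+): "
    r"deleted IPsec SA with SPI (?P<spi>[0-9a-f]+), SA count: (?P<count>\d+)$"
)

def parse_deletes(text):
    """Return {phase2_name: [(timestamp, spi, remaining_sa_count), ...]} in log order."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = DELETED_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events[m["p2"]].append((ts, m["spi"], int(m["count"])))
    return events

def periodic_deletes(events, period_s=300, tolerance_s=5):
    """Selectors whose consecutive SA deletions all fall period_s apart (within tolerance).
    A steady cadence points at the peer's idle/lifetime policy, not at DPD or a link flap."""
    suspects = {}
    for name, evs in events.items():
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        if gaps and all(abs(g - period_s) <= tolerance_s for g in gaps):
            suspects[name] = gaps
    return suspects

def tunnels_left_empty(events):
    """Selectors whose last deletion left SA count 0: traffic drops until renegotiation."""
    return sorted(n for n, evs in events.items() if evs[-1][2] == 0)
```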

tuumke

And an output of the phase1 and phase2 config?

virtualj

Hi, in the meantime I've found a solution. I've removed all phase2 and created a new one with no selector. Now it works fine. All the networks in the Azure cloud are selected by routing. The on-premises networks are set in the Azure cloud.


config vpn ipsec phase1-interface
    edit "VPN_Azure_Coll"
        set interface "VSInt_to_VSExtC"
        set ike-version 2
        set nattraversal disable
        set dhgrp 2
        set keylife 10800
        set proposal aes256-sha1
        set remote-gw 40.x.x.x
        set psksecret ENC xxxxxxxxxxxxxxx
    next
end
config vpn ipsec phase2-interface
    edit "VPN_Azure_p2"
        set auto-negotiate enable
        set keepalive enable
        set pfs disable
        set phase1name "VPN_Azure_Coll"
        set proposal aes128-sha1
        set keylifeseconds 3600
    next
end

NSE 7

tuumke


config vpn ipsec phase1-interface
    edit "VPN-Azure"
        set interface "port26"
        set ike-version 2
        set nattraversal disable
        set keylife 10800
        set proposal aes256-sha256 3des-sha256
        set dhgrp 2
        set remote-gw x.x.x.x
        set psksecret ENC SUPERSECRETSTUFF
    next
end
config vpn ipsec phase2-interface
    edit "VPN-Azure-DMZ1"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set keepalive enable
        set auto-negotiate enable
        set keylifeseconds 3600
        set src-subnet 10./23subnet-local
        set dst-subnet 10./23subnet-remote
    next
end


The only difference seems to be the Phase1 and Phase2 proposal?

I thought I remembered that FortiGate has trouble connecting larger networks? So for each internal network we make a phase 2 connector to the remote subnets.

Let's say we have:

Local Management 10.10.20.0/23

Local Server 10.10.40.0/23

Remote Management 10.50.20.0/23

Remote Server 10.50.40.0/23


Then I would create:


config vpn ipsec phase2-interface
    edit "VPN-Azure-MGMT-to-MGMT"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set keepalive enable
        set auto-negotiate enable
        set keylifeseconds 3600
        set src-subnet 10.10.20.0 255.255.254.0
        set dst-subnet 10.50.20.0 255.255.254.0
    next
    edit "VPN-Azure-MGMT-to-Server"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set keepalive enable
        set auto-negotiate enable
        set keylifeseconds 3600
        set src-subnet 10.10.20.0 255.255.254.0
        set dst-subnet 10.50.40.0 255.255.254.0
    next
    edit "VPN-Azure-Server-to-Server"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set keepalive enable
        set auto-negotiate enable
        set keylifeseconds 3600
        set src-subnet 10.10.40.0 255.255.254.0
        set dst-subnet 10.50.40.0 255.255.254.0
    next
end