Hello everyone
I'm trying to add a second VPN tunnel to our FortiGate. Everything seems OK and the tunnel is up, but there is no communication between the two sites.
Traceroute on the CLI of the FortiGate just drops.
Traceroute from the LAN goes to the internet and drops.
I used a wizard to create the tunnel. On our side we have a FortiGate 200D and the other end is a Cisco ASA.
diag gateway list results below
vd: root/0
name: XXXXXXXXXXXXX
version: 1
interface: port6 15
addr: XXXXXXXXXXXX:500 -> XXXXXXXXXXXXX:500
created: 5038s ago
IKE SA: created 1/1 established 1/1 time 630/630/630 ms
IPsec SA: created 5/85 established 5/5 time 180/358/800 ms
id/spi: 2 e9e783ffee4b81ee/557d82bf62f157f8
direction: initiator
status: established 5038-5037s ago = 630ms
proposal: aes256-sha1
key: f1cf0d0329195bdc-683d8c0d7660f9ce-af2786dfc8dd072b-310f90e043bc78a9
lifetime/rekey: 43200/37862
DPD sent/recv: 00000000/00000000
vd: root/0
name: YYYYYYYYYYYYYYYYY
version: 1
interface: port6 15
addr: YYYYYYYYYYYY:500 -> YYYYYYYYYYYYYYYY:500
created: 443s ago
IKE SA: created 1/1 established 1/1 time 670/670/670 ms
IPsec SA: created 1/1 established 1/1 time 890/890/890 ms
id/spi: 16 144ca8e0a32ae987/128dced7496e5590
direction: initiator
status: established 443-442s ago = 670ms
proposal: aes256-sha1
key: 1ea51db8c63bf1e9-73cc692d2d2fa48f-f14ad0ffe946bccf-6712eab0676207db
lifetime/rekey: 86400/85657
DPD sent/recv: 000038d2/00000000
Any idea of what I'm doing wrong?
Did you create a Policy?
Can you print the configuration for the tunnel?
Hi Nissan,
Thanks for the response. Yes, the policy was created. I used the wizard to create the tunnel, then I converted it to a custom tunnel and changed the Phase 1 and Phase 2 parameters to match the remote site.
P1
AES256 SHA1 5
AES256 SHA1 2
Ok, have you defined the local and remote network?
Yes, I've done that.
See diag debug log below:
_FGT_200D #
2016-03-08 16:21:17 ike 0:Tunnel: link is idle 15 XXXXX->YYYYYYY:0 dpd=1 seqno=3bef
2016-03-08 16:21:17 ike 0:Tunnel:364: send IKEv1 DPD probe, seqno 15343
2016-03-08 16:21:17 ike 0:Tunnel:364: enc 29FF8527190383F0A85AA0B27891ABB8081005014692C10B000000540B000018257404B5C398CF51D97E8571E0C5018BFD202628000000200000000101108D2829FF8527190383F0A85AA0B27891ABB800003BEF
2016-03-08 16:21:17 ike 0:tunnel:364: out 29FF8527190383F0A85AA0B27891ABB8081005014692C10B0000005C3FDFB81A9B0CE4C830E4667D408B8C90BE00B41488892DA9639857C5FF0AF8B9B5B5B6396FC61C73E339B28CCA51EC792E75474D91F753B0BF41742E0F4F5D00
2016-03-08 16:21:17 ike 0:tunnel:364: sent IKE msg (R-U-THERE): XXXXXXXX:500->YYYYYYYYYYY:500, len=92, id=29ff8527190383f0/a85aa0b27891abb8:4692c10b
2016-03-08 16:21:18 ike 0: comes XXXXXXX:500->YYYYYYYYYY:500,ifindex=15....
2016-03-08 16:21:18 ike 0: IKEv1 exchange=Informational id=29ff8527190383f0/a85aa0b27891abb8:86580cf7 len=92
2016-03-08 16:21:18 ike 0: in 29FF8527190383F0A85AA0B27891ABB80810050186580CF70000005C35B2870A18521512EEA5BB1A07A73AC50E1DD9271DB18D8A75133EC293F824C262F03D40C8C3DC2058EE67703D361C5D7D1406567C141E349D9BF895F04F8054
2016-03-08 16:21:18 ike 0:tunnel:364: dec 29FF8527190383F0A85AA0B27891ABB80810050186580CF70000005C0B00001851F0653B991BF216C1F125C8AA5DB9543B20A7B9000000200000000101108D2929FF8527190383F0A85AA0B27891ABB800003BEF0000000000000000
2016-03-08 16:21:18 ike 0:tunnel:364: notify msg received: R-U-THERE-ACK
Help still needed. Tunnel up but no traffic.
The event log shows a DPD failure, but it shows that both the P1 and P2 are successful.
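As an added example (not from the thread and not Fortinet code), here is a Python parser for the diag gateway list output pasted in the first post. It pulls the per-gateway counters into a record and applies a few heuristics a troubleshooter would apply by eye. The sample text is constructed to mirror the two gateways above, with made-up names and addresses and the key lines left out. Two readings are assumptions: the DPD sent/recv values are treated as hexadecimal sequence numbers rather than counts (which fits the seqno=3bef in the debug log below, 0x38d2 being a slightly earlier probe), so a recv value of zero only says the peer has not sent probes of its own; and both the "created" and "established" pairs are read as current/total, on which reading the first gateway started 85 IPsec SA negotiations of which only 5 ever completed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the two gateways pasted in the thread; the
# names and addresses are made up (the original post masks them) and the
# "key:" lines are deliberately omitted.
SAMPLE = """\
vd: root/0
name: Tunnel_A
version: 1
interface: port6 15
addr: 198.51.100.10:500 -> 203.0.113.20:500
created: 5038s ago
IKE SA: created 1/1 established 1/1 time 630/630/630 ms
IPsec SA: created 5/85 established 5/5 time 180/358/800 ms
id/spi: 2 e9e783ffee4b81ee/557d82bf62f157f8
direction: initiator
status: established 5038-5037s ago = 630ms
proposal: aes256-sha1
lifetime/rekey: 43200/37862
DPD sent/recv: 00000000/00000000
vd: root/0
name: Tunnel_B
version: 1
interface: port6 15
addr: 198.51.100.10:500 -> 203.0.113.30:500
created: 443s ago
IKE SA: created 1/1 established 1/1 time 670/670/670 ms
IPsec SA: created 1/1 established 1/1 time 890/890/890 ms
id/spi: 16 144ca8e0a32ae987/128dced7496e5590
direction: initiator
status: established 443-442s ago = 670ms
proposal: aes256-sha1
lifetime/rekey: 86400/85657
DPD sent/recv: 000038d2/00000000
"""


@dataclass
class Gateway:
    name: str
    status: str
    uptime_s: int
    ipsec_cur: int          # IPsec SAs installed right now
    ipsec_created: int      # IPsec SA negotiations started over the gateway's life
    ipsec_established: int  # of those, how many completed (current/total reading assumed)
    dpd_sent: int           # seqno of the last R-U-THERE we sent (hex in the output)
    dpd_recv: int           # seqno of the last R-U-THERE the peer sent to us
    findings: list = field(default_factory=list)


_FIELDS = {
    "name": re.compile(r"^name: (.+)$", re.M),
    "status": re.compile(r"^status: (\w+)", re.M),
    "created": re.compile(r"^created: (\d+)s ago", re.M),
    "ipsec": re.compile(r"^IPsec SA: created (\d+)/(\d+) established (\d+)/(\d+)", re.M),
    "dpd": re.compile(r"^DPD sent/recv: ([0-9a-fA-F]+)/([0-9a-fA-F]+)", re.M),
}


def check_gateway(gw):
    """Heuristic health checks; returns a list of human-readable findings."""
    findings = []
    if gw.status != "established":
        findings.append(f"IKE SA not established (status={gw.status})")
    if gw.ipsec_cur == 0:
        findings.append("no IPsec SA installed, phase 2 never completed")
    failed = gw.ipsec_created - gw.ipsec_established
    if failed > 0:
        findings.append(
            f"{failed} of {gw.ipsec_created} IPsec SA negotiations never reached "
            f"established in {gw.uptime_s}s; compare phase 2 proposal and selectors "
            f"with the peer")
    return findings


def parse_gateways(text):
    """Split the output into one record per 'vd:' header and parse each."""
    gateways = []
    for block in re.split(r"\n(?=vd: )", text):
        matches = {key: rx.search(block) for key, rx in _FIELDS.items()}
        if not all(matches.values()):
            continue  # not a complete gateway record
        gw = Gateway(
            name=matches["name"].group(1).strip(),
            status=matches["status"].group(1),
            uptime_s=int(matches["created"].group(1)),
            ipsec_cur=int(matches["ipsec"].group(1)),
            ipsec_created=int(matches["ipsec"].group(2)),
            ipsec_established=int(matches["ipsec"].group(4)),
            dpd_sent=int(matches["dpd"].group(1), 16),
            dpd_recv=int(matches["dpd"].group(2), 16),
        )
        gw.findings = check_gateway(gw)
        gateways.append(gw)
    return gateways


if __name__ == "__main__":
    for gw in parse_gateways(SAMPLE):
        print(f"{gw.name}: status={gw.status} ipsec={gw.ipsec_cur} live, "
              f"dpd seqno sent={gw.dpd_sent} recv={gw.dpd_recv}")
        for finding in gw.findings:
            print("  -", finding)
```

Run against the sample, Tunnel_B comes back clean while Tunnel_A is flagged for 80 failed phase 2 negotiations in 84 minutes, which is the kind of mismatch that leaves phase 1 up and phase 2 flapping. The same function can be fed the real output of the command by pasting it into SAMPLE or reading it from a file.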
If interface mode, did you set the static route?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Hi Bob,
Yes i did.
I also noticed that traffic is not going through the tunnel. The traffic seems to be going to the internet directly and dropping.
I'm at a total loss.
Is the distance of the static route lower than that of your default gateway?
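Bob's two questions (whether a static route to the remote LAN points at the tunnel interface, and what distance it has) come down to how the FortiGate's route lookup picks an egress. The Python model below is added here and is not from the thread or from Fortinet; it reproduces that behaviour on constructed route tables: routes on a down interface are ignored, the longest prefix wins, among routes to the same prefix only the lowest distance is installed, and priority breaks any remaining tie. The interface names, the 192.168.20.0/24 remote subnet and the distances are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical routing state for the poster's setup: a default route out of
# the WAN port plus, in some scenarios, a static route to the remote LAN via
# the IPsec tunnel interface. Interface names and prefixes are constructed.


@dataclass(frozen=True)
class Route:
    dst: str            # destination prefix
    device: str         # egress interface (a tunnel interface for IPsec)
    distance: int = 10  # administrative distance (FortiOS static default)
    priority: int = 0   # tie-breaker among equal-distance routes


def lookup(routes, dest_ip, interfaces_up):
    """Return the route a packet to dest_ip takes, or None if it is unroutable.

    Order of decision (FortiOS behaviour): routes on down interfaces are not
    candidates; longest prefix match wins; among routes to that same prefix
    only the lowest distance is installed; priority breaks any remaining tie.
    """
    dest = ipaddress.ip_address(dest_ip)
    candidates = [r for r in routes
                  if r.device in interfaces_up
                  and dest in ipaddress.ip_network(r.dst)]
    if not candidates:
        return None
    best_len = max(ipaddress.ip_network(r.dst).prefixlen for r in candidates)
    same_prefix = [r for r in candidates
                   if ipaddress.ip_network(r.dst).prefixlen == best_len]
    return min(same_prefix, key=lambda r: (r.distance, r.priority))


def egress_for(routes, dest_ip, interfaces_up):
    """Interface name a packet leaves on, or 'dropped' if no route matches."""
    route = lookup(routes, dest_ip, interfaces_up)
    return route.device if route else "dropped"


DEFAULT = Route("0.0.0.0/0", "wan1", distance=10)
REMOTE_LAN = "192.168.20.0/24"        # constructed: the remote site's subnet
UP = {"wan1", "internal", "Tunnel_B"}

# Scenario 1: tunnel up but no static route. The remote LAN matches only the
# default route, so traffic leaves toward the internet instead of the tunnel.
no_route = [DEFAULT]
# Scenario 2: static route via the tunnel interface with the default distance.
with_route = [DEFAULT, Route(REMOTE_LAN, "Tunnel_B")]
# Scenario 3: a stale route to the same prefix via wan1 with a lower distance
# shadows the tunnel route; only the lowest distance is installed.
shadowed = [DEFAULT, Route(REMOTE_LAN, "Tunnel_B", distance=10),
            Route(REMOTE_LAN, "wan1", distance=5)]


if __name__ == "__main__":
    for label, table in [("no route", no_route), ("tunnel route", with_route),
                         ("shadowed", shadowed)]:
        print(f"{label:13s} 192.168.20.10 -> {egress_for(table, '192.168.20.10', UP)}")
    print(f"tunnel down   192.168.20.10 -> "
          f"{egress_for(with_route, '192.168.20.10', UP - {'Tunnel_B'})}")
```

Scenario 1 reproduces the symptom reported in the thread: with only the default route, a packet for the remote LAN leaves the WAN port. A /24 route through the tunnel interface beats the /0 default route whatever its distance; distance only decides between routes to the same prefix, as in scenario 3, and the tunnel interface must be up for its route to be installed at all. A matching firewall policy from the LAN interface to the tunnel interface is still needed on top of the route, which the model does not cover.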