We have recently set up a site-to-site VPN tunnel with Azure from our 1200D's (HA).
Traffic (ping) is working to the Azure VPN and back. No problems there.
The problem is that when there is no traffic, the VPN is brought down at the request of Azure, as it seems.
2016-06-09 08:37:38 ike 1: comes azure.external.ip.adress:500->our.external.vpn.ip:500,ifindex=36....
2016-06-09 08:37:38 ike 1: IKEv2 exchange=INFORMATIONAL id=4b56657b5863a222/69ad09fb52ca1223:0000026f len=72
2016-06-09 08:37:38 ike 1: in 4B56657B5863A22269AD09FB52CA12232E2025080000026F000000482A00002C42295E2308A0A4C88E6C7BC2262317A57039EAD293B191BDEA59F36F11032B19638DD7399329F9B2
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: dec 4B56657B5863A22269AD09FB52CA12232E2025080000026F0000002C2A0000040000000C0304000190ACD1C8
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: received informational request
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: processing delete request (proto 3)
2016-06-09 08:37:38 ike 1:VPN-Azure: deleting IPsec SA with SPI 90acd1c8
2016-06-09 08:37:38 ike 1:VPN-Azure:VPN-Azure-MGMT: deleted IPsec SA with SPI 90acd1c8, SA count: 0
2016-06-09 08:37:38 ike 1:VPN-Azure: sending SNMP tunnel DOWN trap for VPN-Azure-MGMT
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: sending delete ack
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: enc 0000000C0304000114A55E4603020103
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: out 4B56657B5863A22269AD09FB52CA12232E2025200000026F000000482A00002CFD94B85D2F62ECFAFF2A1DAD36F235CD87C6769B4D4E96A3C7DF2EBE86B41B79AB21FB7776C5E600
2016-06-09 08:37:38 ike 1:VPN-Azure:602817: sent IKE msg (INFORMATIONAL_RESPONSE): our.external.vpn.ip:500->azure.external.ip.adress:500, len=72, id=4b56657b5863a222/69ad09fb52ca1223:0000026f
2016-06-09 08:37:39 ike 1:VPN-Azure: link is idle 36 our.external.vpn.ip->azure.external.ip.adress:0 dpd=1 seqno=350e
Phase2 selectors:
config vpn ipsec phase2-interface
edit "VPN-Azure-Servers1"
set phase1name "VPN-Azure"
set proposal aes256-sha1
set dhgrp 5 2 1
set keepalive enable
set keylife-type both
set keylifeseconds 3600
set keylifekbs 102400000
set src-subnet internal.server1.network 255.255.254.0
set dst-subnet azure.server1.network 255.255.254.0
next
edit "VPN-Azure-MGMT"
set phase1name "VPN-Azure"
set proposal aes256-sha1
set dhgrp 5 2 1
set keepalive enable
set auto-negotiate enable
set keylife-type both
set keylifeseconds 3600
set keylifekbs 102400000
set src-subnet internal.mgmt.network 255.255.254.0
set dst-subnet azure.mgmt.network 255.255.254.0
next
edit "VPN-Azure-Servers2"
set phase1name "VPN-Azure"
set proposal aes256-sha1
set dhgrp 5 2 1
set keepalive enable
set keylife-type both
set keylifeseconds 3600
set keylifekbs 102400000
set src-subnet internal.server2.network 255.255.252.0
set dst-subnet azure.server2.network 255.255.252.0
next
edit "VPN-Azure-MGMT-SRV1"
set phase1name "VPN-Azure"
set proposal aes256-sha1
set dhgrp 5 2 1
set keepalive enable
set keylife-type both
set keylifeseconds 3600
set keylifekbs 102400000
set src-subnet internal.mgmt.network 255.255.254.0
set dst-subnet azure.server1.network 255.255.254.0
next
edit "VPN-Azure-MGMT-SRV2"
set phase1name "VPN-Azure"
set proposal aes256-sha1
set dhgrp 5 2 1
set keepalive enable
set keylife-type both
set keylifeseconds 3600
set keylifekbs 102400000
set src-subnet internal.mgmt.network 255.255.254.0
set dst-subnet azure.server2.network 255.255.252.0
next
edit "VPN-Azure-Servers1-SRV2"
set phase1name "VPN-Azure"
set proposal aes256-sha1
set dhgrp 5 2 1
set keepalive enable
set keylife-type both
set keylifeseconds 3600
set keylifekbs 102400000
set src-subnet internal.server1.network 255.255.254.0
set dst-subnet azure.server2.network 255.255.252.0
next
edit "VPN-Azure-Servers2-SRV1"
set phase1name "VPN-Azure"
set keepalive enable
set keylife-type both
set keylifeseconds 3600
set keylifekbs 102400000
set src-subnet internal.server2.network 255.255.252.0
set dst-subnet azure.server1.network 255.255.254.0
next
end
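The debug lines above can be decoded rather than read by eye. The following Python is an added example, not part of the post: it parses the IKEv2 fixed header and the decrypted Delete payload from the hex in the "in", "dec" and "enc" lines (copied verbatim from the post) following RFC 7296 sections 3.1 and 3.11. Nothing about the poster's setup is assumed beyond those bytes.

```python
import struct

# Hex copied verbatim from the debug lines in the post above.
IN_HEX = ("4B56657B5863A22269AD09FB52CA12232E2025080000026F000000482A00002C"
          "42295E2308A0A4C88E6C7BC2262317A57039EAD293B191BDEA59F36F11032B19638DD7399329F9B2")
DEC_HEX = "4B56657B5863A22269AD09FB52CA12232E2025080000026F0000002C2A0000040000000C0304000190ACD1C8"
ENC_HEX = "0000000C0304000114A55E4603020103"
OUT_HEADER_HEX = "4B56657B5863A22269AD09FB52CA12232E2025200000026F00000048"  # first 28 bytes of the "out" line

HEADER_LEN = 28
PAYLOAD_SK, PAYLOAD_DELETE = 46, 42
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PROTOCOL_IDS = {1: "IKE", 2: "AH", 3: "ESP"}


def parse_ike_header(data):
    """RFC 7296 section 3.1 fixed header: SPIs, next payload, version, exchange, flags, id, length."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated IKE header")
    spi_i, spi_r, next_pl, ver, exch, flags, msg_id, length = struct.unpack("!8s8sBBBBII", data[:HEADER_LEN])
    return {
        "spi_i": spi_i.hex(), "spi_r": spi_r.hex(),
        "next_payload": next_pl,
        "version": f"{ver >> 4}.{ver & 0xF}",
        "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "initiator": bool(flags & FLAG_INITIATOR),  # set by the IKE SA's original initiator
        "response": bool(flags & FLAG_RESPONSE),
        "msg_id": msg_id, "length": length,
    }


def parse_delete(body):
    """Delete payload (section 3.11): protocol ID, SPI size, SPI count, then the SPIs."""
    proto, spi_size, count = struct.unpack("!BBH", body[:4])
    if len(body) < 4 + spi_size * count:
        raise ValueError("truncated Delete payload")
    spis = [body[4 + i * spi_size:4 + (i + 1) * spi_size].hex() for i in range(count)]
    return {"protocol": PROTOCOL_IDS.get(proto, f"unknown({proto})"), "spis": spis}


def parse_payloads(data, first_type):
    """Walk the generic payload chain. Stops at an SK payload that still carries ciphertext;
    the FortiGate 'dec' dump keeps an empty 4-byte SK header, so the chain continues there."""
    out, ptype, off = [], first_type, 0
    while ptype != 0 and off + 4 <= len(data):
        next_pl, _crit, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        body = data[off + 4:off + plen]
        entry = {"type": ptype, "length": plen}
        if ptype == PAYLOAD_DELETE:
            entry.update(parse_delete(body))
        out.append(entry)
        if ptype == PAYLOAD_SK and body:
            break  # encrypted; the inner payloads are only visible on the 'dec' line
        ptype, off = next_pl, off + plen
    return out


def decode_debug_exchange(in_hex, dec_hex, enc_hex):
    """Tie the 'in', 'dec' and 'enc' lines together: who sent the request, what kind of
    exchange it was, which ESP SA the peer deleted and which SPI we acknowledged."""
    req = parse_ike_header(bytes.fromhex(in_hex))
    dec = bytes.fromhex(dec_hex)
    dec_hdr = parse_ike_header(dec)
    if (dec_hdr["spi_i"], dec_hdr["msg_id"]) != (req["spi_i"], req["msg_id"]):
        raise ValueError("'dec' line does not belong to the 'in' line")
    inner = parse_payloads(dec[HEADER_LEN:dec_hdr["length"]], dec_hdr["next_payload"])
    ack = parse_payloads(bytes.fromhex(enc_hex), PAYLOAD_DELETE)  # 'enc' starts at the Delete payload
    return {
        "exchange": req["exchange"],
        "sent_by_ike_initiator": req["initiator"],
        "is_response": req["response"],
        "msg_id": req["msg_id"],
        "peer_deleted": [(p["protocol"], s) for p in inner if p["type"] == PAYLOAD_DELETE for s in p["spis"]],
        "we_acked": [(p["protocol"], s) for p in ack if p["type"] == PAYLOAD_DELETE for s in p["spis"]],
    }


if __name__ == "__main__":
    print(parse_ike_header(bytes.fromhex(IN_HEX)))
    print(decode_debug_exchange(IN_HEX, DEC_HEX, ENC_HEX))
```

Run against the posted bytes this gives exchange type 37 (INFORMATIONAL), version 2.0, message ID 0x26F (623), length 72, flags 0x08, so the request came from the IKE SA's original initiator, which here is the Azure side, and the "out" header carries flags 0x20 (Response). The decrypted body is an SK stub followed by one Delete payload for protocol 3 (ESP) with SPI 90acd1c8, matching the "deleting IPsec SA with SPI 90acd1c8" line, and our reply deletes the paired SPI 14a55e46 with four bytes of CBC padding (03 02 01 03) behind it. In other words the peer asked for the Child SA teardown explicitly; this is not a DPD timeout.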
Hello,
Have you followed the guidelines from Azure listed at:
https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-about-vpn-devices/
The IKEv2 config mentions no lifetime based on KB, while it is configured on your FG.
Can you also post your phase 1 config?
MrSinners wrote:
Hello,
Have you followed the guidelines from Azure listed at:
https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-about-vpn-devices/
The IKEv2 config mentions no lifetime based on KB, while it is configured on your FG.
Can you also post your phase 1 config?

Yeah, I put those in because I've seen them on other topics/blogs about FortiGate/Azure VPN connections.
Phase1
edit "VPN-Azure"
set interface "port26"
set ike-version 2
set nattraversal disable
set keylife 10800
set proposal aes256-sha256 3des-sha256
set dhgrp 2
set remote-gw azure.external.ip.adress
set psksecret ENC supersecret
next
Modified the Phase2 selectors:
edit "VPN-Azure-Servers1"
set phase1name "VPN-Azure"
set proposal aes256-sha1
set dhgrp 5 2 1
set keepalive enable
set auto-negotiate enable
set keylifeseconds 3600
set src-subnet internal.server1.network 255.255.254.0
set dst-subnet external.server1.network 255.255.254.0
next
edit "VPN-Azure-MGMT"
set phase1name "VPN-Azure"
set proposal aes256-sha1
set dhgrp 5 2 1
set keepalive enable
set auto-negotiate enable
set keylifeseconds 3600
set src-subnet internal.mgmt.network 255.255.254.0
set dst-subnet external.mgmt.network 255.255.254.0
next
edit "VPN-Azure-Servers2"
set phase1name "VPN-Azure"
set proposal aes256-sha1
set dhgrp 5 2 1
set keepalive enable
set auto-negotiate enable
set keylifeseconds 3600
set src-subnet internal.server2.network 255.255.252.0
set dst-subnet external.server2.network 255.255.252.0
next
edit "VPN-Azure-MGMT-SRV1"
set phase1name "VPN-Azure"
set proposal aes256-sha1
set dhgrp 5 2 1
set keepalive enable
set auto-negotiate enable
set keylifeseconds 3600
set src-subnet internal.mgmt.network 255.255.254.0
set dst-subnet external.server1.network 255.255.254.0
next
edit "VPN-Azure-MGMT-SRV2"
set phase1name "VPN-Azure"
set proposal aes256-sha1
set dhgrp 5 2 1
set keepalive enable
set auto-negotiate enable
set keylifeseconds 3600
set src-subnet internal.mgmt.network 255.255.254.0
set dst-subnet external.server2.network 255.255.252.0
next
edit "VPN-Azure-Servers1-SRV2"
set phase1name "VPN-Azure"
set proposal aes256-sha1
set dhgrp 5 2 1
set keepalive enable
set auto-negotiate enable
set keylifeseconds 3600
set src-subnet internal.server1.network 255.255.254.0
set dst-subnet external.server2.network 255.255.252.0
next
edit "VPN-Azure-Servers2-SRV1"
set phase1name "VPN-Azure"
set proposal aes256-sha1
set keepalive enable
set auto-negotiate enable
set keylifeseconds 3600
set src-subnet internal.server2.network 255.255.252.0
set dst-subnet external.server1.network 255.255.254.0
next
Hmm, it seems that with auto-negotiate on, keepalive is working just fine.
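The two points raised so far in this thread, a KB-based lifetime that the Azure IKEv2 parameters do not list and auto-negotiate, which the poster found keeps the tunnel up, are easy to miss when there are many selectors. The following Python is an added example, not code from the thread or from Fortinet: a small linter over a FortiOS `config vpn ipsec phase2-interface` block. The sample config is constructed from the selectors posted above with placeholder subnets; the parser handles only flat `config`/`edit`/`set`/`next`/`end` blocks, and the "inconsistent" check simply reports selectors under the same phase1 that disagree on proposal or dhgrp, as the last selector in the posted config does.

```python
# Constructed sample: three selectors trimmed from the configs posted in this thread,
# the first as originally posted (KB lifetime, no auto-negotiate), the others as posted
# after the change. Subnets are placeholders.
SAMPLE_CONFIG = """\
config vpn ipsec phase2-interface
    edit "VPN-Azure-Servers1"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set dhgrp 5 2 1
        set keepalive enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set src-subnet 10.10.40.0 255.255.254.0
        set dst-subnet 10.50.40.0 255.255.254.0
    next
    edit "VPN-Azure-MGMT"
        set phase1name "VPN-Azure"
        set proposal aes256-sha1
        set dhgrp 5 2 1
        set keepalive enable
        set auto-negotiate enable
        set keylifeseconds 3600
        set src-subnet 10.10.20.0 255.255.254.0
        set dst-subnet 10.50.20.0 255.255.254.0
    next
    edit "VPN-Azure-Servers2-SRV1"
        set phase1name "VPN-Azure"
        set keepalive enable
        set auto-negotiate enable
        set keylifeseconds 3600
        set src-subnet 10.10.40.0 255.255.254.0
        set dst-subnet 10.50.20.0 255.255.254.0
    next
end
"""


def parse_fortios_block(text, section):
    """Return {edit_name: {key: [values]}} for one flat `config <section>` block."""
    entries, cur, in_section = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == f"config {section}":
            in_section = True
        elif not in_section:
            continue
        elif line == "end":
            break
        elif line.startswith("edit "):
            cur = line[5:].strip().strip('"')
            entries[cur] = {}
        elif line == "next":
            cur = None
        elif line.startswith("set ") and cur is not None:
            key, *vals = line[4:].split()
            entries[cur][key] = [v.strip('"') for v in vals]
    return entries


def lint_azure_phase2(entries):
    """Findings as (scope, code, message) tuples; codes are this example's own names."""
    findings = []
    for name, s in entries.items():
        # The Azure IKEv2 parameter list names no KB-based lifetime (reply above).
        if "keylifekbs" in s or s.get("keylife-type", ["seconds"])[0] != "seconds":
            findings.append((name, "kb-lifetime",
                             "KB-based lifetime configured; Azure IKEv2 parameters list seconds only"))
        # The poster reports the tunnel staying up only once auto-negotiate is on.
        if s.get("auto-negotiate", ["disable"])[0] != "enable":
            findings.append((name, "no-auto-negotiate",
                             "auto-negotiate not enabled; SA is not re-established after a peer delete"))
    by_phase1 = {}
    for name, s in entries.items():
        by_phase1.setdefault(s.get("phase1name", [""])[0], []).append(name)
    for phase1, names in by_phase1.items():
        for key in ("proposal", "dhgrp"):
            values = {tuple(entries[n].get(key, [])) for n in names}
            if len(values) > 1:
                findings.append((phase1, f"inconsistent-{key}",
                                 f"selectors on this phase1 differ on {key}: {sorted(values)}"))
    return findings


if __name__ == "__main__":
    for scope, code, msg in lint_azure_phase2(parse_fortios_block(SAMPLE_CONFIG, "vpn ipsec phase2-interface")):
        print(f"{scope}: [{code}] {msg}")
```

Paste the output of `show vpn ipsec phase2-interface` in place of the sample to check a real box; an empty `dhgrp` in the inconsistency list means the selector has no explicit PFS group and will use the FortiOS default, which is exactly the kind of silent difference that is hard to spot across a dozen selectors.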
Hi tuumke,
I'm not sure whether you have solved the problem, because I have the same one. It seems to have started after enabling NAT traversal (my FortiGate is behind a NAT). So the VPN worked fine with NAT-T disabled. After the change I see a P2 delete every 5 minutes. Now I have disabled NAT-T again, but the P2 delete every 5 minutes continues.
NSE 7
Do you have a debug log?
ike 3: comes 40.x.x.x:500->10.x.x.x:500,ifindex=74....
ike 3: IKEv2 exchange=INFORMATIONAL id=557ac6441c683ae3/2dbe80f94b78ea8f:00000021 len=76
ike 3: in 557AC6441C683AE32DBE80F94B78EA8F2E202500000000210000004C2A000030E86CE54C732065
ike 3:VPN_Azure_Coll:22945: dec 557AC6441C683AE32DBE80F94B78EA8F2E202500000000210000002C
ike 3:VPN_Azure_Coll:22945: received informational request
ike 3:VPN_Azure_Coll:22945: processing delete request (proto 3)
ike 3:VPN_Azure_Coll: deleting IPsec SA with SPI 44a9e206
ike 3:VPN_Azure_Coll:VPN_Azure_p2.1: deleted IPsec SA with SPI 44a9e206, SA count: 0
ike 3:VPN_Azure_Coll: sending SNMP tunnel DOWN trap for VPN_Azure_p2.1
ike 3:VPN_Azure_Coll:22945: sending delete ack
These messages appear exactly every 5 minutes for each phase2 selector. I've 12 phase2 for each network source/dest combination.
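To confirm "exactly every 5 minutes" from a debug capture rather than by eye, the following Python (an added example, not part of the post) groups the "deleted IPsec SA ... SA count: 0" lines per phase2 selector, counts the peer's "processing delete request" lines per phase1, and reports the selectors whose teardowns recur at a steady period. The sample log is constructed in the format of the timestamped debug output earlier in this thread; the timestamps, the second and third selectors, and every SPI other than 44a9e206 are made up.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample in the FortiGate 'diag debug app ike' format used in this thread.
SAMPLE_LOG = """\
2016-06-09 08:30:12 ike 3:VPN_Azure_Coll:22945: processing delete request (proto 3)
2016-06-09 08:30:12 ike 3:VPN_Azure_Coll:VPN_Azure_p2.1: deleted IPsec SA with SPI 44a9e206, SA count: 0
2016-06-09 08:30:12 ike 3:VPN_Azure_Coll:VPN_Azure_p2.2: deleted IPsec SA with SPI 0c11aa7e, SA count: 0
2016-06-09 08:30:13 ike 3:VPN_Azure_Coll: link is idle 74 10.0.0.2->40.0.0.1:0 dpd=1 seqno=1a
2016-06-09 08:35:12 ike 3:VPN_Azure_Coll:22945: processing delete request (proto 3)
2016-06-09 08:35:12 ike 3:VPN_Azure_Coll:VPN_Azure_p2.1: deleted IPsec SA with SPI 9d3b0f61, SA count: 0
2016-06-09 08:35:12 ike 3:VPN_Azure_Coll:VPN_Azure_p2.2: deleted IPsec SA with SPI 5e71c003, SA count: 0
2016-06-09 08:40:12 ike 3:VPN_Azure_Coll:22945: processing delete request (proto 3)
2016-06-09 08:40:12 ike 3:VPN_Azure_Coll:VPN_Azure_p2.1: deleted IPsec SA with SPI 7721b9ca, SA count: 0
2016-06-09 08:40:12 ike 3:VPN_Azure_Coll:VPN_Azure_p2.2: deleted IPsec SA with SPI 11f0d2ab, SA count: 0
2016-06-09 09:12:45 ike 3:VPN_Azure_Coll:VPN_Azure_p2.3: deleted IPsec SA with SPI b3e00415, SA count: 1
"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
DELETE_RE = re.compile(
    TS + r" ike \d+:(?P<p1>[^:]+):(?P<p2>[^:]+): deleted IPsec SA with SPI (?P<spi>[0-9a-f]+), SA count: (?P<left>\d+)$")
PEER_DELETE_RE = re.compile(
    TS + r" ike \d+:(?P<p1>[^:]+):\d+: processing delete request \(proto (?P<proto>\d+)\)$")


def collect_sa_deletes(log_text):
    """{(phase1, phase2): [(timestamp, spi, remaining_sa_count), ...]} in log order."""
    events = {}
    for line in log_text.splitlines():
        m = DELETE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.setdefault((m["p1"], m["p2"]), []).append((ts, m["spi"], int(m["left"])))
    return events


def peer_delete_requests(log_text):
    """Count of Delete requests received from the peer, per phase1 (peer-initiated, not local rekey)."""
    counts = {}
    for line in log_text.splitlines():
        m = PEER_DELETE_RE.match(line.strip())
        if m:
            counts[m["p1"]] = counts.get(m["p1"], 0) + 1
    return counts


def periodic_teardowns(events, min_events=3, tolerance=0.1):
    """{(phase1, phase2): period_seconds} for selectors whose last SA is deleted at a steady interval.
    'SA count: 0' means the selector has no SA left, i.e. the tunnel went down, not a rekey."""
    report = {}
    for key, evs in events.items():
        downs = [ts for ts, _spi, left in evs if left == 0]
        if len(downs) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(downs, downs[1:])]
        period = median(gaps)
        if period > 0 and all(abs(g - period) <= tolerance * period for g in gaps):
            report[key] = period
    return report


if __name__ == "__main__":
    print("peer delete requests:", peer_delete_requests(SAMPLE_LOG))
    for (p1, p2), period in periodic_teardowns(collect_sa_deletes(SAMPLE_LOG)).items():
        print(f"{p1}/{p2}: torn down every {period:.0f}s")
```

Feed it `diag debug app ike -1` output with `diag debug console timestamp enable` switched on so the lines carry timestamps. A selector that shows up with a steady period and a matching count of peer delete requests is being torn down by the remote gateway, which is what both posters in this thread saw; a selector that only appears with `SA count: 1` (the p2.3 line in the sample) is rekeying, not dropping.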
NSE 7
And a output of the phase1 and phase2 config?
Hi, in the meantime I've found a solution. I've removed all phase2 entries and created a new one with no selector. Now it works fine. All the networks in the Azure cloud are selected by routing. The on-premise networks are set in the Azure cloud.
config vpn ipsec phase1-interface
edit "VPN_Azure_Coll"
set interface "VSInt_to_VSExtC"
set ike-version 2
set nattraversal disable
set dhgrp 2
set keylife 10800
set proposal aes256-sha1
set remote-gw 40.x.x.x
set psksecret ENC xxxxxxxxxxxxxxx
next
end
config vpn ipsec phase2-interface
edit "VPN_Azure_p2"
set auto-negotiate enable
set keepalive enable
set pfs disable
set phase1name "VPN_Azure_Coll"
set proposal aes128-sha1
set keylifeseconds 3600
next
end
NSE 7
config vpn ipsec phase1-interface
edit "VPN-Azure"
set interface "port26"
set ike-version 2
set nattraversal disable
set keylife 10800
set proposal aes256-sha256 3des-sha256
set dhgrp 2
set remote-gw x.x.x.x
set psksecret ENC SUPERSECRETSTUFF
next
end
config vpn ipsec phase2-interface
edit "VPN-Azure-DMZ1"
set phase1name "VPN-Azure"
set proposal aes256-sha1
set keepalive enable
set auto-negotiate enable
set keylifeseconds 3600
set src-subnet 10./23subnet-local
set dst-subnet 10./23subnet-remote
next
end
The only difference seems to be the Phase1 and Phase2 proposal?
I thought I remembered that FortiGate has trouble connecting larger networks? So for each internal network, we make a phase 2 connector to the remote subnets.
Let's say we have:
Local Management 10.10.20.0/23
Local Server 10.10.40.0/23
Remote Management 10.50.20.0/23
Remote Server 10.50.40.0/23
Then I would create:
config vpn ipsec phase2-interface
edit "VPN-Azure-MGMT-to-MGMT"
set phase1name "VPN-Azure"
set proposal aes256-sha1
set keepalive enable
set auto-negotiate enable
set keylifeseconds 3600
set src-subnet 10.10.20.0 255.255.254.0
set dst-subnet 10.50.20.0 255.255.254.0
next
edit "VPN-Azure-MGMT-to-Server"
set phase1name "VPN-Azure"
set proposal aes256-sha1
set keepalive enable
set auto-negotiate enable
set keylifeseconds 3600
set src-subnet 10.10.20.0 255.255.254.0
set dst-subnet 10.50.40.0 255.255.254.0
next
edit "VPN-Azure-Server-to-Server"
set phase1name "VPN-Azure"
set proposal aes256-sha1
set keepalive enable
set auto-negotiate enable
set keylifeseconds 3600
set src-subnet 10.10.40.0 255.255.254.0
set dst-subnet 10.50.40.0 255.255.254.0
next
end
Copyright 2024 Fortinet, Inc. All Rights Reserved.