Hi, I am not able to see any incoming ESP packet when running a packet capture in FortiGate. The tunnel is UP and running, everything is working find, but if I check the traffic, I just can see outgoing ESP packets but not incoming ones. I have a lot of FortiGates devices and same happens in all of them. Am I missing something? Thanks?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Yes, are you specifying the right interface ? If you do the following
diag sniffer packet any "src host x.x.x.x and proto 50" where x.x.x.x is the remote-gateway ?
And lastly confirm the exact remote-gw ipv4 address is correct.
Ken Felix
PCNSE
NSE
StrongSwan
Or, are you sure it's not encapsulated in UDP 4500 because of NAT traversal? Just sniff everything against the remote-gw IP first.
I have found the reason, it was due to acceleration. After disabling the acceleration in the phase1-Interface, I can see now traffic flowing in both directions.
config vpn ipsec phase1/phase1-interface edit "vpn_name" set npu-offload enable/disable next end
You should be able to see them by just disabling "auto-asic-offload" on the policies without disabling it on the IPsec/phase1. Just don't forget to re-enabling when you're done debugging.
The thing is that I wanted to check the traffic between my FortiGate and AWS gateway, because the BGP session was not comming up. The traffic was between the FortiGate iself, and AWS remote Gateway, so the traffic was not maching any rule as far I know.
We have an IPsec between FGT and AWS for a customer, and running BGP over it. I can sniff BGP (TCP 179) exchanges with offloading enabled. I think it's because it's destined to FGT itself so it has to come out of NPU unlike passing-through traffic, which gets out of the egress interface only through NPU.
Yes, after some time I did realize that the tunnel was working fine (it was a BGP configuration issue) and I was able to sniffer the traffic going through the tunnel. I was just shocked after seeing that everything was working fine when fixed the BGP issue, but I was still unable to see ESP packets coming from the AWS public IP. Somehow the FortiGate just shows the outgoing ESP packets but not the incoming ESP packets when offloading is enabled.
Anyway, thank you very much for answers and information :)
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.