Hi guys,
I would be interested in what is the best/most reliable way to ensure that traffic is sent into an IPsec tunnel.
I.e. if I can see outgoing traffic within the IPsec Monitor and I also see packets when starting a packet capture on the VPN tunnel - does that confirm that the traffic is sent through the tunnel?
Is there any (better) option to confirm this?
Best regards
cust0m
do a flow debug to monitor traffic on the FGT:
diag debug ena
diag debug flow filter clear
diag debug flow filter dst <destination ip>
diag debug flow filter src <source ip>
diag debug flow trace start <numberofpackets>
then create some traffic that should flow from <source ip> to <destination ip> over the vpn to see what happens to your packets.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
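The flow debug procedure above produces one trace per packet, and the thread later settles on the "enter IPsec interface-<name>" message as the confirmation that a packet went into the tunnel. The following is an added example (not code from the original thread or from Fortinet) that groups `diag debug flow` output by trace_id, finds the trace for a given source/destination pair and reports whether that packet entered an IPsec interface or was instead routed out a normal interface in the clear. The sample output, the tunnel name `vpn-customer` and the interface names are constructed placeholders modelled on the FortiOS message format, not captured from the original poster's device.

```python
import re
from collections import defaultdict

# Constructed sample of "diag debug flow" output (placeholder names/addresses).
# Trace 1: ping 192.168.1.1 -> 10.0.0.1 enters the tunnel "vpn-customer".
# Trace 2: ping 192.168.1.1 -> 10.0.0.2 is routed out wan1 unencrypted instead.
SAMPLE_FLOW_OUTPUT = """\
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 192.168.1.1:1->10.0.0.1:2048) from port2. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5519 msg="allocate a new session-0000003a"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-10.0.0.1 via vpn-customer"
id=20085 trace_id=1 func=fw_forward_handler line=737 msg="Allowed by Policy-3:"
id=20085 trace_id=1 func=ipsecdev_hard_start_xmit line=123 msg="enter IPsec interface-vpn-customer"
id=20085 trace_id=1 func=esp_output4 line=456 msg="IPsec encrypt/auth"
id=20085 trace_id=1 func=ipsec_output_finish line=789 msg="send to 203.0.113.1 via intf-wan1"
id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 192.168.1.1:1->10.0.0.2:2048) from port2. type=8, code=0, id=1, seq=2."
id=20085 trace_id=2 func=init_ip_session_common line=5519 msg="allocate a new session-0000003b"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-198.51.100.1 via wan1"
id=20085 trace_id=2 func=fw_forward_handler line=737 msg="Allowed by Policy-1:"
id=20085 trace_id=2 func=__ip_session_run_tuple line=3011 msg="SNAT 192.168.1.1->198.51.100.2:60001"
"""

# One flow-debug line: we only need the trace_id and the quoted msg text.
LINE_RE = re.compile(r'trace_id=(\d+)\s.*?msg="(.*)"$')
# The "received a packet" message carries the original src/dst of the packet.
PKT_RE = re.compile(r"received a packet\(proto=\d+, (\d+\.\d+\.\d+\.\d+):\d+->(\d+\.\d+\.\d+\.\d+):\d+\)")
TUNNEL_PREFIX = "enter IPsec interface-"


def parse_traces(output):
    """Group the msg strings of the flow debug output by trace_id (one trace per packet)."""
    traces = defaultdict(list)
    for line in output.splitlines():
        m = LINE_RE.search(line)
        if m:
            traces[int(m.group(1))].append(m.group(2))
    return traces


def classify_trace(msgs):
    """Return (src, dst, verdict, detail) for one packet trace.

    verdict is "tunnel" when the packet entered an IPsec interface (detail = tunnel name),
    "cleartext" when it was routed out a plain interface (detail = that interface),
    and "unknown" when neither could be determined from the trace.
    """
    src = dst = None
    for msg in msgs:
        m = PKT_RE.search(msg)
        if m:
            src, dst = m.group(1), m.group(2)
            break
    for msg in msgs:
        if msg.startswith(TUNNEL_PREFIX):
            return src, dst, "tunnel", msg[len(TUNNEL_PREFIX):]
    route = next((msg for msg in msgs if msg.startswith("find a route")), "")
    if " via " in route:
        return src, dst, "cleartext", route.split(" via ")[-1]
    return src, dst, "unknown", ""


def verify_tunnel(output, src, dst):
    """(entered_tunnel, detail) for the first trace whose packet was src -> dst."""
    for msgs in parse_traces(output).values():
        s, d, verdict, detail = classify_trace(msgs)
        if (s, d) == (src, dst):
            return verdict == "tunnel", detail
    return False, "no trace for this src/dst (check the flow filter, or generate traffic)"


if __name__ == "__main__":
    for dst in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        print(dst, verify_tunnel(SAMPLE_FLOW_OUTPUT, "192.168.1.1", dst))
```

The second trace is the case worth catching: the packet is allowed by policy and leaves the box, but via wan1 with source NAT rather than via the tunnel, which is exactly what a missing or wrong static route toward the remote subnet looks like. Seeing traffic in the IPsec Monitor alone does not distinguish the two; the "enter IPsec interface-" line does.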
Hi, thanks for the suggestion!
For version 6.0.8, I had to change "dst" to "daddr" and "src" to "saddr" in order to not get a syntax error. The other commands worked. Within the log output, I could see the message "enter IPsec interface-<name>". So from my point of view that confirms that the traffic is sent through the tunnel!?
Best Regards cust0m
Yes, it's daddr and saddr of course. Sorry for that one ;>
Yes, if you see "enter IPsec interface-..." in the output of flow debug, that means the traffic has entered the tunnel, and you would have to look at the opposite end of the tunnel, where it goes to when it leaves the tunnel again, if needed :)
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Thank you very much for your help - we will look at the opposite end of the tunnel. That means trying to get the tunnel working together with our customer :)
You can also diag sniffer packet <phase1 tunnel name> and see traffic in the tunnel also. Might be easier in some cases than debug flow.
Ken Felix
PCNSE
NSE
StrongSwan
Thanks, looks like a very simple solution and works great :) Let's say I'm trying to ping from 192.168.1.1 to 10.0.0.1 (no NAT involved) and I start the sniffer on the IPsec interface. Is it guaranteed that the traffic is sent over the tunnel if I see the ICMP request from 192.168.1.1 to 10.0.0.1 within the output of the sniffer?
Best Regards cust0m
Well, if you selected the ipsec-tunnel interface then yes, that will ensure it was entering the tunnel. If you selected the far-end device (assuming it's a FGT) it would ensure it was received in its tunnel interface.
Ken Felix
PCNSE
NSE
StrongSwan
OK thanks, I see.
In that case it was Fortigate to another vendor, so I think checking if the traffic is sent over the tunnel might be the most of what I can do.
Best Regards cust0m
Also "diag vpn tunnel list" will show you enc/dec pkts and bytes that also can confirm the tunnel is up and accepting traffic.
Just food for thought
Ken Felix
PCNSE
NSE
StrongSwan
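The enc/dec counters mentioned above are most useful as a before/after comparison: take a snapshot of `diag vpn tunnel list`, send a known number of packets, take a second snapshot, and look at the delta per tunnel. The following is an added example (not code from the original thread or from Fortinet) that parses the `dec:pkts/bytes=... , enc:pkts/bytes=...` lines of two snapshots and turns the delta into a verdict, including the one-way case the thread ends on (packets encrypted and sent, nothing decrypted back, so the far end needs checking). The snapshots, tunnel names and addresses are constructed placeholders modelled on the FortiOS output layout, not captured from the poster's device.

```python
import re

# Constructed "diag vpn tunnel list" snapshots (placeholder names/addresses),
# trimmed to the lines this example needs.
SNAPSHOT_BEFORE = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=vpn-customer ver=1 serial=1 203.0.113.2:0->203.0.113.1:0
stat: rxp=1200 txp=1180 rxb=98400 txb=96760
proxyid=vpn-customer proto=0 sa=1 ref=2 serial=1
  dec:pkts/bytes=1200/98400, enc:pkts/bytes=1180/96760
------------------------------------------------------
name=vpn-branch ver=1 serial=2 203.0.113.2:0->198.51.100.9:0
stat: rxp=0 txp=55 rxb=0 txb=4510
proxyid=vpn-branch proto=0 sa=1 ref=2 serial=2
  dec:pkts/bytes=0/0, enc:pkts/bytes=55/4510
"""

# Same device after sending five ICMP echo requests toward the customer subnet:
# enc went up by 5 on vpn-customer, dec did not move (no replies came back).
SNAPSHOT_AFTER = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=vpn-customer ver=1 serial=1 203.0.113.2:0->203.0.113.1:0
stat: rxp=1200 txp=1185 rxb=98400 txb=97170
proxyid=vpn-customer proto=0 sa=1 ref=2 serial=1
  dec:pkts/bytes=1200/98400, enc:pkts/bytes=1185/97170
------------------------------------------------------
name=vpn-branch ver=1 serial=2 203.0.113.2:0->198.51.100.9:0
stat: rxp=0 txp=55 rxb=0 txb=4510
proxyid=vpn-branch proto=0 sa=1 ref=2 serial=2
  dec:pkts/bytes=0/0, enc:pkts/bytes=55/4510
"""

NAME_RE = re.compile(r"^name=(\S+)")
COUNTER_RE = re.compile(r"dec:pkts/bytes=(\d+)/(\d+), enc:pkts/bytes=(\d+)/(\d+)")


def parse_tunnel_counters(text):
    """Map tunnel name -> {dec_pkts, dec_bytes, enc_pkts, enc_bytes} from one snapshot."""
    counters, current = {}, None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            current = m.group(1)  # counters that follow belong to this tunnel
            continue
        m = COUNTER_RE.search(line)
        if m and current:
            counters[current] = {
                "dec_pkts": int(m.group(1)), "dec_bytes": int(m.group(2)),
                "enc_pkts": int(m.group(3)), "enc_bytes": int(m.group(4)),
            }
    return counters


def counter_delta(before, after):
    """Per-tunnel difference after - before for every tunnel present in both snapshots."""
    b, a = parse_tunnel_counters(before), parse_tunnel_counters(after)
    return {name: {k: a[name][k] - b[name][k] for k in a[name]} for name in a if name in b}


def assess(delta, expected_pkts):
    """Turn one tunnel's delta into (status, explanation) given how many packets were sent."""
    enc, dec = delta["enc_pkts"], delta["dec_pkts"]
    if enc == 0:
        return "no-traffic", "nothing was encrypted: the packets never entered this tunnel"
    if enc < expected_pkts:
        return "partial", f"only {enc} of {expected_pkts} packets were encrypted into the tunnel"
    if dec == 0:
        return "one-way", f"{enc} packets sent, none received: check the far end of the tunnel"
    return "ok", f"{enc} packets sent and {dec} received: bidirectional traffic confirmed"


if __name__ == "__main__":
    for name, delta in counter_delta(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(name, delta, assess(delta, expected_pkts=5))
```

In practice the counters also tick for keepalives and other hosts using the same tunnel, so the delta should be read against a quiet baseline or combined with the sniffer on the tunnel interface rather than trusted on its own.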
Copyright 2024 Fortinet, Inc. All Rights Reserved.