Hi, I have a 40F with a new IPsec VPN configured.
The tunnel is not up and the sniffer shows no traffic going to the internet to the tunnel DID.
The tunnel setup traffic e.g. IKE would be originated by the 40F itself.
Do I need a policy entry to allow this traffic out?
Thanks.....
Hello slouw,
Yes, you typically need a policy entry to permit IPSec underlay traffic to connect, specifically allowing the traffic necessary for the establishment and maintenance of the VPN tunnel.
Hope the below document guide helps:
https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/520377/ipsec-vpns
Regards,
Shilpa C.P
Thanks @Shilpa1
I see in your link here:
VPN > IPSec VPNs > General IPSec VPN Config > Blocking Unwanted IKE/ESP Packets
That I presume you agree is not what I need?
If I were to create a policy rule what source interface should I specify?
Hello slouw,
You can check with the sniffer command if ESP packets are leaving the FGT itself. If you have NAT-T disabled you should be able to capture the traffic with the below command:
diag sniffer packet any "port 500" 4 0 l
In case you have multiple tunnels you can also add the remote GW IP as a filter in the sniffer,
e.g. diag sniffer packet any "host x.x.x.x and port 500" 4 0 l
If you see only "out" packets but no "in" run the same sniffer on the remote side and check if anything is being received on the remote side.
IKE debug on both sides should show relevant information also:
diagnose vpn ike log-filter dst-addr4 <Remote-GW>
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable
NOTE:
Starting from FortiOS 7.4.1, the 'diagnose vpn ike log-filter dst-addr4' command has been changed to 'diagnose vpn ike log filter rem-addr4'.
Hope this can be of help.
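The triage in the post above (no packets at all, "out" only, or both directions) is easy to do by eye for one tunnel but tedious for several. The script below is an added example, not code from the thread or from Fortinet: it parses verbose-4 lines of the shape that `diagnose sniffer packet any "port 500 or port 4500" 4 0 l` prints (timestamp, interface, direction, src.port -> dst.port, protocol and length, which is an assumption about the format made here), tallies IKE packets per remote gateway, flags NAT-T (UDP 4500), and classifies each peer. The sniffer output and all addresses in it are constructed for the example. Note that the FortiGate's own IKE packets are local-out traffic and are not matched against firewall policies, so a sniffer that shows nothing leaving at all points at the tunnel definition or routing rather than at a missing policy.

```python
import re
from collections import defaultdict

# Constructed sample output (not a real capture) in the assumed verbose-4
# format of: diagnose sniffer packet any "port 500 or port 4500" 4 0 l
# 203.0.113.10 plays the FortiGate's WAN address; the other addresses are
# documentation ranges standing in for remote gateways.
SAMPLE_SNIFFER_OUTPUT = """\
interfaces=[any]
filters=[port 500 or port 4500]
2024-01-10 10:00:01.123456 wan out 203.0.113.10.500 -> 198.51.100.20.500: udp 432
2024-01-10 10:00:02.223456 wan out 203.0.113.10.500 -> 198.51.100.20.500: udp 432
2024-01-10 10:00:03.323456 wan out 203.0.113.10.500 -> 198.51.100.20.500: udp 432
2024-01-10 10:00:05.000001 wan out 203.0.113.10.500 -> 192.0.2.77.500: udp 424
2024-01-10 10:00:05.100002 wan in 192.0.2.77.500 -> 203.0.113.10.500: udp 448
2024-01-10 10:00:05.200003 wan out 203.0.113.10.4500 -> 192.0.2.77.4500: udp 300
2024-01-10 10:00:05.300004 wan in 192.0.2.77.4500 -> 203.0.113.10.4500: udp 316
"""

# One sniffer line: "<date> <time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: udp <len>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<ifname>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): udp (?P<len>\d+)$"
)


def parse_sniffer(text):
    """Return one dict per packet line; header lines (interfaces=, filters=) are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for k in ("sport", "dport", "len"):
            d[k] = int(d[k])
        packets.append(d)
    return packets


def tally_by_peer(packets, local_ip):
    """Count IKE packets per remote gateway by direction and note whether UDP 4500 (NAT-T) was seen."""
    peers = defaultdict(lambda: {"out": 0, "in": 0, "nat_t": False})
    for p in packets:
        if p["dir"] == "out" and p["src"] == local_ip:
            peer = p["dst"]
        elif p["dir"] == "in" and p["dst"] == local_ip:
            peer = p["src"]
        else:
            continue  # not this gateway's own local-out/local-in IKE traffic
        peers[peer][p["dir"]] += 1
        if 4500 in (p["sport"], p["dport"]):
            peers[peer]["nat_t"] = True
    return dict(peers)


def classify(counts):
    """Map per-peer counts onto the three cases the troubleshooting post distinguishes."""
    if counts["out"] == 0 and counts["in"] == 0:
        return "no-traffic"     # FGT never initiates: look at the tunnel config/routing, not at policies
    if counts["in"] == 0:
        return "out-only"       # we send IKE but nothing returns: run the sniffer on the remote side
    if counts["out"] == 0:
        return "in-only"        # the peer initiates and we never answer: run the IKE debug locally
    return "bidirectional"      # exchange is happening; IKE debug shows why it does not complete


def ike_peer_summary(text, local_ip, expected_peers=()):
    """Per-peer counts plus state; configured peers that never appear are reported as no-traffic."""
    tally = tally_by_peer(parse_sniffer(text), local_ip)
    for peer in expected_peers:
        tally.setdefault(peer, {"out": 0, "in": 0, "nat_t": False})
    return {peer: dict(c, state=classify(c)) for peer, c in sorted(tally.items())}


if __name__ == "__main__":
    # 203.0.113.99 is a constructed "configured but silent" remote gateway.
    for peer, info in ike_peer_summary(SAMPLE_SNIFFER_OUTPUT, "203.0.113.10", ["203.0.113.99"]).items():
        print(f"{peer:16} out={info['out']:3} in={info['in']:3} nat_t={info['nat_t']!s:5} {info['state']}")
```

Paste a real capture in place of the constructed sample and give the script your WAN address and the remote gateways you configured; a peer that comes back as "no-traffic" is the situation the original poster describes, and the next step for it is the tunnel definition and the route to the remote gateway, not a firewall policy.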
Thanks I ran a sniffer trace and I am satisfied no IKE messages are being initiated.
I must have configured the tunnel incorrectly but not sure how.
Here is the tunnel config.
I can ping the far end underlay address from the CLI.
The wan interface is internet facing.
I need to work out what policy rule would work see post above...
FG40-Lab-6954S (pri_bms) # show
config system interface
    edit "pri_bms"
        set vdom "FG-traffic"
        set vrf 1
        set ip 10.4.10.34 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.4.10.1 255.255.255.0
        set snmp-index 17
        set interface "wan"
    next
end
Hi @slouw,
If the tunnel is not up, you need to run ike debug as mentioned by ezhupa. Please refer to https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-VPNs-tunnels/ta-p/195955
Regards,