Forticlient: Debug IPSEC

yuresh · ‎01-24-2024

Hello!

Is it really not possible to debug an IPSEC connection in the Forticlient? I am trying to establish a temporary connection to a cywall. The debigging possibilities of the Zywall are unfortunately also limited (or I can't find them) - so everything I get out of it is a "Phase 2 mismatch".

Best regards

https://vlc.onl/

syordanov · ‎01-24-2024

Dear yuresh,

It's possible to debug your IPsec tunnel, my suggestion is to the check the KB bellow :

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Understanding-IPsec-iked-debug-logs/ta-p/2...

Before doing a debug, my recommendation is to disable the offloading of your IPsec :

config vpn ipsec phase1-interface
edit phase-1-name
set npu-offload disable
end

And then run the IKE debug :

diagnose debug reset
diagnose debug app ike -1
diagnose debug console timestamp enable
diagnose debug enable

Regards,

Fortinet

.

sw2090 · ‎01-24-2024

Well IPSec debugging is a pain in the a*** by default. And that is not a fault of fortinet Its the same wherever you do ipsec :(

You don't get clear error msgs at all.

Also the ike debug log does only log ipsec phase1 but not phase2 at all.

So if it fails during phase2 you won't see it here...

--

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

syordanov · ‎01-24-2024

Hello,

With proposed debugs you can see phase-1/phase-2 negotiation and received proposal from remote peer. Please refer to the KB bellow :

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Understanding-IPsec-iked-debug-logs/ta-p/2...

Regards,

Fortinet

.

hbac · ‎01-24-2024

Hi @yuresh,

To enable debug on the FortiClient, please refer to https://community.fortinet.com/t5/FortiClient/Technical-Tip-How-to-enable-debug-log-in-FortiClient/t...

Regards,

Forticlient: Debug IPSEC

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website