Fortigate 100F ipsec between 2
Hi,
I have a strange bug. I have two FortiGate 100F with an IPsec connection up and running, and I have SSL VPN on one of them allowing me access to the other side. I can ping all the VMs on both sides from the SSL VPN, and I can ping "some" VMs between sites through IPsec. But there are 3 of them, 2 on side A and 1 on side B, that I cannot ping through IPsec (they are pingable from the SSL VPN only).
I'm new to this Forti brand, any tip will be great.
Thank you
id=20085 trace_id=20 func=resolve_ip_tuple_fast line=5953 msg="Find an existing session, id-0002f649, original direction"
id=20085 trace_id=20 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface IPSEC-ED, tun_id=0.0.0.0"
id=20085 trace_id=20 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel IPSEC-ED_0"
id=20085 trace_id=20 func=ipsec_common_output4 line=778 msg="No matching IPsec selector, drop"
id=20085 trace_id=20 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel IPSEC-ED_0"
id=20085 trace_id=20 func=ipsec_common_output4 line=778 msg="No matching IPsec selector, drop"
Check the phase2 selectors on the IPSEC-ED tunnel. Make sure all subnets that need to communicate are allowed.
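A small parser, added here as an example and not code from the thread or from Fortinet, that groups `diagnose debug flow` lines by trace_id and, for every trace that ended in the "No matching IPsec selector, drop" message, reports the tunnel and the src/dst pair that no phase2 selector covered. The sample trace is constructed: trace 20 mirrors the lines quoted above, while trace 21 and the print_pkt_detail lines are assumed.

```python
import re
from collections import defaultdict

# Constructed sample of `diagnose debug flow` output (not real device output).
# Trace 20 follows the lines quoted in the thread and ends in a selector drop;
# trace 21 is an assumed flow from a subnet that a phase2 selector does cover.
SAMPLE_TRACE = """\
id=20085 trace_id=20 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.10.102:1->192.168.20.50:2048) tun_id=0.0.0.0 from lan. type=8, code=0, id=1, seq=1."
id=20085 trace_id=20 func=resolve_ip_tuple_fast line=5953 msg="Find an existing session, id-0002f649, original direction"
id=20085 trace_id=20 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface IPSEC-ED, tun_id=0.0.0.0"
id=20085 trace_id=20 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel IPSEC-ED_0"
id=20085 trace_id=20 func=ipsec_common_output4 line=778 msg="No matching IPsec selector, drop"
id=20085 trace_id=21 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.10.50:1->192.168.20.50:2048) tun_id=0.0.0.0 from lan. type=8, code=0, id=1, seq=1."
id=20085 trace_id=21 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface IPSEC-ED, tun_id=0.0.0.0"
id=20085 trace_id=21 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel IPSEC-ED_0"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value, msg is quoted
PKT_RE = re.compile(r"proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+")
TUNNEL_RE = re.compile(r"output to IPSec tunnel (\S+)")
DROP_MSG = "No matching IPsec selector, drop"


def parse_trace(text):
    """Group debug flow lines by trace_id; each line becomes a dict of its fields."""
    traces = defaultdict(list)
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if "trace_id" in fields:
            traces[fields["trace_id"]].append(fields)
    return traces


def find_selector_drops(text):
    """One record per trace that ended in a selector drop: the tunnel it was sent
    to and the src/dst pair, so the phase2 selectors can be checked against them."""
    drops = []
    for trace_id, records in parse_trace(text).items():
        if not any(r.get("msg") == DROP_MSG for r in records):
            continue
        hit = {"trace_id": trace_id, "tunnel": None, "proto": None, "src": None, "dst": None}
        for r in records:
            msg = r.get("msg", "")
            if m := PKT_RE.search(msg):
                hit["proto"], hit["src"], hit["dst"] = int(m.group(1)), m.group(2), m.group(3)
            elif m := TUNNEL_RE.search(msg):
                hit["tunnel"] = m.group(1)
        drops.append(hit)
    return drops
```

Running `find_selector_drops(SAMPLE_TRACE)` on the sample returns only trace 20, dropped on IPSEC-ED_0 for 192.168.10.102 -> 192.168.20.50, which is the host pair to compare against the tunnel's phase2 src/dst selectors.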
Remote site A shows this on debug, and it doesn't stop scrolling (I shut down 102, but nothing changed).
You have to type "diag debug disable" to stop it, and "diag debug reset" to stop all debugs.
It's also showing that all the traffic is allowed, but it's all in the original direction; there is no reply.
I think the issue is the phase2 on remote site B.
Check this, is it normal to have two IPsec tunnels, one with _0?
Yep, the tunnel is probably a dialup / dynamic. See: https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/239039/dynamic-tunnel-interface-creatio...
Checking the session list I found this:
ofld_fail_reason(kernel, drv): not-established/not-established, IPSec-enc-SA-not-offloaded(6)/IPsec-dec-SA-not-offloaded(7)
npu_state_err=04/04
That message is indicating that the session is not being offloaded.
not-established: A TCP session is not in its established state (proto_state=01).
The option
Well, finally got this working, it was so easy.... NAT!
I need NAT enabled on one policy only, on both sides (ipsec->lan); now the systems are replying without problem. Fortinet support found that!
That's great to hear. With NAT enabled on the policies the traffic must be matching phase2 of the tunnel now.