Support Forum
Blackghost
New Contributor

Fortigate Strongswan IkeV2 Phase 2 Rekey

Hello,

I have a problem in phase 2 with rekeying.

I have 7 locations and my home office. At the locations I have 2x 30B v4.0,build0665, 3x 80C v5.0,build0310, 1x 60D v5.0,build0310 and 1x 100D v5.0,build4429; at home I have a server with Strongswan 4.5.2.

Between the 100D and Strongswan is a static tunnel; the other Fortis are configured as responder and strongswan as initiator.

The keylifetime is 1800s. After this time the 100D deletes the child_sa and phase 2 is down, but phase 2 doesn't come up again.

At the other locations I have a similar problem after rekeying in phase 2: I see phase 2 is up on both sides, but when I ping a host I don't get an answer. The packet passes the tunnel and goes to the host, the host sends an answer, and this packet goes into the tunnel interface of the Forti, but at home I don't see this packet on the LAN interface of my server. Strongswan is configured with the inactivity option (300s). After 300s phase 2 goes down. If I ping a host, I get an answer.

Does anyone have experience with Forti and Strongswan?

Thanks

Sorry, but my English is not the best.

1 Solution
emnoc
Esteemed Contributor III

Care to share the FGT and swan cfg? Do a search in the forum for a FGT-2-SSwan cfg by myself, or search Google for my blogspot.

https://forum.fortinet.com/tm.aspx?m=118799

http://socpuppet.blogspot...-trouble-shooting.html

For rekeying, make sure everything matches for proxy-ids and time values. You can use the de facto 1 hour (3600 secs) and that should do fine.

TIPS:

Also remember you have a packet sniffer on Linux and FortiGates, so you could start with a tcpdump of the traffic over the IPsec virtual interface when you're pinging the far end from either end and see if packets are actually being encrypted and decrypted.

If you don't have matching SPIs (my out === my far side in, and vice versa), then expect no traffic to be encrypted and decrypted.

Disable PFS on both sides if you believe it's any issue, but this should not be required.

And lastly, be careful of earlier Linux kernel releases and IKEv2. I believe I've seen problems with 2.2 and 2.4 kernels.

PCNSE NSE StrongSwan
3 REPLIES
Blackghost
New Contributor

Hello,

Thank you.

The problem with the 100D was that the name of the tunnel interface was too long.

The rekeying problem was a problem with multiple subnets.

For example, the FGT has on port1 the subnet 192.168.1.0/24, on vlan5 10.1.1.0/24 and on vlan10 172.16.1.0/24.

Phase 2 is configured with src-subnet 0.0.0.0/0.0.0.0, and strongswan is configured with rightsubnet=192.168.1.0/24,10.1.1.0/24,10.1.1.0/24 and the route option.

If I ping a host in the subnet 192.168.1.0/24 the tunnel comes up, and the FGT associates the SPI with this subnet. After a few minutes I work in another subnet, 10.1.1.0/24. Then, when the rekeying is over, I see the packet come out of the tunnel interface but it does not go into the LAN or VLAN interface.

I used IKEv2; in the man page I read that IKEv2 supports multiple subnets. I think the problem is the route option.

I configured in strongswan a separate connection for each subnet:

    conn F100
        right=xxx.xxx.xxx.xxx

    conn F100-1
        also=F100
        rightsubnet=192.168.1.0/24

    conn F100-2
        also=F100
        rightsubnet=10.1.1.0/24

    ...

And now everything is fine.

emnoc
Esteemed Contributor III

Yes, the local and remote subnets (left/right) need to match for the proxy-ids. Only when you're engaged with a Juniper or another FortiGate can you use 0.0.0.0/0:0 for left and right.

 

Ken

PCNSE NSE StrongSwan
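As an added example (not from the thread or from either vendor), a small Python checker that reads an ipsec.conf fragment in the shape of the one posted above, resolves also= inheritance, and flags the two mismatches this thread turned on: several rightsubnets in a single conn, and a phase 2 lifetime that does not equal the FortiGate keylifeseconds. The sample conf, the conn names and the 203.0.113.10 peer address are constructed.

```python
# Constructed sample in the shape of the thread's ipsec.conf: F100-all lists every
# subnet in one conn (the form that broke after rekey), F100-1 is the per-subnet form.
IPSEC_CONF = """
conn F100
    right=203.0.113.10
    lifetime=1h
conn F100-all
    also=F100
    rightsubnet=192.168.1.0/24,10.1.1.0/24,172.16.1.0/24
conn F100-1
    also=F100
    rightsubnet=192.168.1.0/24
    lifetime=1800s
"""

def parse_ipsec_conf(text):
    """Return {conn: {key: value}} with also= inheritance resolved (child overrides parent)."""
    conns, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    def resolve(name, seen=()):
        params = dict(conns[name])
        parent = params.pop("also", None)
        base = resolve(parent, seen + (name,)) if parent in conns and parent not in seen else {}
        return {**base, **params}
    return {name: resolve(name) for name in conns}

def lifetime_seconds(value):
    """strongswan time value: bare seconds or a number with an s/m/h/d suffix."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    return int(value[:-1]) * units[value[-1]] if value[-1] in units else int(value)

def check_conns(conns, fgt_keylife=1800):
    """Per conn: more than one rightsubnet, or a lifetime != the FortiGate keylifeseconds."""
    findings = {}
    for name, p in conns.items():
        subnets = [s for s in p.get("rightsubnet", "").split(",") if s]
        problems = []
        if len(subnets) > 1:
            problems.append("%d subnets in one conn; use one conn per subnet" % len(subnets))
        if "lifetime" in p and lifetime_seconds(p["lifetime"]) != fgt_keylife:
            problems.append("lifetime %s != FGT keylife %ds" % (p["lifetime"], fgt_keylife))
        findings[name] = problems
    return findings
```

Run check_conns(parse_ipsec_conf(IPSEC_CONF)) with the keylifeseconds from the FortiGate phase2 to see which conns still need attention; an empty list means the conn matches.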