IPSEC problem
Hi
I have a problem with a VPN between 2 FortiGates.
Site A is a FortiGate 100A 4.0 MR3 patch 15
Site B is a FortiGate 50B 4.0 MR3 patch 15
After 16 hours the VPN stops responding; I lose ping until I restart the FortiGate 50B (site B).
Bringing the VPN down and up from the web interface on both sites doesn't resolve the problem.
After restarting, during the day, the VPN works well without any lost packets. The problem always occurs during the night, when there are no active connections in site B.
Site A is the head office, and other IPsec tunnels with the same configuration as site B are connected there and work without problems.
IPsec is a policy-based configuration:
On both site A and site B the VPN is configured with these parameters:
PHASE 1
MODE: main
Encryption: AES128/MD5 - AES128/SHA1 - DES/MD5
Dh group: 2
Key life: 28800 seconds
XAUTH: disabled
Dead Peer Detection: Enabled
PHASE 2
Encryption: AES128/MD5 - AES128/SHA1
Enable replay detection: disabled
Enable perfect forward secrecy: enabled
DH Group: 2
Keylife: 28800 seconds
Autokey Keep Alive: enabled
Quick mode selector:
on site A: source 0.0.0.0/0 destination: 192.168.3.0/24
on site B: source 192.168.3.0/24 destination: 0.0.0.0/0
Policy:
site A: source (all vlan in site A) destination (lan site B: 192.168.3.0/24) Action IPSEC
site B: source (lan site B: 192.168.3.0/24) destination (vlan in site A) Action IPSEC
Log on site B when the problem occurred: I found these lines
msg="delete IPsec phase 2 SA" action="delete_ipsec_sa"
msg="delete IPsec phase 1 SA" action="delete_phase1_sa"
What can I try to resolve the problem?
Thanks
Andrea
What I would do before resetting anything is execute the diag sniffer packet command and specify ports 500 or 4500 between the 2 VPN peers. See if IKE or even ESP is being passed.
Qs:
Have you ensured that NAT is not an issue, and if any NAT-traversal timeout?
Execution of diag vpn ike gateway will provide details on whether IKE std or the NAT-T extension is being used.
Next, have you ensured that DPD is actively being used?
Once again, execution of the diag vpn ike gateway cmd will provide details on DPD and counters, and you can monitor the interval.
I would also issue diag debug app ike -1 when all stops, to try to identify what side is causing the issue.
You can use my link to the following blog for L2L VPN t-shooting.
http://socpuppet.blogspot.com/2013/10/site-2-site-routed-vpn-trouble-shooting.html
PCNSE
NSE
StrongSwan
Thank you for your answer.
I tried to execute diag vpn ike gateway:
On site B I have
vd: root/0
name: Montecchio
version: 1
interface: wan1 5
addr: 172.16.10.2:500 -> public ip site A:500
created: 24652s ago
IKE SA: created 1/1 established 1/1 time 6340/6340/6340 ms
IPsec SA: created 1/1 established 1/1 time 140/140/140 ms
id/spi: 0 3b4a487011db8c3a/2e520d79e9b7fe32
direction: initiator
status: established 24652-24646s ago = 6340ms
proposal: aes128-md5
key: 8f547fadea7ff48d-191e45bed97c224c
lifetime/rekey: 28800/3853
DPD sent/recv: 00000000/00000000
On site A:
vd: root/0
name: Spagna
version: 1
interface: wan1 2
addr: public IP site A:500 -> public IP site B:500
created: 24712s ago
IKE SA: created 1/2 established 1/1 time 250/250/250 ms
IPsec SA: created 1/2 established 1/1 time 120/120/120 ms
id/spi: 1108 3b4a487011db8c3a/2e520d79e9b7fe32
direction: responder
status: established 24700-24700s ago = 250ms
proposal: aes128-md5
key: 8f547fadea7ff48d-191e45bed97c224c
lifetime/rekey: 28800/3829
DPD sent/recv: 00000000/00000000
The VPN restarted this morning.
The DPD is showing 0000000/0000000; for the other VPNs it is enhanced.
Can it be a DPD issue?
That could be a big issue. I would enable DPD on the policy and use IKEv2.
e.g.
config vpn ipsec phase1
    edit Montecchio
        set dpd enable
        set dpd-retryinterval 20
    next
end
I also see an RFC 1918 address, but is this output sanitized? Or are you using NAT anywhere on the peer-VPN src address?
PCNSE
NSE
StrongSwan
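A small added diagnostic script (not from the thread or from Fortinet) that parses the diag vpn ike gateway entry quoted above and flags the two conditions the replies ask about: an RFC 1918 address on the IKE socket (NAT between the peers) and DPD counters at zero on an established SA. The sample output is constructed from the post, with site A's public IP replaced by a documentation address; treating the DPD counters as hex is an assumption.

```python
import ipaddress

# Constructed sample input: the site B entry from "diag vpn ike gateway" as pasted in the
# thread, with site A's public IP replaced by a documentation address (203.0.113.10).
SITE_B_OUTPUT = """\
vd: root/0
name: Montecchio
version: 1
interface: wan1 5
addr: 172.16.10.2:500 -> 203.0.113.10:500
created: 24652s ago
IKE SA: created 1/1 established 1/1 time 6340/6340/6340 ms
IPsec SA: created 1/1 established 1/1 time 140/140/140 ms
direction: initiator
status: established 24652-24646s ago = 6340ms
proposal: aes128-md5
lifetime/rekey: 28800/3853
DPD sent/recv: 00000000/00000000
"""

# RFC 1918 ranges: an IKE socket bound to one of these means NAT sits between the peers.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_gateway(text):
    """Turn one gateway entry into a dict keyed by the text before the first colon."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def check_gateway(fields):
    """Return finding codes for the conditions the replies ask about: NAT and DPD."""
    findings = []
    local, _, _remote = fields["addr"].partition("->")
    local_ip = ipaddress.ip_address(local.strip().rsplit(":", 1)[0])
    if any(local_ip in net for net in RFC1918):
        findings.append("behind-nat")  # NAT-T needed; the NAT device's UDP timeout matters
    # Assumption: the DPD counters are hex; both zero means no probes were ever exchanged.
    sent, recv = (int(x, 16) for x in fields["DPD sent/recv"].split("/"))
    if fields.get("status", "").startswith("established") and sent == 0 and recv == 0:
        findings.append("dpd-inactive")
    if "behind-nat" in findings and "dpd-inactive" in findings:
        # Idle tunnel behind NAT with nothing keeping the mapping alive: the responder
        # (site A) can lose its path back to the initiator once the mapping expires.
        findings.append("idle-nat-mapping-risk")
    return findings
```

Paste each peer's entry into parse_gateway and compare the findings for the initiator and responder sides.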
Mmmm... I don't understand very well.
In site A the FortiGate has a public IP and connects to site B's public IP.
In site B, the public IP is on the provider's router.
The FortiGate is connected to this router with the WAN port configured as "internal" for the provider's router.
Wan1 on the FortiGate is 172.16.10.2, which is on the internal LAN of the provider's router.
To do this on the FortiGate, I also configured a static route from 0.0.0.0/0 to 172.16.10.1 (the provider's router, which is the gateway).
On this router I configured port forwarding rules from any to the FortiGate, ports 500 and 4500 UDP.
No NAT is configured in the policy rules on either site. In the policy rule, allow inbound and allow outbound are configured.
No NAT Traversal configured.
DPD is enabled on both FortiGates!!
Maybe a provider router issue?
If you're being NAT'd then you need to enable NAT-T and possibly adjust any NAT timeouts. Do you have NAT-T enabled?
set nattraversal enable
PCNSE
NSE
StrongSwan
I enabled NAT traversal but DPD won't work.
I recreated phase 1 and phase 2 and the policy too.
The strange thing is that with another VPN site, with an identical firewall (FortiGate 50B) and configuration, I have no problems.
I think that the problem is the provider router. I have to check with another router.