I have a FGT40F (behind NAT) at a remote office and a FGT61F at my home office with an IPsec tunnel between them. Both were on 7.4.3 and all good. I updated the 40F to 7.4.4 and now the IPsec VPN will not connect. I rebooted both ends and tried to enter a new key and still no luck.
I then rolled the 40F back to 7.4.3 and loaded the config back onto it and it still won't connect. I've read about a new FW version changing something that affects VPN but I have not been able to tie that to my situation.
Thanks for any help.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello rfs3pa,
Could you have a look at this article to see if you are missing any configuration?
Hi @rfs3pa
Have you tried to run some debug commands:
diagnose vpn ike log-filter dst-addr4 <destination-IP>
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable
diagnose vpn ike gateway list name <tunnel-name>
I ran a packet capture from the remote office unit (the one behind NAT), and I see traffic flowing both directions on port 500 between it and the home office. I ran diagnose debug application ike -1 on both Fortis.
On the home office output there is no mention at all of the tunnel to the remote office.
On the remote office I am seeing this:
ike V=root:0:HomeOffice:659: initiator: main mode get 1st response...
ike V=root:0:HomeOffice:659: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike V=root:0:HomeOffice:659: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike V=root:0:HomeOffice:659: DPD negotiated
ike V=root:0:HomeOffice:659: VID FORTIGATE 8299031757A36082C6A621DE00000000
ike V=root:0:HomeOffice:659: peer is FortiGate/FortiOS (v0 b0)
ike V=root:0:HomeOffice:659: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike V=root:0:HomeOffice:659: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike V=root:0:HomeOffice:659: selected NAT-T version: RFC 3947
ike V=root:0:HomeOffice:659: negotiation result
ike V=root:0:HomeOffice:659: proposal id = 1:
ike V=root:0:HomeOffice:659: protocol id = ISAKMP:
ike V=root:0:HomeOffice:659: trans_id = KEY_IKE.
ike V=root:0:HomeOffice:659: encapsulation = IKE/none
ike V=root:0:HomeOffice:659: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike V=root:0:HomeOffice:659: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike V=root:0:HomeOffice:659: type=AUTH_METHOD, val=PRESHARED_KEY.
ike V=root:0:HomeOffice:659: type=OAKLEY_GROUP, val=MODP2048.
ike V=root:0:HomeOffice:659: ISAKMP SA lifetime=86400
ike 0:HomeOffice:659: out 09C0BDE7F582406B5B564FC5181341D804100200000000000000017C0A000104671E8AB3278439569BF0B6E5ABBB5558DB5F95FA2D5BE059B1E76797D056F303A737B45EA975A565E7663DC446DC29CB620CB3F933F9EF7467084521684F970951D2D6B941D1FD1F3B10617CF011E8493868EA622E53E499A2072E3128F981C78873A13786DAE8ABE211859DBEFCA32C82D7D35D23A46D05A2E1C9033E8BB263ADAA463726EB99E617CB8BBB698071A1FAB0820F0F57DC8B4A5C3883F361ECAC21ED81549FEF47036EFC8CD071982EB1E87E1BA15A6EBEE97AB9E9B745C97A3AAC4525786343C233E49BC1B1064A57041E0F224A97671D457C9DF35DDA73C428E1ECB7E4EBCB198988B6BD0B31F8EDB2FCE48692790EC2984389669063A0E8FE14000014F820E4AD5705EE7FCB8E10ED484D36FD14000024647608ABEF9A0B8038453E50A938467A534D578598444E12DCE0E3F2348C33A6000000248EF72A3FEBE5CE409626F68D8FA21A6C0C3E85FA147F47C9ADF0CA8C3BBF6079
ike V=root:0:HomeOffice:659: sent IKE msg (ident_i2send): 192.168.21.64:500->24.238.61.57:500, len=380, vrf=0, id=09c0bde7f582406b/5b564fc5181341d8
ike V=root:0: comes 24.238.61.57:500->192.168.21.64:500,ifindex=5,vrf=0,len=380....
ike V=root:0: IKEv1 exchange=Identity Protection id=09c0bde7f582406b/5b564fc5181341d8 len=380 vrf=0
ike 0: in 09C0BDE7F582406B5B564FC5181341D804100200000000000000017C0A000104D15E9B1849A4BF274821A2E2554E21E20EB30941476E9F6192B69294A3465EC1C574579F6A892C7C6A9A83B77F1D1879EE92FAF33516815D284BDD8968D4D9FC4A42A2617C79AFD2512BAE22FB2EDEBB1E0C49CECFC4D1700F9BB2F2D5972F38983F46878D244923A59774BB6F50A8B9885FDCC1FAF87254EA1E943188F9BA1E648E3D35193E3C1606880C1F0DE415C6A709FBFCA1A094ADBAA0AE634B2A29CB125FAC84270A2BE77BB334C904A50835F6EB608ABEB7EA2D68639CE70511A1C9523AED428C242EA7D991AA2DB7984A1B50A680FFAA1484D89D8C69F732A94E1C1E4112D3F166462194202DD1E717DB3F354F88D7C25B787EC3918261922A261D14000014245469C096691BA7A9B6CD3C8A1025F5140000247A186C51DD4E158A5CFB026554648B54D09F70AF7C7DB5D8AC1AE04F574863FF00000024647608ABEF9A0B8038453E50A938467A534D578598444E12DCE0E3F2348C33A6
Hello rfs3pa,
It looks like it is matching phase1 proposals but it is not getting past that. Could you take a screenshot of you VPN configuration? It may be related to the xAuth and phase2 selectors being used.
Here is the screen from the Home Office Forti. Let me know if you want to see any other sections.
d
You need to share remote office config as well.
Thanks
Here is the remote office
Hello rfs3pa,
Could you have a look at this article to see if you are missing any configuration?
Thanks so much for that! I had two DH groups and guess when I upgraded FW I really should have only had one.
FortiOS 7.4.4 introduced some changes related to VPN, including stricter handling of NAT-T (NAT Traversal) and new IPsec settings.
These might be causing issues with your tunnel, especially since one of your FortiGates is behind NAT. Make sure that NAT-T is enabled on both ends of the tunnel.
When you rolled back to 7.4.3, you may have restored the config, but certain settings from 7.4.4 could have affected the tunnel. Double-check the following:
Ensure that the encryption algorithms, Diffie-Hellman groups, and key lifetimes match on both sides.
Verify that the local and remote subnets are still correctly defined and matching on both firewalls.
Ensure both FortiGates are using the same IKE version (either IKEv1 or IKEv2).
Run debugging commands to check what’s failing in the IPsec negotiation:
On the 40F, run:
diagnose vpn ike log-filter addr <remote IP>
diagnose debug application ike -1
diagnose debug enable
Check the output for any error messages or clues, especially around the IKE negotiation process.
Even after rolling back, there might be some residual settings from 7.4.4 causing issues.
You could try to manually re-enter the IPsec settings (instead of restoring the config) and make sure everything is set correctly for 7.4.3 compatibility.
If you're still on 7.4.3 on the 61F, consider updating both FortiGates to the same firmware version (7.4.4 or 7.4.5).
This can sometimes resolve compatibility issues that appear when different versions are used.
Since the 40F is behind NAT, ensure that the NAT policy is configured correctly.
In some cases, FortiOS changes to NAT handling can break VPN connections, so confirming that NAT-T and the relevant NAT policies are correct is important.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1705 | |
1093 | |
752 | |
446 | |
230 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.