Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: IPsec Tunnels spinning and spinning
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IPsec Tunnels spinning and spinning
I am building VPNs to Rackspace CO-LOs from all of our Fortigates, we have 100e's and 30e's depending on facility size.
I created our end of the tunnel this evening on a Fortigate 30e. I did what I usually do, Run the wizard for the setup and then choose convert to custom to change the phase 1 and 2 settings as needed. When I finished the wizard and clicked on the IPSec Tunnels menu under VPN, I get the green spinning thing. It just spins for eternity. I did 'get vpn ipsec tunnel summary" and I can see my Tunnel there. a.) anyone have any idea why the thinking wheel just keeps spinning? more importantly, is there a doc somewhere that I can read how to use CLI to change the local subnet in phase 2. Its listed as 192.168.2.0/24 and it needs to be 192.168.4.0/22.
I want to learn the commands to see the contents of each phase and the syntax to make the change I need to make.
Any Document that could teach me CLI syntax would be awesome.
As would any specific help with aforementioned issues
this is the result of "diagnose vpn tunnel list" ------------------------------------------------------ name=rackspace ver=1 serial=1 104.137.186.200:0->161.47.114.90:0 bound_if=4 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0 proxyid_num=1 child_num=0 refcnt=11 ilast=5 olast=5 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0 dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=rackspace proto=0 sa=0 ref=1 serial=1 src: 0:192.168.1.0/255.255.255.0:0 [style="background-color: #ffff00;"]dst: 0:192.168.2.0/255.255.255.0:0 [style="background-color: #ffffff;"] This is the line I need to change... if I could just change this to 192.168.4.0/22... I think the tunnel would at least be up.[/style][/style]
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure about the spinning thing, what version are you on?
I usually look thorough the config file if I need to find where to config stuff in the CLI that I haven't done before:
So for the Phase 2:
config vpn ipsec phase2-interface edit "YourTunnelName" set phase1name "YourPhase1Tunnel" set proposal aes256-sha1 set dhgrp 20 set auto-negotiate enable set keylifeseconds 3600 set src-subnet 192.168.4.0 255.255.252.0 set dst-subnet 192.168.20.0 255.255.255.0
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
awesome thanks. im using 6.0.2 on a FG 30e
how do i go view the config file? That's really good advice and universally helpful for anything.
is there a CLI version of ls I can use to see config files?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Our configs gets backed up by Solarwinds Config Manager, but you can grab one through the web UI as per the attached screenshot
Download it and open with a txt editor. Do not encrypt the file or else you can't open it
You should be able to SSH to your management IP if it has been enabled
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nm
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To get a full config file, just download from your GUI...
Go to the main Dashboard screen and on the top right, click on "admin" (or whatever the username is that you logged in with). Click Configuration => Backup. Select Local PC and click OK.
This will save a text config file that you can open in any text editor.
To view the phase 2 config in CLI once changed...
# show vpn ipsec phase2-interface
If it hasn't changed, you have to enter "next" after making your change in CLI followed by "end".
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you want a full text config that includes all the default settings, from the CLI, enter...
# show full-configuration
This will dump out something quite large. Make sure you have plenty of scroll-back buffer in your console, or use something like putty that can dump that full output straight to a text file.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
one final question.
Since the GUI is worthless for VPN right now, how do I check if the ipsec tunnel is up in CLI?
Also, it seems i need to create a static route because the vpn says up in the monitor but I Cant ping the server through the vpn, theres something you can do where you can do a debug where I can ping the other side of the vpn from a local workstation and watch the route it takes trying to get out in the debug. Anyone know what that debugger is called? or what commands to use?
Then im done. :)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If it says up under the monitor tab it should be up. Usually the IPSEC VPN setup adds the static route for you, but you can double check that under your static routes.
Then it could just be an case of the rules not allowing ICMP... does your firewall policy for the VPN tunnel allow all traffic? And what about the other side, also allowing all or at least ICMP?
I usually lock down the tunnels to whatever ports are needed, and ICMP as per the screenshot on the IPSEC firewall policy, SQL traffic and ICMP only for that one
Follow commands form this to troubleshoot ipsc issues in the cli:
https://help.fortinet.com...ng/Troubleshooting.htm
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i had to write a static route on the other 30e with a tunnel to the same place, why I asked.
remember the monitor in the gui is only visible half the time, so I cant even use that to check if its up half the time, thats why im asking about the CLI, my company is too cheap to renew the support license, so the spinning in ipsec monitor and tunnels has to fix it itself.
Either way. Thanks for the advice Ill check it out.
Id still like to know the debugging trick the guy showed me earlier for watching the packets route in real time.
night all, thanks
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Virtual Server with Exchange OnPrem with... 142 Views
- AWS/Fortigate. Placing Website's admin panel behind... 707 Views
- SW-WAN Rules failed to save changes 3613 Views
- FortiGate cluster - status: Not Synchronized 2402 Views
- SSL-VPN with split tunneling mode 845 Views
Labels
-
FortiGate
8,465 -
FortiClient
1,713 -
5.2
801 -
FortiManager
712 -
5.4
639 -
FortiAnalyzer
547 -
FortiAP
457 -
FortiSwitch
456 -
6.0
416 -
FortiClient EMS
407 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
220 -
FortiWeb
199 -
5.0
196 -
IPsec
186 -
FortiNAC
176 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
75 -
Firewall policy
70 -
4.0MR3
64 -
FortiProxy
59 -
FortiADC
53 -
Fortivoice
52 -
High Availability
52 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
44 -
FortiSandbox
43 -
FortiDNS
42 -
DNS
40 -
Routing
39 -
BGP
38 -
LDAP
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
23 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
FortiSOAR
13 -
SSID
13 -
Static route
13 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1660 | |
| 1077 | |
| 752 | |
| 443 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.