Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jpereira
New Contributor

IPsec VPN - Interface Mode Tunnel Up but No Traffic Passing

I am having some trouble getting an Interface mode VPN up and running. At the current time the tunnel is showing as up but we are not able to pass any traffic over the tunnel. I have double checked the policies on both units and I have 1 for inbound and 1 for outbound on each unit, and I have also tried with NAT disabled and enabled. I have also verified that I have static routes in place to go over the tunnel. I am trying to create the tunnel between a FGT 60 and a FGT 80CM; both are running 3.0 MR7. We were able to get things up and running as Policy based, but I need them to be Route based.
Rick_H
New Contributor III

Did you look in your logs to make sure both P1 and P2 are coming up? If I remember correctly the tunnel will show "up" in the monitor once P1 passes without waiting for P2 to be fully up. If P2 isn't coming up then double check your subnets designated for interesting traffic and whatever you have set for your P2 SA proposal.
jpereira
New Contributor

I brought the tunnel down and then back up and this is what my logs are showing. How can I know if it is P1 or P2?

    1   2013-07-08 16:31:58  notice  negotiate    Initiator: tunnel 206.111.198.2, transform=ESP_3DES, HMAC_SHA1
    2   2013-07-08 16:31:58  notice  negotiate    Initiator: sent 206.111.198.2 quick mode message #2 (DONE)
    3   2013-07-08 16:31:58  notice  tunnel_up    IPsec tunnel to 206.111.198.2:500 is up
    4   2013-07-08 16:31:58  notice  install_sa   Initiator: tunnel 38.207.118.78/206.111.198.2 install ipsec sa
    5   2013-07-08 16:31:58  notice  negotiate    Initiator: sent 206.111.198.2 quick mode message #1 (OK)
    6   2013-07-08 16:31:55  notice  tunnel_down  IPsec tunnel to 206.111.198.2:500 is down
    7   2013-07-08 16:31:51  notice  negotiate    Initiator: tunnel 206.111.198.2, transform=ESP_3DES, HMAC_SHA1
    8   2013-07-08 16:31:51  notice  negotiate    Initiator: sent 206.111.198.2 quick mode message #2 (DONE)
    9   2013-07-08 16:31:51  notice  tunnel_up    IPsec tunnel to 206.111.198.2:500 is up
    10  2013-07-08 16:31:51  notice  install_sa   Initiator: tunnel 38.207.118.78/206.111.198.2 install ipsec sa
    11  2013-07-08 16:31:51  notice  negotiate    Initiator: sent 206.111.198.2 quick mode message #1 (OK)
    12  2013-07-08 16:31:48  notice  tunnel_down  IPsec tunnel to 206.111.198.2:500 is down
Rick_H
New Contributor III

Those logs look a bit different than what I'm used to, but if I am reading them correctly your P1 is definitely coming up (line 9, the ":500" part tells me it is the IKE tunnel). Right after that (lines 8 & 7) you get the P2 SA proposal, which doesn't appear to be accepted as the tunnel closes 5 seconds later (line 6). Make sure your SA proposal and source/destination addresses are matched up properly on both sides of the tunnel in your P2 config. Double check your firewall policies as well to make sure they are allowing the right subnets and services. If you still can't figure it out then post your IPSEC and relevant firewall policy configuration and we'll see if we can't figure out where the problem might be.
harald21
Contributor

Hello, try to sniff the packet flow:

    diag sniff packet any 'icmp and host x.x.x.x' 4

This shows you which way your packets are going. Sincerely, harald
jpereira
New Contributor

Thank you. The drop at line 6 is me bringing the tunnel down and then back up. I did try putting info into the source and destination address under the quick mode section on the advanced section of P2 parameters, but that has not worked. Below is the config from 1 of the units; public IPs have been modified.

    config system interface
        edit "internal"
            set vdom "root"
            set ip 192.168.240.1 255.255.255.0
            set allowaccess ping https http
            set type physical
        next
        edit "dmz"
            set vdom "root"
            set ip 10.10.10.1 255.255.255.0
            set allowaccess ping https
            set type physical
        next
        edit "wan1"
            set vdom "root"
            set ip 38.222.118.78 255.255.255.192
            set allowaccess ping https
            set type physical
        next
        edit "wan2"
            set vdom "root"
            set ip 192.168.101.99 255.255.255.0
            set allowaccess ping
            set type physical
        next
        edit "modem"
            set vdom "root"
        next
        edit "ssl.root"
            set vdom "root"
            set type tunnel
        next
        edit "HQtoBRp1"
            set vdom "root"
            set type tunnel
            set interface "wan1"
        next
    end
    config vpn ipsec phase1-interface
        edit "HQtoBRp1"
            set interface "wan1"
            set dpd enable
            set nattraversal enable
            set proposal 3des-sha1 3des-md5
            set remote-gw 206.222.198.2
            set psksecret ENC xXxzAUsATIeLdiWen6caEodi/QbrxY+7FOs53T9xN++eLAD4vvYG96l2VjET2VQaf3WbsV6+t++TzFUuG2GiXT1M+hUFc1ZH/t6CRdn0+3cLmkU2
        next
    end
    config vpn ipsec phase2-interface
        edit "HQtoBRp2"
            set pfs enable
            set phase1name "HQtoBRp1"
            set proposal 3des-sha1 3des-md5
        next
    end
    config firewall policy
        edit 1
            set srcintf "internal"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ANY"
            set nat enable
        next
        edit 2
            set srcintf "internal"
            set dstintf "HQtoBRp1"
            set srcaddr "HQnet"
            set dstaddr "BRnet"
            set action accept
            set schedule "always"
            set service "ANY"
        next
        edit 3
            set srcintf "HQtoBRp1"
            set dstintf "internal"
            set srcaddr "BRnet"
            set dstaddr "HQnet"
            set action accept
            set schedule "always"
            set service "ANY"
        next
    end
    config router static
        edit 1
            set device "wan1"
            set gateway 38.222.118.65
        next
        edit 2
            set device "HQtoBRp1"
            set distance 5
            set dst 192.168.230.0 255.255.255.0
        next
    end
    config firewall address
        edit "all"
        next
        edit "BRnet"
            set associated-interface "HQtoBRp1"
            set subnet 192.168.230.0 255.255.255.0
        next
        edit "HQnet"
            set associated-interface "internal"
            set subnet 192.168.240.0 255.255.255.0
        next
    end
rwpatterson
Valued Contributor III

What debugging have you done to date? Packet trace route? Sniff? Flow?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Rick_H
New Contributor III

What about the branch firewall config? Does it mirror what you have here? I never define an IPSec tunnel without defining the "interesting traffic" in the P2 config. It was a best-practice I learned when configuring VPN tunnels on Cisco gear ages ago. The "source" is the subnet local to the firewall and the "destination" is the remote subnet. That would be your "HQnet" and "BRnet" respectively on the HQ side and the reverse on the branch side. I also only include one SA proposal to keep things clean (so, just either 3des-sha1 OR 3des-md5 in your case but not both).
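A small checker, added here as an example and not Fortinet code or the poster's own config, that parses the flat FortiOS CLI form posted above and reports the three things this thread keeps coming back to: Phase 2 selectors (src-subnet/dst-subnet) left at their default, more than one Phase 2 proposal, and a missing firewall policy in either direction over the tunnel interface. The embedded sample is a constructed cut-down copy of the HQ side; the tunnel and policy names are the ones from the thread.

```python
import shlex

def parse_fortios(text):
    """Flat FortiOS CLI (config/edit/set) -> {table: {entry: {key: [values]}}}."""
    cfg, table, entry = {}, None, None
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            table = cfg.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit":
            entry = table.setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
    return cfg

def check_tunnel(cfg, p1):
    """Findings for one interface-mode tunnel named p1: P2 selectors set,
    a single P2 proposal, and firewall policies in both directions."""
    out = []
    for name, p2 in cfg.get("vpn ipsec phase2-interface", {}).items():
        if p2.get("phase1name") != [p1]:
            continue
        for key in ("src-subnet", "dst-subnet"):
            if key not in p2:  # an unset selector means 0.0.0.0/0 on FortiOS
                out.append(f"{name}: {key} not set")
        if len(p2.get("proposal", [])) > 1:
            out.append(f"{name}: {len(p2['proposal'])} proposals, keep one")
    pols = list(cfg.get("firewall policy", {}).values())
    for side, key in (("outbound", "dstintf"), ("inbound", "srcintf")):
        if not any(p.get(key) == [p1] for p in pols):
            out.append(f"no {side} policy on {p1}")
    return out

# Constructed sample: the thread's HQ config cut down to the relevant tables.
HQ = """config vpn ipsec phase2-interface
edit "HQtoBRp2"
set phase1name "HQtoBRp1"
set proposal 3des-sha1 3des-md5
next
end
config firewall policy
edit 2
set srcintf "internal"
set dstintf "HQtoBRp1"
next
edit 3
set srcintf "HQtoBRp1"
set dstintf "internal"
next
end
"""
```

Running check_tunnel(parse_fortios(HQ), "HQtoBRp1") on the sample flags the two unset selectors and the double proposal; once src-subnet, dst-subnet and a single proposal are set it returns an empty list.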