Hi,
I have an IPsec tunnel; the internal site3 can access remote site1, but remote site1 cannot access site3.
I have found that virtual-interface-addr 10.15.0.1 -> 10.15.0.254 is wrong; it should be 10.15.0.1 -> 10.15.0.4.
Can anyone help?
[site1]---[10.15.0.1]--vpn--[10.15.0.2]-[site2]
--vpn--[10.15.0.4]-[site3]
site 1 conf
config vpn ipsec phase1-interface
    edit "vpn01"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256
        set add-route disable
        set dpd on-idle
        set dhgrp 14
        set auto-discovery-sender enable
        set psksecret ENC
        set dpd-retryinterval 60
    next
end
config vpn ipsec phase2-interface
    edit "vpn01"
        set phase1name "vpn01"
        set proposal aes256-sha1 3des-sha1
        set dhgrp 14
    next
end
config system interface
    edit "vpn01"
        set vdom "root"
        set ip 10.15.0.1 255.255.255.255
        set type tunnel
        set remote-ip 10.15.0.254 255.255.255.0
        set interface "port1"
    next
end
diagnose vpn ike gateway list
vd: root/0
name: vpn01_0
version: 2
interface: port1 3
addr: wanip:500 -> wanip:500
tun_id: 10.15.0.2/::10.0.0.32
remote_location: 0.0.0.0
network-id: 0
transport: UDP
virtual-interface-addr: 10.15.0.1 -> 10.15.0.2
created: 5221s ago
peer-id: wanip
peer-id-auth: no
auto-discovery: 1 sender
PPK: no
IKE SA: created 1/1 established 1/1 time 10/10/10 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms
id/spi: 74 2dbf144f21a9b61c/78204501e66dd330
direction: responder
status: established 5221-5221s ago = 10ms
proposal: aes128-sha256
child: no
SK_ei: 8be65bce87fb035d-13616df6bf0b7591
SK_er: 70860c379fdc44ed-b57ffe16eeec3475
SK_ai: 6cbd9af9db567450-90239e485df37e2e-a6ed1ae165035823-ab3c08c8ed725dbb
SK_ar: 4ba3cb8c83eff2de-5ba4903f3e14dfd1-e5c6f21905964cf5-129eaf11d2ba99f1
PPK: no
message-id sent/recv: 0/2
QKD: no
lifetime/rekey: 86400/80908
DPD sent/recv: 00000000/00000000
peer-id: wanip
vd: root/0
name: vpn01_1
version: 2
interface: port1 3
addr: wanip:4500 -> wanip:4500
tun_id: wanip/::10.0.0.36
remote_location: 0.0.0.0
network-id: 0
transport: UDP
virtual-interface-addr: 10.15.0.1 -> 10.15.0.254
created: 1740s ago
peer-id: wanip
peer-id-auth: no
PPK: no
IKE SA: created 1/1 established 1/1 time 30/30/30 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms
id/spi: 104 7478193671bd48e6/45b5eafcb41b6385
direction: responder
status: established 1740-1740s ago = 30ms
proposal: aes128-sha256
child: no
SK_ei: b737511f8a136fa6-f8cded77588e805d
SK_er: ee44c6b1b334b766-4d94d44e808ee06c
SK_ai: 035ff938712122d1-d736031be553a7d3-0f422a371864b54a-a12bcec5f28edc2b
SK_ar: fefdd43ca39f4d6d-2b1392d86c5b4c77-188390b0911c0099-a0748e0a1f19ba26
PPK: no
message-id sent/recv: 0/175
QKD: no
lifetime/rekey: 86400/84389
DPD sent/recv: 00000000/00000000
peer-id: wanip
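The gateway list above is the place where the wrong virtual-interface-addr shows up, and on a hub with several dynamic spokes it is easy to miss one entry. The following parser is an added example (not FortiOS code and not from the poster): it splits `diagnose vpn ike gateway list` output into one record per gateway, collects the tun_id values, and flags any gateway whose remote virtual address is the generic `set remote-ip` value rather than a real spoke address, lies outside the tunnel subnet, or is missing from an expected peer list. The sample text is a constructed, shortened copy of the two gateways in the post; the function names and the `expected_peers` argument are my own choices.

```python
"""Parse FortiOS 'diagnose vpn ike gateway list' output and check each
gateway's virtual-interface-addr against the tunnel interface configuration.
Added illustration, not FortiOS code."""
import ipaddress

# Constructed sample: the two gateways from the post, reduced to the lines used here.
SAMPLE_GATEWAY_LIST = """\
vd: root/0
name: vpn01_0
version: 2
interface: port1 3
addr: wanip:500 -> wanip:500
tun_id: 10.15.0.2/::10.0.0.32
virtual-interface-addr: 10.15.0.1 -> 10.15.0.2
peer-id: wanip
direction: responder
status: established 5221-5221s ago = 10ms
peer-id: wanip
vd: root/0
name: vpn01_1
version: 2
interface: port1 3
addr: wanip:4500 -> wanip:4500
tun_id: wanip/::10.0.0.36
virtual-interface-addr: 10.15.0.1 -> 10.15.0.254
peer-id: wanip
direction: responder
status: established 1740-1740s ago = 30ms
peer-id: wanip
"""


def parse_gateway_list(text):
    """Split the output into one dict per gateway; a 'vd:' line opens a block.
    Keys that repeat inside a block (peer-id, PPK) keep their first value."""
    gateways, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "vd":
            current = {}
            gateways.append(current)
        if current is not None:
            current.setdefault(key, value)
    return gateways


def tun_ids(gateways):
    """IPv4 part of each tun_id (e.g. '10.15.0.2/::10.0.0.32' -> '10.15.0.2'),
    for cross-checking against tun_id values seen in a debug flow trace."""
    return {gw["tun_id"].split("/", 1)[0] for gw in gateways if "tun_id" in gw}


def check_virtual_addrs(gateways, local_ip, remote_ip, remote_mask, expected_peers=()):
    """Return (gateway name, finding) pairs. local_ip/remote_ip/remote_mask are
    the 'set ip' and 'set remote-ip' values of the tunnel interface; expected_peers
    (hypothetical input) are the spoke addresses you expect as remote virtual address."""
    subnet = ipaddress.ip_network(f"{remote_ip}/{remote_mask}", strict=False)
    findings = []
    for gw in gateways:
        name = gw.get("name", "?")
        via = gw.get("virtual-interface-addr", "")
        if "->" not in via:
            findings.append((name, "no virtual-interface-addr"))
            continue
        local, remote = (s.strip() for s in via.split("->", 1))
        if local != local_ip:
            findings.append((name, f"local {local} != configured ip {local_ip}"))
        if ipaddress.ip_address(remote) not in subnet:
            findings.append((name, f"remote {remote} outside tunnel subnet {subnet}"))
        elif remote == remote_ip:
            findings.append((name, f"remote {remote} is the configured remote-ip, not a peer address"))
        elif expected_peers and remote not in expected_peers:
            findings.append((name, f"remote {remote} not in expected peers"))
    return findings


if __name__ == "__main__":
    gws = parse_gateway_list(SAMPLE_GATEWAY_LIST)
    for name, finding in check_virtual_addrs(gws, "10.15.0.1", "10.15.0.254",
                                             "255.255.255.0", {"10.15.0.2", "10.15.0.4"}):
        print(f"{name}: {finding}")
```

Run against the post's values, the check reports only `vpn01_1`, whose remote virtual address is the hub's configured remote-ip 10.15.0.254 instead of the spoke address 10.15.0.4 that the poster expected; `vpn01_0` (remote 10.15.0.2) passes.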
Hello fox,
I hope you are doing well.
My suggestion is to check the following:
1. Check if the IPsec interfaces of 'site1' and 'site3' are in the same subnet;
2. Check the routing on 'site1' for the network behind 'site3':
# get router info routing-table details x.x.x.x <---- where x.x.x.x is the network behind site3
3. Generate test traffic from site1 to site3 and run debug flow/sniffer; it will be useful to do it on both devices (site1 and site3, to see if traffic is correctly forwarded/encrypted from site1 and correctly accepted/decrypted on site3):
###debug flow ####
diagnose debug reset
diagnose debug flow filter saddr XXXXXX <---- source IP
diagnose debug flow filter daddr XXXXXX <---- destination IP
Diagnose debug flow filter
diag debug flow show function-name enable
diag debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug flow trace start 99999
diagnose debug enable
###sniffer ####
diagnose sniffer packet any "host x.x.x.x and host y.y.y.y " 4 , where x.x.x.x is the source IP and y.y.y.y is the destination IP
Best regards,
Fortinet
Thanks, please check the information below:
1. Check if the IPsec interfaces of 'site1' and 'site3' are in the same subnet;
Same subnet: site1 10.15.0.1, site3 10.15.0.4
2. Check the routing on 'site1' for the network behind 'site3':
get router info routing-table details 192.168.183.1
Routing table for VRF=0
Routing entry for 192.168.183.0/24
Known via "bgp", distance 200, metric 0, best
Last update 00:54:37 ago
* vrf 0 10.15.0.4 priority 1 (recursive is directly connected, vpn01)
3.
diagnose debug enable
FG-SH-01 # 2023-12-27 17:28:32 id=65308 trace_id=130 func=print_pkt_detail line=5888 msg="vd-root:0 received a packet(proto=1, 192.168.184.1:44->192.168.183.1:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=44, seq=0."
2023-12-27 17:28:32 id=65308 trace_id=130 func=init_ip_session_common line=6073 msg="allocate a new session-0006b066"
2023-12-27 17:28:32 id=65308 trace_id=130 func=iprope_dnat_check line=5473 msg="in-[], out-[vpn01]"
2023-12-27 17:28:32 id=65308 trace_id=130 func=iprope_dnat_tree_check line=824 msg="len=0"
2023-12-27 17:28:32 id=65308 trace_id=130 func=iprope_dnat_check line=5494 msg="result: skb_flags-00000000, vid-0, ret-no-match, act-accept, flag-00000000"
2023-12-27 17:28:32 id=65308 trace_id=130 func=ip_session_confirm_final line=3111 msg="npu_state=0x0, hook=4"
2023-12-27 17:28:32 id=65308 trace_id=130 func=ipsecdev_hard_start_xmit line=662 msg="enter IPSec interface vpn01, tun_id=0.0.0.0"
2023-12-27 17:28:33 id=65308 trace_id=131 func=print_pkt_detail line=5888 msg="vd-root:0 received a packet(proto=1, 192.168.184.1:44->192.168.183.1:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=44, seq=1."
2023-12-27 17:28:33 id=65308 trace_id=131 func=resolve_ip_tuple_fast line=5976 msg="Find an existing session, id-0006b066, original direction"
2023-12-27 17:28:33 id=65308 trace_id=131 func=ipsecdev_hard_start_xmit line=662 msg="enter IPSec interface vpn01, tun_id=0.0.0.0"
2023-12-27 17:28:34 id=65308 trace_id=132 func=print_pkt_detail line=5888 msg="vd-root:0 received a packet(proto=1, 192.168.184.1:44->192.168.183.1:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=44, seq=2."
2023-12-27 17:28:34 id=65308 trace_id=132 func=resolve_ip_tuple_fast line=5976 msg="Find an existing session, id-0006b066, original direction"
2023-12-27 17:28:34 id=65308 trace_id=132 func=ipsecdev_hard_start_xmit line=662 msg="enter IPSec interface vpn01, tun_id=0.0.0.0"
2023-12-27 17:28:35 id=65308 trace_id=133 func=print_pkt_detail line=5888 msg="vd-root:0 received a packet(proto=1, 192.168.184.1:44->192.168.183.1:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=44, seq=3."
2023-12-27 17:28:35 id=65308 trace_id=133 func=resolve_ip_tuple_fast line=5976 msg="Find an existing session, id-0006b066, original direction"
2023-12-27 17:28:35 id=65308 trace_id=133 func=ipsecdev_hard_start_xmit line=662 msg="enter IPSec interface vpn01, tun_id=0.0.0.0"
2023-12-27 17:28:36 id=65308 trace_id=134 func=print_pkt_detail line=5888 msg="vd-root:0 received a packet(proto=1, 192.168.184.1:44->192.168.183.1:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=44, seq=4."
2023-12-27 17:28:36 id=65308 trace_id=134 func=resolve_ip_tuple_fast line=5976 msg="Find an existing session, id-0006b066, original direction"
2023-12-27 17:28:36 id=65308 trace_id=134 func=ipsecdev_hard_start_xmit line=662 msg="enter IPSec interface vpn01, tun_id=0.0.0.0"
diagnose sniffer packet any "host 192.168.184.1 and host 192.168.183.1 " 4
Using Original Sniffing Mode
interfaces=[any]
filters=[host 192.168.184.1 and host 192.168.183.1 ]
8.574248 vpn01 out 192.168.184.1 -> 192.168.183.1: icmp: echo request
9.574317 vpn01 out 192.168.184.1 -> 192.168.183.1: icmp: echo request
10.574382 vpn01 out 192.168.184.1 -> 192.168.183.1: icmp: echo request
11.574459 vpn01 out 192.168.184.1 -> 192.168.183.1: icmp: echo request
12.574533 vpn01 out 192.168.184.1 -> 192.168.183.1: icmp: echo request
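The debug flow and sniffer output above is what a responder reads to decide whether the packet ever left the hub correctly. As an added example (not FortiOS code and not from either poster), the helpers below group `diagnose debug flow` lines by trace_id, reduce each packet to the facts that matter (session new/existing, in/out interface, the IPsec interface and tun_id at egress), and count sniffer lines by interface and direction so a one-way flow (only `out` echo requests, no replies) is obvious. The tun_id cross-check is my own suggestion: it reports traces whose egress tun_id is not one of the tun_id values listed by `diagnose vpn ike gateway list`, which is worth comparing when the hub has several dynamic spokes. The sample lines are constructed, shortened copies of the output in this reply.

```python
"""Summarise FortiOS 'diagnose debug flow' and 'diagnose sniffer packet' output
so a one-way IPsec problem can be read off quickly. Added illustration, not
FortiOS code."""
import re
from collections import Counter

# Constructed sample: first two ICMP traces from the reply's debug flow output.
SAMPLE_FLOW = """\
FG-SH-01 # 2023-12-27 17:28:32 id=65308 trace_id=130 func=print_pkt_detail line=5888 msg="vd-root:0 received a packet(proto=1, 192.168.184.1:44->192.168.183.1:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=44, seq=0."
2023-12-27 17:28:32 id=65308 trace_id=130 func=init_ip_session_common line=6073 msg="allocate a new session-0006b066"
2023-12-27 17:28:32 id=65308 trace_id=130 func=iprope_dnat_check line=5473 msg="in-[], out-[vpn01]"
2023-12-27 17:28:32 id=65308 trace_id=130 func=ipsecdev_hard_start_xmit line=662 msg="enter IPSec interface vpn01, tun_id=0.0.0.0"
2023-12-27 17:28:33 id=65308 trace_id=131 func=print_pkt_detail line=5888 msg="vd-root:0 received a packet(proto=1, 192.168.184.1:44->192.168.183.1:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=44, seq=1."
2023-12-27 17:28:33 id=65308 trace_id=131 func=resolve_ip_tuple_fast line=5976 msg="Find an existing session, id-0006b066, original direction"
2023-12-27 17:28:33 id=65308 trace_id=131 func=ipsecdev_hard_start_xmit line=662 msg="enter IPSec interface vpn01, tun_id=0.0.0.0"
"""

# Constructed sample: three of the sniffer lines from the reply.
SAMPLE_SNIFFER = """\
8.574248 vpn01 out 192.168.184.1 -> 192.168.183.1: icmp: echo request
9.574317 vpn01 out 192.168.184.1 -> 192.168.183.1: icmp: echo request
10.574382 vpn01 out 192.168.184.1 -> 192.168.183.1: icmp: echo request
"""

FLOW_RE = re.compile(r'trace_id=(\d+)\s+func=(\S+)\s+line=\d+\s+msg="(.*)"\s*$')
PKT_RE = re.compile(r"received a packet\(proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+\)")
IFACE_RE = re.compile(r"in-\[([^\]]*)\], out-\[([^\]]*)\]")
TUN_RE = re.compile(r"enter IPSec interface (\S+), tun_id=([\d.]+)")
SNIFF_RE = re.compile(r"^\s*[\d.]+\s+(\S+)\s+(in|out)\s+(\S+) -> (\S+): (.*)$")


def parse_flow_trace(text):
    """Group (func, msg) pairs by trace_id, in the order they were printed."""
    traces = {}
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            traces.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return traces


def summarize_trace(steps):
    """Reduce one packet's trace to the facts that matter for a tunnel problem."""
    summary = {"session": None, "in_if": None, "out_if": None,
               "ipsec_if": None, "tun_id": None}
    for func, msg in steps:
        if func == "print_pkt_detail" and (m := PKT_RE.search(msg)):
            summary.update(proto=int(m.group(1)), src=m.group(2), dst=m.group(3))
        elif msg.startswith("allocate a new session"):
            summary["session"] = "new"
        elif msg.startswith("Find an existing session"):
            summary["session"] = "existing"
        elif func == "iprope_dnat_check" and (m := IFACE_RE.search(msg)):
            summary["in_if"], summary["out_if"] = m.group(1), m.group(2)
        elif func == "ipsecdev_hard_start_xmit" and (m := TUN_RE.search(msg)):
            summary["ipsec_if"], summary["tun_id"] = m.group(1), m.group(2)
    return summary


def traces_with_unknown_tun_id(text, known_tun_ids):
    """trace_ids whose IPsec egress step shows a tun_id that is not among the
    tun_id values taken from 'diagnose vpn ike gateway list' (hypothetical check)."""
    result = []
    for trace_id, steps in parse_flow_trace(text).items():
        s = summarize_trace(steps)
        if s["ipsec_if"] and s["tun_id"] not in known_tun_ids:
            result.append(trace_id)
    return result


def sniffer_counts(text):
    """Count sniffer lines by (interface, direction, description); a one-way
    flow shows up as 'out' requests with no matching 'in' replies."""
    counts = Counter()
    for line in text.splitlines():
        m = SNIFF_RE.match(line)
        if m:
            counts[(m.group(1), m.group(2), m.group(5))] += 1
    return counts


if __name__ == "__main__":
    for trace_id, steps in parse_flow_trace(SAMPLE_FLOW).items():
        print(trace_id, summarize_trace(steps))
    print(traces_with_unknown_tun_id(SAMPLE_FLOW, {"10.15.0.2", "wanip"}))
    print(sniffer_counts(SAMPLE_SNIFFER))
```

On the reply's data every trace leaves through vpn01 with tun_id=0.0.0.0, which matches none of the tun_id values in the poster's gateway list (10.15.0.2 and the redacted wanip), and the sniffer shows echo requests going out with nothing coming back; both facts line up with the symptom described in the thread rather than with a firewall-policy drop, which would have shown up in the flow trace before the IPsec egress step.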
Hello ,
From the provided debug flow I can see that the FortiGate allocates a new session and traffic is forwarded to the remote IPsec peer: msg="in-[], out-[vpn01]"
It seems this is local-out traffic; can you please check if host 192.168.184.1/32 is part of the remote encryption domain and is allowed by the FW rules?
Also please check on site1 whether there are errors on the vpn01 interface:
# fnsysctl ifconfig vpn0
Do you have a sniffer on site3 to verify whether that traffic is received and decrypted:
# diagnose sniffer packet any "host 192.168.184.1 and host 192.168.183.1 "
Best regards,
Fortinet
Yes, 192.168.184.1/32 was allowed in the FW rules.
No output after the command fnsysctl ifconfig vpn0.
I didn't find any related traffic on site3.
Hello ,
When you run the ICMP from site1 to site3, run the sniffer on site3 as follows:
diagnose sniffer packet any "host 192.168.184.1 and host 192.168.183.1 " 4
Best regards,
Fortinet
I didn't find any related traffic on site3 using the following command:
diagnose sniffer packet any "host 192.168.184.1 and host 192.168.183.1 " 4
Hi @fox,
You mentioned that the virtual-interface-addr was wrong; have you tried changing it? You can use the following commands:
config system interface
    edit "vpn01"
        set type tunnel
        set remote-ip 10.15.0.4 255.255.255.0
end
Regards,
This was ADVPN; it can't set the remote IP to a certain remote site's IP.