Hi all, why is the phase 2 showing a green and a red arrow? This is a Teltonika RUT901 connecting to a Fortigate 100F. Any advice would be appreciated.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello @BFieldy ,
According to this error, a new phase 2 addition has been made on the FortiGate side, but this addition has not been made on the other side or the settings seem to be incompatible.
Did you configure 2nd phase 2 selector on teltonica side?
Also, can you run these commands on Fortigate after that can you share the output with us?
diag debug disable
diag debug reset
diag vpn ike log-filter clear
diag vpn ike log-filter name RWAS_TEST_VPN
diag debug application ike -1
diag debug enable
Hello @ozkanaltas,
Before I run these commands will this cause any service issues with current VPNs running?
Hello @BFieldy ,
These commands does not affect your vpn traffic.Just shows debug logs which is not showing on gui.
Hi @BFieldy ,
Can you paste the output of commands below:
get vpn ipsec tunnel summary
diag vpn tunnel list name RWAS_TEST_VPN
diag vpn ike gateway list name RWAS_TEST_VPN
The below might also help:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-VPNs-tunnels/ta-p/195955
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Troubleshooting-IPsec-Site-to-Site-T...
Best regards,
Created on 05-24-2024 08:25 AM Edited on 05-24-2024 08:26 AM
Hello @fricci_FTNT,
'RWAS_TEST_VPN' 109.109.153.210:4500 selectors(total,up): 2/1 rx(pkt,err): 20424/0 tx(pkt,err): 0/0
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=RWAS_TEST_VPN ver=2 serial=5 10.255.255.253:4500->109.109.153.210:4500 tun_id=109.109.153.210 tun_id6=::109.109.153.210 dst_mtu=1500 dpd-link=on weight=1
bound_if=7 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0
proxyid_num=2 child_num=0 refcnt=7 ilast=5016 olast=51695743 ad=/0
stat: rxp=20424 txp=0 rxb=3184038 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=keepalive draft=0 interval=10 remote_port=4500
proxyid=RWAS_TEST_VPN proto=0 sa=1 ref=2 serial=5 auto-negotiate
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:109.109.153.210-109.109.153.210:0
SA: ref=4 options=18627 type=00 soft=0 mtu=1422 expire=28791/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00004fc4 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42897/43200
dec: spi=7439c315 esp=aes key=16 96a78e61fa2441571754539b8e21f044
ah=sha1 key=20 f254eba969e7e720e1bf0d18bb12e8777a18b4a0
enc: spi=cc9ac9ac esp=aes key=16 0b1acd12c9d49516b53cdda94769cc07
ah=sha1 key=20 59c5b0d4b5dbedf9892897b1dbcc72d30a36ed1a
dec:pkts/bytes=20428/3188808, enc:pkts/bytes=0/0
npu_flag=02 npu_rgwy=109.109.153.210 npu_lgwy=10.255.255.253 npu_selid=3e dec_npuid=1 enc_npuid=0
proxyid=RWAS_TEST_VPN proto=0 sa=0 ref=2 serial=1 auto-negotiate
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
run_tally=0
vd: root/0
name: RWAS_TEST_VPN
version: 2
interface: wan1 7
addr: 10.255.255.253:4500 -> 109.109.153.210:4500
tun_id: 109.109.153.210/::109.109.153.210
remote_location: 0.0.0.0
network-id: 0
virtual-interface-addr: 169.254.35.165 -> 0.0.0.0
created: 14202s ago
peer-id: teltonika
peer-id-auth: no
nat: me peer
PPK: no
IKE SA: created 1/1 established 1/1 time 4870/4870/4870 ms
IPsec SA: created 1/1 established 1/1 time 4870/4870/4870 ms
id/spi: 134539 42bea39f6145a995/2f00641e7c3e4264
direction: initiator
status: established 14202-14197s ago = 4870ms
proposal: aes128-sha256
child: no
SK_ei: b59f59a62a65ad94-38e48d89968a348e
SK_er: 9c0ab4b8bbf9f0c5-66a48e40885dff19
SK_ai: a0eed65b4baa30e2-3de058b0c85298a0-eb91385f69427d59-c80a8b914d93f844
SK_ar: 30b14a40546eea0b-396dbc7946e59036-7f1cd6d506d4758e-f76918c054529ead
PPK: no
message-id sent/recv: 2/0
lifetime/rekey: 43200/28702
DPD sent/recv: 00000000/00000000
peer-id: teltonika
Your phase2 config snippet + the "diag vpn tunnel list" give us the answer.
Your phase2 is configured with wildcard selectors, any IP allowed: 0.0.0.0/0->0.0.0.0/0.
However the other side negotiated a more specific selectors: 0.0.0.0/0 -> 109.109.153.210/32 (your side -> remote side)
Thus the outputs and the GUI status are showing two phase2 SAs:
1. The one that was negotiated:
proxyid=RWAS_TEST_VPN proto=0 sa=1 ref=2 serial=5 auto-negotiate
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:109.109.153.210-109.109.153.210:0
SA: ref=4 options=18627 type=00 soft=0 mtu=1422 expire=28791/0B replaywin=2048
[...]
2. The one that exists in the config but ended up not being agreed on (the SA is marked as red in the GUI):
proxyid=RWAS_TEST_VPN proto=0 sa=0 ref=2 serial=1 auto-negotiate
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
run_tally=0
This is normal with IKEv2, which supports selector narrowing, where both sides only need to find an overlap in their proposals to reach agreement.
In your case, this can be considered a problem if you are expecting both sides to agree on a wide-open SA (0/0->0/0), in which case you should reconfigure the remote peer to offer a wilde-open selector as well. Otherwise, this is normal and can be ignored.
Hello,
It looks like there are 2 IPsec phase2 configured. You may consider to verify by running the command below in CLI:
sh | grep -f RWAS_TEST_VPN (and check "config vpn ipsec phase2-interface" configuration section)
Created on 05-24-2024 08:20 AM Edited on 05-24-2024 09:05 AM
Hello, the command returns:
PRDICTFWD003 # sh | grep -f RWAS_TEST_VPN
config system interface
edit "RWAS_TEST_VPN" <---
set vdom "root"
set ip 169.254.35.165 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 169.254.35.166 255.255.255.252
set snmp-index 38
set interface "wan1"
next
end
config vpn ipsec phase1-interface
edit "RWAS_TEST_VPN" <---
set interface "wan1"
set ike-version 2
set local-gw 10.255.255.253
set keylife 43200
set peertype any
set net-device disable
set exchange-interface-ip enable
set proposal aes128-sha256
set localid "fortigate"
set nattraversal forced
set remote-gw 109.109.153.210
set psksecret ENC
next
end
config vpn ipsec phase2-interface
edit "RWAS_TEST_VPN" <---
set phase1name "RWAS_TEST_VPN" <---
set proposal aes128-sha1
set auto-negotiate enable
next
end
(didnt include the temporary allow all firewall rules)
config router static
edit 18
set dst 10.220.0.0 255.255.255.240
set device "RWAS_TEST_VPN" <---
next
end
Hello,
There is only one phase2 selector configured. It is not clear why there are 2 arrows for phase 2 in GUI though.
Both phase 1 and phase 2 are up:
IKE SA: created 1/1 established 1/1 time 4870/4870/4870 ms
IPsec SA: created 1/1 established 1/1 time 4870/4870/4870 ms
FortiGate output looks good. In case there is still connectivity issue, I would recommend to sniff the traffic "diagnose sniffer packet any 'host <destination IP address>' 4 0 a" while pinging host on the other site. In case connectivity looks good, you may consider rebooting FortiGate and check GUI output.
Moreover, you may consider to add widget GUI: Dashboard -> IPsec and check how many phase2 will be visible.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1692 | |
1087 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.