Support Forum
obi
New Contributor

Problem with IPSEC VPN

Hi, I have a problem with an IPsec VPN between two FortiGate firewalls. On one side I have a FG110C, on the other side a FG60C. The VPN was working well until I made a firmware update on the FG110C from v3 MR1 to v4.0 (MR3) Patch 15. Now the VPN remains down; the rest of the configuration works without any problem. The FG60C has the firmware v4.0,build5849,110804 (MR2). Is it possible that the MR3 on the 110C isn't compatible with the MR2? Thanks in advance, obi
9 REPLIES
ede_pfau
Esteemed Contributor III

I wouldn't think they are 'incompatible'. IPsec is a standard. But... 4.2 in the beginning was not too stable; the release you're using might have a bug in the VPN code. Try to upgrade to the latest MR2 patch (4.2.15). One other explanation would be that the VPN config is not 100% correct but you got away with it in v3 code. You would have to debug the setup via 'diag debug app ike -1' on the console. There have been numerous postings on the forums about this which might give you the right commands. I admit that debugging a VPN setup is not well supported through logging. The error messages mostly are cryptic or misleading, Microsoft style.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
Maik
New Contributor II

v3 MR1 to v4.0 (MR3) Patch 15.
Hi, did you follow the upgrade path? Compare the PFS settings in your Phase 2.
emnoc
Esteemed Contributor III

OP: probably auto-negotiation issues. Can you do a 'show full' for the IPsec config? And no, it's not a compatibility issue.

PCNSE NSE StrongSwan
rwpatterson
Valued Contributor III

Worst case, break it down and rebuild it on the upgraded unit. I have had IPsec tunnel connection failures after upgrades. You control both sides, so the pre-shared key isn't an issue.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Dipen
New Contributor III

Hi Patterson, while doing a debug on IPsec, is it possible to apply a filter? Say I have multiple IPsec VPNs and I want the console to show debugs for only one IPsec VPN.

Ahead of the Threat. FCNSA v5 / FCNSP v5

Fortigate 1000C / 1000D / 1500D

 

obi
New Contributor

Hi to everybody, thanks for the answers! I think first of all I'll make a firmware upgrade to check if this is the problem. Yes, I followed the upgrade path on the 110C. The option "Enable perfect forward secrecy (PFS)" is selected. In the event log of the 60C I get the following messages:

negotiate IPsec phase 1 error
negotiate progress IPsec phase 1

The last step will be the reconstruction of the IPsec tunnel. Thank you guys! Regards, obi
obi
New Contributor

Hi to everybody, so I found the solution and now I'm ashamed: I just re-entered a new pre-shared key in Phase 1 on both sides and now it works again... I hate those errors... spending an extreme amount of time, disturbing other people, and then a solution like that... Thanks and sorry! obi
ede_pfau
Esteemed Contributor III

been there, done that...

Ede

"Kernel panic: Aiee, killing interrupt handler!"
Dipen
New Contributor III

Always do a debug in the first place: diag debug vpn ike -1. A debug will immediately report a mismatch of pre-shared keys.

Ahead of the Threat. FCNSA v5 / FCNSP v5

Fortigate 1000C / 1000D / 1500D

 

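The thread recommends an IKE debug but never spells out the session, and Dipen's question about limiting the debug to one peer goes unanswered. The following is an added example, not taken from any post in this thread: a FortiOS console session that restricts the IKE debug to a single remote gateway and forces a fresh phase 1 negotiation. The peer address 203.0.113.2 and the phase1 name to-fg60c are placeholders. The syntax is the FortiOS 4.x/5.x form (log-filter); newer releases renamed the filter to 'diagnose vpn ike log filter', so confirm each command with '?' on the device before relying on it.

```text
# Added example (not from the thread): debug IKE for one peer only.
# Lines starting with '#' are annotations, not commands to type.
# Placeholders: 203.0.113.2 = remote gateway, to-fg60c = phase1 name.

# 1. Show only IKE messages exchanged with this remote gateway
diagnose vpn ike log-filter dst-addr4 203.0.113.2

# 2. Enable full IKE debug output (-1 = all levels) on this console/SSH session
diagnose debug application ike -1
diagnose debug enable

# 3. Tear down the current IKE SA so a new phase 1 is negotiated and traced
diagnose vpn ike gateway flush name to-fg60c

# ... watch the exchange: with a wrong PSK, main mode never completes ...

# 4. Stop the debug and clear the filter so it does not keep running
diagnose debug disable
diagnose debug reset
diagnose vpn ike log-filter clear
```

Why the event log alone was so unhelpful here: in IKEv1 main mode the pre-shared key is never sent, it only keys SKEYID (RFC 2409), so both sides complete the proposal and Diffie-Hellman exchanges normally and the mismatch only appears when the encrypted identity/hash messages (5 and 6) fail to decrypt or verify. The GUI log therefore shows just a generic phase 1 failure, whereas the IKE debug names the failing step; FortiOS typically flags it as a probable pre-shared secret mismatch, though the exact wording varies by release.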