Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Tomka
New Contributor II

Received ESP packet with unknown SPI.

Hello,

Tried to make IPSEC tunnel between my fortigate and server build on OPNsense.

My fortigate is 100F behind SNAT. SNAT is made by Virtual IP and forward connection form external IP to IP on loopback interface. Don't have any interface directly connected to internet so have to use Virtual IP as SNAT. 

Opnsense is also behind SNAT 1:1 .

Something like :

OPNsense 10.0.0.1/21<-->SNAT<-->95.100.100.1<-->Internet>95.100.200.1<-->SNAT on Virtual IP>10.200.0.1/32 on loopback<-->Local net

IPs are for show purposes only.

I've made successfully tunnel , phase1 and phase 2 is on green from both side.

Problem is that  that Fortigate receives incoming packets from OPNsense but reject it as it comes from unknown SPI. In log details I have correct local IP, correct remote IP and the most important correct SPI number from both sides.

I'v tried IKE v1 and v2 , with NAT nad without NAT and many other options. 

Nope, all the time Fortigate even if tunnel from both sides stay UP, he says that packet incoming from that tunnel is from unknown. Don't know how to check if Forti correctly see for example remote ID (this ID behind SNAT) of existing tunnel, maybe he see only IP from internet side, I don't know :(

From other hand why Forti allowed to make tunnel between sides , only for rejecting packets now?

I'm clueless what I can check more I hope that someone can show me some directions?

2 Solutions
Tomka
New Contributor II

So here come solution.

Forti has big problem if you attach IPSEC interface to loopback interface.

Something is wrong with recognition loopback interface as end of SNAT in IPSEC tunnel.

In the end tunnel can be set up but Forti will reject ESP packets as it comes from unknown source. 

So the solution is to cheat Forti and set ip address of loopback interface as the same as ip of external interface in the IPSEC tunnel. Than Forti doesn't see different ip on the end of SNAT and accept packet from tunnel.

The solution was find on Palo Alto forum as they had he similar problem, but they are a bit more active.

View solution in original post

Anonymous
Not applicable

Hello Tomka,

 

Thank you for posting to Fortinet Community Forums. We thank you for your patience. As per your query, yes, you can set the remote ID on the IPSEC configuration on your Forti device. However, the remote ID on Fortigate config is called peer ID. 


Please check the link mentioned below which helps in configuring peer ID.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Use-of-PeerID-and-LocalID-in-IPsec-VPN-bet...

 

# config vpn ipsec phase1-interface
    edit <phase1_name>
        set mode aggressive
        set type dynamic
        set peertype one
        set peerid "ftnt-peer"
    end

 

Please let us know if this helps

Thanks

View solution in original post

4 REPLIES 4
Tomka
New Contributor II

Hello, 

checked all day and still can't find why Forti reject correct packets.

It drives me crazy :)

Tomka
New Contributor II

Hi,

maybe the problem is due to a lack of setting remote ID on Forti. I only see Local ID in IPSEC settings. Is it possible to set Remote ID on IPSEC ?

Anonymous
Not applicable

Hello Tomka,

 

Thank you for posting to Fortinet Community Forums. We thank you for your patience. As per your query, yes, you can set the remote ID on the IPSEC configuration on your Forti device. However, the remote ID on Fortigate config is called peer ID. 


Please check the link mentioned below which helps in configuring peer ID.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Use-of-PeerID-and-LocalID-in-IPsec-VPN-bet...

 

# config vpn ipsec phase1-interface
    edit <phase1_name>
        set mode aggressive
        set type dynamic
        set peertype one
        set peerid "ftnt-peer"
    end

 

Please let us know if this helps

Thanks

Tomka
New Contributor II

So here come solution.

Forti has big problem if you attach IPSEC interface to loopback interface.

Something is wrong with recognition loopback interface as end of SNAT in IPSEC tunnel.

In the end tunnel can be set up but Forti will reject ESP packets as it comes from unknown source. 

So the solution is to cheat Forti and set ip address of loopback interface as the same as ip of external interface in the IPSEC tunnel. Than Forti doesn't see different ip on the end of SNAT and accept packet from tunnel.

The solution was find on Palo Alto forum as they had he similar problem, but they are a bit more active.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors