NRA
New Contributor

Route LAN over VTI interface over IPSEC Tunnel

Hello,
I am setting up a VPN tunnel between a FortiGate and a Stormshield using a VTI to mount IPsec (Phase 2).
Below is my architecture

[Architecture diagram: Sans titre.png]

The tunnel is established and UP (phase 1 + phase 2).
Phase 2 is mounted on the VTI (architecture constraint). I want to communicate between my two remote LANs.
I configured a security policy to manage my traffic and configured static routes to reach the LANs behind each firewall.

Traffic can't pass. After debugging, the packet always stops at phase 2 on the FortiGate side.
I would like to know how to make my VTI a network gateway so that I can route my current LAN and my future LANs.

Or I would like some feedback from someone who has built a VPN between a FortiGate and a Stormshield using a VTI as gateway.

Sincerely

Quint021
Staff

Hello @NRA,

Can you provide the debug flow for the traffic when replicating the issue, as well as the VPN details on the FortiGate?

di vpn ike gateway list name <tunnel_name>
di vpn tunnel list name <tunnel_name>

We will need to see how the FortiGate is processing the traffic.

Kind Regards,


NRA
New Contributor

Hello, you can see it below:

fwcore01 (CAMPUS-DMZ) # get vpn ike gateway

vd: CAMPUS-DMZ/1
name: TLS_FBR
version: 2
interface: port7 13
addr: 10.0.90.49:500 -> 10.0.90.50:500
created: 13055s ago
peer-id: 10.0.90.50
peer-auth: no
IKE SA  created: 1/1  established: 1/1  time: 20/20/20 ms
IPsec SA  created: 1/44  established: 1/44  time: 0/21/40 ms

  id/spi: 6897 74dce6c8b5bbd15d/3f2dc09e7d7d79a9
  direction: responder
  status: established 13055-13055s ago = 20ms
  proposal: aes-256-sha256
  SK_ei: c2da386335219d3d-6d4899d4658f9ad2-ac1cbbdc3b8a3a9b-a2e74581c3201040
  SK_er: 401034255b0c2d24-4fc6ed2e120c9913-f038326274e2f2aa-832dc7def480835e
  SK_ai: 61758040c5464378-6d7ddd24777825d2-5d447043ffa6eee1-64236c17b860656e
  SK_ar: d569bae2f12912cd-a713fa24bc821a01-047ec78fba1a9def-da4fcb39e71734ea
  lifetime/rekey: 21600/8274
  DPD sent/recv: 00000058/00000058


fwcore01 (CAMPUS-DMZ) # diagnose vpn tunnel list
list all ipsec tunnel in vd 1
------------------------------------------------------
name=TLS_FBR ver=2 serial=f 10.0.90.49:0->10.0.90.50:0 tun_id=10.0.90.50 tun_id6=::10.0.90.50 dst_mtu=1300 dpd-link=on weight=1
bound_if=13 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc  run_state=0 role=sync-primary accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=4 ilast=3 olast=3 ad=/0
stat: rxp=2620 txp=6877 rxb=295646 txb=127068
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=88
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=IPSEC_TLS_FBR proto=0 sa=1 ref=3 serial=100 auto-negotiate ads adf
  src: 0:10.0.91.49-10.0.91.49:0
  dst: 0:10.0.91.50-10.0.91.50:0
  SA:  ref=3 options=19a27 type=00 soft=0 mtu=1230 expire=2238/0B replaywin=2048
       seqno=db esn=0 replaywin_lastseq=000000da qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=3332/3600
  dec: spi=9fb20ba3 esp=aes key=32 a884165412f6d90424a09741e5baa6a991b7bb7ab1fd3cf48c4d5e537e1a061b
       ah=sha256 key=32 4df1b43a2f95ca442838788fcb054b57029a033c278f489443c72bf018754380
  enc: spi=c77b898b esp=aes key=32 e2ccf35b7dba5a55d24a26bb00f3c8e14231cfd506dbcf9bc46f1c5cced10b25
       ah=sha256 key=32 080bd74afbc760b35224482e81e4acb29484d73f0cde33fdbf6d4a03d727b691
  dec:pkts/bytes=436/15696, enc:pkts/bytes=436/31392
  npu_flag=00 npu_rgwy=10.0.90.50 npu_lgwy=10.0.90.49 npu_selid=147 dec_npuid=0 enc_npuid=0
run_tally=0


Thanks

hbac
Staff

Hi @NRA,


Can you collect debug flow and share the outputs? Please refer to this article: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...


Regards, 

NRA
New Contributor

Hello, you can see the debug flow below:

fwcore01 (CAMPUS-DMZ) # diag debug app ike -1
Debug messages will be on for 23 minutes.

fwcore01 (CAMPUS-DMZ) #
fwcore01 (CAMPUS-DMZ) # diagnose debug console timestamp enable

fwcore01 (CAMPUS-DMZ) #
fwcore01 (CAMPUS-DMZ) # diagnose debug enable

fwcore01 (CAMPUS-DMZ) # 2024-07-03 12:19:20.530032 ike 1:TLS_FBR:IPSEC_TLS_FBR: IPsec SA connect 13 10.0.90.49->10.0.90.50:0
2024-07-03 12:19:20.530054 ike 1:TLS_FBR:IPSEC_TLS_FBR: using existing connection
2024-07-03 12:19:20.530067 ike 1:TLS_FBR:IPSEC_TLS_FBR: config found
2024-07-03 12:19:20.530075 ike 1:TLS_FBR:IPSEC_TLS_FBR: tunnel is up, ignoring connect event
2024-07-03 12:19:22.675418 ike 1:TLS_FBR:IPSEC_TLS_FBR: IPsec SA connect 13 10.0.90.49->10.0.90.50:0
2024-07-03 12:19:22.675440 ike 1:TLS_FBR:IPSEC_TLS_FBR: using existing connection
2024-07-03 12:19:22.675453 ike 1:TLS_FBR:IPSEC_TLS_FBR: traffic triggered, serial=96 1:10.10.72.2:2048->1:192.168.1.3:0
2024-07-03 12:19:22.675460 ike 1:TLS_FBR:IPSEC_TLS_FBR: config found
2024-07-03 12:19:22.675468 ike 1:TLS_FBR:IPSEC_TLS_FBR: IPsec SA connect 13 10.0.90.49->10.0.90.50:500 negotiating
2024-07-03 12:19:22.675487 ike 1:TLS_FBR:6897:3252 initiating CREATE_CHILD exchange
2024-07-03 12:19:22.675493 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: PFS enabled
2024-07-03 12:19:22.675517 ike 1:TLS_FBR:6897: enc 2800003400000030010304049FB20B870300000C0100000C800E0100030000080300000C030000080400001C0000000805000000220000149ACE439152C56EAF31BFEEBDCF99AD822C000048001C0000480AA163488DE9C74FD22CDB5F36F65D4D1CE79AE3DF70909535E833287BEB6D947ADFC7165C9A1EDC8651203850D4D537A0EE84B2B600AAF13EEBF16BD846DA2D00002802000000070000100000FFFF0A0A48020A0A4802070000100000FFFF00000000FFFFFFFF0000002802000000070000100000FFFF0A211A030A211A03070000100000FFFF00000000FFFFFFFF0F0E0D0C0B0A0908070605040302010F
2024-07-03 12:19:22.675571 ike 1:TLS_FBR:6897: out 74DCE6C8B5BBD15D3F2DC09E7D7D79A92E2024000000000E0000013021000114CC9A22102A5EBECE7D0E940F400A64D6C82BAE3926328225023 4E75C76B1BF6FEAC1B6DC63BF4A8E9A52D5A03E81C2DAF31A8ACE0AF2BBEA715903183C795FD0C2A2B3553001B90713C9F62F18DCDAF489C0A77D7D714F5A4EC85390B63585CA59B32D286977EE0DFB5B28F7F88C0E9FE45F3EBFAB08B54D69F06C3CDA244A5D91B37BF486633D14D5153721F8ECA72A190DB11581B0D7747D0BBDA1096C51E3DB593E06234B54AF43F3C96EBD4B9A34EA52564A5A481487BB1486397D30177F518867FB7792C93AE5F6C4531CE53A7DC7DDC7E75411A47605CD06B557540877174D4BE2973CFCE7476523056B883BC074C03709C6CD3302E621946CF011DC024A83AE25C39AB1D36698B7231075135D
2024-07-03 12:19:22.675601 ike 1:TLS_FBR:6897: sent IKE msg (CREATE_CHILD): 10.0.90.49:500->10.0.90.50:500, len=304, vrf=0, id=74dce6c8b5bbd15d/3f2dc09e7d7d79a9:0000000e
2024-07-03 12:19:22.705716 ike 1: comes 10.0.90.50:500->10.0.90.49:500,ifindex=13,vrf=0....
2024-07-03 12:19:22.705733 ike 1: IKEv2 exchange=CREATE_CHILD_RESPONSE id=74dce6c8b5bbd15d/3f2dc09e7d7d79a9:0000000e len=288
2024-07-03 12:19:22.705741 ike 1: in 74DCE6C8B5BBD15D3F2DC09E7D7D79A92E2024280000000E00000120210001046EB9AD5BBB2449B1C25D9FEF08D02C6464F240332DFF0666548D05E690E61940B744A3DED3B979A2F1B3EC4C1765278F7C1E83761ECC42BFE1568E2298D714F6BDD85966BBAB230EF7BB8BB6FCDCDC9BB9B157C4EBC4D762E238E204269C05D576ED1ED1B49AAC88395BDDBD9B465206CAA45D727AAFE574909D787E2E41146CCDF17C801045196FBC10F619E69D32EF442239723FA11D2162310F4C375B0059153144E48C6AC9B36DA34929386FD349F677E51C06F005FE29107035F333FAE505F69202685DC17FCE75041703BF70F7386A106E3D6C4E150BDC5FFB5FF677D086F0983AC99CFC6C4E400CA0957CEE854041336AF17C500D424BE0ABCE782AF2
2024-07-03 12:19:22.705752 ike 1:TLS_FBR: HA state master(2)
2024-07-03 12:19:22.705782 ike 1:TLS_FBR:6897: dec 74DCE6C8B5BBD15D3F2DC09E7D7D79A92E2024280000000E000000F021000004280000340000003001030404CEAAB9E90300000C0100000C800E0100030000080300000C030000080400001C000000080500000022000024467322E7424105A896C3ADFF9D7A3AF20B0FF902A6D54DDFF2A62B23B2B1450A2C000048001C0000046C03EE85871EAFF0BB5DEFF99B0EFD1993407C36408E805BC197D7461961A66E013E8E5A4359AA72F0EC3E0D8F3F1F10EC3DC75F7B29579E5AFAA5F41C9A342D00001801000000070000100000FFFF0A005B310A005B310000001801000000070000100000FFFF0A005B320A005B32
2024-07-03 12:19:22.705792 ike 1:TLS_FBR:6897: received create-child response
2024-07-03 12:19:22.705798 ike 1:TLS_FBR:6897: initiator received CREATE_CHILD msg
2024-07-03 12:19:22.705803 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: found child SA SPI 9fb20b87 state=3
2024-07-03 12:19:22.705809 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: PFS enabled, group=28
2024-07-03 12:19:22.706761 ike 1:TLS_FBR:6897:3252: peer proposal:
2024-07-03 12:19:22.706770 ike 1:TLS_FBR:6897:3252: TSr_0 0:10.0.91.50-10.0.91.50:0
2024-07-03 12:19:22.706776 ike 1:TLS_FBR:6897:3252: TSi_0 0:10.0.91.49-10.0.91.49:0
2024-07-03 12:19:22.706782 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: comparing selectors
2024-07-03 12:19:22.706796 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: matched by rfc-rule-2
2024-07-03 12:19:22.706801 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: phase2 matched by subset
2024-07-03 12:19:22.706807 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: accepted proposal:
2024-07-03 12:19:22.706813 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: TSr_0 0:10.0.91.50-10.0.91.50:0
2024-07-03 12:19:22.706818 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: TSi_0 0:10.0.91.49-10.0.91.49:0
2024-07-03 12:19:22.706824 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: autokey
2024-07-03 12:19:22.706829 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: incoming child SA proposal:
2024-07-03 12:19:22.706834 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: proposal id = 1:
2024-07-03 12:19:22.706839 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: protocol = ESP:
2024-07-03 12:19:22.706844 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: encapsulation = TUNNEL
2024-07-03 12:19:22.706849 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: type=ENCR, val=AES_CBC (key_len = 256)
2024-07-03 12:19:22.706854 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: type=INTEGR, val=SHA256
2024-07-03 12:19:22.706859 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: type=DH_GROUP, val=ECP256BP
2024-07-03 12:19:22.706863 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: type=ESN, val=NO
2024-07-03 12:19:22.706869 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: matched proposal id 1
2024-07-03 12:19:22.706874 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: proposal id = 1:
2024-07-03 12:19:22.706878 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: protocol = ESP:
2024-07-03 12:19:22.706883 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: encapsulation = TUNNEL
2024-07-03 12:19:22.706887 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: type=ENCR, val=AES_CBC (key_len = 256)
2024-07-03 12:19:22.706892 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: type=INTEGR, val=SHA256
2024-07-03 12:19:22.706896 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: type=DH_GROUP, val=ECP256BP
2024-07-03 12:19:22.706900 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: type=ESN, val=NO
2024-07-03 12:19:22.706905 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: lifetime=3600
2024-07-03 12:19:22.706932 ike 1:TLS_FBR: schedule auto-negotiate
2024-07-03 12:19:22.706938 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: replay protection enabled
2024-07-03 12:19:22.706943 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: set sa life soft seconds=3297.
2024-07-03 12:19:22.706948 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: set sa life hard seconds=3600.
2024-07-03 12:19:22.706969 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: IPsec SA selectors #src=1 #dst=1
2024-07-03 12:19:22.706975 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: src 0 7 0:10.0.91.49-10.0.91.49:0
2024-07-03 12:19:22.706981 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: dst 0 7 0:10.0.91.50-10.0.91.50:0
2024-07-03 12:19:22.706987 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: add dynamic IPsec SA selectors
2024-07-03 12:19:22.707007 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: added dynamic IPsec SA proxyids, existing serial 98
2024-07-03 12:19:22.707013 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: add IPsec SA: SPIs=9fb20b87/ceaab9e9
2024-07-03 12:19:22.707018 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: IPsec SA dec spi 9fb20b87 key 32:4772BD9315B1A7EDDC13B643C63E3B2ED3E9E485B6ED6088523E12CB1E748FA2 auth 32:BFDC9CEA2BEF0DCD604FCC45F218BCD43A2CA35E6DFE10B8C63D0337EA8BCE79
2024-07-03 12:19:22.707024 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: IPsec SA enc spi ceaab9e9 key 32:B50B5A2A191D9D8A6901C47123E85E481B9F42C6AC2BA07A3E235BC284377EB5 auth 32:B8DFE056D79117B6C3C35618278F1BB00D33F5C6E3E241F1C04098F6B85856EA
2024-07-03 12:19:22.707111 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: added IPsec SA: SPIs=9fb20b87/ceaab9e9
2024-07-03 12:19:22.707132 ike 1:TLS_FBR: HA send IKE connection add 10.0.90.49->10.0.90.50
2024-07-03 12:19:22.707147 ike 1:TLS_FBR:6897: HA send IKE SA add 74dce6c8b5bbd15d/3f2dc09e7d7d79a9
2024-07-03 12:19:22.707156 ike 1:TLS_FBR: HA send IKEv2 message ID update send/recv=15/14
2024-07-03 12:19:22.707179 ike 1:TLS_FBR: IPsec SA c9be46cc/9fb20b83 hard expired 13 10.0.90.49->10.0.90.50:0 SA count 3 of 3
2024-07-03 12:19:22.707194 ike 1:TLS_FBR: IPsec SA 9fb20b83 delete failed: 2
2024-07-03 12:19:22.707200 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3243: sending delete for IPsec SA SPI 9fb20b83
2024-07-03 12:19:22.707208 ike 1:TLS_FBR:6897:3253: send informational
2024-07-03 12:19:22.707215 ike 1:TLS_FBR:6897: enc 0000000C030400019FB20B8303020103
2024-07-03 12:19:22.707236 ike 1:TLS_FBR:6897: out 74DCE6C8B5BBD15D3F2DC09E7D7D79A92E2025000000000F000000502A000034D4A96A6BAE04F904B57C11913F6B795769823B9D826CCF36173B364A918A9972A707D0F1B65ED3E551075B35D4B361D8
2024-07-03 12:19:22.707255 ike 1:TLS_FBR:6897: sent IKE msg (INFORMATIONAL): 10.0.90.49:500->10.0.90.50:500, len=80, vrf=0, id=74dce6c8b5bbd15d/3f2dc09e7d7d79a9:0000000f
2024-07-03 12:19:22.730360 ike 1: comes 10.0.90.50:500->10.0.90.49:500,ifindex=13,vrf=0....
2024-07-03 12:19:22.730382 ike 1: IKEv2 exchange=INFORMATIONAL_RESPONSE id=74dce6c8b5bbd15d/3f2dc09e7d7d79a9:0000000f len=80
2024-07-03 12:19:22.730389 ike 1: in 74DCE6C8B5BBD15D3F2DC09E7D7D79A92E2025280000000F000000502A00003447020B07C55C83C316CB604128F78F15BAC75EB93A5CCD84FF3BFC3F497EB4EDE69EFD4BA8AAC8ADA20CB8B6F944DF74
2024-07-03 12:19:22.730397 ike 1:TLS_FBR: HA state master(2)
2024-07-03 12:19:22.730440 ike 1:TLS_FBR:6897: dec 74DCE6C8B5BBD15D3F2DC09E7D7D79A92E2025280000000F0000002C2A0000040000000C03040001C9BE46CC
2024-07-03 12:19:22.730448 ike 1:TLS_FBR:6897: received informational response
2024-07-03 12:19:22.730454 ike 1:TLS_FBR:6897:3253: processing informational acknowledgement
2024-07-03 12:19:22.730460 ike 1:TLS_FBR:6897: processing delete ack (proto 3)
2024-07-03 12:19:22.730466 ike 1:TLS_FBR: deleting IPsec SA with SPI c9be46cc
2024-07-03 12:19:22.730494 ike 1:TLS_FBR: IPsec SA with SPI c9be46cc deletion failed: 2
2024-07-03 12:19:23.683655 ike 1:TLS_FBR:IPSEC_TLS_FBR: IPsec SA connect 13 10.0.90.49->10.0.90.50:0
2024-07-03 12:19:23.683674 ike 1:TLS_FBR:IPSEC_TLS_FBR: using existing connection
2024-07-03 12:19:23.683681 ike 1:TLS_FBR:IPSEC_TLS_FBR: traffic triggered, serial=96 1:10.10.72.2:2048->1:192.168.1.3:0
2024-07-03 12:19:23.683687 ike 1:TLS_FBR:IPSEC_TLS_FBR: config found
2024-07-03 12:19:23.683695 ike 1:TLS_FBR:IPSEC_TLS_FBR: IPsec SA connect 13 10.0.90.49->10.0.90.50:500 negotiating
2024-07-03 12:19:23.683712 ike 1:TLS_FBR:6897:3254 initiating CREATE_CHILD exchange
2024-07-03 12:19:23.683717 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: PFS enabled
2024-07-03 12:19:23.683737 ike 1:TLS_FBR:6897: enc 2800003400000030010304049FB20B880300000C0100000C800E0100030000080300000C030000080400001C000000080500000022000014C5E576559CA6E767283678574E0E43A32C000048001C0000939B9C03AB0908C3E429B071C0B9C8BAAA02FA906A7E9F24B1EE1EB6170234A3014E61FA1A116E606BA72E07ABA41E046EAC8563B8190ECB39E2281F120EA24B2D00002802000000070000100000FFFF0A0A48020A0A4802070000100000FFFF00000000FFFFFFFF0000002802000000070000100000FFFF0A211A030A211A03070000100000FFFF00000000FFFFFFFF0F0E0D0C0B0A0908070605040302010F
2024-07-03 12:19:23.683784 ike 1:TLS_FBR:6897: out 74DCE6C8B5BBD15D3F2DC09E7D7D79A92E202400000000100000013021000114CA5D4C07BF1BAFF6746AE8E9E57CFCF55FE9E2F537A0C0CC18AD1D270464747D2C3FE6AD1FFE14B085010C2867813CF527A8419D1192FEAFC936423DD2D4EB82BFEAF5029B1830A9AC6B54E9A5E942BE3B8B5CBC76A4E43FCB718E3A0273BE25A9D5804D71B9F1AA5D238365820B013426CBBC9E811BB78C71DD359781F7F58B003678C2EEDDFDED32F2AD94882C932742A6F4C7456B9E5A86F61C2DBF53DF96B6A3DDAE817E64CE4C327E44C4694F6D0004150D8D84B68F0B8021137857071787FD25FAB90DE4455C8A64C36B9B51244079B694593797FC1D13938FD786D8493558F1141446437FFDAFD3DA2C7152BF15C05209EE4F80F5158AC250D34853694D51A596F0AD883D9A62F6D5669066F6
2024-07-03 12:19:23.683811 ike 1:TLS_FBR:6897: sent IKE msg (CREATE_CHILD): 10.0.90.49:500->10.0.90.50:500, len=304, vrf=0, id=74dce6c8b5bbd15d/3f2dc09e7d7d79a9:00000010
2024-07-03 12:19:23.713764 ike 1: comes 10.0.90.50:500->10.0.90.49:500,ifindex=13,vrf=0....
2024-07-03 12:19:23.713779 ike 1: IKEv2 exchange=CREATE_CHILD_RESPONSE id=74dce6c8b5bbd15d/3f2dc09e7d7d79a9:00000010 len=288
2024-07-03 12:19:23.713786 ike 1: in 74DCE6C8B5BBD15D3F2DC09E7D7D79A92E2024280000001000000120210001044FDD7805E61021FC2769F917FB6A7A3F4363E5E094B3FA7E6D2D96582888DE66BA08E333139C6CEB2E0EE8A72218FF49E42780D2260BC013419503251D065F797CBE89C790D357948131244842153E02F78D617D812A297ECA4A99F4469EA0FDA3F1646AD1E8721C997A660CC3CEE975F432740F857C3C273CEFCEDD3471EC66E55A671085C08E1AF4625D075BB41352DF7B157FEB71075B605B6F37C622E18A5D5E666B1AA81523EC22A5C1C0DC85CFC25BDBF4220F78FBE63908320F67D3ABB86BA1046037F2F6FEEB867ED5EA8837FE8FF35E8E4091E431068134EA8E0AFCC686E1A90648C3967DD746C8920E45BD5A457E2CB6A64208784919F4D50AA3D5
2024-07-03 12:19:23.713799 ike 1:TLS_FBR: HA state master(2)
2024-07-03 12:19:23.713826 ike 1:TLS_FBR:6897: dec 74DCE6C8B5BBD15D3F2DC09E7D7D79A92E20242800000010000000F021000004280000340000003001030404C2EBD85C0300000C0100000C800E0100030000080300000C030000080400001C00000008050000002200002441D442A818A0F27B11366FEB2438A32DEC91A04565BDBCC3EA93D9F9DADB6D6D2C000048001C00005538F07366FE361E838C9A09352E906A4540060F86083C22F37BA9A847151FEF73B1001A1CA42793DCA9087766C29085D789F8BDA97D359E768D273D931FAF802D00001801000000070000100000FFFF0A005B310A005B310000001801000000070000100000FFFF0A005B320A005B32
2024-07-03 12:19:23.713837 ike 1:TLS_FBR:6897: received create-child response
2024-07-03 12:19:23.713842 ike 1:TLS_FBR:6897: initiator received CREATE_CHILD msg
2024-07-03 12:19:23.713847 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: found child SA SPI 9fb20b88 state=3
2024-07-03 12:19:23.713852 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: PFS enabled, group=28
2024-07-03 12:19:23.714798 ike 1:TLS_FBR:6897:3254: peer proposal:
2024-07-03 12:19:23.714806 ike 1:TLS_FBR:6897:3254: TSr_0 0:10.0.91.50-10.0.91.50:0
2024-07-03 12:19:23.714812 ike 1:TLS_FBR:6897:3254: TSi_0 0:10.0.91.49-10.0.91.49:0
2024-07-03 12:19:23.714816 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: comparing selectors
2024-07-03 12:19:23.714822 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: matched by rfc-rule-2
2024-07-03 12:19:23.714827 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: phase2 matched by subset
2024-07-03 12:19:23.714833 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: accepted proposal:
2024-07-03 12:19:23.714838 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: TSr_0 0:10.0.91.50-10.0.91.50:0
2024-07-03 12:19:23.714843 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: TSi_0 0:10.0.91.49-10.0.91.49:0
2024-07-03 12:19:23.714848 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: autokey
2024-07-03 12:19:23.714854 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: incoming child SA proposal:
2024-07-03 12:19:23.714859 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: proposal id = 1:
2024-07-03 12:19:23.714864 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: protocol = ESP:
2024-07-03 12:19:23.714868 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: encapsulation = TUNNEL
2024-07-03 12:19:23.714873 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: type=ENCR, val=AES_CBC (key_len = 256)
2024-07-03 12:19:23.714878 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: type=INTEGR, val=SHA256
2024-07-03 12:19:23.714882 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: type=DH_GROUP, val=ECP256BP
2024-07-03 12:19:23.714887 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: type=ESN, val=NO
2024-07-03 12:19:23.714893 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: matched proposal id 1
2024-07-03 12:19:23.714897 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: proposal id = 1:
2024-07-03 12:19:23.714901 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: protocol = ESP:
2024-07-03 12:19:23.714905 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: encapsulation = TUNNEL
2024-07-03 12:19:23.714910 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: type=ENCR, val=AES_CBC (key_len = 256)
2024-07-03 12:19:23.714914 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: type=INTEGR, val=SHA256
2024-07-03 12:19:23.714919 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: type=DH_GROUP, val=ECP256BP
2024-07-03 12:19:23.714923 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: type=ESN, val=NO
2024-07-03 12:19:23.714927 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: lifetime=3600
2024-07-03 12:19:23.714954 ike 1:TLS_FBR: schedule auto-negotiate
2024-07-03 12:19:23.714959 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: replay protection enabled
2024-07-03 12:19:23.714965 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: set sa life soft seconds=3300.
2024-07-03 12:19:23.714969 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: set sa life hard seconds=3600.
2024-07-03 12:19:23.714992 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: IPsec SA selectors #src=1 #dst=1
2024-07-03 12:19:23.714998 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: src 0 7 0:10.0.91.49-10.0.91.49:0
2024-07-03 12:19:23.715004 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: dst 0 7 0:10.0.91.50-10.0.91.50:0
2024-07-03 12:19:23.715008 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: add dynamic IPsec SA selectors
2024-07-03 12:19:23.715028 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: added dynamic IPsec SA proxyids, existing serial 98
2024-07-03 12:19:23.715033 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: add IPsec SA: SPIs=9fb20b88/c2ebd85c
2024-07-03 12:19:23.715038 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: IPsec SA dec spi 9fb20b88 key 32:96E54106D2BB77F08E898CC92A94A8FDC3FF331ADE2FAA5F3724076509CB235F auth 32:EC5D771FC5BDEE17C2AE8F9DFEEF77F0BD67CF42B3DA51B3E6EC76CC0A1110F6
2024-07-03 12:19:23.715044 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: IPsec SA enc spi c2ebd85c key 32:1441E30198DF61D7F31D741ECC32941E5DE0063E84E97111B686B3EE6DE96C05 auth 32:3DE489B1A28B1A454EA8202F2906DBED6F63F758AFC0F449A390AA265E16E8A1
2024-07-03 12:19:23.715131 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: added IPsec SA: SPIs=9fb20b88/c2ebd85c
2024-07-03 12:19:23.715152 ike 1:TLS_FBR: HA send IKE connection add 10.0.90.49->10.0.90.50
2024-07-03 12:19:23.715166 ike 1:TLS_FBR:6897: HA send IKE SA add 74dce6c8b5bbd15d/3f2dc09e7d7d79a9
2024-07-03 12:19:23.715174 ike 1:TLS_FBR: HA send IKEv2 message ID update send/recv=17/14
2024-07-03 12:19:23.715198 ike 1:TLS_FBR: IPsec SA cd8ff751/9fb20b84 hard expired 13 10.0.90.49->10.0.90.50:0 SA count 3 of 3
2024-07-03 12:19:23.715212 ike 1:TLS_FBR: IPsec SA 9fb20b84 delete failed: 2
2024-07-03 12:19:23.715217 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3245: sending delete for IPsec SA SPI 9fb20b84
2024-07-03 12:19:23.715225 ike 1:TLS_FBR:6897:3255: send informational
2024-07-03 12:19:23.715233 ike 1:TLS_FBR:6897: enc 0000000C030400019FB20B8403020103
2024-07-03 12:19:23.715253 ike 1:TLS_FBR:6897: out 74DCE6C8B5BBD15D3F2DC09E7D7D79A92E20250000000011000000502A0000342263CE9F2C00ED5A77445E4CEA050271CCD081C637682996546080567AE798EDE3ED3318FDBB670BC4D22D5F02215B0F
2024-07-03 12:19:23.715274 ike 1:TLS_FBR:6897: sent IKE msg (INFORMATIONAL): 10.0.90.49:500->10.0.90.50:500, len=80, vrf=0, id=74dce6c8b5bbd15d/3f2dc09e7d7d79a9:00000011
2024-07-03 12:19:23.738291 ike 1: comes 10.0.90.50:500->10.0.90.49:500,ifindex=13,vrf=0....
2024-07-03 12:19:23.738316 ike 1: IKEv2 exchange=INFORMATIONAL_RESPONSE id=74dce6c8b5bbd15d/3f2dc09e7d7d79a9:00000011 len=80
2024-07-03 12:19:23.738322 ike 1: in 74DCE6C8B5BBD15D3F2DC09E7D7D79A92E20252800000011000000502A000034DAEDC685ED93B543838D87E7C4B9A7C60E552AEC3731E6F618BB8542D2D35FFC8669BB9457B703509BF3796EB428EBCA
2024-07-03 12:19:23.738330 ike 1:TLS_FBR: HA state master(2)
2024-07-03 12:19:23.738372 ike 1:TLS_FBR:6897: dec 74DCE6C8B5BBD15D3F2DC09E7D7D79A92E202528000000110000002C2A0000040000000C03040001CD8FF751
2024-07-03 12:19:23.738380 ike 1:TLS_FBR:6897: received informational response
2024-07-03 12:19:23.738385 ike 1:TLS_FBR:6897:3255: processing informational acknowledgement
2024-07-03 12:19:23.738391 ike 1:TLS_FBR:6897: processing delete ack (proto 3)
2024-07-03 12:19:23.738397 ike 1:TLS_FBR: deleting IPsec SA with SPI cd8ff751
2024-07-03 12:19:23.738429 ike 1:TLS_FBR: IPsec SA with SPI cd8ff751 deletion failed: 2
2024-07-03 12:19:26.083269 ike 1:TLS_FBR: HA IPsec send ESP seqno=436, num=4
2024-07-03 12:19:28.690038 ike 1:TLS_FBR:IPSEC_TLS_FBR: IPsec SA connect 13 10.0.90.49->10.0.90.50:0
2024-07-03 12:19:28.690057 ike 1:TLS_FBR:IPSEC_TLS_FBR: using existing connection
2024-07-03 12:19:28.690062 ike 1:TLS_FBR:IPSEC_TLS_FBR: config found
2024-07-03 12:19:28.690069 ike 1:TLS_FBR:IPSEC_TLS_FBR: tunnel is up, ignoring connect event
2024-07-03 12:19:33.700035 ike 1:TLS_FBR:IPSEC_TLS_FBR: IPsec SA connect 13 10.0.90.49->10.0.90.50:0
2024-07-03 12:19:33.700052 ike 1:TLS_FBR:IPSEC_TLS_FBR: using existing connection
2024-07-03 12:19:33.700058 ike 1:TLS_FBR:IPSEC_TLS_FBR: config found
2024-07-03 12:19:33.700065 ike 1:TLS_FBR:IPSEC_TLS_FBR: tunnel is up, ignoring connect event
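An added example for readers working through this kind of output (not code from the thread, FortiGate or Stormshield): a small checker that reads the `traffic triggered` line from `diag debug app ike` together with the negotiated selectors (the `TSi_0`/`TSr_0` lines of the accepted proposal, or the `src:`/`dst:` lines under `proxyid=` in `diagnose vpn tunnel list`) and reports whether the flow that caused the negotiation actually falls inside those selectors. The sample lines are trimmed copies of the outputs posted above. Assumptions: selectors are written `proto:first_ip-last_ip:port` with proto 0 meaning any, and the triggered flow as `proto:ip:port` (proto 1 being ICMP).

```python
"""Compare the flow that triggered an IPsec SA negotiation with the traffic
selectors the FortiGate negotiated (added example, not vendor code)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: trimmed lines copied from the outputs in the thread.
SAMPLE_TUNNEL_LIST = """\
proxyid=IPSEC_TLS_FBR proto=0 sa=1 ref=3 serial=100 auto-negotiate ads adf
  src: 0:10.0.91.49-10.0.91.49:0
  dst: 0:10.0.91.50-10.0.91.50:0
"""
SAMPLE_IKE_DEBUG = """\
ike 1:TLS_FBR:IPSEC_TLS_FBR: traffic triggered, serial=96 1:10.10.72.2:2048->1:192.168.1.3:0
ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: accepted proposal:
ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: TSr_0 0:10.0.91.50-10.0.91.50:0
ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: TSi_0 0:10.0.91.49-10.0.91.49:0
"""

# 'TSi_0 0:a-b:p' in the IKE debug, 'src: 0:a-b:p' in the tunnel list
# (assumed notation: proto:first_ip-last_ip:port, proto 0 = any).
SELECTOR_RE = re.compile(
    r"\b(TSi|TSr|src|dst)(?:_\d+)?:?\s+(\d+):([\d.]+)-([\d.]+):(\d+)")
# 'traffic triggered, serial=N proto:src:port->proto:dst:port' (assumed notation).
TRIGGER_RE = re.compile(
    r"traffic triggered.*?\s(\d+):([\d.]+):(\d+)->(\d+):([\d.]+):(\d+)")
SIDE = {"TSi": "initiator", "src": "initiator",
        "TSr": "responder", "dst": "responder"}


@dataclass(frozen=True)
class Selector:
    proto: int
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address
    port: int

    def covers(self, addr: str, proto: int) -> bool:
        """True if the address and protocol fall inside this selector."""
        ip = ipaddress.IPv4Address(addr)
        return self.proto in (0, proto) and self.first <= ip <= self.last


def parse_selectors(text: str) -> dict:
    """Collect selectors keyed by initiator (local) / responder (remote) side."""
    found = {"initiator": set(), "responder": set()}
    for m in SELECTOR_RE.finditer(text):
        side, proto, first, last, port = m.groups()
        found[SIDE[side]].add(Selector(int(proto), ipaddress.IPv4Address(first),
                                       ipaddress.IPv4Address(last), int(port)))
    return found


def parse_trigger(text: str):
    """Return proto/src/dst of the packet that triggered negotiation, or None."""
    m = TRIGGER_RE.search(text)
    if not m:
        return None
    proto, src, _sport, _dproto, dst, _dport = m.groups()
    return {"proto": int(proto), "src": src, "dst": dst}


def check_trigger_against_selectors(ike_debug: str, tunnel_list: str = "") -> dict:
    """Report whether the triggering flow is inside the negotiated selectors."""
    trig = parse_trigger(ike_debug)
    sels = parse_selectors(ike_debug + "\n" + tunnel_list)
    if trig is None or not (sels["initiator"] and sels["responder"]):
        return {"status": "incomplete", "trigger": trig}
    src_ok = any(s.covers(trig["src"], trig["proto"]) for s in sels["initiator"])
    dst_ok = any(s.covers(trig["dst"], trig["proto"]) for s in sels["responder"])
    return {
        "status": "covered" if src_ok and dst_ok else "mismatch",
        "src_covered": src_ok,
        "dst_covered": dst_ok,
        "trigger": trig,
        "initiator_selectors": sorted(f"{s.first}-{s.last}" for s in sels["initiator"]),
        "responder_selectors": sorted(f"{s.first}-{s.last}" for s in sels["responder"]),
    }


if __name__ == "__main__":
    print(check_trigger_against_selectors(SAMPLE_IKE_DEBUG, SAMPLE_TUNNEL_LIST))
```

On the sample above the result is `mismatch`: the negotiated selectors only span the two VTI addresses (10.0.91.49 and 10.0.91.50), while the flow that triggered the CREATE_CHILD exchange is 10.10.72.2 to 192.168.1.3, so neither end of it is inside a selector. Feeding the checker your own `diag debug app ike` and `diagnose vpn tunnel list` captures is a quick way to confirm whether the phase-2 selectors and the routed LAN prefixes agree before looking further at policies and routes.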
hbac

Hi @NRA,


Those are IKE debugs. Please run debug flow instead as per this article: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...


Regards, 
