Phillor
New Contributor

Supposedly wrongly negotiated IPsec Phase 2 SA

Hello together,


I have a strange behaviour with one of our S2S IPsec tunnels.

First things first: Tunnel Phase1 and Phase2 are up. Routing and Policies are configured. Everything is working fine.


Then every other day one of the remote networks is not reachable anymore (the Logs show that the FortiGate is sending the traffic into the tunnel but there is no packet coming back as an answer).

This network is then not reachable for exactly one hour (Phase2 Key lifetime) and then everything works again.


For me it looks like the FortiGate in these cases is not able to negotiate the SA with the remote gateway correctly. On the remote site there is a CheckPoint Firewall.

I have not yet been able to get a deeper look at what happens in those cases under the hood, because mostly everything is back to normal as soon as I'm connected to the FortiGate.


Maybe one of you knows this behaviour and can tell me what the cause of this could be.


Thank you very much in advance!

vtsonev
Staff

Hi,


Is your IPsec bound to a loopback interface on the FortiGate? If so, please make sure you have an IPv4 policy to allow traffic between the loopback and the WAN interface. Maybe it would be easier if you can share with us the phase1 and phase2 configuration of the tunnel in question.


Another useful output will be:


# diag vpn ike log-filter name (phase1 name of the tunnel)
# diag debug app ike -1
# diag debug enable


Best regards,

Vasil

Fortinet Technical Team Lead
NSE 1-4,7 Certified
Phillor

Thank you for your answer!


I think I found the problem...

I just saw 5 minutes ago that there are a lot of ESP errors. But only on this one VPN tunnel. All the other tunnels are working fine without any errors.
