Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AlexFeren
New Contributor III

Two IKE SAs for a single Phase1 configuration - why?

I've only defined a single IKE Phase 1 configuration:

FGT60D-1 # get vpn ipsec phase1-interface
== [ ToAzureVPNGatew ]
name: ToAzureVPNGatew

 

FGT60D-1 # show vpn ipsec phase1-interface ToAzureVPNGatew
config vpn ipsec phase1-interface
    edit "ToAzureVPNGatew"
:

 

        set proposal aes128-sha1 aes256-sha1 3des-sha1
:

However, I'm seeing two IKE SAs:

FGT60D-1 # diagnose vpn ike gateway list

vd: root/0
name: ToAzureVPNGatew
version: 2
interface: dmz 4
addr: AA.AA.AA.AA:500 -> BB.BB.BB.BB:500
created: 379424s ago
auto-discovery: 0
IKE SA: created 2/25 established 2/25 time 0/842/21010 ms
IPsec SA: created 7/98 established 7/94 time 0/223/21010 ms

  id/spi: 2740 234fa287f699414e/504f09d5b0d7fe35
  direction: responder
  status: established 22200-22200s ago = 0ms
  proposal: aes128-sha1
  SK_ei: 15f55274bc7f32a8-e2266cb2e13cf204
  SK_er: 86e3f57606910c38-a23b93641e3367ae
  SK_ai: 9cccc0b2ce15988f-34313af067da63f3-e50e078d
  SK_ar: ca54ff1e9b8d24b8-f5b5d551b3f060b0-0fb89168
  lifetime/rekey: 28800/6329
  DPD sent/recv: 00000000/00000000

  id/spi: 2739 cbc8ab59329e804e/ed77c4d903349b89
  direction: responder
  status: established 25876-25876s ago = 0ms
  proposal: aes256-sha1
  SK_ei: 6df7bc656f100b0e-654b49d89782da3a-f488f19af92f8d13-e5e37b4e7e342fee
  SK_er: 31c2206c2a39b9c8-e9fa5c97cfcee553-8852c8ad6563f976-774a4c534b353ebc
  SK_ai: 11bf68c622270bbf-235768750759ac25-5e603cd8
  SK_ar: c366785a9d04a159-327f71b4854867ae-7adc726f
  lifetime/rekey: 28800/2653
  DPD sent/recv: 00000000/00000000

The obvious explanation is that the remote peer (Initiator, actually, Azure's VPN Gateway configured for Forced Tunneling, ie. all non-local tunneled to on-premise) requested two SA, one using "aes128-sha1" and another using "aes256-sha1". But, why would the remote peer do that?

 

Also, in the printout:

IKE SA: created 2/25 established 2/25 time 0/842/21010 ms
IPsec SA: created 7/98 established 7/94 time 0/223/21010 ms

what do 25, 94; and, 'time' numbers mean?

1 REPLY 1
AlexFeren
New Contributor III

More pertinently, if there's a two sets of Phase 2 SAs, each negotiated by a different Phase 1, how would Fortigate chose which to use?

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors