I've only defined a single IKE Phase 1 configuration:
FGT60D-1 # get vpn ipsec phase1-interface
== [ ToAzureVPNGatew ]
name: ToAzureVPNGatew
FGT60D-1 # show vpn ipsec phase1-interface ToAzureVPNGatew
config vpn ipsec phase1-interface
edit "ToAzureVPNGatew"
:
set proposal aes128-sha1 aes256-sha1 3des-sha1
:
However, I'm seeing two IKE SAs:
FGT60D-1 # diagnose vpn ike gateway list
vd: root/0
name: ToAzureVPNGatew
version: 2
interface: dmz 4
addr: AA.AA.AA.AA:500 -> BB.BB.BB.BB:500
created: 379424s ago
auto-discovery: 0
IKE SA: created 2/25 established 2/25 time 0/842/21010 ms
IPsec SA: created 7/98 established 7/94 time 0/223/21010 ms
id/spi: 2740 234fa287f699414e/504f09d5b0d7fe35
direction: responder
status: established 22200-22200s ago = 0ms
proposal: aes128-sha1
SK_ei: 15f55274bc7f32a8-e2266cb2e13cf204
SK_er: 86e3f57606910c38-a23b93641e3367ae
SK_ai: 9cccc0b2ce15988f-34313af067da63f3-e50e078d
SK_ar: ca54ff1e9b8d24b8-f5b5d551b3f060b0-0fb89168
lifetime/rekey: 28800/6329
DPD sent/recv: 00000000/00000000
id/spi: 2739 cbc8ab59329e804e/ed77c4d903349b89
direction: responder
status: established 25876-25876s ago = 0ms
proposal: aes256-sha1
SK_ei: 6df7bc656f100b0e-654b49d89782da3a-f488f19af92f8d13-e5e37b4e7e342fee
SK_er: 31c2206c2a39b9c8-e9fa5c97cfcee553-8852c8ad6563f976-774a4c534b353ebc
SK_ai: 11bf68c622270bbf-235768750759ac25-5e603cd8
SK_ar: c366785a9d04a159-327f71b4854867ae-7adc726f
lifetime/rekey: 28800/2653
DPD sent/recv: 00000000/00000000
The obvious explanation is that the remote peer (Initiator, actually, Azure's VPN Gateway configured for Forced Tunneling, ie. all non-local tunneled to on-premise) requested two SA, one using "aes128-sha1" and another using "aes256-sha1". But, why would the remote peer do that?
Also, in the printout:
IKE SA: created 2/25 established 2/25 time 0/842/21010 ms
IPsec SA: created 7/98 established 7/94 time 0/223/21010 ms
what do 25, 94; and, 'time' numbers mean?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
More pertinently, if there's a two sets of Phase 2 SAs, each negotiated by a different Phase 1, how would Fortigate chose which to use?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1547 | |
1031 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.