Hoping someone can provide some assistance with this s2s VPN issue. Despite following the configuration instructions from the admin guide/docs found online, the VPN does not establish. Thanks in advance.
FORTILAB # get system status
Version: FortiGate-VM64-KVM v5.6.3,build1547,171204 (GA)

Fortinet17 # get system status
Version: FortiGate-VM64-KVM v5.6.3,build1547,171204 (GA)
FORTILAB # show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
    edit "P_60.60.60.2_24"
        set interface "port2"
        set keylife 3600
        set peertype any
        set proposal des-sha1
        set comments "VPN: P_60.60.60.2_24"
        set dhgrp 2
        set nattraversal disable
        set remote-gw 60.60.60.2
        set psksecret ENC QokPe8p8leDF0K6h6XIghZD3k7iMHcPTYGlxh+dQhkqTxMchDtJs2/y5RnnPZxSqWOwDFtHz8eG4WHRVQDW1uKNmDX+dsdjtNX8xs3pHw0aIhJkSleekoflnovE3ro+mvCJ+JREOiGPpic1ju5WqXM/FSRvCfQwaFUObGw7k/vpJ9h/hBLoUHtJnnDKxRyYPLoEjhg==
    next
end

FORTILAB # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
    edit "Enc_domain"
        set phase1name "P_60.60.60.2_24"
        set proposal des-md5
        set pfs disable
        set replay disable
        set keylifeseconds 3600
        set src-subnet 192.168.203.0 255.255.255.0
        set dst-subnet 192.168.206.0 255.255.255.0
    next
end

###################################################

Fortinet17 # show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
    edit "Peer_2.2.2.1_24"
        set interface "port1"
        set keylife 3600
        set peertype any
        set proposal des-sha1
        set comments "VPN: Peer_2.2.2.1_24"
        set dhgrp 2
        set nattraversal disable
        set remote-gw 2.2.2.1
        set psksecret ENC gjaiosyVsBk4oWjFFmnE7zPodPiW3CvPNg2qEQSey2nH0tmQXFp8f9HsoIKkJC1nHdHjSVlBncDhm/xWYBZM3g+oZRB7nGtX3kjd6WSnWCq7Dzq/c7QYjlWHrDJ7ifgMOcwHGhVYJjjTozRjz8UePWFZT9RxTe8OxFc1CmZ69/L84h4pgUImy9p1wmKaXmoLFhZJ0Q==
    next
end

Fortinet17 # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
    edit "Peer_2.2.2.1_24"
        set phase1name "Peer_2.2.2.1_24"
        set proposal des-md5
        set pfs disable
        set replay disable
        set comments "Enc_dom"
        set keylifeseconds 3600
        set src-subnet 192.168.206.0 255.255.255.0
        set dst-subnet 192.168.203.0 255.255.255.0
    next
end

###################################################
FORTILAB # diagnose debug application ike -1 Debug messages will be on for 30 minutes.
FORTILAB #
2018-02-14 05:11:53.396491 ike 0: comes 60.60.60.2:500->2.2.2.1:500,ifindex=4....
2018-02-14 05:11:53.398972 ike 0: IKEv1 exchange=Identity Protection id=f270913d451c69ce/0000000000000000 len=164
2018-02-14 05:11:53.402152 ike 0: in F270913D451C69CE00000000000000000110020000000000000000A40D000034000000010000000100000028010100010000002001010000800B0001800C0E10800100018003000180020002800400020D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
2018-02-14 05:11:53.411599 ike 0:f270913d451c69ce/0000000000000000:70: responder: main mode get 1st message...
2018-02-14 05:11:53.414740 ike 0:f270913d451c69ce/0000000000000000:70: VID DPD AFCAD71368A1F1C96B8696FC77570100
2018-02-14 05:11:53.417965 ike 0:f270913d451c69ce/0000000000000000:70: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
2018-02-14 05:11:53.421272 ike 0:f270913d451c69ce/0000000000000000:70: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
2018-02-14 05:11:53.424853 ike 0:f270913d451c69ce/0000000000000000:70: VID FORTIGATE 8299031757A36082C6A621DE00000000
2018-02-14 05:11:53.428116 ike 0:P_60.60.60.2_24: ignoring IKE request, no policy configured
2018-02-14 05:11:53.430889 ike 0:f270913d451c69ce/0000000000000000:70: negotiation failure
2018-02-14 05:11:53.433562 ike Negotiate ISAKMP SA Error:
2018-02-14 05:11:53.435275 ike 0:f270913d451c69ce/0000000000000000:70: no SA proposal chosen
2018-02-14 05:11:53.454719 ike shrank heap by 159744 bytes
2018-02-14 05:11:56.406032 ike 0: comes 60.60.60.2:500->2.2.2.1:500,ifindex=4....
2018-02-14 05:11:56.408288 ike 0: IKEv1 exchange=Identity Protection id=f270913d451c69ce/0000000000000000 len=164
2018-02-14 05:11:56.411278 ike 0: in F270913D451C69CE00000000000000000110020000000000000000A40D000034000000010000000100000028010100010000002001010000800B0001800C0E10800100018003000180020002800400020D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
2018-02-14 05:11:56.420990 ike 0:f270913d451c69ce/0000000000000000:71: responder: main mode get 1st message...
2018-02-14 05:11:56.424704 ike 0:f270913d451c69ce/0000000000000000:71: VID DPD AFCAD71368A1F1C96B8696FC77570100
2018-02-14 05:11:56.429823 ike 0:f270913d451c69ce/0000000000000000:71: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
2018-02-14 05:11:56.436686 ike 0:f270913d451c69ce/0000000000000000:71: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
2018-02-14 05:11:56.444200 ike 0:f270913d451c69ce/0000000000000000:71: VID FORTIGATE 8299031757A36082C6A621DE00000000
2018-02-14 05:11:56.450716 ike 0:P_60.60.60.2_24: ignoring IKE request, no policy configured
2018-02-14 05:11:56.455736 ike 0:f270913d451c69ce/0000000000000000:71: negotiation failure
2018-02-14 05:11:56.460899 ike Negotiate ISAKMP SA Error:
2018-02-14 05:11:56.463786 ike 0:f270913d451c69ce/0000000000000000:71: no SA proposal chosen
2018-02-14 05:12:02.415401 ike 0: comes 60.60.60.2:500->2.2.2.1:500,ifindex=4....
2018-02-14 05:12:02.417794 ike 0: IKEv1 exchange=Identity Protection id=f270913d451c69ce/0000000000000000 len=164
2018-02-14 05:12:02.420876 ike 0: in F270913D451C69CE00000000000000000110020000000000000000A40D000034000000010000000100000028010100010000002001010000800B0001800C0E10800100018003000180020002800400020D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
2018-02-14 05:12:02.430269 ike 0:f270913d451c69ce/0000000000000000:72: responder: main mode get 1st message...
2018-02-14 05:12:02.434483 ike 0:f270913d451c69ce/0000000000000000:72: VID DPD AFCAD71368A1F1C96B8696FC77570100
2018-02-14 05:12:02.440183 ike 0:f270913d451c69ce/0000000000000000:72: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
2018-02-14 05:12:02.446656 ike 0:f270913d451c69ce/0000000000000000:72: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
2018-02-14 05:12:02.452673 ike 0:f270913d451c69ce/0000000000000000:72: VID FORTIGATE 8299031757A36082C6A621DE00000000
2018-02-14 05:12:02.458249 ike 0:P_60.60.60.2_24: ignoring IKE request, no policy configured
2018-02-14 05:12:02.463646 ike 0:f270913d451c69ce/0000000000000000:72: negotiation failure
2018-02-14 05:12:02.468904 ike Negotiate ISAKMP SA Error:
2018-02-14 05:12:02.471723 ike 0:f270913d451c69ce/0000000000000000:72: no SA proposal chosen
2018-02-14 05:12:14.424166 ike 0: comes 60.60.60.2:500->2.2.2.1:500,ifindex=4....
2018-02-14 05:12:14.426519 ike 0: IKEv1 exchange=Identity Protection id=f270913d451c69ce/0000000000000000 len=164
2018-02-14 05:12:14.430148 ike 0: in F270913D451C69CE00000000000000000110020000000000000000A40D000034000000010000000100000028010100010000002001010000800B0001800C0E10800100018003000180020002800400020D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
2018-02-14 05:12:14.448900 ike 0:f270913d451c69ce/0000000000000000:73: responder: main mode get 1st message...
2018-02-14 05:12:14.456448 ike 0:f270913d451c69ce/0000000000000000:73: VID DPD AFCAD71368A1F1C96B8696FC77570100
2018-02-14 05:12:14.464136 ike 0:f270913d451c69ce/0000000000000000:73: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
2018-02-14 05:12:14.472022 ike 0:f270913d451c69ce/0000000000000000:73: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
2018-02-14 05:12:14.482008 ike 0:f270913d451c69ce/0000000000000000:73: VID FORTIGATE 8299031757A36082C6A621DE00000000
2018-02-14 05:12:14.487424 ike 0:P_60.60.60.2_24: ignoring IKE request, no policy configured
2018-02-14 05:12:14.490129 ike 0:f270913d451c69ce/0000000000000000:73: negotiation failure
2018-02-14 05:12:14.493134 ike Negotiate ISAKMP SA Error:
2018-02-14 05:12:14.494997 ike 0:f270913d451c69ce/0000000000000000:73: no SA proposal chosen
diagnose debug disable

FORTILAB #
2018-02-14 05:12:24.413171 ike 0: comes 60.60.60.2:500->2.2.2.1:500,ifindex=4....
2018-02-14 05:12:24.415442 ike 0: IKEv1 exchange=Identity Protection id=fa82a97ef8e72fd3/0000000000000000 len=164
2018-02-14 05:12:24.418499 ike 0: in FA82A97EF8E72FD300000000000000000110020000000000000000A40D000034000000010000000100000028010100010000002001010000800B0001800C0E10800100018003000180020002800400020D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
2018-02-14 05:12:24.427245 ike 0:fa82a97ef8e72fd3/0000000000000000:74: responder: main mode get 1st message...
2018-02-14 05:12:24.430161 ike 0:fa82a97ef8e72fd3/0000000000000000:74: VID DPD AFCAD71368A1F1C96B8696FC77570100
2018-02-14 05:12:24.433034 ike 0:fa82a97ef8e72fd3/0000000000000000:74: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
2018-02-14 05:12:24.436151 ike 0:fa82a97ef8e72fd3/0000000000000000:74: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
2018-02-14 05:12:24.439450 ike 0:fa82a97ef8e72fd3/0000000000000000:74: VID FORTIGATE 8299031757A36082C6A621DE00000000
2018-02-14 05:12:24.442452 ike 0:P_60.60.60.2_24: ignoring IKE request, no policy configured
2018-02-14 05:12:24.444819 ike 0:fa82a97ef8e72fd3/0000000000000000:74: negotiation failure
2018-02-14 05:12:24.447392 ike Negotiate ISAKMP SA Error:
2018-02-14 05:12:24.448866 ike 0:fa82a97ef8e72fd3/0000000000000000:74: no SA proposal chosen
2018-02-14 05:12:24.486593 ike shrank heap by 159744 bytes
2018-02-14 05:12:27.422778 ike 0: comes 60.60.60.2:500->2.2.2.1:500,ifindex=4....
2018-02-14 05:12:27.425031 ike 0: IKEv1 exchange=Identity Protection id=fa82a97ef8e72fd3/0000000000000000 len=164
2018-02-14 05:12:27.427936 ike 0: in FA82A97EF8E72FD300000000000000000110020000000000000000A40D000034000000010000000100000028010100010000002001010000800B0001800C0E10800100018003000180020002800400020D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
2018-02-14 05:12:27.436887 ike 0:fa82a97ef8e72fd3/0000000000000000:75: responder: main mode get 1st message...
2018-02-14 05:12:27.440101 ike 0:fa82a97ef8e72fd3/0000000000000000:75: VID DPD AFCAD71368A1F1C96B8696FC77570100
2018-02-14 05:12:27.442982 ike 0:fa82a97ef8e72fd3/0000000000000000:75: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
2018-02-14 05:12:27.445946 ike 0:fa82a97ef8e72fd3/0000000000000000:75: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
2018-02-14 05:12:27.449360 ike 0:fa82a97ef8e72fd3/0000000000000000:75: VID FORTIGATE 8299031757A36082C6A621DE00000000
2018-02-14 05:12:27.452316 ike 0:P_60.60.60.2_24: ignoring IKE request, no policy configured
2018-02-14 05:12:27.454701 ike 0:fa82a97ef8e72fd3/0000000000000000:75: negotiation failure
2018-02-14 05:12:27.457094 ike Negotiate ISAKMP SA Error:
2018-02-14 05:12:27.458533 ike 0:fa82a97ef8e72fd3/0000000000000000:75: no SA proposal chosen
2018-02-14 05:12:33.432115 ike 0: comes 60.60.60.2:500->2.2.2.1:500,ifindex=4....
2018-02-14 05:12:33.434411 ike 0: IKEv1 exchange=Identity Protection id=fa82a97ef8e72fd3/0000000000000000 len=164
2018-02-14 05:12:33.437710 ike 0: in FA82A97EF8E72FD300000000000000000110020000000000000000A40D000034000000010000000100000028010100010000002001010000800B0001800C0E10800100018003000180020002800400020D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
2018-02-14 05:12:33.447192 ike 0:fa82a97ef8e72fd3/0000000000000000:76: responder: main mode get 1st message...
2018-02-14 05:12:33.450380 ike 0:fa82a97ef8e72fd3/0000000000000000:76: VID DPD AFCAD71368A1F1C96B8696FC77570100
2018-02-14 05:12:33.453597 ike 0:fa82a97ef8e72fd3/0000000000000000:76: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
2018-02-14 05:12:33.457145 ike 0:fa82a97ef8e72fd3/0000000000000000:76: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
2018-02-14 05:12:33.460878 ike 0:fa82a97ef8e72fd3/0000000000000000:76: VID FORTIGATE 8299031757A36082C6A621DE00000000
2018-02-14 05:12:33.464129 ike 0:P_60.60.60.2_24: ignoring IKE request, no policy configured
2018-02-14 05:12:33.466984 ike 0:fa82a97ef8e72fd3/0000000000000000:76: negotiation failure
2018-02-14 05:12:33.469752 ike Negotiate ISAKMP SA Error:
2018-02-14 05:12:33.471278 ike 0:fa82a97ef8e72fd3/0000000000000000:76: no SA proposal chosen
diagnose debug application ike 0
################################################### ###################################################
Fortinet17 # diagnose debug application ike -1 Debug messages will be on for 30 minutes.
Fortinet17 #
ike 0:Peer_2.2.2.1_24:42: out 517841D62F36B50A00000000000000000110020000000000000000A40D000034000000010000000100000028010100010000002001010000800B0001800C0E10800100018003000180020002800400020D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:Peer_2.2.2.1_24:42: sent IKE msg (P1_RETRANSMIT): 60.60.60.2:500->2.2.2.1:500, len=164, id=517841d62f36b50a/0000000000000000
ike 0:Peer_2.2.2.1_24:42: negotiation timeout, deleting
ike 0:Peer_2.2.2.1_24: connection expiring due to phase1 down
ike 0:Peer_2.2.2.1_24: deleting
ike 0:Peer_2.2.2.1_24: deleted
ike 0:Peer_2.2.2.1_24: schedule auto-negotiate
ike 0:Peer_2.2.2.1_24: auto-negotiate connection
ike 0:Peer_2.2.2.1_24: created connection: 0x9690770 3 60.60.60.2->2.2.2.1:500.
ike 0:Peer_2.2.2.1_24:43: initiator: main mode is sending 1st message...
ike 0:Peer_2.2.2.1_24:43: cookie 61c4c6f13a6f5e8f/0000000000000000
ike 0:Peer_2.2.2.1_24:43: out 61C4C6F13A6F5E8F00000000000000000110020000000000000000A40D000034000000010000000100000028010100010000002001010000800B0001800C0E10800100018003000180020002800400020D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:Peer_2.2.2.1_24:43: sent IKE msg (ident_i1send): 60.60.60.2:500->2.2.2.1:500, len=164, id=61c4c6f13a6f5e8f/0000000000000000
ike 0:Peer_2.2.2.1_24:43: out 61C4C6F13A6F5E8F00000000000000000110020000000000000000A40D000034000000010000000100000028010100010000002001010000800B0001800C0E10800100018003000180020002800400020D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:Peer_2.2.2.1_24:43: sent IKE msg (P1_RETRANSMIT): 60.60.60.2:500->2.2.2.1:500, len=164, id=61c4c6f13a6f5e8f/0000000000000000
ike 0:Peer_2.2.2.1_24:43: out 61C4C6F13A6F5E8F00000000000000000110020000000000000000A40D000034000000010000000100000028010100010000002001010000800B0001800C0E10800100018003000180020002800400020D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:Peer_2.2.2.1_24:43: sent IKE msg (P1_RETRANSMIT): 60.60.60.2:500->2.2.2.1:500, len=164, id=61c4c6f13a6f5e8f/0000000000000000
ike 0:Peer_2.2.2.1_24:43: out 61C4C6F13A6F5E8F00000000000000000110020000000000000000A40D000034000000010000000100000028010100010000002001010000800B0001800C0E10800100018003000180020002800400020D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:Peer_2.2.2.1_24:43: sent IKE msg (P1_RETRANSMIT): 60.60.60.2:500->2.2.2.1:500, len=164, id=61c4c6f13a6f5e8f/0000000000000000
ike 0:Peer_2.2.2.1_24:43: negotiation timeout, deleting
ike 0:Peer_2.2.2.1_24: connection expiring due to phase1 down
ike 0:Peer_2.2.2.1_24: deleting
ike 0:Peer_2.2.2.1_24: deleted
ike 0:Peer_2.2.2.1_24: schedule auto-negotiate
ike 0:Peer_2.2.2.1_24: auto-negotiate connection
ike 0:Peer_2.2.2.1_24: created connection: 0x9690770 3 60.60.60.2->2.2.2.1:500.
ike 0:Peer_2.2.2.1_24:44: initiator: main mode is sending 1st message...
ike 0:Peer_2.2.2.1_24:44: cookie 0a6c38d9d2d5a4c8/0000000000000000
ike 0:Peer_2.2.2.1_24:44: out 0A6C38D9D2D5A4C800000000000000000110020000000000000000A40D000034000000010000000100000028010100010000002001010000800B0001800C0E10800100018003000180020002800400020D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:Peer_2.2.2.1_24:44: sent IKE msg (ident_i1send): 60.60.60.2:500->2.2.2.1:500, len=164, id=0a6c38d9d2d5a4c8/0000000000000000
ike 0:Peer_2.2.2.1_24:44: out 0A6C38D9D2D5A4C800000000000000000110020000000000000000A40D000034000000010000000100000028010100010000002001010000800B0001800C0E10800100018003000180020002800400020D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:Peer_2.2.2.1_24:44: sent IKE msg (P1_RETRANSMIT): 60.60.60.2:500->2.2.2.1:500, len=164, id=0a6c38d9d2d5a4c8/0000000000000000
ike 0:Peer_2.2.2.1_24:44: out 0A6C38D9D2D5A4C800000000000000000110020000000000000000A40D000034000000010000000100000028010100010000002001010000800B0001800C0E10800100018003000180020002800400020D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:Peer_2.2.2.1_24:44: sent IKE msg (P1_RETRANSMIT): 60.60.60.2:500->2.2.2.1:500, len=164, id=0a6c38d9d2d5a4c8/0000000000000000
################################################### ###################################################
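The `ike 0: in <hex>` line in the FORTILAB dump above is the raw first main-mode message, and it can be decoded to see exactly what Fortinet17 proposed. The following is an added example, not code from the thread or from Fortinet: it parses the ISAKMP header, the SA payload's transform attributes and the vendor-ID payloads (RFC 2408/2409 layout) from the hex copied out of the dump (the spaces inside the original hex are line-wrap artifacts and are stripped). The vendor-ID labels are the ones the FortiOS debug log itself prints next to each VID.

```python
"""Decode the first IKEv1 main-mode message from a FortiGate `diagnose debug application ike -1`
dump.  Added example for this thread, not Fortinet code: it parses the hex printed after
`ike 0: in` (responder) or `out` (initiator) using the ISAKMP layout of RFC 2408/2409."""
import struct

# Copied from the FORTILAB dump above (ike 0: in ...); the spaces in the original are line wraps.
MSG1_HEX = (
    "F270913D451C69CE00000000000000000110020000000000000000A40D000034"
    "000000010000000100000028010100010000002001010000800B0001800C0E10"
    "800100018003000180020002800400020D000014AFCAD71368A1F1C96B8696FC"
    "775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D5"
    "6EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE"
    "00000000"
)

ISAKMP_HDR = struct.Struct(">8s8sBBBBII")  # i-cookie, r-cookie, next, ver, exchange, flags, msgid, len
PAYLOAD_HDR = struct.Struct(">BBH")         # next payload, reserved, payload length
SA_PAYLOAD, VID_PAYLOAD = 1, 13
EXCHANGES = {2: "Identity Protection (main mode)", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
# Phase-1 transform attributes, RFC 2409 appendix A.
ATTR_NAMES = {1: "encryption", 2: "hash", 3: "auth-method", 4: "dh-group",
              11: "life-type", 12: "life-duration"}
ATTR_VALUES = {1: {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"},
               2: {1: "MD5", 2: "SHA1"},
               3: {1: "pre-shared-key", 3: "RSA-sig"},
               4: {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"},
               11: {1: "seconds", 2: "kilobytes"}}
# Vendor IDs, labelled the way the FortiOS debug log labels them.
VENDOR_IDS = {bytes.fromhex("AFCAD71368A1F1C96B8696FC77570100"): "DPD",
              bytes.fromhex("4048B7D56EBCE88525E7DE7F00D6C2D3"): "FRAGMENTATION",
              bytes.fromhex("4048B7D56EBCE88525E7DE7F00D6C2D3C0000000"): "FRAGMENTATION (20-byte form)",
              bytes.fromhex("8299031757A36082C6A621DE00000000"): "FORTIGATE"}


def parse_attributes(data):
    """ISAKMP data attributes: TV form if the high bit of the type is set, otherwise TLV."""
    attrs, pos = {}, 0
    while pos < len(data):
        atype, avalue = struct.unpack_from(">HH", data, pos)
        pos += 4
        if atype & 0x8000:
            atype &= 0x7FFF
        else:                                   # TLV: the second field is the value length
            length = avalue
            avalue = int.from_bytes(data[pos:pos + length], "big")
            pos += length
        attrs[ATTR_NAMES.get(atype, f"attr{atype}")] = ATTR_VALUES.get(atype, {}).get(avalue, avalue)
    return attrs


def parse_sa(body):
    """Return the transforms (attribute dicts) of a phase-1 SA payload body."""
    transforms, pos = [], 8                      # skip DOI and situation
    while pos < len(body):
        _, _, plen, _, _, spi_size, ntrans = struct.unpack_from(">BBHBBBB", body, pos)
        tpos = pos + 8 + spi_size
        for _ in range(ntrans):
            _, _, tlen, tnum, _, _ = struct.unpack_from(">BBHBBH", body, tpos)
            transforms.append({"transform": tnum, **parse_attributes(body[tpos + 8:tpos + tlen])})
            tpos += tlen
        pos += plen
    return transforms


def decode_ike_message(hex_dump):
    """Decode an IKEv1 message from FortiOS `ike 0: in/out <hex>` debug output into a dict."""
    data = bytes.fromhex("".join(hex_dump.split()))
    icookie, rcookie, nxt, ver, exch, _, _, length = ISAKMP_HDR.unpack_from(data, 0)
    if length != len(data):
        raise ValueError(f"header length {length} != {len(data)} bytes captured")
    out = {"initiator_cookie": icookie.hex(), "responder_cookie": rcookie.hex(),
           "version": f"{ver >> 4}.{ver & 0xF}", "exchange": EXCHANGES.get(exch, exch),
           "transforms": [], "vendor_ids": []}
    pos = ISAKMP_HDR.size
    while nxt:                                   # walk the payload chain until next-payload == 0
        following, _, plen = PAYLOAD_HDR.unpack_from(data, pos)
        body = data[pos + PAYLOAD_HDR.size:pos + plen]
        if nxt == SA_PAYLOAD:
            out["transforms"] = parse_sa(body)
        elif nxt == VID_PAYLOAD:
            out["vendor_ids"].append(VENDOR_IDS.get(body, body.hex()))
        nxt, pos = following, pos + plen
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(decode_ike_message(MSG1_HEX), indent=2))
```

Decoded, the message carries a single transform: DES-CBC, SHA1, pre-shared key, DH group 2, lifetime 3600 seconds, which is exactly what FORTILAB's phase1 `P_60.60.60.2_24` is configured to accept (`proposal des-sha1`, `dhgrp 2`, `keylife 3600`). So the `no SA proposal chosen` at the end of every attempt is not a crypto mismatch: the responder logs `ignoring IKE request, no policy configured` first and only then reports the negotiation failure. Two caveats: the same decoder works on the `out` lines of the Fortinet17 dump, which is useful whenever two FortiGates disagree about what was offered; and single DES with a pre-shared key (and DES/MD5 without PFS in phase2) is a lab-only proposal that should not be carried into anything real.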
Hello ..innit..,
You need the following things configured:
1. VPN configuration (looks good, see above)
2. Routing for the networks inside the VPN tunnel
3. Policies to allow traffic through the VPN tunnel (see error msg "ignoring IKE request, no policy configured").
Kind regards, Michael
hi,
nice, complete debug info, thanks.
"2018-02-14 05:11:53.428116 ike 0:P_60.60.60.2_24: ignoring IKE request, no policy configured" - you're sure you've got an accepting policy for this tunnel? No policy, no phase1.
Thanks for the reply. I have not seen any reference for the need to create a policy in order to create an s2s VPN for version 5.6.
The link below is not for v5.6, which is the one we are running.
I will keep investigating, and try to find out where and how these VPN firewall rules need to be implemented.
https://www.youtube.com/w...=245&v=8sDbUZAwzE0
FORTILAB # execute ping 192.168.203.253
PING 192.168.203.253 (192.168.203.253): 56 data bytes
64 bytes from 192.168.203.253: icmp_seq=0 ttl=64 time=1.7 ms
64 bytes from 192.168.203.253: icmp_seq=1 ttl=64 time=0.8 ms
64 bytes from 192.168.203.253: icmp_seq=2 ttl=64 time=0.7 ms
^C
--- 192.168.203.253 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.7/1.0/1.7 ms

FORTILAB # get system arp
Address           Age(min)   Hardware Addr      Interface
192.168.10.2      0          00:50:00:00:01:00  port1
192.168.203.253   0          00:50:00:00:10:00  port6
2.2.2.2           0          aa:bb:cc:00:70:10  port2

FORTILAB # show sys interface
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.10.4 255.255.255.0
        set allowaccess https http
        set type physical
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        set ip 2.2.2.1 255.255.255.0
        set allowaccess ping
        set type physical
        set alias "outside"
        set role wan
        set snmp-index 2
    next
    edit "port3"
        set vdom "root"
        set allowaccess ping
        set type physical
        set role lan
        set snmp-index 3
    next
    edit "port4"
        set vdom "root"
        set ip 192.168.204.1 255.255.255.0
        set allowaccess ping
        set type physical
        set snmp-index 4
    next
    edit "port5"
        set vdom "root"
        set ip 192.168.205.1 255.255.255.0
        set allowaccess ping https
        set type physical
        set description "LAN_192.168.205.0_24"
        set alias "LAN_192.168.205.0_24"
        set role lan
        set snmp-index 8
    next
    edit "port6"
        set vdom "root"
        set ip 192.168.203.1 255.255.255.0
        set allowaccess ping
        set type physical
        set description "LAN_192.168.203.0_24"
        set alias "LAN_192.168.203.0_24"
        set snmp-index 9
    next
    edit "port7"
        set vdom "root"
        set type physical
        set snmp-index 10
    next
    edit "port8"
        set vdom "root"
        set type physical
        set snmp-index 11
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 5
    next
    edit "200.200.200.200"
        set vdom "root"
        set ip 200.200.200.200 255.255.255.0
        set allowaccess ping
        set type loopback
        set alias "Loopback 200"
        set snmp-index 6
    next
    edit "Peer_1.1.1.1_24"
        set vdom "root"
        set type tunnel
        set snmp-index 7
        set interface "port2"
    next
    edit "P_60.60.60.2_24"
        set vdom "root"
        set type tunnel
        set snmp-index 12
        set interface "port2"
    next
end
FORTILAB # show firewall policy
config firewall policy
    edit 1
        set name "LAN_203_outbound"
        set uuid ca1023f8-0fdd-51e8-897e-14759a84f631
        set srcintf "LAN_192.168.203.0_24"
        set dstintf "Outside_2.2.2.0_24"
        set srcaddr "LAN_102.168.203.0_24"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 3
        set name "LAN_203_to_204"
        set uuid e7471d2e-0fff-51e8-38ca-46acd3dd85e9
        set srcintf "LAN_192.168.203.0_24"
        set dstintf "LAN_192.168.204.0_24"
        set srcaddr "LAN_102.168.203.0_24"
        set dstaddr "LAN_192.168.204.0_24"
        set action accept
        set schedule "always"
        set service "PING"
    next
    edit 2
        set name "LAN_204_outbound"
        set uuid 4b1f92e2-0ffe-51e8-6752-bac72521b4b2
        set srcintf "LAN_192.168.204.0_24"
        set dstintf "Outside_2.2.2.0_24"
        set srcaddr "LAN_192.168.204.0_24"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 5
        set name "LAN_205_to_204"
        set uuid 8c8b762e-101c-51e8-13a5-4703d05f66f7
        set srcintf "LAN_192.168.205.0_24"
        set dstintf "LAN_192.168.204.0_24"
        set srcaddr "LAN_192.168.205.0_24"
        set dstaddr "LAN_192.168.204.0_24"
        set action accept
        set schedule "always"
        set service "PING"
        set utm-status enable
        set logtraffic all
        set ips-sensor "default"
        set ssl-ssh-profile "deep-inspection"
    next
    edit 6
        set name "VPN_203_to_206"
        set uuid 9ab751d4-123b-51e8-1e97-04911dcf5d2f
        set srcintf "LAN_192.168.203.0_24"
        set dstintf "Outside_2.2.2.0_24"
        set srcaddr "LAN_102.168.203.0_24"
        set dstaddr "LAN_192.168.206.0_24"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

FORTILAB # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 2.2.2.2, port2
C       2.2.2.0/24 is directly connected, port2
C       192.168.10.0/24 is directly connected, port1
C       192.168.203.0/24 is directly connected, port6
C       192.168.204.0/24 is directly connected, port4
C       192.168.205.0/24 is directly connected, port5
C       200.200.200.0/24 is directly connected, 200.200.200.200

FORTILAB # diag vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=P_60.60.60.2_24 ver=1 serial=2 2.2.2.1:0->60.60.60.2:0
bound_if=4 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
proxyid_num=1 child_num=0 refcnt=11 ilast=57 olast=57 ad=/0 itn-status=29
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=Enc_domain proto=0 sa=0 ref=1 serial=1
  src: 0:192.168.203.0/255.255.255.0:0
  dst: 0:192.168.206.0/255.255.255.0:0
------------------------------------------------------
name=Peer_1.1.1.1_24 ver=1 serial=1 2.2.2.1:0->1.1.1.1:0
bound_if=4 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
proxyid_num=1 child_num=0 refcnt=11 ilast=57 olast=57 ad=/0 itn-status=29
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=203/24-to-204/24 proto=0 sa=0 ref=1 serial=1
  src: 0:192.168.203.0/255.255.255.0:0
  dst: 0:192.168.201.0/255.255.255.0:0
FORTILAB # diagnose debug application ike -1 Debug messages will be on for 23 minutes.
FORTILAB #
ike 0:P_60.60.60.2_24:Enc_domain: IPsec SA connect 4 2.2.2.1->60.60.60.2:0
ike 0:P_60.60.60.2_24: ignoring request to establish IPsec SA, no policy configured
ike shrank heap by 159744 bytes
FORTILAB # ike 0:P_60.60.60.2_24: gw negotiation timeout
So now there is a firewall policy for this traffic; however, the firewall keeps complaining about the lack of a policy. This is weird...

FORTILAB #
ike 0:P_60.60.60.2_24:Enc_domain: IPsec SA connect 4 2.2.2.1->60.60.60.2:0
ike 0:P_60.60.60.2_24: ignoring request to establish IPsec SA, no policy configured
ike shrank heap by 159744 bytes

    edit 6
        set name "VPN_203_to_206"
        set uuid 9ab751d4-123b-51e8-1e97-04911dcf5d2f
        set srcintf "LAN_192.168.203.0_24"
        set dstintf "Outside_2.2.2.0_24"
        set srcaddr "LAN_102.168.203.0_24"
        set dstaddr "LAN_192.168.206.0_24"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
I am pinging from host 192.168.203.253 to a host in 192.168.206.0/24 behind VPN peer 60.60.60.2.

FORTILAB # execute ping 192.168.203.253
PING 192.168.203.253 (192.168.203.253): 56 data bytes
64 bytes from 192.168.203.253: icmp_seq=0 ttl=64 time=1.4 ms
64 bytes from 192.168.203.253: icmp_seq=1 ttl=64 time=0.6 ms
^C
--- 192.168.203.253 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.6/1.0/1.4 ms

FORTILAB # get system arp
Address           Age(min)   Hardware Addr      Interface
192.168.10.2      0          00:50:00:00:01:00  port1
192.168.203.253   0          00:50:00:00:10:00  port6
2.2.2.2           0          aa:bb:cc:00:70:10  port2
uh-oh, there's a lot of confusion here...
Firstly, your list of interfaces does not correspond to the interfaces you use in the policies. For example in policy 1, you use "srcintf LAN_192.168.203.0_24" where I would expect "srcintf port6". How come?
Secondly, you did configure a policy but it allows traffic from LAN_203 to WAN, not from LAN_203 to LAN_206!
Maybe this wouldn't have happened if you had chosen more descriptive names for your interfaces. Lo and behold if one day the LAN address changes, or you host a second address range behind the tunnel...
Then, you ping a host in LAN_203...what does that prove? Wouldn't you test to ping a host on LAN_206 from the FGT, or better still, from a host on LAN_203?
OMG, I just noticed the FTNT video you quoted - it's about 'Policy Mode' VPN!
Policy mode VPNs were historically the first way to build an IPsec VPN in FortiOS. This has long since been replaced by 'Interface mode' or 'route based' VPNs, which is the default when you create a VPN.
Could you please clarify which kind of VPN you created? If in Policy mode, I'd (strongly) recommend deleting it and rebuilding it in 'Interface mode'. The phase 1 you create will be supplied as a virtual interface, just like a VLAN interface. You will allow traffic from the LAN to the tunnel interface in a regular policy (regular: 'action'='accept').
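Michael's checklist above (VPN configuration, routing, policies) and the point just made about policy 6 (its dstintf is the WAN, not the tunnel interface) can both be checked mechanically from the `show firewall policy` and `get router info routing-table all` output. The following is an added example, not code from the thread or from Fortinet: a small checker that, for an interface-mode tunnel, verifies that an accept policy references the tunnel interface in each direction and that the remote subnet has a route pointing into the tunnel. The "as posted" inputs are trimmed copies of the FORTILAB output above (policies 1 and 6, three of the routes); the "fixed" inputs are constructed by me, using the thread's own interface and address names, to show what the checker expects to see.

```python
"""Sanity-check an interface-mode IPsec tunnel on a FortiGate: is there an accept policy on the
tunnel interface, and a route sending the remote subnet into it?  Added example for this thread,
not Fortinet code.  'As posted' inputs are trimmed copies of the FORTILAB output above; the
'fixed' inputs are constructed to show what the checker expects."""
import ipaddress
import re
import shlex

PHASE1 = "P_60.60.60.2_24"      # tunnel interface = phase1-interface name
REMOTE = "192.168.206.0/24"     # dst-subnet of phase2 "Enc_domain"

POLICY_AS_POSTED = """
config firewall policy
    edit 1
        set srcintf "LAN_192.168.203.0_24"
        set dstintf "Outside_2.2.2.0_24"
        set srcaddr "LAN_102.168.203.0_24"
        set dstaddr "all"
        set action accept
        set nat enable
    next
    edit 6
        set srcintf "LAN_192.168.203.0_24"
        set dstintf "Outside_2.2.2.0_24"
        set srcaddr "LAN_102.168.203.0_24"
        set dstaddr "LAN_192.168.206.0_24"
        set action accept
    next
end
"""
ROUTES_AS_POSTED = """
S* 0.0.0.0/0 [10/0] via 2.2.2.2, port2
C 2.2.2.0/24 is directly connected, port2
C 192.168.203.0/24 is directly connected, port6
"""
# Constructed (not from the thread): policies bound to the tunnel interface in both directions,
# plus the route `config router static` produces for `set device "P_60.60.60.2_24"`.
POLICY_FIXED = """
config firewall policy
    edit 6
        set srcintf "port6"
        set dstintf "P_60.60.60.2_24"
        set srcaddr "LAN_102.168.203.0_24"
        set dstaddr "LAN_192.168.206.0_24"
        set action accept
    next
    edit 7
        set srcintf "P_60.60.60.2_24"
        set dstintf "port6"
        set srcaddr "LAN_192.168.206.0_24"
        set dstaddr "LAN_102.168.203.0_24"
        set action accept
    next
end
"""
ROUTES_FIXED = ROUTES_AS_POSTED + "S 192.168.206.0/24 [10/0] is directly connected, P_60.60.60.2_24\n"
ROUTE_RE = re.compile(r"^\S+\s+(\d+\.\d+\.\d+\.\d+/\d+)\s.*,\s*(\S+)$")


def parse_fortios_table(text):
    """Parse one `config .. / edit N / set k v / next / end` table into a list of dicts.
    Every setting is stored as a list of words (quoted names are handled by shlex)."""
    entries, cur = [], None
    for line in text.splitlines():
        words = shlex.split(line)
        if not words:
            continue
        if words[0] == "edit":
            cur = {"id": words[1]}
        elif words[0] == "set" and cur is not None:
            cur[words[1]] = words[2:]
        elif words[0] == "next" and cur is not None:
            entries.append(cur)
            cur = None
    return entries


def parse_routes(text):
    """Return [(network, outgoing interface)] from `get router info routing-table all` lines."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append((ipaddress.ip_network(m.group(1)), m.group(2)))
    return routes


def lint_tunnel(phase1, remote_subnet, policy_text, route_text):
    """Return a list of problems; an empty list means policy and routing look right."""
    problems = []
    bound = [p for p in parse_fortios_table(policy_text)
             if p.get("action") == ["accept"]
             and (phase1 in p.get("srcintf", []) or phase1 in p.get("dstintf", []))]
    if not bound:
        # The IKE daemon only negotiates for a tunnel interface that some accept policy uses;
        # this is the state behind "ignoring IKE request, no policy configured".
        problems.append(f"no accept policy uses tunnel interface {phase1!r}")
    else:
        if not any(phase1 in p.get("dstintf", []) for p in bound):
            problems.append(f"no policy allows traffic into {phase1!r} (LAN -> tunnel)")
        if not any(phase1 in p.get("srcintf", []) for p in bound):
            problems.append(f"no policy allows traffic out of {phase1!r} (tunnel -> LAN)")
    remote = ipaddress.ip_network(remote_subnet)
    # Longest-prefix match for the remote subnet, ignoring the default route on purpose:
    # a default route is exactly what sends "VPN" traffic out to the Internet in the clear.
    matches = [(net, dev) for net, dev in parse_routes(route_text)
               if net.prefixlen > 0 and remote.subnet_of(net)]
    if not matches:
        problems.append(f"no route for {remote_subnet}; it follows the default route, not the tunnel")
    else:
        net, dev = max(matches, key=lambda r: r[0].prefixlen)
        if dev != phase1:
            problems.append(f"route for {remote_subnet} ({net}) points at {dev!r}, not {phase1!r}")
    return problems


if __name__ == "__main__":
    for label, pol, rts in (("as posted", POLICY_AS_POSTED, ROUTES_AS_POSTED),
                            ("fixed", POLICY_FIXED, ROUTES_FIXED)):
        print(label, lint_tunnel(PHASE1, REMOTE, pol, rts) or ["OK"])
```

On the posted config the checker reports both gaps: no accept policy uses `P_60.60.60.2_24`, which is the condition behind `ignoring request to establish IPsec SA, no policy configured`, and there is no route for 192.168.206.0/24. The missing route is the more serious of the two from a security point of view: with only the default route via 2.2.2.2, a ping from 192.168.203.253 to a 192.168.206.x host is matched by policy 1 (`LAN_203_outbound`, dstaddr `all`, NAT enabled) and is forwarded out port2 to the default gateway, NATed and unencrypted, instead of being dropped until the tunnel is up. Two things the checker cannot see are worth verifying by hand: the policy's srcintf is `LAN_192.168.203.0_24`, which is port6's alias rather than its name, and its dstintf `Outside_2.2.2.0_24` matches neither port2's name nor its alias `outside` in the interface list above; and the source address object is named `LAN_102.168.203.0_24`, so confirm with `show firewall address` that its subnet really is 192.168.203.0/24.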
..innit.. wrote:
    Thanks for the reply. I have not seen any reference for the need to create a policy in order to create an s2s VPN for version 5.6.
    The link below is not for v5.6, which is the one we are running.
    I will keep investigating, and try to find out where and how these VPN firewall rules need to be implemented.
    https://www.youtube.com/w...=245&v=8sDbUZAwzE0

Seems like this would be the appropriate video:
FortiGate Cookbook - Site-to-Site IPsec VPN (5.6)
https://www.youtube.com/watch?v=E44-IAvbhfI&list=PLLbbcH8MnXJ5UV22hUQRIv0AHSqp81Ifg