VPN is UP but no incoming traffic

subkhanave · ‎05-11-2015

Hi Everyone,

I'm a noob here, using firmware v5.0,build0310 (GA Patch 11)

I am building vpn connection to Palo Alto device, the VPN is up but when my partner tried to telnet/traceroute there's no traffic incoming. I've checked the SPI it is the same with Palo Alto, then turned on packet capture, diag sniffer, and diag debug but there's no clue what is going on here.

Below is P1 and P2 settings

MyFortigate01 (V-DMZ) # sh vpn ipsec phase1-interface MyPartner_P1 config vpn ipsec phase1-interface edit "MyPartner_P1" set interface "DS_Inet_v201" set nattraversal disable set dhgrp 2 set keylife 86400 set proposal 3des-md5 set dpd disable set remote-gw 185.35.88.254 set psksecret ENC bWFpboKyoeJeP6PCYbX2rb7ABwcFBjnlZpZWZm4oLaxYEQxS/bGsU6R7u/ytXrAKQyYCKLACxsYB+RwC+YSdWvcRFGPJnJqCT6bVtWIwSCYdfGWIHJQNDEA3RKfst13W+htTBZfMTRDwvkAxRRhQeL2Zsnna6IQn0+iX17qolopXu0A48ls0YuXZvhI/9Yp4k4Gh3g== next end MyFortigate01 (V-DMZ) # sh vpn ipsec phase2-interface MyPartner-SOA_P2 config vpn ipsec phase2-interface edit "MyPartner-SOA_P2" set comments "172.30.228.77<>185.35.88.1" set dst-addr-type ip set keepalive enable set pfs disable set phase1name "MyPartner_P1" set proposal 3des-md5 set replay disable set src-addr-type ip set dst-start-ip 185.35.88.1 set keylifeseconds 3600 set src-start-ip 172.30.228.77 next end MyFortigate01 (V-DMZ) # diagnose vpn tunnel list name arg please input args MyFortigate01 (V-DMZ) # diagnose vpn tunnel list name MyPartner_P1 list ipsec tunnel by names in vd 3 ------------------------------------------------------ name=MyPartner_P1 ver=1 serial=58 112.215.81.220:0->185.35.88.254:0 lgwy=static tun=intf mode=auto bound_if=91 proxyid_num=2 child_num=0 refcnt=7 ilast=3093 olast=3093 stat: rxp=0 txp=0 rxb=0 txb=0 dpd: mode=off on=0 idle=5000ms retry=3 count=0 seqno=73750 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=MyPartner-SOA_P2 proto=0 sa=1 ref=2 auto_negotiate=0 serial=11 src: 0:172.30.228.77:0 dst: 0:185.35.88.1:0 SA: ref=3 options=0000000d type=00 soft=0 mtu=1436 expire=701 replaywin=0 seqno=1 life: type=01 bytes=0/0 timeout=3553/3600 dec: spi=f3c212f2 esp=3des key=24 1d56b4d7e8d70af4ff65d6658c4c37f3eac1d6c22b93e44b ah=md5 key=16 30c74e94456a2dc9c091d6875b43018e enc: spi=b431a71c esp=3des key=24 5b4a2717dcf2c78475d27b573da0e9eac4d83e79b98a7730 ah=md5 key=16 8ca24cb29ec0d6b5e184e5808e0ce938 dec:pkts/bytes=0/0, enc:pkts/bytes=0/0 npu_flag=00 npu_rgwy=185.35.88.254 npu_lgwy=112.215.81.220 npu_selid=158 proxyid=MyPartner_P2 proto=0 sa=1 ref=2 auto_negotiate=0 serial=10 src: 0:10.161.122.26:0 dst: 0:185.35.88.1:0 SA: ref=3 options=0000000c type=00 soft=0 mtu=1436 expire=454 replaywin=0 seqno=1 life: type=01 bytes=0/0 timeout=3548/3600 dec: spi=f3c212cf esp=3des key=24 86f9644aa05a7c4d9f1e8d5801b84e6f80e5114a068076c6 ah=md5 key=16 58d8cda6023d62110f7906052a7ff66b enc: spi=9e52ac3d esp=3des key=24 5ff585a18dc7c36893039a761eb7eac200e29fbc4398758e ah=md5 key=16 3f108252e54ad0d37a7a899832ff0ebc dec:pkts/bytes=0/0, enc:pkts/bytes=0/0 npu_flag=00 npu_rgwy=185.35.88.254 npu_lgwy=112.215.81.220 npu_selid=147 MyFortigate01 (V-DMZ) #

and below is debug log on phase 2

2015-05-11 19:27:05 ike 3:MyPartner_P1:MyPartner-SOA_P2: IPsec SA connect 91 112.215.81.220->185.35.88.254:0 2015-05-11 19:27:05 ike 3:MyPartner_P1:MyPartner-SOA_P2: using existing connection 2015-05-11 19:27:05 ike 3:MyPartner_P1:MyPartner-SOA_P2: config found 2015-05-11 19:27:05 ike 3:MyPartner_P1:MyPartner-SOA_P2: IPsec SA connect 91 112.215.81.220->185.35.88.254:500 negotiating 2015-05-11 19:27:05 ike 3:MyPartner_P1:1990397: cookie 940ff124dd773674/604fe7fe28c5db83:a166b53a 2015-05-11 19:27:05 ike 3:MyPartner_P1:1990397:MyPartner-SOA_P2:5494420: initiator selectors 0 0:172.30.228.77:0:0->0:185.35.88.1:0:0 2015-05-11 19:27:05 ike 3:MyPartner_P1:1990397: enc 940FF124DD773674604FE7FE28C5DB8308102001A166B53A0000008C010000141EF34CABF5C78FDC8329F7FA62DC0EDD0A00003000000001000000010000002401030401F3C212F200000018010300008001000180020E10800400018005000105000014850EE1B98E60CF0D63120811B35B74ED0500000C01000000AC1EE44D0000000C01000000B9235801 2015-05-11 19:27:05 ike 3:MyPartner_P1:1990397: out 940FF124DD773674604FE7FE28C5DB8308102001A166B53A00000094DB2ABE5ADAEA5E7C6592D6B4DE26BDE56A6B56127FE308B415BB5C03468C4089E62F853D877563D5D26929A50D851A061A85887B2926F2CB9CF62D5883E51B3514E4529027C9FE0739DBB539CAB5844F0459C24F7669DC9B04C175363D2A0B7CA96A57D4B09E8BBF1EE160F2D39364BBAE1E0C6A308BC21E 2015-05-11 19:27:05 ike 3:MyPartner_P1:1990397: sent IKE msg (quick_i1send): 112.215.81.220:500->185.35.88.254:500, len=148, id=940ff124dd773674/604fe7fe28c5db83:a166b53a 2015-05-11 19:27:05 ike 3:MyPartner_P1:1990397: dec 940FF124DD773674604FE7FE28C5DB8308102001A166B53A0000009401000014A70F80FC2178CDE8EC8C44D1E89BEAC00A00003000000001000000010000002401030401B431A71C00000018010300008001000180020E108004000180050001050000146A4972E8E4C6C6921A77C80C7FF2D2440500000C01000000AC1EE44D0000000C01000000B923580104CD8EF6D3D61908 2015-05-11 19:27:05 ike 3:MyPartner_P1:1990397:MyPartner-SOA_P2:5494420: responder selectors 0:172.30.228.77:0->0:185.35.88.1:0 2015-05-11 19:27:05 ike 3:MyPartner_P1:1990397:MyPartner-SOA_P2:5494420: my proposal: 2015-05-11 19:27:05 ike 3:MyPartner_P1:1990397:MyPartner-SOA_P2:5494420: proposal id = 1: 2015-05-11 19:27:05 ike 3:MyPartner_P1:1990397:MyPartner-SOA_P2:5494420: protocol id = IPSEC_ESP: 2015-05-11 19:27:05 ike 3:MyPartner_P1:1990397:MyPartner-SOA_P2:5494420: trans_id = ESP_3DES 2015-05-11 19:27:05 ike 3:MyPartner_P1:1990397:MyPartner-SOA_P2:5494420: encapsulation = ENCAPSULATION_MODE_TUNNEL 2015-05-11 19:27:05 ike 3:MyPartner_P1:1990397:MyPartner-SOA_P2:5494420: type = AUTH_ALG, val=MD5 2015-05-11 19:27:05 ike 3:MyPartner_P1:1990397:MyPartner-SOA_P2:5494420: incoming proposal: 2015-05-11 19:27:05 ike 3:MyPartner_P1:1990397:MyPartner-SOA_P2:5494420: proposal id = 1: 2015-05-11 19:27:05 ike 3:MyPartner_P1:1990397:MyPartner-SOA_P2:5494420: protocol id = IPSEC_ESP: 2015-05-11 19:27:05 ike 3:MyPartner_P1:1990397:MyPartner-SOA_P2:5494420: trans_id = ESP_3DES 2015-05-11 19:27:05 ike 3:MyPartner_P1:1990397:MyPartner-SOA_P2:5494420: encapsulation = ENCAPSULATION_MODE_TUNNEL 2015-05-11 19:27:05 ike 3:MyPartner_P1:1990397:MyPartner-SOA_P2:5494420: type = AUTH_ALG, val=MD5 2015-05-11 19:27:05 ike 3:MyPartner_P1:1990397: enc 940FF124DD773674604FE7FE28C5DB8308102001A166B53A0000003000000014E7CEB06C9871B0C2C3E219E6FE41A34B 2015-05-11 19:27:05 ike 3:MyPartner_P1:1990397: out 940FF124DD773674604FE7FE28C5DB8308102001A166B53A00000034DB6752E9DB4C6A912D2C602D9A793E01057E9AAEAE9CA035 2015-05-11 19:27:05 ike 3:MyPartner_P1:1990397: sent IKE msg (quick_i2send): 112.215.81.220:500->185.35.88.254:500, len=52, id=940ff124dd773674/604fe7fe28c5db83:a166b53a 2015-05-11 19:27:05 ike 3:MyPartner_P1:1990397:MyPartner-SOA_P2:5494420: SA life soft seconds=3553. 2015-05-11 19:27:05 ike 3:MyPartner_P1:1990397:MyPartner-SOA_P2:5494420: SA life hard seconds=3600. 2015-05-11 19:27:05 ike 3:MyPartner_P1:1990397:MyPartner-SOA_P2:5494420: IPsec SA selectors #src=1 #dst=1 2015-05-11 19:27:05 ike 3:MyPartner_P1:1990397:MyPartner-SOA_P2:5494420: src 0 1 0:172.30.228.77:0 2015-05-11 19:27:05 ike 3:MyPartner_P1:1990397:MyPartner-SOA_P2:5494420: dst 0 1 0:185.35.88.1:0 2015-05-11 19:27:05 ike 3:MyPartner_P1:1990397:MyPartner-SOA_P2:5494420: add IPsec SA: SPIs=f3c212f2/b431a71c 2015-05-11 19:27:05 ike 3:MyPartner_P1:1990397:MyPartner-SOA_P2:5494420: IPsec SA dec spi f3c212f2 key 24:1D56B4D7E8D70AF4FF65D6658C4C37F3EAC1D6C22B93E44B auth 16:30C74E94456A2DC9C091D6875B43018E 2015-05-11 19:27:05 ike 3:MyPartner_P1:1990397:MyPartner-SOA_P2:5494420: IPsec SA enc spi b431a71c key 24:5B4A2717DCF2C78475D27B573DA0E9EAC4D83E79B98A7730 auth 16:8CA24CB29EC0D6B5E184E5808E0CE938 2015-05-11 19:27:05 ike 3:MyPartner_P1:1990397:MyPartner-SOA_P2:5494420: added IPsec SA: SPIs=f3c212f2/b431a71c 2015-05-11 19:27:05 ike 3:MyPartner_P1:1990397:MyPartner-SOA_P2:5494420: sending SNMP tunnel UP trap

License is die days ago so I'd prefer looking for help on the community forum

I'm using fortigate 3600c

Kindly need your help :)

Christopher_McMullan · ‎05-11-2015

Does the traffic match the Phase 2 selectors?

Regards, Chris McMullan Fortinet Ottawa

subkhanave · ‎05-11-2015

Christopher McMullan_FTNT wrote:
Does the traffic match the Phase 2 selectors?

Thanks Chris for responding

It should be, since I'm getting no incoming traffic I couldn't make sure

Now I have recreate everything parallel with my partner on Palo Alto device, and I see incoming traffic now. Not sure what was changed, strange though.

Now I'm facing problem with static route, should other static route distance lower than default route? I'm using value 10 of all static route

For historical story, I previously set up vdom root as NAT device over all vdoms. Now I migrate one vdom so it direct connect to ISP router (no need NAT-T anymore).

rwpatterson · ‎05-11-2015

The default gateway being the route of last choice should always have a higher distance than the other static routes.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

subkhanave · ‎05-12-2015

rwpatterson wrote:
The default gateway being the route of last choice should always have a higher distance than the other static routes.

Thank you for your reply

One question, is it right remote port value=0 in IPsec Monitor, should it be 500? I used to see 4500 (NAT-T)