Not applicable

VPN tunnel not passing traffic

Hello, I need help debugging a VPN. A tunnel is established but no traffic is passed. One end is a FG100, the other is a Netgear router. Both devices report the tunnel up but no traffic is passed. The Netgear is set up correctly because it was working with another Netgear before I replaced it with the Fortinet. I opened a ticket with Fortinet support but no one has even looked at it in over 24 hours. I called in 2 times and after being on hold for over 1 hour I left a message. Nobody has called me back. Below is some debug and config info from the Fortinet:

Unable to ping or trace the endpoint of the VPN tunnel. FortiGate 100 shows the tunnel is up in the IPsec status monitor; NAT is not enabled. The other side has a Netgear router that shows the VPN is also up. No traffic is being exchanged between the 2. Here's some debug output:

Fortigate-100 # dia vpn tunnel list
tunnel[4]:lexmar2, gateway:69.2.xxx.xxx:500, hub=, option=0
  eroute[2]:{[192.168.1.*]}->{[192.168.6.*]}
  channel[2]:64.60.xxx.xxx,natt=0,state=2,keepalive=0,oif=3
    sa[3]:mtu=1426, cur_bytes=14248, timeout=42623275
      itdb[1]:mtu=1426, cur_bytes=0, cur_packets=0, spi=654321, replay=0
        AES=33333300000000000000000000000000
        iv=4e9f7f46c6ebf24bc993b95237746868
        SHA1_HMAC=3333330000000000000000000000000000000000
      otdb[1]:mtu=1426, cur_bytes=8704, cur_packets=99, spi=123456, replay=0
        AES=33333300000000000000000000000000
        iv=976b744e76b70ab2d6104d1d2c66fc56
        SHA1_HMAC=3333330000000000000000000000000000000000
Fortigate-100 #

Fortigate-100 # show vpn ipsec manualkey lexmar2
config vpn ipsec manualkey
    edit "lexmar2"
        set authentication sha1
        set encryption aes128
        set gateway 69.2.xxx.xxx
        set localspi 0x654321
        set remotespi 0x123456
        set authkey 'ENC U59SU23atT+16QcTD14OS7I2lPVUhzfXQnL/grFBG+5HaRkQVCjBOOCOjsj+iUGn5lpi8QF9QAiTbmhiHwfNhqURqbU3aAIFYlsKu7aiEX4eEcNJ'
        set enckey 'ENC RgQfCZtIm6n+WSFkgCVMbW4hQS+RVUESsRxN8G9RBR4jQOBEJN4JXSuZKPu2Wkn6waD3hwV3OcG0qj8PfSZVKffIDSwKcofkW6bP8JdCsE/MmxKJ'
    next
end
Fortigate-100 #

Fortigate-100 # diagnose vpn ipsec status
IPSec Status
tun=1,chan=1,ref=2, info=2,dialup=0,sa=1,tdb=2,ctx=0,snd=0,hub=0
3DES is using ASIC CP2.
DES is using ASIC CP2.
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 110 0 0 204662 0 0 0 0 0
Fortigate-100 #
Not applicable

I gather you ticked enable inbound/outbound traffic? Typically you need to enable inbound NAT to allow traffic to go through the tunnel. My .2 cents. Regards, Eric
Not applicable

Yes, I did that; still not passing traffic. The VPN is up according to the monitor and the session table. The most frustrating part is that support has not answered the ticket I opened with them in 5 business days by now. -Harry
Not applicable

I hate it when nobody ever answers the questions in the support dept. I see that you have a manual key setup. Since both show fixed IPs, how about trying aggressive mode and having the Fortinet box receive the Netgear's tunnel? I had so many troubles trying main or manual mode with non-Fortinet boxes. The setup will be: Fortinet, aggressive mode, dial-up user, do local and remote IDs, try the same IPsec and IKE times (28800 both), PFS enabled and no dead peer detection or replay detection. Don't forget the In-Ext policy using the encryption tunnel. Netgear, aggressive mode using all the same ID and encryption data as the FortiGate... My .5 cents..
Not applicable

I upgraded the firmware to the latest MR10 build 456 and the manual keys still did not work. I am now getting it, however, to use the auto mode, and I can establish the Phase 1 connectivity; however, Phase 2 still does not work. I tried playing around with the settings but I am not familiar with how to view the session setup logs for Phase 2 and see where it is failing.
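The `diagnose vpn tunnel list` output in the original post already says where the traffic stops, and the same SA counters answer the Phase 2 question in the reply above (no itdb/otdb pair at all means quick mode never finished). The following is an added example written for this thread, not code from the forum, from Fortinet or from FortiOS: a small Python checker that parses the posted output (embedded below as constructed sample input, addresses masked exactly as posted), flags one-way traffic, checks the runtime SPIs against the manual-key config, and compares both peers' manual-key settings side by side. The Netgear-side values used in the comparison, the finding tags (ONE_WAY, SPI_MISMATCH, ...) and all function names are my own.

```python
import re

# Constructed sample input: the `diagnose vpn tunnel list` output from the original
# post above, one field per line, addresses masked exactly as posted.
SAMPLE_TUNNEL_LIST = """\
tunnel[4]:lexmar2, gateway:69.2.xxx.xxx:500, hub=, option=0
  eroute[2]:{[192.168.1.*]}->{[192.168.6.*]}
  channel[2]:64.60.xxx.xxx,natt=0,state=2,keepalive=0,oif=3
  sa[3]:mtu=1426, cur_bytes=14248, timeout=42623275
  itdb[1]:mtu=1426, cur_bytes=0, cur_packets=0, spi=654321, replay=0
  otdb[1]:mtu=1426, cur_bytes=8704, cur_packets=99, spi=123456, replay=0
"""
# SPIs from the `show vpn ipsec manualkey lexmar2` block in the same post.
SAMPLE_MANUALKEY = {"localspi": "0x654321", "remotespi": "0x123456"}

TDB_RE = re.compile(r"(itdb|otdb)\[\d+\]:.*?cur_bytes=(\d+), cur_packets=(\d+), spi=([0-9a-fA-F]+)")
EROUTE_RE = re.compile(r"eroute\[\d+\]:\{\[(.*?)\]\}->\{\[(.*?)\]\}")
CHANNEL_RE = re.compile(r"channel\[\d+\]:([0-9a-z.]+),natt=(\d+),state=(\d+)")


def _hex(s):
    """Normalise an SPI or key to lower-case hex without a 0x prefix."""
    s = s.lower()
    return s[2:] if s.startswith("0x") else s


def parse_tunnel_list(text):
    """Extract the selector pair (eroute), the channel state and the per-direction
    SA counters (itdb = inbound SA, otdb = outbound SA) from `diagnose vpn tunnel list`."""
    info = {"tdb": {}}
    for line in text.splitlines():
        m = TDB_RE.search(line)
        if m:
            info["tdb"][m.group(1)] = {"bytes": int(m.group(2)),
                                       "packets": int(m.group(3)),
                                       "spi": m.group(4).lower()}
            continue
        m = EROUTE_RE.search(line)
        if m:
            info["local_net"], info["remote_net"] = m.group(1), m.group(2)
            continue
        m = CHANNEL_RE.search(line)
        if m:
            info["local_ip"], info["natt"], info["state"] = m.group(1), int(m.group(2)), int(m.group(3))
    return info


def diagnose(info, manualkey=None):
    """Return findings tagged NO_PHASE2_SA / ONE_WAY / NO_TRAFFIC / SPI_MISMATCH.
    `manualkey` is the localspi/remotespi pair from the config (manual-key tunnels only)."""
    findings = []
    it, ot = info["tdb"].get("itdb"), info["tdb"].get("otdb")
    if it is None or ot is None:
        # No SA pair installed: phase 2 (quick mode) never completed, so nothing can
        # flow however healthy phase 1 looks. Compare selectors, proposals and PFS.
        findings.append("NO_PHASE2_SA: no itdb/otdb entries, quick mode has not produced an SA pair")
        return findings
    if ot["packets"] > 0 and it["packets"] == 0:
        findings.append("ONE_WAY: %d packets encrypted and sent, 0 received; the peer either cannot "
                        "decrypt/authenticate what arrives (keys, SPIs, algorithms) or does not "
                        "route its replies into the tunnel" % ot["packets"])
    elif ot["packets"] == 0 and it["packets"] == 0:
        findings.append("NO_TRAFFIC: nothing entered the tunnel either way; check the policy and "
                        "that the test hosts fall inside %s -> %s"
                        % (info.get("local_net"), info.get("remote_net")))
    if manualkey:
        # localspi is the SPI the FortiGate expects on inbound packets and remotespi the
        # one it puts on outbound packets; the runtime SAs must carry the same values.
        if it["spi"] != _hex(manualkey["localspi"]):
            findings.append("SPI_MISMATCH: inbound SA spi=%s, config localspi=%s" % (it["spi"], manualkey["localspi"]))
        if ot["spi"] != _hex(manualkey["remotespi"]):
            findings.append("SPI_MISMATCH: outbound SA spi=%s, config remotespi=%s" % (ot["spi"], manualkey["remotespi"]))
    return findings


# Key sizes in bytes the manual-key algorithms take (the hex string is twice this).
ENC_KEY_BYTES = {"des": 8, "3des": 24, "aes128": 16, "aes192": 24, "aes256": 32}
AUTH_KEY_BYTES = {"md5": 16, "sha1": 20}


def compare_manual_key_sides(a, b):
    """Compare both peers' manual-key settings as read off each box (dicts with localspi,
    remotespi, enckey, authkey, encryption, authentication). Nothing is negotiated with
    manual keys, so both ends show 'up' even when a key differs by one nibble, and every
    packet from the other side then silently fails the integrity check. The keys must be
    byte-identical and of the algorithm's size, and the SPIs mirrored (a.localspi ==
    b.remotespi and vice versa)."""
    problems = []
    if _hex(a["localspi"]) != _hex(b["remotespi"]) or _hex(a["remotespi"]) != _hex(b["localspi"]):
        problems.append("SPI_NOT_MIRRORED: %s/%s vs %s/%s"
                        % (a["localspi"], a["remotespi"], b["localspi"], b["remotespi"]))
    for field, alg, sizes in (("enckey", "encryption", ENC_KEY_BYTES),
                              ("authkey", "authentication", AUTH_KEY_BYTES)):
        if a[alg] != b[alg]:
            problems.append("%s differs between peers: %s vs %s" % (alg, a[alg], b[alg]))
        if _hex(a[field]) != _hex(b[field]):
            problems.append("%s differs between peers" % field)
        for side in (a, b):
            try:
                got = len(bytes.fromhex(_hex(side[field])))
            except ValueError:
                problems.append("%s is not valid hex on one side" % field)
                continue
            if got != sizes[side[alg]]:
                problems.append("%s is %d bytes, %s needs %d" % (field, got, side[alg], sizes[side[alg]]))
    return problems
```

Run against the posted numbers it reports ONE_WAY: the FortiGate encrypted 99 packets and received none, and the SPIs in the running SAs match the config, so the place to look is the Netgear side (whether it decrypts what arrives, and whether it routes replies for 192.168.1.0/24 into the tunnel) rather than the FortiGate's policy. For the auto-key case in the reply above, an empty SA list means quick mode never completed; on FortiOS the negotiation itself, including the proposal and selectors each side offers, is printed by `diagnose debug application ike -1` once `diagnose debug enable` is set.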
Not applicable

Have you tried a different encryption mode other than AES? None, or MD5/DES?
Not applicable

Hi, just checking: did you forward your NAT from the Netgear over to the firewall? This may be the reason.
pace
New Contributor

Hi, what kind of internet connections do you use? I discovered many problems with PPPoE-based DSL connections triggered by MTU size. For example: Leased Line <-----------> DSL: connection established, but no ICA or RDP sessions across this connection -> we reduced the MTU! Then everything was working normally. BTW, that's not a FortiGate problem :) Regards
Not applicable

This issue was solved by upgrading to build 456 and scaling down the encryption to 3DES in auto key mode. A reboot of both firewalls was required. -Harry
Not applicable

The internet connections were a fractional T1 on the Netgear end and a full T1 on the Fortinet end. Both had static IPs.