Why would an IPsec tunnel not come up?
I have configured such a tunnel copying a production setup I know to be working.
The symptom I am troubleshooting is why the new tunnel interface remains inactive.
I can ping from the 40F CLI over the internet to the underlay tunnel endpoint (.172).
This is confirmed with a traceroute showing the path to the internet (192.168.1.1 is the Starlink next hop).
Starlink obviously implements NAT on the way out to the net.
The new tunnel interface remains inactive.
Sniffer trace:
diagnose sniffer packet wan 'host 203.57.169.172'
This shows no packets, IKE or otherwise, being sent (or received).
It will show the pings out and back if I ping the .172 tunnel destination as mentioned above.
What am I doing wrong?
Please let me know if you want other CLI/GUI outputs.
Much much appreciate any help.....
Hi @slouw ,
Regarding your question:
>>What is the significance?
It means that there is no firewall policy from "LAN" to the IPsec interface "pri_bms". When that firewall policy is missing, the FortiGate does not attempt to bring up the tunnel, which is why you cannot see any packets in the packet capture or in the debug logs. Please create such a firewall policy and retry bringing up the IPsec tunnel.
Please read the bottom of the article below:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPSec-VPN-issue-with-diagnose-vpn-ik...
Best regards,
Can you ping/reach the remote gateway? You may follow the troubleshooting steps in the article below to begin.
Please let us know at which stage your tunnel is stuck and then we can check further. I would recommend that you check the VPN configuration is matching on both sides as a first step.
Since
1. the tunnel state is inactive/down; and
2. there is no attempt to dial out and initiate IKE,
I end up quickly at step 4 of the above-mentioned troubleshooting guide. See below.
Please note the question in this post is very specific: why will my tunnel interface not come up? It remains down.
Thanking you.....
One reason could be that there is no interesting traffic towards the tunnel. Can you initiate a ping towards the remote site's protected resources and check if the tunnel comes up? Please make sure there is a policy allowing traffic via the tunnel interface.
It's not clear if auto-negotiate is enabled; please enable it to bring up the tunnel automatically.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Set-the-FortiGate-unit-to-bring-up-IPSec-V...
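As an added example (not from this thread, and not Fortinet's own configuration), here are the two pieces the replies above point to, in FortiOS CLI: a firewall policy from the LAN to the "pri_bms" tunnel interface, and auto-negotiate on the phase2 selector so the FortiGate initiates IKE on its own instead of waiting for matching traffic. The interface name "lan", the address objects and the subnets are assumed placeholders; "pri_bms" is the tunnel name from the thread.

```fortios
# Constructed example. Address objects for the local and remote protected
# networks (both subnets are assumed placeholders).
config firewall address
    edit "LAN_net"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "BMS_remote_net"
        set subnet 10.20.0.0 255.255.255.0
    next
end

# Phase2 selector bound to the existing "pri_bms" phase1. auto-negotiate makes
# the FortiGate bring the tunnel up and keep it up without waiting for traffic
# to trigger IKE.
config vpn ipsec phase2-interface
    edit "pri_bms"
        set phase1name "pri_bms"
        set auto-negotiate enable
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 10.20.0.0 255.255.255.0
    next
end

# Route the remote subnet into the tunnel interface so LAN traffic for it is
# "interesting" and is steered at the tunnel.
config router static
    edit 0
        set dst 10.20.0.0 255.255.255.0
        set device "pri_bms"
    next
end

# The policy the accepted answer says is missing: LAN -> pri_bms. Without a
# policy referencing the tunnel interface the FortiGate never attempts IKE,
# which matches the empty sniffer trace. Narrow service/addresses to what the
# site actually needs rather than leaving ALL in production.
config firewall policy
    edit 0
        set name "LAN-to-pri_bms"
        set srcintf "lan"
        set dstintf "pri_bms"
        set srcaddr "LAN_net"
        set dstaddr "BMS_remote_net"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

A matching reverse policy (srcintf "pri_bms", dstintf "lan") is normally also needed for sessions initiated from the remote side. After applying, "diagnose vpn ike gateway list" or the sniffer filter from the question should now show IKE traffic to the peer.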
This is not solved!
Sorry I cannot see how to "Unsolve" this post.
My bad.
Thanks @srajeswaran, I have tried this but no change.
Hello
Sometimes the selectors show as down when you check the tunnel status.
get vpn ipsec tunnel summary
Please check this output and check if tunnel is up or not.
Mayank Sharma
Hi @slouw,
Since there are no traffic/debug outputs, please make sure the interface is correct. I see the working one is using wan2 and the new one is using wan. Please make sure the FortiGate can reach the remote peer via the wan interface. You can run this command to verify the static route: "get router info routing-table detail 203.57.169.172".
Regards,
>>Since there is no traffic/debug outputs. Please make sure the interface is correct.
>>I see the working one is using wan2 and the new one is using wan.
I confirm the control setup does indeed use interface wan2 whereas my broken test setup uses wan.
>>Please make sure FortiGate can reach the remote peer via wan interface.
Is the evidence below sufficient evidence that the underlay far end is available via the internet?
This ping is travelling out over a Starlink unit and back over the internet.
>>You can run this command to verify the static route "get router info routing-table detail 203.57.169.172".
See below.
Can you share the below outputs?
show vpn ipsec phase1-interface
show vpn ipsec phase2-interface
show firewall policy (please share the policy for the VPN)
diagnose vpn tunnel list
diagnose vpn tunnel list name <vpn name>
get ipsec tunnel list
get vpn ipsec tunnel details
get vpn ipsec stats tunnel
Then collect debug as below.
diagnose vpn ike log filter clear
diagnose vpn ike log filter dst_addr4 <peer IP>
diagnose debug application ike -1
diagnose debug enable
diagnose vpn ike gateway clear <vpn name>
Once you see the logs, disable debug.
diagnose debug disable
Copyright 2024 Fortinet, Inc. All Rights Reserved.