Why does my new tunnel interface not come up or at least try and negotiate?
Why would an IPsec tunnel not come up?
I have configured such a tunnel, copying a production setup I know to be working.
The symptom I am troubleshooting is why the new tunnel interface remains inactive.
I can ping from the 40F CLI over the internet to the underlay tunnel endpoint (.172).
This is confirmed with traceroute showing the path to the internet (192.168.1.1 is the Starlink next hop).
Starlink obviously implements NAT on the way out to the net.
The new tunnel interface remains inactive.
Sniffer trace
diagnose sniffer packet wan 'host 203.57.169.172'
shows no packets, IKE or otherwise, being sent (or received).
It will show the pings out and back if I ping the .172 tunnel destination as mentioned above.
What am I doing wrong?
Please let me know if you want other CLI/GUI outputs.
Much, much appreciate any help.
Labels: FortiGate
Hi @slouw ,
Regarding your question:
>>What is the significance?
It means that there is no firewall policy from "LAN" to the IPsec interface "pri_bms". When that firewall policy is missing, the FortiGate does not attempt to bring up the tunnel; that is why you cannot see any packet in the packet capture or in the debug logs. Please create such a firewall policy and retry to bring up the IPsec tunnel.
Please read the bottom of the article below:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPSec-VPN-issue-with-diagnose-vpn-ik...
Best regards,
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
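As an added example (not from the thread, the poster's config or Fortinet's documentation): a FortiOS CLI fragment with the policy pair the accepted answer says is missing, LAN to pri_bms and the reverse, followed by the checks used earlier in the thread to confirm the FortiGate now initiates IKE. The interface names LAN and pri_bms and the peer address 203.57.169.172 are from the thread; the address objects LAN_subnet and Remote_subnet, the policy names and the phase2 name are assumptions.

```fortios
# Added example, not the poster's config. LAN_subnet and Remote_subnet are
# assumed to be existing address objects. Without a policy whose srcintf or
# dstintf is the IPsec interface, the FortiGate never initiates IKE, so the
# sniffer and the ike debug stay empty (the symptom in this thread).
config firewall policy
    edit 0
        set name "LAN-to-pri_bms"
        set srcintf "LAN"
        set dstintf "pri_bms"
        set srcaddr "LAN_subnet"
        set dstaddr "Remote_subnet"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "pri_bms-to-LAN"
        set srcintf "pri_bms"
        set dstintf "LAN"
        set srcaddr "Remote_subnet"
        set dstaddr "LAN_subnet"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Optional: negotiate without waiting for LAN traffic to match the policy.
# Phase2 name "pri_bms" is an assumption; use the name from
# "show vpn ipsec phase2-interface".
config vpn ipsec phase2-interface
    edit "pri_bms"
        set auto-negotiate enable
    next
end

# Verification: force a fresh negotiation while watching IKE on the underlay.
# Port 4500 is included because the Starlink NAT will push IKE to NAT-T.
diagnose debug application ike -1
diagnose debug enable
diagnose vpn ike gateway clear pri_bms
diagnose sniffer packet wan 'host 203.57.169.172 and (port 500 or port 4500)' 4
diagnose vpn tunnel list name pri_bms
diagnose debug disable
diagnose debug reset
```

Both policies are needed only for traffic in both directions; the first one alone is enough to make the FortiGate start IKE.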
Thank you @srajeswaran, I do appreciate the continued help.
1/2 CLI outputs
Outputs are supplied as requested for the following:
show vpn ipsec phase1-interface
show vpn ipsec phase2-interface
show firewall policy (please share the policy for VPN )
diagnose vpn tunnel list
diagnose vpn tunnel list name <vpn name>
get vpn ipsec stats tunnel
These outputs are not available:
Similar outputs are supplied:
* get ipsec tunnel list (get vpn ipsec tunnel summary)
* get vpn ipsec tunnel details (get vpn ipsec tunnel details)
2/2 Debug outputs
As a courtesy and for completeness' sake I went through the motions of collecting debugs. There was NO output, as expected. I have tried this several times now with no output as a result.
Same with sniffer output. The only sniffer output I ever see is the pings to the far-end underlay address which I generate. Nothing else. No IKE packets, as I would expect from time to time to initiate a connection. Nothing.
When sniffer/debug is running, can you try clearing the tunnel "diagnose vpn ike gateway clear <vpn name>" to make sure the tunnel tries to negotiate and see if there are any outputs in debug?
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
>>When sniffer/debug is running, can you try clearing the tunnel "diagnose vpn ike gateway clear <vpn name>" to make sure the tunnel tries to negotiate and see if there are any outputs in debug?
The output below was taken with added policy rule as requested in later post. See post below - "You also need a policy from your LAN interface"
I left the debugs to run for some time and got this recurring pattern every 15 mins
You also need a policy from your LAN interface (where your local resources are connected) to the VPN interface (pri_bms). Please create this policy and the reverse and then run the debug.
I also believe the Phase2 config is incomplete, for example I don't see the dhgroup, not sure if there is a default value.
Suraj
Please add policy from LAN to pri_bms not LAN to WAN.
Suraj
Please note the policy setting is yes for working control and no for my new install.
What is the significance?
This was taken after the LAN-WAN policy entry was made, as above.
Eureka!
We have debugs!!!!
Thanks to all who helped, very grateful, thank you.
Case closed