Why would an IPsec tunnel not come up?
I have configured such a tunnel copying a production setup I know to be working.
The symptom I am troubleshooting is why the new tunnel interface remains inactive.
I can ping from the 40F CLI over the internet to the underlay tunnel endpoint (.172)
This is confirmed with traceroute showing path to the internet (192.168.1.1 is the Starlink next hop)
Starlink obviously implements NAT on the way out to the net.
The new tunnel interface remains inactive.
Sniffer trace
diagnose sniffer packet wan 'host 203.57.169.172'
Shows no packets, IKE or otherwise, being sent (or received).
It will show the pings out and back if I ping the .172 tunnel destination as mentioned above.
What am I doing wrong?
Please let me know if you want other CLI/GUI outputs.
Much much appreciate any help.....
Thank you @srajeswaran I do appreciate continued help.
1/2 CLI outputs
Outputs are supplied as requested for the following:
show vpn ipsec phase1-interface
show vpn ipsec phase2-interface
show firewall policy (please share the policy for VPN )
diagnose vpn tunnel list
diagnose vpn tunnel list name <vpn name>
get vpn ipsec stats tunnel
These outputs are not available:
Similar outputs are supplied:
* get ipsec tunnel list (get vpn ipsec tunnel summary)
* get vpn ipsec tunnel details (get vpn ipsec tunnel details)
2/2 Debug outputs
As a courtesy and for completeness' sake I went through the motions of collecting debugs. There was NO output, as expected. I have tried this several times now with no output as a result.
Same with sniffer output. The only sniffer output I ever see is the pings to the far-end underlay address which I generate. Nothing else. No IKE packets, as I would expect from time to time to initiate a connection. Nothing.
When sniffer/debug is running, can you try clearing the tunnel "diagnose vpn ike gateway clear <vpn name>" to make sure the tunnel tries to negotiate and see if there are any outputs in debug?
The output below was taken with added policy rule as requested in later post. See post below - "You also need a policy from your LAN interface"
I left the debugs to run for some time and got this recurring pattern every 15 mins.
You also need a policy from your LAN interface (where your local resources are connected ) to the VPN interface (pri_bms). Please create this policy and the reverse and then run the debug.
I also believe the Phase2 config is incomplete, for example I don't see the dhgroup, not sure if there is a default value.
Please add policy from LAN to pri_bms not LAN to WAN.
Please note the policy setting is yes for working control and no for my new install.
What is the significance?
This was taken after the LAN-WAN policy entry was made above
Hi @slouw ,
Regarding your question:
>>What is the significance?
It means that there is no firewall policy from "LAN" to the IPsec interface "pri_bms". When that firewall policy is missing the FortiGate does not attempt to bring up the tunnel, that is why you cannot see any packet in the packet capture or in the debug logs. Please create such firewall policy and retry to bring up the IPsec tunnel.
Please read the bottom of the article below:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPSec-VPN-issue-with-diagnose-vpn-ik...
Best regards,
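As an added illustration of the fix described in the two replies above (the LAN-to-pri_bms policy plus its reverse, followed by a forced renegotiation while sniffer and IKE debug are running), here is a FortiOS CLI fragment. It is not the poster's configuration or Fortinet's own text: the LAN interface name "internal", the two address objects and their subnets, and the policy names are assumed placeholders; "pri_bms" and the .172 endpoint are the names used in the thread.

```fortios
# Added example, not the poster's configuration. "internal", the address
# objects, their subnets and the policy names are assumed placeholders;
# "pri_bms" is the IPsec interface named in the thread.
config firewall address
    edit "LAN_subnet"
        set subnet 192.168.10.0 255.255.255.0   # placeholder local subnet
    next
    edit "BMS_remote_subnet"
        set subnet 10.20.30.0 255.255.255.0     # placeholder remote subnet
    next
end

# Outbound: LAN -> tunnel interface. Per the replies above, without a policy
# whose dstintf is the IPsec interface the FortiGate never tries to bring the
# tunnel up, which is why the sniffer and debug stayed empty. A LAN -> WAN
# policy does not satisfy this.
config firewall policy
    edit 0
        set name "LAN-to-pri_bms"
        set srcintf "internal"
        set dstintf "pri_bms"
        set srcaddr "LAN_subnet"
        set dstaddr "BMS_remote_subnet"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Reverse direction: tunnel interface -> LAN
    edit 0
        set name "pri_bms-to-LAN"
        set srcintf "pri_bms"
        set dstintf "internal"
        set srcaddr "BMS_remote_subnet"
        set dstaddr "LAN_subnet"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Verification: capture IKE (UDP 500, and 4500 for NAT-T behind the Starlink
# NAT) on the WAN interface while forcing the gateway to renegotiate.
diagnose sniffer packet wan 'host 203.57.169.172 and (udp port 500 or udp port 4500)' 4
diagnose debug application ike -1
diagnose debug enable
diagnose vpn ike gateway clear pri_bms
diagnose vpn tunnel list name pri_bms
diagnose debug disable
diagnose debug reset
```

With both policies in place, `diagnose vpn ike gateway clear` should be followed by outbound IKE_SA_INIT packets in the sniffer and negotiation lines in the IKE debug; if the sniffer still shows nothing, the policy is the first thing to re-check (interface names must match the tunnel interface exactly, and the policy must be enabled).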
Eureka!
We have debugs!!!!
Thanks to all who helped, very grateful, thank you.
Case closed