Hello, I'm not getting traffic in an ipsec vpn tunnel (HUB-SPOKE). When running the command "diagnose debug flow filter addr 192.168.1.254 192.168.13.254 and" on my HUB I get:
id=20085 trace_id=204199 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface HUB-WAN05, tun_id=0.0.0.0"
id=20085 trace_id=204199 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel HUB-WAN05_0"
id=20085 trace_id=204199 func=ipsec_common_output4 line=778 msg="No matching IPsec selector, drop"
HUB-WAN05 phase2-interface configuration is the same as HUB-WAN04 (HUB-WAN04 works perfectly)
    edit "HUB-WAN04"
        set phase1name "HUB-WAN04"
        set proposal aes256-sha256
        set dhgrp 5
        set replay disable
        set keepalive enable
    next
    edit "HUB-WAN05"
        set phase1name "HUB-WAN05"
        set proposal aes256-sha256
        set dhgrp 5
        set replay disable
        set keepalive enable
    next
on both HUB-WAN04 and HUB-WAN05 the Phase 2 Selectors LOCAL ADDRESS and REMOTE ADDRESS are set to subnet 0.0.0.0/0.0.0.0
When analyzing dialup connection(s) I notice that for HUB-WAN04 the Proxy ID Destination field is set to 0.0.0.0-255.255.255.255 and for HUB-WAN05 the Proxy ID Destination field is set to 10.253.212.2-10.253.212.2 (this is the SPOKE IP of my BRANCH). I believe this is the problem and traffic from 192.168.1.254 to 192.168.13.254 is being blocked, as traffic is only allowed for the SPOKE IP 10.253.212.2.
Any ideas on how to make the Proxy ID Destination of HUB-WAN05 the same as that of HUB-WAN04 (0.0.0.0-255.255.255.255)?
I'm using firmware 7.0.13
> I notice[...] for HUB-WAN05 the Proxy ID Destination field is set to 10.253.212.2-10.253.212.2 (this is the SPOKE IP of my BRANCH).
This is exactly why you get "No matching IPsec selector".
Note the final selectors of an active SA can be narrowed down during negotiations in order to agree with the other side. So if you can inspect the config of the other side, look at what their selector config looks like. If you can't inspect it, tear down the tunnel, enable ike debug, and check what selector offer the other side is sending during a new negotiation.
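To make the selector mismatch above concrete, here is an added example (not part of the original thread, and not Fortinet code) that models the two dialup tunnels' negotiated proxy IDs as address ranges and checks whether a given source/destination pair is covered by any selector, which is the decision behind the "No matching IPsec selector, drop" line in the debug flow. It also parses constructed debug-flow lines in the shape of the ones posted above to pair each drop with the tunnel it was heading for. The selector values, tunnel names and log lines are taken from the post; the helper names and the parsing regexes are my own assumptions.

```python
# Added example, not from the original post: a minimal model of IPsec
# phase 2 traffic selectors (proxy IDs) plus a small parser for
# "diagnose debug flow" output, to show why a flow from 192.168.1.254 to
# 192.168.13.254 matches HUB-WAN04 but is dropped on HUB-WAN05.
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Selector:
    """One negotiated traffic selector as inclusive src/dst address ranges."""
    src_start: ipaddress.IPv4Address
    src_end: ipaddress.IPv4Address
    dst_start: ipaddress.IPv4Address
    dst_end: ipaddress.IPv4Address


def parse_range(text):
    """Parse 'a.b.c.d-e.f.g.h' (as shown in the dialup SA view) into start/end."""
    start, end = text.split("-")
    return ipaddress.IPv4Address(start.strip()), ipaddress.IPv4Address(end.strip())


def make_selector(src_range, dst_range):
    s0, s1 = parse_range(src_range)
    d0, d1 = parse_range(dst_range)
    return Selector(s0, s1, d0, d1)


def selector_matches(sel, src, dst):
    """True when both endpoints fall inside the selector's ranges."""
    src = ipaddress.IPv4Address(src)
    dst = ipaddress.IPv4Address(dst)
    return (sel.src_start <= src <= sel.src_end
            and sel.dst_start <= dst <= sel.dst_end)


def find_matching_selector(selectors, src, dst):
    """Return the first selector covering the flow, or None (the drop case)."""
    for sel in selectors:
        if selector_matches(sel, src, dst):
            return sel
    return None


# Constructed proxy IDs mirroring the two tunnels described in the post:
# HUB-WAN04 negotiated 0.0.0.0/0 both ways, HUB-WAN05 was narrowed on the
# destination side to the spoke's own address.
HUB_WAN04 = [make_selector("0.0.0.0-255.255.255.255", "0.0.0.0-255.255.255.255")]
HUB_WAN05 = [make_selector("0.0.0.0-255.255.255.255", "10.253.212.2-10.253.212.2")]

# Constructed debug-flow lines in the shape of the output posted above.
DEBUG_FLOW_SAMPLE = """\
id=20085 trace_id=204199 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface HUB-WAN05, tun_id=0.0.0.0"
id=20085 trace_id=204199 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel HUB-WAN05_0"
id=20085 trace_id=204199 func=ipsec_common_output4 line=778 msg="No matching IPsec selector, drop"
"""

# Assumed patterns: trace_id ties the lines of one flow together.
TUNNEL_RE = re.compile(r'trace_id=(\d+) .*msg="output to IPSec tunnel ([^"]+)"')
DROP_RE = re.compile(r'trace_id=(\d+) .*msg="No matching IPsec selector, drop"')


def selector_drops(debug_output):
    """Map trace_id -> tunnel name for flows dropped for lack of a selector."""
    tunnel_by_trace = {}
    for line in debug_output.splitlines():
        m = TUNNEL_RE.search(line)
        if m:
            tunnel_by_trace[m.group(1)] = m.group(2)
    drops = {}
    for line in debug_output.splitlines():
        m = DROP_RE.search(line)
        if m:
            drops[m.group(1)] = tunnel_by_trace.get(m.group(1), "unknown")
    return drops


if __name__ == "__main__":
    flow = ("192.168.1.254", "192.168.13.254")
    for name, sels in (("HUB-WAN04", HUB_WAN04), ("HUB-WAN05", HUB_WAN05)):
        hit = find_matching_selector(sels, *flow)
        print(f"{name}: {'match' if hit else 'No matching IPsec selector, drop'}")
    print("dropped flows by tunnel:", selector_drops(DEBUG_FLOW_SAMPLE))
```

The destination check is what fails on HUB-WAN05: 192.168.13.254 lies outside 10.253.212.2-10.253.212.2, while traffic addressed to the spoke itself would still pass, which is consistent with the tunnel looking healthy yet carrying no LAN-to-LAN traffic.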
Thanks for your tip, there really was a wrong configuration on the SPOKE side
Copyright 2024 Fortinet, Inc. All Rights Reserved.