Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mateusguilherme
New Contributor II

No traffic in IPsec VPN tunnel (HUB-SPOKE)

Hello, I'm not getting traffic in an IPsec VPN tunnel (HUB-SPOKE). When running the command "diagnose debug flow filter addr 192.168.1.254 192.168.13.254 and" on my HUB I get:

id=20085 trace_id=204199 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface HUB-WAN05, tun_id=0.0.0.0"
id=20085 trace_id=204199 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel HUB-WAN05_0"
id=20085 trace_id=204199 func=ipsec_common_output4 line=778 msg="No matching IPsec selector, drop"

HUB-WAN05 phase2-interface configuration is the same as HUB-WAN04 (HUB-WAN04 works perfectly)

edit "HUB-WAN04"
    set phase1name "HUB-WAN04"
    set proposal aes256-sha256
    set dhgrp 5
    set replay disable
    set keepalive enable
next

edit "HUB-WAN05"
    set phase1name "HUB-WAN05"
    set proposal aes256-sha256
    set dhgrp 5
    set replay disable
    set keepalive enable
next

On both HUB-WAN04 and HUB-WAN05 the Phase 2 Selectors LOCAL ADDRESS and REMOTE ADDRESS are set to subnet 0.0.0.0/0.0.0.0.

When analyzing dialup connection(s) I notice that for HUB-WAN04 the Proxy ID Destination field is set to 0.0.0.0-255.255.255.255 and for HUB-WAN05 the Proxy ID Destination field is set to 10.253.212.2-10.253.212.2 (this is the SPOKE IP of my BRANCH). I believe this is the problem and traffic from 192.168.1.254 to 192.168.13.254 is being blocked, as traffic is only allowed for the SPOKE IP 10.253.212.2.

Any ideas on how to make the Proxy ID Destination of HUB-WAN05 the same as that of HUB-WAN04 (0.0.0.0-255.255.255.255)?

I'm using firmware 7.0.13.

1 Solution
pminarik
Staff

 I notice[...] for HUB-WAN05 the Proxy ID Destination field is set to 10.253.212.2-10.253.212.2 (this is the SPOKE IP of my BRANCH).

This is exactly why you get "No matching IPsec selector".

Note the final selectors of an active SA can be narrowed down during negotiations in order to agree with the other side. So if you can inspect the config of the other side, look at what their selector config looks like. If you can't inspect it, tear down the tunnel, enable ike debug, and check what selector offer the other side is sending during a new negotiation.

[ corrections always welcome ]

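As an added illustration (not code from the thread or from Fortinet), this Python model applies the narrowing rule pminarik describes: each side's traffic selectors are intersected (RFC 7296 section 2.9), so a spoke that offers only its own tunnel IP 10.253.212.2/32 as its local selector narrows the HUB's Proxy ID Destination to a single host, and the HUB then has no selector for 192.168.1.254 to 192.168.13.254. The spoke-side selector values are assumed from the symptom, not taken from its configuration.

```python
"""IKEv2 traffic-selector narrowing (RFC 7296 s.2.9): why HUB-WAN05 drops the flow."""
import ipaddress
from typing import NamedTuple, Optional

class Range(NamedTuple):
    """IPv4 address range, as carried in an IKEv2 TS_IPV4_ADDR_RANGE."""
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address

    def __str__(self) -> str:
        return f"{self.first}-{self.last}"

def subnet_range(subnet: str) -> Range:
    """Turn a FortiOS-style 'addr/mask' selector into an address range."""
    net = ipaddress.ip_network(subnet, strict=False)
    return Range(net.network_address, net.broadcast_address)

def narrow(proposed: Range, policy: Range) -> Optional[Range]:
    """Intersect the peer's proposed selector with our own; None if disjoint."""
    first, last = max(proposed.first, policy.first), min(proposed.last, policy.last)
    return Range(first, last) if first <= last else None

class ChildSA(NamedTuple):
    name: str
    local: Range   # Proxy ID Source as shown on the HUB
    remote: Range  # Proxy ID Destination as shown on the HUB

def negotiate(name, hub_local, hub_remote, spoke_local, spoke_remote) -> ChildSA:
    """HUB view: its local TS meets the spoke's remote TS, and vice versa."""
    local = narrow(subnet_range(spoke_remote), subnet_range(hub_local))
    remote = narrow(subnet_range(spoke_local), subnet_range(hub_remote))
    if local is None or remote is None:
        raise ValueError("TS_UNACCEPTABLE: selectors do not overlap")
    return ChildSA(name, local, remote)

def selector_matches(sa: ChildSA, src: str, dst: str) -> bool:
    """Would ipsec_common_output4 on the HUB find a selector for this flow?"""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return sa.local.first <= s <= sa.local.last and sa.remote.first <= d <= sa.remote.last

ANY = "0.0.0.0/0.0.0.0"  # the OP's phase 2 selector on both HUB interfaces
# Spoke-side values are assumed: the HUB-WAN05 spoke offers only its own
# tunnel IP as local selector, which is what narrows the HUB's Proxy ID dst.
HUB_WAN04 = negotiate("HUB-WAN04", ANY, ANY, ANY, ANY)
HUB_WAN05 = negotiate("HUB-WAN05", ANY, ANY, "10.253.212.2/32", ANY)

if __name__ == "__main__":
    for sa in (HUB_WAN04, HUB_WAN05):
        ok = selector_matches(sa, "192.168.1.254", "192.168.13.254")
        print(f"{sa.name}: Proxy ID dst {sa.remote}: "
              f"{'forward' if ok else 'No matching IPsec selector, drop'}")
```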

2 REPLIES 2
mateusguilherme

Thanks for your tip; there really was a wrong configuration on the SPOKE side.
