IPsec Tunnels between datacenters: FR4 - MUC



IPsec tunnel config 
DC_EQX_MUC # show full-configuration vpn ipsec phase1-interface MU3-FR4_1
config vpn ipsec phase1-interface
    edit "MU3-FR4_1"
        set type static
        set interface "wan1"
        set ip-version 4
        set ike-version 2
        set local-gw 0.0.0.0
        set keylife 86400
        set authmethod psk
        unset authmethod-remote
        set peertype any
        set net-device disable
        set passive-mode disable
        set exchange-interface-ip disable
        set aggregate-member enable
        set aggregate-weight 10
        set mode-cfg disable
        set proposal aes256-sha256
        set localid ''
        set localid-type auto
        set auto-negotiate enable
        set negotiate-timeout 30
        set fragmentation enable
        set ip-fragmentation post-encapsulation
        set dpd on-demand
        set forticlient-enforcement disable
        set comments ''
        set npu-offload enable
        set dhgrp 31 30 29
        set suite-b disable
        set eap disable
        set ppk disable
        set wizard-type custom
        set reauth disable
        set idle-timeout disable
        set ha-sync-esp-seqno enable
        set encapsulation none
        set nattraversal enable
        set fragmentation-mtu 1200
        set childless-ike disable
        set rekey enable
        set network-overlay disable
        set remote-gw 88.84.138.2
        set monitor ''
        set tunnel-search selectors
        set add-gw-route disable
        set psksecret ENC e1f3+xq3V5wDfWOfD/BWQUMBwXD3fzbdWs5bAuiRErHGvvM3g99PBzV23WmBZEJ6d0/jBmWCMrobtIT6grikBxu3YOj8GGliYJDqvxszhLe6LdV/0Z4xEIWhZF2cPQvd5dHzcGsMo/9711uZ1z5gvKBNgZbJXBE1lplBPBMyRedKSRmwwGzuaoDHT+ReUI7XI8n09A==
        set keepalive 10
        set dpd-retrycount 3
        set dpd-retryinterval 10
    next
end
DC_EQX_MUC # show  full-configuration  vpn  ipsec  phase2-interface  MU3-FR4_1
config vpn ipsec phase2-interface
    edit "MU3-FR4_1"
        set phase1name "MU3-FR4_1"
        set proposal aes256-sha256
        set pfs enable
        set ipv4-df disable
        set dhgrp 31 30 29
        set replay enable
        set keepalive enable
        set auto-negotiate disable
        set auto-discovery-sender phase1
        set auto-discovery-forwarder phase1
        set keylife-type seconds
        set encapsulation tunnel-mode
        set comments ''
        set initiator-ts-narrow disable
        set diffserv disable
        set protocol 0
        set src-addr-type subnet
        set src-port 0
        set dst-addr-type subnet
        set dst-port 0
        set keylifeseconds 3600
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end


DC_EQX_FFM_1 # show full-configuration vpn ipsec phase1-interface FR4-MU3_1
config vpn ipsec phase1-interface
    edit "FR4-MU3_1"
        set type static
        set interface "wan1"
        set ip-version 4
        set ike-version 2
        set local-gw 0.0.0.0
        set keylife 86400
        set authmethod psk
        unset authmethod-remote
        set peertype any
        set net-device disable
        set passive-mode disable
        set exchange-interface-ip disable
        set aggregate-member enable
        set aggregate-weight 10
        set mode-cfg disable
        set proposal aes256-sha256
        set localid ''
        set localid-type auto
        set auto-negotiate enable
        set negotiate-timeout 30
        set fragmentation enable
        set ip-fragmentation post-encapsulation
        set dpd on-demand
        set forticlient-enforcement disable
        set comments ''
        set npu-offload enable
        set dhgrp 31 30 29
        set suite-b disable
        set eap disable
        set ppk disable
        set wizard-type custom
        set reauth disable
        set idle-timeout disable
        set ha-sync-esp-seqno enable
        set encapsulation none
        set nattraversal enable
        set fragmentation-mtu 1200
        set childless-ike disable
        set rekey enable
        set network-overlay disable
        set remote-gw 89.202.64.10
        set monitor ''
        set tunnel-search selectors
        set add-gw-route disable
        set psksecret ENC UWQTsWypan2znHtID5kyjCZYYjOae69q3qIEZshHrRmO3l1Yqy8UhwVUt/3gkF7SnKDhuYXmKN6tuhU3bh+aJKX682cbq8iZXdx9gwgZt1U4Lf1ueknli8vSiainCXGlyaiUmgVPyTue4NtvZeCtpIZ1NpHwGM3gqDsrOTeP9OzJsN2f3xrjm9sq7ofogj7nqwBtrA==
        set keepalive 10
        set dpd-retrycount 3
        set dpd-retryinterval 10
    next
end

DC_EQX_FFM_1 # show full-configuration vpn ipsec phase2-interface FR4-MU3_1
config vpn ipsec phase2-interface
    edit "FR4-MU3_1"
        set phase1name "FR4-MU3_1"
        set proposal aes256-sha256
        set pfs enable
        set ipv4-df disable
        set dhgrp 31 30 29
        set replay enable
        set keepalive enable
        set auto-negotiate disable
        set auto-discovery-sender phase1
        set auto-discovery-forwarder phase1
        set keylife-type seconds
        set encapsulation tunnel-mode
        set comments ''
        set initiator-ts-narrow disable
        set diffserv disable
        set protocol 0
        set src-addr-type subnet
        set src-port 0
        set dst-addr-type subnet
        set dst-port 0
        set keylifeseconds 3600
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end


IPsec debugging
DC_EQX_MUC # diagnose vpn tunnel list name MU3-FR4_2
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=MU3-FR4_2 ver=2 serial=1 89.202.64.14:0->88.84.138.6:0 dst_mtu=1500
bound_if=8 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/4608 options[1200]=frag-rfc  run_state=1 accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=9 ilast=0 olast=0 ad=/0
stat: rxp=1924626 txp=1657165 rxb=1541366680 txb=412337647
dpd: mode=on-demand on=1 idle=10000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=MU3-FR4_2 proto=0 sa=1 ref=4 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=10227 type=00 soft=0 mtu=1438 expire=1302/0B replaywin=1024
       seqno=82b esn=0 replaywin_lastseq=0000082b itn=0 qat=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=3328/3600
  dec: spi=06cdb02f esp=aes key=32 6155976512d9466554481e6d5a34c66eded59ab5233a66c442d90c4319053f6b
       ah=sha256 key=32 6d4c0107b42e70117cf39d2cf6d33efa9173443d9ea373578e5c06b087051965
  enc: spi=9c198c40 esp=aes key=32 f9faae1d52407ff1540070de7d5304a985233d82a6f6ee6f52361a514142259e
       ah=sha256 key=32 73a41c086d739aec97d9a8b0224d2bcdec5814d3dd35fda2d25d399df64e54a3
  dec:pkts/bytes=2090/538912, enc:pkts/bytes=2090/580056
  npu_flag=00 npu_rgwy=88.84.138.6 npu_lgwy=89.202.64.14 npu_selid=1 dec_npuid=0 enc_npuid=0
run_tally=0

DC_EQX_MUC # diagnose vpn tunnel list name MU3-FR4_1
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=MU3-FR4_1 ver=2 serial=5 89.202.64.10:0->88.84.138.2:0 dst_mtu=0
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/4608 options[1200]=frag-rfc  run_state=0 accept_traffic=0 overlay_id=0

proxyid_num=1 child_num=0 refcnt=5 ilast=6 olast=6 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=10000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=MU3-FR4_1 proto=0 sa=0 ref=1 serial=5
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
run_tally=0

DC_EQX_FFM_1 # diagnose vpn tunnel list name FR4-MU3_2
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=FR4-MU3_2 ver=2 serial=4 88.84.138.6:0->89.202.64.14:0 dst_mtu=1500
bound_if=8 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/4608 options[1200]=frag-rfc  run_state=1 accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=9 ilast=0 olast=0 ad=/0
stat: rxp=1911094 txp=2200733 rxb=474668424 txb=1496379121
dpd: mode=on-demand on=1 idle=10000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=FR4-MU3_2 proto=0 sa=1 ref=3 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=10227 type=00 soft=0 mtu=1438 expire=1251/0B replaywin=1024
       seqno=845 esn=0 replaywin_lastseq=00000844 itn=0 qat=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=3302/3600
  dec: spi=9c198c40 esp=aes key=32 f9faae1d52407ff1540070de7d5304a985233d82a6f6ee6f52361a514142259e
       ah=sha256 key=32 73a41c086d739aec97d9a8b0224d2bcdec5814d3dd35fda2d25d399df64e54a3
  enc: spi=06cdb02f esp=aes key=32 6155976512d9466554481e6d5a34c66eded59ab5233a66c442d90c4319053f6b
       ah=sha256 key=32 6d4c0107b42e70117cf39d2cf6d33efa9173443d9ea373578e5c06b087051965
  dec:pkts/bytes=2097/278408, enc:pkts/bytes=2116/704400
  npu_flag=00 npu_rgwy=89.202.64.14 npu_lgwy=88.84.138.6 npu_selid=6 dec_npuid=0 enc_npuid=0
run_tally=0

DC_EQX_FFM_1 # diagnose vpn tunnel list name FR4-MU3_1
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=FR4-MU3_1 ver=2 serial=9 88.84.138.2:0->89.202.64.10:0 dst_mtu=0
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/4608 options[1200]=frag-rfc  run_state=0 accept_traffic=0 overlay_id=0

proxyid_num=1 child_num=0 refcnt=5 ilast=23 olast=23 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=10000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=FR4-MU3_1 proto=0 sa=0 ref=1 serial=5
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
run_tally=0


DC_EQX_MUC # diagnose debug application ike -1
DC_EQX_MUC # diagnose debug enable
DC_EQX_MUC # diagnose vpn ike filter dst-addr4  88.84.138.2
ike 0:MU3-FR4_1: schedule auto-negotiate
ike 0:MU3-FR4_1: auto-negotiate connection
ike 0:MU3-FR4_1: created connection: 0x565d240 7 89.202.64.10->88.84.138.2:500.
ike 0:MU3-FR4_1:MU3-FR4_1: chosen to populate IKE_SA traffic-selectors
ike 0:MU3-FR4_1: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
ike 0:MU3-FR4_1:49541: out 20E0C1A26060C47B00000000000000002120220800000000000000E8220000400000003C010100060300000C0100000C800E01000300000802000005030000080300000C030000080400001D030000080400001E000000080400001F28000028001F00002F38A0E88D2872249FAAD55D6C46E2B8BEA74F90FD1B777B49CED24F2A1E8E0529000024977A3360A959BCEB9930AF1FBAD8A719BB49DEEE573F60407E18011A97F17CC82900001C0000400460B18F90774AC9570621378F682813704470CCF82900001C00004005A6EE8806E32C7DC9F5B96D8E716B2BF858A17E6D000000080000402E
ike 0:MU3-FR4_1:49541: sent IKE msg (SA_INIT): 89.202.64.10:500->88.84.138.2:500, len=232, id=20e0c1a26060c47b/0000000000000000
ike 0:MU3-FR4_1:49541: out 20E0C1A26060C47B00000000000000002120220800000000000000E8220000400000003C010100060300000C0100000C800E01000300000802000005030000080300000C030000080400001D030000080400001E000000080400001F28000028001F00002F38A0E88D2872249FAAD55D6C46E2B8BEA74F90FD1B777B49CED24F2A1E8E0529000024977A3360A959BCEB9930AF1FBAD8A719BB49DEEE573F60407E18011A97F17CC82900001C0000400460B18F90774AC9570621378F682813704470CCF82900001C00004005A6EE8806E32C7DC9F5B96D8E716B2BF858A17E6D000000080000402E
ike 0:MU3-FR4_1:49541: sent IKE msg (RETRANSMIT_SA_INIT): 89.202.64.10:500->88.84.138.2:500, len=232, id=20e0c1a26060c47b/0000000000000000
ike 0:MU3-FR4_1:49541: out 20E0C1A26060C47B00000000000000002120220800000000000000E8220000400000003C010100060300000C0100000C800E01000300000802000005030000080300000C030000080400001D030000080400001E000000080400001F28000028001F00002F38A0E88D2872249FAAD55D6C46E2B8BEA74F90FD1B777B49CED24F2A1E8E0529000024977A3360A959BCEB9930AF1FBAD8A719BB49DEEE573F60407E18011A97F17CC82900001C0000400460B18F90774AC9570621378F682813704470CCF82900001C00004005A6EE8806E32C7DC9F5B96D8E716B2BF858A17E6D000000080000402E
ike 0:MU3-FR4_1:49541: sent IKE msg (RETRANSMIT_SA_INIT): 89.202.64.10:500->88.84.138.2:500, len=232, id=20e0c1a26060c47b/0000000000000000
ike 0:MU3-FR4_1:49541: out 20E0C1A26060C47B00000000000000002120220800000000000000E8220000400000003C010100060300000C0100000C800E01000300000802000005030000080300000C030000080400001D030000080400001E000000080400001F28000028001F00002F38A0E88D2872249FAAD55D6C46E2B8BEA74F90FD1B777B49CED24F2A1E8E0529000024977A3360A959BCEB9930AF1FBAD8A719BB49DEEE573F60407E18011A97F17CC82900001C0000400460B18F90774AC9570621378F682813704470CCF82900001C00004005A6EE8806E32C7DC9F5B96D8E716B2BF858A17E6D000000080000402E
ike 0:MU3-FR4_1:49541: sent IKE msg (RETRANSMIT_SA_INIT): 89.202.64.10:500->88.84.138.2:500, len=232, id=20e0c1a26060c47b/0000000000000000
ike 0: comes 212.114.240.14:500->89.202.64.14:500,ifindex=8....
ike 0: IKEv2 exchange=INFORMATIONAL id=cb85a79f368b4b81/1922a6f304dbd33a:00000622 len=80
ike 0: in CB85A79F368B4B811922A6F304DBD33A2E2025000000062200000050000000343167BA39CF3E6C7502EC425EAD2637C96F19B485932F0A4E3B571131E90EA59FBAD24DD1019DE2DF1F841367E97E290D
ike 0:MU3-HQ_3:47893: dec CB85A79F368B4B811922A6F304DBD33A2E202500000006220000002000000004
ike 0:MU3-HQ_3:47893: received informational request
ike 0:MU3-HQ_3:47893: enc 0F0E0D0C0B0A0908070605040302010F
ike 0:MU3-HQ_3:47893: out CB85A79F368B4B811922A6F304DBD33A2E202528000006220000005000000034BB6795E24BFAD1F1141FD78C11B66FEBC2F0538989B94D0A02541521F2A9E902EFFD29475DF130E389A93FCB40DF7D30
ike 0:MU3-HQ_3:47893: sent IKE msg (INFORMATIONAL_RESPONSE): 89.202.64.14:500->212.114.240.14:500, len=80, id=cb85a79f368b4b81/1922a6f304dbd33a:00000622
ike 0:MU3-FR4_1:49541: negotiation timeout, deleting
ike 0:MU3-FR4_1: connection expiring due to phase1 down
ike 0:MU3-FR4_1: deleting
ike 0:MU3-FR4_1: deleted




DC_EQX_FFM_1 # diagnose debug application ike -1
DC_EQX_FFM_1 # diagnose vpn ike filter dst-addr4 89.202.64.10
DC_EQX_FFM_1 # diagnose debug enable
ike 0:FR4-MU3_1:76657: negotiation timeout, deleting
ike 0:FR4-MU3_1: connection expiring due to phase1 down
ike 0:FR4-MU3_1: deleting
ike 0:FR4-MU3_1: deleted
ike 0:FR4-MU3_1: schedule auto-negotiate
ike 0:FR4-HQ_1: HA IPsec send ESP seqno 66890
ike 0:FR4-MU3_1: auto-negotiate connection
ike 0:FR4-MU3_1: created connection: 0x56717c0 7 88.84.138.2->89.202.64.10:500.
ike 0:FR4-MU3_1:FR4-MU3_1: chosen to populate IKE_SA traffic-selectors
ike 0:FR4-MU3_1: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
ike 0:FR4-MU3_1:76659: out 8BA31B4805CEE41B00000000000000002120220800000000000000E8220000400000003C010100060300000C0100000C800E01000300000802000005030000080300000C030000080400001D030000080400001E000000080400001F28000028001F0000EF3BF269C05397A09EE70EFD9BCF2DE295C0CCB421F8202C1EB9CCA0A6965C192900002482AE07951123FA6F9905BDF6DE468210E8FEA30C20747D86EF8E68B6DD5192392900001C0000400482B233A4189482848E7334F3442B20CD7DA9C6612900001C00004005E1D66D2A028D0381A4FB3891FD62DBD20C884DE6000000080000402E
ike 0:FR4-MU3_1:76659: sent IKE msg (SA_INIT): 88.84.138.2:500->89.202.64.10:500, len=232, id=8ba31b4805cee41b/0000000000000000
ike shrank heap by 159744 bytes
ike 0:FR4-MU3_1:76659: out 8BA31B4805CEE41B00000000000000002120220800000000000000E8220000400000003C010100060300000C0100000C800E01000300000802000005030000080300000C030000080400001D030000080400001E000000080400001F28000028001F0000EF3BF269C05397A09EE70EFD9BCF2DE295C0CCB421F8202C1EB9CCA0A6965C192900002482AE07951123FA6F9905BDF6DE468210E8FEA30C20747D86EF8E68B6DD5192392900001C0000400482B233A4189482848E7334F3442B20CD7DA9C6612900001C00004005E1D66D2A028D0381A4FB3891FD62DBD20C884DE6000000080000402E
ike 0:FR4-MU3_1:76659: sent IKE msg (RETRANSMIT_SA_INIT): 88.84.138.2:500->89.202.64.10:500, len=232, id=8ba31b4805cee41b/0000000000000000