I am having issues with my IPsec VPN not working. What I have boiled it down to is this: when I try to send a ping from my computer to the firewall (B) using the internal interface IP on the other side of the VPN, the firewall (A) I am behind does not forward the packet to the WAN interface. Here is the flow trace, filtered to the internal address of firewall (B), from the CLI of firewall (A):
The VPN appears to randomly stop working. Sometimes after a while it works.
id=20085 trace_id=25 func=print_pkt_detail line=5617 msg="vd-root:0 received a packet(proto=1, 10.0.0.83:1->10.2.0.254:2048) from internal. type=8, code=0, id=1, seq=18205."
id=20085 trace_id=25 func=init_ip_session_common line=5787 msg="allocate a new session-1d680973"
id=20085 trace_id=25 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-10.2.0.254 via StG"
id=20085 trace_id=25 func=fw_forward_handler line=777 msg="Allowed by Policy-37:"
id=20085 trace_id=25 func=ipsec_output_finish line=617 msg="send to 18.104.22.168 via intf-wan1"
Here is the flow trace to the external address of firewall (B), from the CLI of firewall (A). You can see that a ping directly to the external IP of firewall (B) from a device behind firewall (A) works, but no packets from the VPN appear to be exiting the WAN.
id=20085 trace_id=21 func=print_pkt_detail line=5617 msg="vd-root:0 received a packet(proto=1, 10.0.0.83:1->firewall B) from internal. type=8, code=0, id=1, seq=18200."
id=20085 trace_id=21 func=init_ip_session_common line=5787 msg="allocate a new session-1d67e3b6"
id=20085 trace_id=21 func=vf_ip_route_input_common line=2580 msg="Match policy routing id=2133131269: to 22.214.171.124 via ifindex-6"
id=20085 trace_id=21 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-126.96.36.199 via wan2"
id=20085 trace_id=21 func=fw_forward_handler line=777 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=21 func=ids_receive line=289 msg="send to ips"
For the ICMP from 10.0.0.83 to 10.2.0.254 I can see that the FW is matching FW policy rule No. 37 and traffic is forwarded to the IPsec interface StG. To check if traffic is leaving your device, please run a sniffer like the one below:
# diagnose sniffer packet any "host 10.0.0.83 and host 10.2.0.254 " 4
Also check if 10.0.0.83 and 10.2.0.254 are part of the local and remote encryption domains of both FWs; also check the routing and whether that traffic is received on the remote VPN peer.
To check phase-1/phase-2 of your FW you can run the following :
# diagnose vpn ike gateway list name NAME_OF_VPN
# diagnose vpn tunnel list name NAME_OF_VPN
For the second debug flow, ICMP traffic from 10.0.0.83 to firewall B, the FW is matching policy routing No. 2133131269, traffic is forwarded to wan2 and is allowed by the SNAT policy; this I do not think is encrypted traffic.
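The reply above reads the two debug-flow traces by eye. As an added example (not from the thread or from Fortinet), the script below does the same mechanically: it groups "diagnose debug flow" lines by trace_id, pulls out the route, the matched policy and the IPsec hand-off, and flags a flow whose source and destination lie inside the encryption domains but which left in cleartext. The trace text is a trimmed copy of the lines quoted in the thread; 203.0.113.10 is a placeholder for the redacted external IP of firewall B, and the 10.0.0.0/24 and 10.2.0.0/24 encryption domains are assumed.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample: the thread's two debug-flow traces, trimmed to the decisive lines.
TRACE = """\
id=20085 trace_id=25 func=print_pkt_detail line=5617 msg="vd-root:0 received a packet(proto=1, 10.0.0.83:1->10.2.0.254:2048) from internal. type=8, code=0, id=1, seq=18205."
id=20085 trace_id=25 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-10.2.0.254 via StG"
id=20085 trace_id=25 func=fw_forward_handler line=777 msg="Allowed by Policy-37:"
id=20085 trace_id=25 func=ipsec_output_finish line=617 msg="send to 18.104.22.168 via intf-wan1"
id=20085 trace_id=21 func=print_pkt_detail line=5617 msg="vd-root:0 received a packet(proto=1, 10.0.0.83:1->203.0.113.10:2048) from internal. type=8, code=0, id=1, seq=18200."
id=20085 trace_id=21 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-126.96.36.199 via wan2"
id=20085 trace_id=21 func=fw_forward_handler line=777 msg="Allowed by Policy-1: SNAT"
"""

PKT_RE = re.compile(r'received a packet\(proto=\d+, ([\d.]+):\d+->([\d.]+):\d+\)')
ROUTE_RE = re.compile(r'find a route: .* via (\S+)"')
POLICY_RE = re.compile(r'Allowed by Policy-(\d+):\s*([^"]*)"')
IPSEC_RE = re.compile(r'func=ipsec_output_finish .*send to ([\d.]+) via intf-(\S+)"')

def parse_flows(trace):
    """Group debug-flow lines by trace_id; keep src/dst, egress route, policy/NAT and ESP hand-off."""
    flows = defaultdict(dict)
    for line in trace.splitlines():
        tid = re.search(r"trace_id=(\d+)", line)
        if not tid:
            continue
        f = flows[tid.group(1)]
        if m := PKT_RE.search(line):
            f["src"], f["dst"] = m.groups()
        elif m := ROUTE_RE.search(line):
            f["route_via"] = m.group(1)
        elif m := POLICY_RE.search(line):
            f["policy"], f["nat"] = m.group(1), m.group(2).strip()
        elif m := IPSEC_RE.search(line):
            f["ipsec_peer"], f["egress"] = m.groups()
    return dict(flows)

def verdict(flow, tunnel_if, local_net, remote_net):
    """Return (path, misrouted): misrouted when src/dst are in the encryption domains but no tunnel was used."""
    src, dst = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"])
    in_domain = src in ipaddress.ip_network(local_net) and dst in ipaddress.ip_network(remote_net)
    via = flow.get("route_via")
    if via == tunnel_if and "ipsec_peer" in flow:
        path = f"encrypted to {flow['ipsec_peer']} via {flow['egress']}"
    elif via == tunnel_if:
        path = "routed to tunnel but no ESP hand-off (check phase 2 selectors)"
    else:
        path = f"cleartext via {via}" + (f" ({flow['nat']})" if flow.get("nat") else "")
    return path, in_domain and not path.startswith("encrypted")
```

A flow that the trace reports as encrypted and handed to wan1, yet never shows up in the sniffer on port 4500, points at the tunnel or the path beyond the firewall rather than at routing or policy.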
vd: root/0
name: StG
version: 1
interface: wan2 6
addr: Firewall A:4500 -> Firewall B:4500
created: 366113s ago
IKE SA: created 1/5  established 1/5  time 140/4360/21220 ms
IPsec SA: created 1/9  established 1/9  time 60/62/70 ms

  id/spi: 104 0f197b81125e2a62/b6f6456e59f25f62
  direction: initiator
  status: established 21691-21691s ago = 150ms
  proposal: aes128-sha256
  key: 5b120b2c02ec6f4d-65d19be8902d3cfb
  lifetime/rekey: 86400/64408
  DPD sent/recv: 0000063b/0000119c
When I ran this:
# diagnose sniffer packet any 'host Firewall B and port 4500' 4 0 l
I got little to no packets being sent or received.
I'll give the recommendations a shot and report back. The problem is that this won't become apparent until there's a hiccup in the internet, and even then it could be hours before the firewall begins protecting the network again.