Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Umesh
Contributor

L2TP over IPsec

Dear All,

I have the following queries:

1. Does L2TP over IPsec VPN work without a license?

2. Without a license, I was configuring L2TP over IPsec; communication was not happening between the initiator (Windows machine) and the responder (FortiGate firewall), and I was not even able to connect to the responder.

3. After applying the license, the VPN was able to connect, but communication was not happening from the initiator to the responder.

I followed the URL below in order to configure it: https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/386346/l2tp-over-ipsec

Can anyone tell me what the issue could be? Even after connecting the VPN, communication was not happening.

Thank you.

 

 

hbac
Staff

Hi @Umesh,

You are able to connect but not able to access the internal network? You can collect a debug flow to see if the traffic is being dropped: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connectiv...

Regards,

Umesh
Contributor

Dear HBAC,

Please have a look at the diagram.

Reachability -

1. The user, who is sitting outside, is able to reach the FortiGate's WAN interface Port1 200.1.1.2.

2. Able to connect the VPN and get an IP address (101.1.1.2) from the range 101.1.1.1-101.1.1.1.

3. When I try to ping from outside to LAN PC1 or PC2, there is no connectivity; I get "destination host unreachable" from 100.1.1.1, which is the R1 router (you may assume it is the ISP).

4. I can see that the tunnel is up and the L2TP policy is getting traffic. One more policy is there, which was created by the IPsec wizard; that policy is not getting any requests. Source and destination are "all".

The question is where the problem is.

L2TP.JPG

rosatechnocrat

Can you provide the debug flow from the FortiGate?

diag debug reset
diag debug flow filter addr 10.1.1.10
diag debug console timestamp enable
diag debug flow show iprope enable
diagnose debug flow show function-name enable
diag debug flow trace start 1000
diag debug enable

Try to ping and then disable the debug:

diag debug disable

Rosa Technocrat -- Also on YouTube---Please do Subscribe
hbac

@Umesh

 

First, you need to check the routing table of the outside PC and make sure it has a route to PC1 and PC2 via the tunnel by running "route print". 

 

If the routes are there, you can run debug flow on the FortiGate and try to ping PC1 and PC2 to see if traffic is being dropped.

 

di deb disable
di deb res
diagnose debug flow filter clear
di deb flow filter addr 10.1.1.1
di deb flow filter proto 1
diagnose debug flow show function-name enable
di deb flow show iprope en
diagnose debug console timestamp enable
diagnose debug flow trace start 500
diagnose debug enable

 

Regards, 

rosatechnocrat
Contributor II

No, this does not require a separate license on the FortiGate.

Have you configured proper firewall policies from the IPsec interface to the destination interface?

Rosa Technocrat -- Also on YouTube---Please do Subscribe
Umesh
Contributor

Hello,

 

In order to troubleshoot Phase 1 and Phase 2, can you provide the commands?

 

Thank you.

hbac

@Umesh,

 

If the tunnel is not coming up, you can run IKE debugs: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-VPNs-tunnels/ta-p/195955

 

If the tunnel is up but traffic is not passing, you need to run debug flow:

 

di deb disable
di deb res
diagnose debug flow filter clear
di deb flow filter addr 10.1.1.1
di deb flow filter proto 1
diagnose debug flow show function-name enable
di deb flow show iprope en
diagnose debug console timestamp enable
diagnose debug flow trace start 500
diagnose debug enable

 

Regards, 
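The debug flow procedure above (and the identical one posted earlier in the thread) tells you whether the FortiGate drops the ping, but reading the raw trace by eye is slow. As an added example, my own code and not from the thread or from Fortinet, the following Python parser groups `diagnose debug flow` output by trace_id and reports, per packet, the ingress interface, the egress interface chosen by routing, and the verdict (allowed by policy N, dropped by the implicit deny "policy 0", or dropped earlier by the reverse path check). The sample lines are constructed, since no debug flow capture was ever posted here, and follow the FortiOS message texts I know; function names and line numbers vary between releases, so the regexes key on the message text rather than on the func=/line= fields.

```python
import re

# Constructed sample of `diagnose debug flow` output (not from the thread).
# Three ICMP echo requests towards PC1 (10.1.1.10) are traced:
#   trace 1: from the L2TP PPP interface, dropped by the implicit deny (policy 0)
#   trace 2: from port10, accepted by policy 3
#   trace 3: a LAN source arriving on the wrong interface, dropped by the
#            reverse path (RPF) check before any policy lookup happens
SAMPLE_TRACE = """\
2024-02-16 09:30:01.100000 id=20085 trace_id=1 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=1, 50.1.1.2:1->10.1.1.10:2048) from ppp0. type=8, code=0, id=1, seq=1."
2024-02-16 09:30:01.100100 id=20085 trace_id=1 func=init_ip_session_common line=5794 msg="allocate a new session-00001a2b"
2024-02-16 09:30:01.100200 id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=00000000 gw-10.1.1.10 via vlan10"
2024-02-16 09:30:01.100300 id=20085 trace_id=1 func=fw_forward_handler line=743 msg="Denied by forward policy check (policy 0)"
2024-02-16 09:30:02.200000 id=20085 trace_id=2 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=1, 192.168.145.20:1->10.1.1.10:2048) from port10. type=8, code=0, id=1, seq=1."
2024-02-16 09:30:02.200100 id=20085 trace_id=2 func=init_ip_session_common line=5794 msg="allocate a new session-00001a2c"
2024-02-16 09:30:02.200200 id=20085 trace_id=2 func=vf_ip_route_input_common line=2581 msg="find a route: flag=00000000 gw-10.1.1.10 via vlan10"
2024-02-16 09:30:02.200300 id=20085 trace_id=2 func=fw_forward_handler line=771 msg="Allowed by Policy-3: SNAT"
2024-02-16 09:30:03.300000 id=20085 trace_id=3 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=1, 10.1.1.50:1->10.1.1.10:2048) from port10. type=8, code=0, id=1, seq=1."
2024-02-16 09:30:03.300100 id=20085 trace_id=3 func=init_ip_session_common line=5794 msg="allocate a new session-00001a2d"
2024-02-16 09:30:03.300200 id=20085 trace_id=3 func=ip_route_input_slow line=2260 msg="reverse path check fail, drop"
"""

TRACE_RE = re.compile(r"trace_id=(\d+)")
MSG_RE = re.compile(r'msg="([^"]*)"')
PKT_RE = re.compile(r"received a packet\(proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+\) from (\S+)\.")
ROUTE_RE = re.compile(r"find a route: flag=\S+ gw-([\d.]+) via (\S+)")
DENY_RE = re.compile(r"Denied by forward policy check \(policy (\d+)\)")
ALLOW_RE = re.compile(r"Allowed by Policy-(\d+)")


def parse_debug_flow(text):
    """Group debug flow lines by trace_id and record, per trace, the packet
    header, the routing decision and the final verdict."""
    traces = {}
    for line in text.splitlines():
        tid_m, msg_m = TRACE_RE.search(line), MSG_RE.search(line)
        if not (tid_m and msg_m):
            continue  # not a debug flow line (prompt, blank, other debug)
        t = traces.setdefault(int(tid_m.group(1)),
                              {"verdict": "unknown", "policy": None, "reason": None})
        msg = msg_m.group(1)
        if m := PKT_RE.search(msg):
            t.update(proto=int(m.group(1)), src=m.group(2), dst=m.group(3), in_if=m.group(4))
        elif m := ROUTE_RE.search(msg):
            t.update(gw=m.group(1), out_if=m.group(2))
        elif m := DENY_RE.search(msg):
            t.update(verdict="deny", policy=int(m.group(1)), reason="policy")
        elif m := ALLOW_RE.search(msg):
            t.update(verdict="allow", policy=int(m.group(1)), reason="policy")
        elif "reverse path check fail" in msg:
            t.update(verdict="deny", reason="rpf")
    return traces


def summarize(traces):
    """One readable line per trace, in trace_id order."""
    lines = []
    for tid, t in sorted(traces.items()):
        path = f"{t.get('in_if', '?')} -> {t.get('out_if', 'no route')}"
        if t["reason"] == "rpf":
            why = "dropped by reverse path check (source not routable via ingress interface)"
        elif t["verdict"] == "deny":
            why = ("dropped by policy 0 (implicit deny, no policy matched)"
                   if t["policy"] == 0 else f"denied by policy {t['policy']}")
        elif t["verdict"] == "allow":
            why = f"allowed by policy {t['policy']}"
        else:
            why = "no verdict seen"
        lines.append(f"trace {tid}: proto {t.get('proto')} {t.get('src')} -> "
                     f"{t.get('dst')} [{path}] {why}")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_debug_flow(SAMPLE_TRACE)):
        print(line)
```

Feed it the console capture from `diagnose debug flow trace start`; a trace that ends in "policy 0" means no firewall policy matched the (ingress interface, egress interface, source, destination, service) tuple, which is the case to compare against the policy list, while an RPF drop means the source address is not routable back through the interface it arrived on.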

Umesh
Contributor

Hello,

 

Please find the following output:

1. routing table of the firewall

2. ping status

3. VPN tunnel status

4. debug sniffer command output

5. policy

Attachments: Diagram.JPG, Firewall policy.JPG, IP config.JPG, static route.JPG, Tunnel up.JPG, unable to ping from vpn.JPG, VPN connected1.JPG, VPN connected2.JPG

 

VPN is able to connect but unable to ping internal PC.

 

FGT_NEXT_Firewall # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via 200.1.1.1, port1
C 10.1.1.0/24 is directly connected, vlan10
C 50.1.1.1/32 is directly connected, ppp0
C 50.1.1.2/32 is directly connected, ppp0
S 192.168.100.10/32 [15/0] via 192.168.100.10, Remote_VPN
C 192.168.145.0/24 is directly connected, port10
C 200.1.1.0/24 is directly connected, port1


FGT_NEXT_Firewall # get vpn ipsec tunnel summary
'Remote_VPN_0' 192.168.100.10:0 selectors(total,up): 1/1 rx(pkt,err): 97/0 tx(pkt,err): 54/0

FGT_NEXT_Firewall # diagnose vpn ike gateway list

vd: root/0
name: Remote_VPN_0
version: 1
interface: port1 3
addr: 200.1.1.2:500 -> 192.168.100.10:500
created: 184s ago
IKE SA: created 1/1 established 1/1 time 90/90/90 ms
IPsec SA: created 1/1 established 1/1 time 110/110/110 ms

id/spi: 1 518510beb561517a/db330cee1f553f5a
direction: responder
status: established 184-184s ago = 90ms
proposal: 3des-sha1
key: 79460bf0ef63d8c9-6bee839d03f3205a-20b7c827ea2b405c
lifetime/rekey: 28800/28345
DPD sent/recv: 00000000/00000000

FGT_NEXT_Firewall # diagnose vpn ike gateway list Remote_VPN_0

command parse error before 'Remote_VPN_0'
Command fail. Return code -61

FGT_NEXT_Firewall # diagnose vpn ike gateway list name Remote_VPN_0

vd: root/0
name: Remote_VPN_0
version: 1
interface: port1 3
addr: 200.1.1.2:500 -> 192.168.100.10:500
created: 200s ago
IKE SA: created 1/1 established 1/1 time 90/90/90 ms
IPsec SA: created 1/1 established 1/1 time 110/110/110 ms

id/spi: 1 518510beb561517a/db330cee1f553f5a
direction: responder
status: established 200-200s ago = 90ms
proposal: 3des-sha1
key: 79460bf0ef63d8c9-6bee839d03f3205a-20b7c827ea2b405c
lifetime/rekey: 28800/28329
DPD sent/recv: 00000000/00000000

FGT_NEXT_Firewall # execute traceroute-options source 200.1.1.2

FGT_NEXT_Firewall # execute traceroute 50.1.1.2
traceroute to 50.1.1.2 (50.1.1.2), 32 hops max, 3 probe packets per hop, 84 byte packets
1 * * *^C
2 *
FGT_NEXT_Firewall # execute traceroute-options source 200.1.1.2

FGT_NEXT_Firewall # execute traceroute 192.168.100.10
traceroute to 192.168.100.10 (192.168.100.10), 32 hops max, 3 probe packets per hop, 84 byte packets
1 * *^C *

FGT_NEXT_Firewall # diagnose sniffer packet any 'host 192.168.100.10 and port 500' 4 0 1
Using Original Sniffing Mode
interfaces=[any]
filters=[host 192.168.100.10 and port 500]
2.945978 port1 in 192.168.100.10.500 -> 200.1.1.2.500: udp 76
2.946301 port1 in 192.168.100.10.500 -> 200.1.1.2.500: udp 84
5.051118 port1 in 192.168.100.10.500 -> 200.1.1.2.500: udp 408
5.051754 port1 out 200.1.1.2.500 -> 192.168.100.10.500: udp 188
5.073751 port1 in 192.168.100.10.500 -> 200.1.1.2.500: udp 260
5.074210 port1 out 200.1.1.2.500 -> 192.168.100.10.500: udp 228
5.094811 port1 in 192.168.100.10.500 -> 200.1.1.2.500: udp 68
5.097460 port1 out 200.1.1.2.500 -> 192.168.100.10.500: udp 68
5.115044 port1 in 192.168.100.10.500 -> 200.1.1.2.500: udp 468
5.119847 port1 out 200.1.1.2.500 -> 192.168.100.10.500: udp 164
5.156554 port1 in 192.168.100.10.500 -> 200.1.1.2.500: udp 60
^C
11 packets received by filter
0 packets dropped by kernel

FGT_NEXT_Firewall # diagnose vpn ike log-filter dst-addr4 192.168.100.10

FGT_NEXT_Firewall # diagnose debug application ike -1
Debug messages will be on for 30 minutes.

FGT_NEXT_Firewall # diagnose debug console timestamp enable

FGT_NEXT_Firewall # diagnose debug enable

FGT_NEXT_Firewall # 2024-02-16 09:19:04.252119 ike 0: comes 192.168.100.10:500->200.1.1.2:500,ifindex=3....
2024-02-16 09:19:04.263764 ike 0: IKEv1 exchange=Informational id=7763f9ec609866c7/e64aa0d0444b7621:5dce1779 len=76
2024-02-16 09:19:04.293064 ike 0: in 7763F9EC609866C7E64AA0D0444B7621081005015DCE17790000004C7440F474A2A656CC9C0D838C3969243BA8971AB430E2FD3C91769D6294349B6CB977C386917BFA83D4581925A8294869
2024-02-16 09:19:04.325109 ike 0:Remote_VPN_0:2: dec 7763F9EC609866C7E64AA0D0444B7621081005015DCE17790000004C0C000018725B2BD5CFD71EE63EE2A3CFFBE7EBFEE227E12A0000001000000001030400014E981FC20000000000000000
2024-02-16 09:19:04.352436 ike 0:Remote_VPN_0:2: recv IPsec SA delete, spi count 1
2024-02-16 09:19:04.362979 ike 0:Remote_VPN_0: deleting IPsec SA with SPI 4e981fc2
2024-02-16 09:19:04.375446 ike 0:Remote_VPN_0:Remote_VPN: deleted IPsec SA with SPI 4e981fc2, SA count: 0
2024-02-16 09:19:04.397652 ike 0:Remote_VPN:2: del route 192.168.100.10/255.255.255.255 oif Remote_VPN(22) metric 15 priority 0
2024-02-16 09:19:04.418884 ike 0:Remote_VPN_0: sending SNMP tunnel DOWN trap for Remote_VPN
2024-02-16 09:19:04.441488 ike 0:Remote_VPN_0:Remote_VPN: delete
2024-02-16 09:19:04.450597 ike 0: comes 192.168.100.10:500->200.1.1.2:500,ifindex=3....
2024-02-16 09:19:04.464677 ike 0: IKEv1 exchange=Informational id=7763f9ec609866c7/e64aa0d0444b7621:08e1007e len=84
2024-02-16 09:19:04.484343 ike 0: in 7763F9EC609866C7E64AA0D0444B76210810050108E1007E000000547F491E326B28EFDB062815C1F4C06202B450CD432D5FC877B3F8456A35DC990B170AEF47C59F58A1B3ECE9F45A98BB05E3D8916DACFCC372
2024-02-16 09:19:04.508949 ike 0:Remote_VPN_0:2: dec 7763F9EC609866C7E64AA0D0444B76210810050108E1007E000000540C000018D960C2C01F5B93927953C10D62CA7AE4A8179EA70000001C00000001011000017763F9EC609866C7E64AA0D0444B762100000000
2024-02-16 09:19:04.542539 ike 0:Remote_VPN_0:2: recv ISAKMP SA delete 7763f9ec609866c7/e64aa0d0444b7621
2024-02-16 09:19:04.581268 ike 0:Remote_VPN_0: deleting
2024-02-16 09:19:04.594148 ike 0:Remote_VPN_0: flushing
2024-02-16 09:19:04.603790 ike 0:Remote_VPN_0: flushed
2024-02-16 09:19:04.613669 ike 0:Remote_VPN_0: delete dynamic
2024-02-16 09:19:04.640876 ike 0:Remote_VPN_0: deleted
2024-02-16 09:19:05.609839 ike 0: comes 192.168.100.10:500->200.1.1.2:500,ifindex=3....
2024-02-16 09:19:05.637788 ike 0: IKEv1 exchange=Identity Protection id=6816b0e0616da50d/0000000000000000 len=408
2024-02-16 09:19:05.658506 ike 0: in ...
2024-02-16 09:19:05.780949 ike 0:6816b0e0616da50d/0000000000000000:3: responder: main mode get 1st message...
2024-02-16 09:19:05.797355 ike 0:6816b0e0616da50d/0000000000000000:3: VID unknown (20): 01528BBBC00696121849AB9A1C5B2A5100000001
2024-02-16 09:19:05.816885 ike 0:6816b0e0616da50d/0000000000000000:3: VID MS NT5 ISAKMPOAKLEY 1E2B516905991C7D7C96FCBFB587E46100000009
2024-02-16 09:19:05.834887 ike 0:6816b0e0616da50d/0000000000000000:3: VID RFC 3947 4A131C81070358455C5728F20E95452F
2024-02-16 09:19:05.872150 ike 0:6816b0e0616da50d/0000000000000000:3: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
2024-02-16 09:19:05.897758 ike 0:6816b0e0616da50d/0000000000000000:3: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
2024-02-16 09:19:05.934095 ike 0:6816b0e0616da50d/0000000000000000:3: VID unknown (16): FB1DE3CDF341B7EA16B7E5BE0855F120
2024-02-16 09:19:05.955300 ike 0:6816b0e0616da50d/0000000000000000:3: VID unknown (16): 26244D38EDDB61B3172A36E3D0CFB819
2024-02-16 09:19:05.985624 ike 0:6816b0e0616da50d/0000000000000000:3: VID unknown (16): E3A5966A76379FE707228231E5CE8652
2024-02-16 09:19:06.001137 ike 0:6816b0e0616da50d/0000000000000000:3: negotiation result
2024-02-16 09:19:06.046459 ike 0:6816b0e0616da50d/0000000000000000:3: proposal id = 1:
2024-02-16 09:19:06.057675 ike 0:6816b0e0616da50d/0000000000000000:3: protocol id = ISAKMP:
2024-02-16 09:19:06.074271 ike 0:6816b0e0616da50d/0000000000000000:3: trans_id = KEY_IKE.
2024-02-16 09:19:06.092407 ike 0:6816b0e0616da50d/0000000000000000:3: encapsulation = IKE/none
2024-02-16 09:19:06.107681 ike 0:6816b0e0616da50d/0000000000000000:3: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
2024-02-16 09:19:06.132377 ike 0:6816b0e0616da50d/0000000000000000:3: type=OAKLEY_HASH_ALG, val=SHA.
2024-02-16 09:19:06.150145 ike 0:6816b0e0616da50d/0000000000000000:3: type=AUTH_METHOD, val=PRESHARED_KEY.
2024-02-16 09:19:06.166302 ike 0:6816b0e0616da50d/0000000000000000:3: type=OAKLEY_GROUP, val=MODP1024.
2024-02-16 09:19:06.185571 ike 0:6816b0e0616da50d/0000000000000000:3: ISAKMP SA lifetime=86400
2024-02-16 09:19:06.196547 ike 0:6816b0e0616da50d/0000000000000000:3: SA proposal chosen, matched gateway Remote_VPN
2024-02-16 09:19:06.222012 ike 0:Remote_VPN: created connection: 0xcf0bcb0 3 200.1.1.2->192.168.100.10:500.
2024-02-16 09:19:06.232596 ike 0:Remote_VPN:3: selected NAT-T version: RFC 3947
2024-02-16 09:19:06.242024 ike 0:Remote_VPN:3: cookie 6816b0e0616da50d/10f6a6579c1487be
2024-02-16 09:19:06.266586 ike 0:Remote_VPN:3: out 6816B0E0616DA50D10F6A6579C1487BE0110020000000000000000BC0D00003800000001000000010000002C01010001000000240501000080010005800200028004000280030001800B0001000C0004000070800D0000144A131C81070358455C5728F20E95452F0D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
2024-02-16 09:19:06.330413 ike 0:Remote_VPN:3: sent IKE msg (ident_r1send): 200.1.1.2:500->192.168.100.10:500, len=188, id=6816b0e0616da50d/10f6a6579c1487be
2024-02-16 09:19:06.375305 ike 0: comes 192.168.100.10:500->200.1.1.2:500,ifindex=3....
2024-02-16 09:19:06.385212 ike 0: IKEv1 exchange=Identity Protection id=6816b0e0616da50d/10f6a6579c1487be len=260
2024-02-16 09:19:06.399687 ike 0: in ...
2024-02-16 09:19:06.477019 ike 0:Remote_VPN:3: responder:main mode get 2nd message...
2024-02-16 09:19:06.495917 ike 0:Remote_VPN:3: received NAT-D payload type 20
2024-02-16 09:19:06.506803 ike 0:Remote_VPN:3: received NAT-D payload type 20
2024-02-16 09:19:06.521950 ike 0:Remote_VPN:3: NAT not detected
2024-02-16 09:19:06.532996 ike 0:Remote_VPN:3: out 6816B0E0616DA50D10F6A6579C1487BE0410020000000000000000E40A000084A9E31390D703DCE4010F848DEE638060CFF8F79348B6365F2239ED2E455A3435729D3714E628117ADFD740CE15159CF1B8A0ADC23EB46AF44AA4B5E2516B2F01F9B7F4F41BAD6476499402EACC9D68E9B8F0FA26B21D9F49BE31E6A189DAFBCCC7B91076F3E359E484E5596C57F1EBF271A4335897268EF32E898039AA30364D140000142AAA7865E6AEACE76DE1863E22425DED1400001833D3F47BB00E7FBDC920A7C0E3A234B014148CE1000000184D66DEF3FA5D7344902DA3EACAC483E55506A67A
2024-02-16 09:19:06.608017 ike 0:Remote_VPN:3: sent IKE msg (ident_r2send): 200.1.1.2:500->192.168.100.10:500, len=228, id=6816b0e0616da50d/10f6a6579c1487be
2024-02-16 09:19:06.634531 ike 0:Remote_VPN:3: ISAKMP SA 6816b0e0616da50d/10f6a6579c1487be key 24:875D2997037AA7F10EA4EA5106F3B37A690262B7B21609FA
2024-02-16 09:19:06.651864 ike 0: comes 192.168.100.10:500->200.1.1.2:500,ifindex=3....
2024-02-16 09:19:06.663834 ike 0: IKEv1 exchange=Identity Protection id=6816b0e0616da50d/10f6a6579c1487be len=68
2024-02-16 09:19:06.679596 ike 0: in 6816B0E0616DA50D10F6A6579C1487BE051002010000000000000044146905023085D37F1E5C748649ECD0D0E187A7B241C6B3EE6FD43112F6FA99922C869FE9AAE19434
2024-02-16 09:19:06.707970 ike 0:Remote_VPN:3: responder: main mode get 3rd message...
2024-02-16 09:19:06.720723 ike 0:Remote_VPN:3: dec 6816B0E0616DA50D10F6A6579C1487BE0510020100000000000000440800000C01000000C0A8640A00000018414544F3A409D0F53A18C48B30583C2BE82E91FC00000000
2024-02-16 09:19:06.751114 ike 0:Remote_VPN:3: peer identifier IPV4_ADDR 192.168.100.10
2024-02-16 09:19:06.766640 ike 0:Remote_VPN:3: PSK authentication succeeded
2024-02-16 09:19:06.774871 ike 0:Remote_VPN:3: authentication OK
2024-02-16 09:19:06.782935 ike 0:Remote_VPN:3: enc 6816B0E0616DA50D10F6A6579C1487BE0510020100000000000000400800000C01000000C8010102000000181C344135971990E3144C89490830E261BA47172E
2024-02-16 09:19:06.814842 ike 0:Remote_VPN:3: out 6816B0E0616DA50D10F6A6579C1487BE051002010000000000000044610D736C1066C0D7861FB7AD60F6A6A200A104FE7DABD3160692CCE75C4DB304DAFE6655E4C0B90F
2024-02-16 09:19:06.842354 ike 0:Remote_VPN:3: sent IKE msg (ident_r3send): 200.1.1.2:500->192.168.100.10:500, len=68, id=6816b0e0616da50d/10f6a6579c1487be
2024-02-16 09:19:06.862344 ike 0:Remote_VPN: adding new dynamic tunnel for 192.168.100.10:500
2024-02-16 09:19:06.887926 ike 0:Remote_VPN_0: added new dynamic tunnel for 192.168.100.10:500
2024-02-16 09:19:06.913628 ike 0:Remote_VPN_0:3: established IKE SA 6816b0e0616da50d/10f6a6579c1487be
2024-02-16 09:19:06.931264 ike 0:Remote_VPN_0: DPD disabled, not negotiated
2024-02-16 09:19:06.942943 ike 0:Remote_VPN_0:3: check peer route: if_addr4_rcvd=0, if_addr6_rcvd=0
2024-02-16 09:19:06.956714 ike 0:Remote_VPN_0:3: no pending Quick-Mode negotiations
2024-02-16 09:19:06.976725 ike 0: comes 192.168.100.10:500->200.1.1.2:500,ifindex=3....
2024-02-16 09:19:06.997800 ike 0: IKEv1 exchange=Quick id=6816b0e0616da50d/10f6a6579c1487be:00000001 len=468
2024-02-16 09:19:07.016564 ike 0: in ...
2024-02-16 09:19:07.205179 ike 0:Remote_VPN_0:3:3: responder received first quick-mode message
2024-02-16 09:19:07.217813 ike 0:Remote_VPN_0:3: dec ...
2024-02-16 09:19:07.347110 ike 0:Remote_VPN_0:3:3: peer proposal is: peer:17:192.168.100.10-192.168.100.10:1701, me:17:200.1.1.2-200.1.1.2:1701
2024-02-16 09:19:07.361699 ike 0:Remote_VPN_0:3:Remote_VPN:3: trying
2024-02-16 09:19:07.374793 ike 0:Remote_VPN_0:3:3: transport mode, override with 17:200.1.1.2-200.1.1.2:1701 -> 17:192.168.100.10-192.168.100.10:0
2024-02-16 09:19:07.392891 ike 0:Remote_VPN_0:3:Remote_VPN:3: matched phase2
2024-02-16 09:19:07.404673 ike 0:Remote_VPN_0:3:Remote_VPN:3: dynamic client
2024-02-16 09:19:07.417350 ike 0:Remote_VPN_0:3:Remote_VPN:3: my proposal:
2024-02-16 09:19:07.427371 ike 0:Remote_VPN_0:3:Remote_VPN:3: proposal id = 1:
2024-02-16 09:19:07.437072 ike 0:Remote_VPN_0:3:Remote_VPN:3: protocol id = IPSEC_ESP:
2024-02-16 09:19:07.451969 ike 0:Remote_VPN_0:3:Remote_VPN:3: trans_id = ESP_AES_CBC (key_len = 256)
2024-02-16 09:19:07.463704 ike 0:Remote_VPN_0:3:Remote_VPN:3: encapsulation = ENCAPSULATION_MODE_TRANSPORT
2024-02-16 09:19:07.477025 ike 0:Remote_VPN_0:3:Remote_VPN:3: type = AUTH_ALG, val=MD5
2024-02-16 09:19:07.491506 ike 0:Remote_VPN_0:3:Remote_VPN:3: trans_id = ESP_3DES
2024-02-16 09:19:07.503887 ike 0:Remote_VPN_0:3:Remote_VPN:3: encapsulation = ENCAPSULATION_MODE_TRANSPORT
2024-02-16 09:19:07.516357 ike 0:Remote_VPN_0:3:Remote_VPN:3: type = AUTH_ALG, val=SHA1
2024-02-16 09:19:07.527033 ike 0:Remote_VPN_0:3:Remote_VPN:3: trans_id = ESP_AES_CBC (key_len = 192)
2024-02-16 09:19:07.537309 ike 0:Remote_VPN_0:3:Remote_VPN:3: encapsulation = ENCAPSULATION_MODE_TRANSPORT
2024-02-16 09:19:07.549806 ike 0:Remote_VPN_0:3:Remote_VPN:3: type = AUTH_ALG, val=SHA1
2024-02-16 09:19:07.558655 ike 0:Remote_VPN_0:3:Remote_VPN:3: incoming proposal:
2024-02-16 09:19:07.571535 ike 0:Remote_VPN_0:3:Remote_VPN:3: proposal id = 1:
2024-02-16 09:19:07.587509 ike 0:Remote_VPN_0:3:Remote_VPN:3: protocol id = IPSEC_ESP:
2024-02-16 09:19:07.600390 ike 0:Remote_VPN_0:3:Remote_VPN:3: trans_id = ESP_AES_CBC (key_len = 256)
2024-02-16 09:19:07.617287 ike 0:Remote_VPN_0:3:Remote_VPN:3: encapsulation = ENCAPSULATION_MODE_TRANSPORT
2024-02-16 09:19:07.641324 ike 0:Remote_VPN_0:3:Remote_VPN:3: type = AUTH_ALG, val=SHA1
2024-02-16 09:19:07.654358 ike 0:Remote_VPN_0:3:Remote_VPN:3: incoming proposal:
2024-02-16 09:19:07.662427 ike 0:Remote_VPN_0:3:Remote_VPN:3: proposal id = 2:
2024-02-16 09:19:07.672823 ike 0:Remote_VPN_0:3:Remote_VPN:3: protocol id = IPSEC_ESP:
2024-02-16 09:19:07.683746 ike 0:Remote_VPN_0:3:Remote_VPN:3: trans_id = ESP_AES_CBC (key_len = 128)
2024-02-16 09:19:07.699019 ike 0:Remote_VPN_0:3:Remote_VPN:3: encapsulation = ENCAPSULATION_MODE_TRANSPORT
2024-02-16 09:19:07.721214 ike 0:Remote_VPN_0:3:Remote_VPN:3: type = AUTH_ALG, val=SHA1
2024-02-16 09:19:07.733789 ike 0:Remote_VPN_0:3:Remote_VPN:3: incoming proposal:
2024-02-16 09:19:07.741714 ike 0:Remote_VPN_0:3:Remote_VPN:3: proposal id = 3:
2024-02-16 09:19:07.751795 ike 0:Remote_VPN_0:3:Remote_VPN:3: protocol id = IPSEC_ESP:
2024-02-16 09:19:07.760639 ike 0:Remote_VPN_0:3:Remote_VPN:3: trans_id = ESP_3DES
2024-02-16 09:19:07.789240 ike 0:Remote_VPN_0:3:Remote_VPN:3: encapsulation = ENCAPSULATION_MODE_TRANSPORT
2024-02-16 09:19:07.805949 ike 0:Remote_VPN_0:3:Remote_VPN:3: type = AUTH_ALG, val=SHA1
2024-02-16 09:19:07.818765 ike 0:Remote_VPN_0:3:Remote_VPN:3: negotiation result
2024-02-16 09:19:07.830951 ike 0:Remote_VPN_0:3:Remote_VPN:3: proposal id = 3:
2024-02-16 09:19:07.839985 ike 0:Remote_VPN_0:3:Remote_VPN:3: protocol id = IPSEC_ESP:
2024-02-16 09:19:07.853535 ike 0:Remote_VPN_0:3:Remote_VPN:3: trans_id = ESP_3DES
2024-02-16 09:19:07.862696 ike 0:Remote_VPN_0:3:Remote_VPN:3: encapsulation = ENCAPSULATION_MODE_TRANSPORT
2024-02-16 09:19:07.874981 ike 0:Remote_VPN_0:3:Remote_VPN:3: type = AUTH_ALG, val=SHA1
2024-02-16 09:19:07.885039 ike 0:Remote_VPN_0:3:Remote_VPN:3: using transport mode.
2024-02-16 09:19:07.896075 ike 0:Remote_VPN_0:3:Remote_VPN:3: replay protection enabled
2024-02-16 09:19:07.906637 ike 0:Remote_VPN_0:3:Remote_VPN:3: SA life soft seconds=3590.
2024-02-16 09:19:07.918708 ike 0:Remote_VPN_0:3:Remote_VPN:3: SA life hard seconds=3600.
2024-02-16 09:19:07.932591 ike 0:Remote_VPN_0:3:Remote_VPN:3: IPsec SA selectors #src=1 #dst=1
2024-02-16 09:19:07.941319 ike 0:Remote_VPN_0:3:Remote_VPN:3: src 0 7 17:200.1.1.2-200.1.1.2:1701
2024-02-16 09:19:07.954987 ike 0:Remote_VPN_0:3:Remote_VPN:3: dst 0 7 17:192.168.100.10-192.168.100.10:0
2024-02-16 09:19:07.966875 ike 0:Remote_VPN_0:3:Remote_VPN:3: add dynamic IPsec SA selectors
2024-02-16 09:19:07.975446 ike 0:Remote_VPN_0:3:Remote_VPN:3: added dynamic IPsec SA proxyids, new serial 1
2024-02-16 09:19:07.990178 ike 0:Remote_VPN:3: add route 192.168.100.10/255.255.255.255 gw 192.168.100.10 oif Remote_VPN(22) metric 15 priority 0
2024-02-16 09:19:08.007905 ike 0:Remote_VPN_0:3:Remote_VPN:3: tunnel 1 of VDOM limit 0/0
2024-02-16 09:19:08.025077 ike 0:Remote_VPN_0:3:Remote_VPN:3: add IPsec SA: SPIs=410fce9b/b1083ae8
2024-02-16 09:19:08.037245 ike 0:Remote_VPN_0:3:Remote_VPN:3: IPsec SA dec spi 410fce9b key 24:5CDE951504B11144BA288E4382BB58C3497BB957907A84ED auth 20:161C45918595F9F0CDA45683DE92176B81AC826C
2024-02-16 09:19:08.075642 ike 0:Remote_VPN_0:3:Remote_VPN:3: IPsec SA enc spi b1083ae8 key 24:FA74BB7F7848EDE04F1C2F46C1A86E09E0497403629271B6 auth 20:B8AA6BDCB9A338877129268859F3625CCEFB825A
2024-02-16 09:19:08.099106 ike 0:Remote_VPN_0:3:Remote_VPN:3: transport mode encapsulation is enabled
2024-02-16 09:19:08.110666 ike 0:Remote_VPN_0:3:Remote_VPN:3: added IPsec SA: SPIs=410fce9b/b1083ae8
2024-02-16 09:19:08.124565 ike 0:Remote_VPN_0:3:Remote_VPN:3: sending SNMP tunnel UP trap
2024-02-16 09:19:08.140849 ike 0:Remote_VPN_0:3: enc 6816B0E0616DA50D10F6A6579C1487BE0810200100000001000000A00100001843BEF733ED3ECEB036F1C99B2BC6E0BCAB6E85EA0A00004000000001000000010000003403030401410FCE9B00000028010300008004000280050002800100010002000400000E1080010002000200040003D09005000014BB67CBC4DE02C91409EF3C1FEA7D04F20500000C011106A5C0A8640A0000000C011106A5C8010102
2024-02-16 09:19:08.187353 ike 0:Remote_VPN_0:3: out 6816B0E0616DA50D10F6A6579C1487BE0810200100000001000000A49D3A6224432B4FCEA7A8998BE4DA3A66988FCC861DD0CFB1FD067C7977643D0E77D83D9224CE0BAFA9590D55D086E31B6171B88924741A025C52BC8BEEFA11DB68F510C523BC789E14A5999669BE72324E27B00E7D72C6CCDCE043B10DA57141CEFDB1E39777DF3B0C96C3DA99135C5DBC7966570A07A2B877286027359C4F2FA2B9B1446E631C08
2024-02-16 09:19:08.231626 ike 0:Remote_VPN_0:3: sent IKE msg (quick_r1send): 200.1.1.2:500->192.168.100.10:500, len=164, id=6816b0e0616da50d/10f6a6579c1487be:00000001
2024-02-16 09:19:08.259178 ike 0: comes 192.168.100.10:500->200.1.1.2:500,ifindex=3....
2024-02-16 09:19:08.269344 ike 0: IKEv1 exchange=Quick id=6816b0e0616da50d/10f6a6579c1487be:00000001 len=468
2024-02-16 09:19:08.285300 ike 0: in ...
2024-02-16 09:19:08.404501 ike 0:Remote_VPN_0:3:Remote_VPN:3: retransmission, re-send last message
2024-02-16 09:19:08.413780 ike 0:Remote_VPN_0:3: out 6816B0E0616DA50D10F6A6579C1487BE0810200100000001000000A49D3A6224432B4FCEA7A8998BE4DA3A66988FCC861DD0CFB1FD067C7977643D0E77D83D9224CE0BAFA9590D55D086E31B6171B88924741A025C52BC8BEEFA11DB68F510C523BC789E14A5999669BE72324E27B00E7D72C6CCDCE043B10DA57141CEFDB1E39777DF3B0C96C3DA99135C5DBC7966570A07A2B877286027359C4F2FA2B9B1446E631C08
2024-02-16 09:19:08.455934 ike 0:Remote_VPN_0:3: sent IKE msg (retransmit): 200.1.1.2:500->192.168.100.10:500, len=164, id=6816b0e0616da50d/10f6a6579c1487be:00000001
2024-02-16 09:19:08.480513 ike 0: comes 192.168.100.10:500->200.1.1.2:500,ifindex=3....
2024-02-16 09:19:08.489759 ike 0: IKEv1 exchange=Quick id=6816b0e0616da50d/10f6a6579c1487be:00000001 len=60
2024-02-16 09:19:08.502610 ike 0: in 6816B0E0616DA50D10F6A6579C1487BE08102001000000010000003C0874C5385ED9172F4A013984D4A98513FDEB34482DDEC34B1BD76F0B938685D0
2024-02-16 09:19:08.517474 ike 0:Remote_VPN_0:3: dec 6816B0E0616DA50D10F6A6579C1487BE08102001000000010000003C00000018816D02DD4ABB75611210A99014BED448522979C10000000000000000
2024-02-16 09:19:08.535565 ike 0:Remote_VPN_0:Remote_VPN:3: send SA_DONE SPI 0xb1083ae8
2024-02-16 09:19:14.250613 ike shrank heap by 159744 bytes


no object in the end
Command fail. Return code -160

FGT_NEXT_Firewall # dia
FGT_NEXT_Firewall #
FGT_NEXT_Firewall # diagnose debug disable

FGT_NEXT_Firewall #
FGT_NEXT_Firewall #
FGT_NEXT_Firewall #
FGT_NEXT_Firewall # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=Remote_VPN_0 ver=1 serial=7 200.1.1.2:0->192.168.100.10:0 dst_mtu=1500
bound_if=3 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/640 options[0280]=rgwy-chg frag-rfc run_state=1 role=primary accept_traffic=1 overlay_id=0

parent=Remote_VPN index=0
proxyid_num=1 child_num=0 refcnt=6 ilast=1 olast=1 ad=/0
stat: rxp=76 txp=33 rxb=11367 txb=1895
dpd: mode=on-demand on=1 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=Remote_VPN proto=17 sa=1 ref=3 serial=1 transport-mode add-route
src: 17:200.1.1.2-200.1.1.2:1701
dst: 17:192.168.100.10-192.168.100.10:0
SA: ref=3 options=20182 type=00 soft=0 mtu=1470 expire=3527/0B replaywin=2048
seqno=22 esn=0 replaywin_lastseq=0000004c qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=3590/3600
dec: spi=410fce9b esp=3des key=24 5cde951504b11144ba288e4382bb58c3497bb957907a84ed
ah=sha1 key=20 161c45918595f9f0cda45683de92176b81ac826c
enc: spi=b1083ae8 esp=3des key=24 fa74bb7f7848ede04f1c2f46c1a86e09e0497403629271b6
ah=sha1 key=20 b8aa6bdcb9a338877129268859f3625ccefb825a
dec:pkts/bytes=152/22734, enc:pkts/bytes=66/4887
------------------------------------------------------
name=Remote_VPN ver=1 serial=3 200.1.1.2:0->0.0.0.0:0 dst_mtu=0
bound_if=3 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/512 options[0200]=frag-rfc role=primary accept_traffic=1 overlay_id=0

proxyid_num=0 child_num=1 refcnt=15 ilast=42951128 olast=42951128 ad=/0
stat: rxp=433 txp=264 rxb=49683 txb=14020
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
run_tally=1
ipv4 route tree:
192.168.100.10->192.168.100.10 0

FGT_NEXT_Firewall # diagnose vpn tunnel list name Remote_VPN_0
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=Remote_VPN_0 ver=1 serial=7 200.1.1.2:0->192.168.100.10:0 dst_mtu=1500
bound_if=3 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/640 options[0280]=rgwy-chg frag-rfc run_state=1 role=primary accept_traffic=1 overlay_id=0

parent=Remote_VPN index=0
proxyid_num=1 child_num=0 refcnt=7 ilast=1 olast=1 ad=/0
stat: rxp=78 txp=35 rxb=11419 txb=1987
dpd: mode=on-demand on=1 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=Remote_VPN proto=17 sa=1 ref=3 serial=1 transport-mode add-route
src: 17:200.1.1.2-200.1.1.2:1701
dst: 17:192.168.100.10-192.168.100.10:0
SA: ref=3 options=20182 type=00 soft=0 mtu=1470 expire=3517/0B replaywin=2048
seqno=24 esn=0 replaywin_lastseq=0000004e qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=3590/3600
dec: spi=410fce9b esp=3des key=24 5cde951504b11144ba288e4382bb58c3497bb957907a84ed
ah=sha1 key=20 161c45918595f9f0cda45683de92176b81ac826c
enc: spi=b1083ae8 esp=3des key=24 fa74bb7f7848ede04f1c2f46c1a86e09e0497403629271b6
ah=sha1 key=20 b8aa6bdcb9a338877129268859f3625ccefb825a
dec:pkts/bytes=156/22838, enc:pkts/bytes=70/5139

FGT_NEXT_Firewall #show firewall policy
edit 2
set name "vpn_Remote_VPN_l2tp"
set uuid 6437e92a-cced-51ee-25d6-9757570e6f5f
set srcintf "Remote_VPN"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "L2TP"
set logtraffic all
set comments "VPN: Remote_VPN (Created by VPN wizard)"
next
edit 3
set name "vpn_Remote_VPN_remote_0"
set uuid 6473a3b6-cced-51ee-4d03-70cb8b2c12e8
set srcintf "Remote_VPN"
set dstintf "LAN_ZONE"
set srcaddr "Remote_VPN_range"
set dstaddr "LAN_subnet"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set comments "VPN: Remote_VPN (Created by VPN wizard)"
set nat enable
next
end

 


Note - If you look at the status of the VPN, it is showing "status: established 184-184s ago = 90ms".
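The routing table and the two wizard-created policies posted above contain enough to do by hand what the FortiGate does for each packet: a longest-prefix route lookup to find the egress interface, then a top-down policy search on (source interface, destination interface, source address, destination address, service). The following Python is an added example, my own code and not from the thread or from Fortinet, that parses both outputs as posted and performs that lookup for a ping to PC1 (10.1.1.10). It returns the matching policy ID, or 0 for the implicit deny, the same "policy 0" that debug flow prints. The address objects behind "LAN_subnet" and "Remote_VPN_range", the members of "LAN_ZONE", and the service table are assumptions I constructed because the thread never shows them; the L2TP service being UDP/1701 is FortiOS' predefined definition. The two ingress interfaces tried, ppp0 (the PPP endpoints in the routing table) and Remote_VPN (the IPsec interface), are candidates to compare against whatever "from <interface>" your own debug flow reports.

```python
import ipaddress
import re

# Routing table and policy list as posted above (trimmed to the lines used).
ROUTING_TABLE = """\
S* 0.0.0.0/0 [1/0] via 200.1.1.1, port1
C 10.1.1.0/24 is directly connected, vlan10
C 50.1.1.1/32 is directly connected, ppp0
C 50.1.1.2/32 is directly connected, ppp0
S 192.168.100.10/32 [15/0] via 192.168.100.10, Remote_VPN
C 192.168.145.0/24 is directly connected, port10
C 200.1.1.0/24 is directly connected, port1
"""
POLICY_CONFIG = """\
edit 2
set name "vpn_Remote_VPN_l2tp"
set srcintf "Remote_VPN"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "L2TP"
next
edit 3
set name "vpn_Remote_VPN_remote_0"
set srcintf "Remote_VPN"
set dstintf "LAN_ZONE"
set srcaddr "Remote_VPN_range"
set dstaddr "LAN_subnet"
set action accept
set service "ALL"
next
end
"""
# ASSUMPTIONS (constructed, not shown in the thread): address objects, zone
# members and a minimal service table. FortiOS' predefined L2TP service is UDP/1701.
ADDRESS_OBJECTS = {
    "all": ipaddress.ip_network("0.0.0.0/0"),
    "LAN_subnet": ipaddress.ip_network("10.1.1.0/24"),
    "Remote_VPN_range": ipaddress.ip_network("101.1.1.0/24"),
}
ZONES = {"LAN_ZONE": {"vlan10"}}
SERVICES = {"L2TP": (17, 1701)}  # "ALL" matches every protocol/port

ROUTE_RE = re.compile(r"^\S+\s+(\d+\.\d+\.\d+\.\d+/\d+)\s.*,\s*(\S+)$")

def parse_routes(text):
    """[(network, interface)] from `get router info routing-table all`."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append((ipaddress.ip_network(m.group(1)), m.group(2)))
    return routes

def lookup_route(routes, dst):
    """Longest-prefix match; returns the egress interface or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def parse_policies(text):
    """Parse `show firewall policy` into a list of {id, srcintf, ...} dicts
    (every value is a list, since FortiOS allows several per setting)."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            cur = {"id": int(line.split()[1])}
        elif line.startswith("set ") and cur is not None:
            _, key, rest = line.split(" ", 2)
            cur[key] = re.findall(r'"([^"]*)"', rest) or [rest]
        elif line == "next" and cur is not None:
            policies.append(cur)
            cur = None
    return policies

def _iface_ok(names, iface):
    return any(n in ("any", iface) or iface in ZONES.get(n, ()) for n in names)

def _addr_ok(names, ip):
    a = ipaddress.ip_address(ip)
    return any(n in ADDRESS_OBJECTS and a in ADDRESS_OBJECTS[n] for n in names)

def _service_ok(names, proto, dport):
    return any(n == "ALL" or SERVICES.get(n) == (proto, dport) for n in names)

def find_policy(policies, routes, srcintf, src, dst, proto=1, dport=0):
    """Return (egress interface, policy id); id 0 is the implicit deny."""
    dstintf = lookup_route(routes, dst)
    if dstintf is None:
        return None, 0
    for p in policies:  # first match wins, as on the FortiGate
        if (_iface_ok(p["srcintf"], srcintf) and _iface_ok(p["dstintf"], dstintf)
                and _addr_ok(p["srcaddr"], src) and _addr_ok(p["dstaddr"], dst)
                and _service_ok(p["service"], proto, dport)
                and p.get("action") == ["accept"]):
            return dstintf, p["id"]
    return dstintf, 0

if __name__ == "__main__":
    routes, policies = parse_routes(ROUTING_TABLE), parse_policies(POLICY_CONFIG)
    # The same ICMP echo to PC1, seen from two candidate ingress interfaces.
    for srcintf, src in (("ppp0", "50.1.1.2"), ("Remote_VPN", "101.1.1.2")):
        egress, pid = find_policy(policies, routes, srcintf, src, "10.1.1.10")
        print(f"{srcintf} {src} -> 10.1.1.10 via {egress}: policy {pid}")
```

Under these assumptions a ping entering on ppp0 matches no policy (both wizard policies only accept traffic from the Remote_VPN interface), while the same ping entering on Remote_VPN from the assumed client range matches policy 3. Whichever ingress interface your own debug flow shows in its "received a packet ... from" line is the one the policy's srcintf has to name.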

Umesh
Contributor

Dear All,

Can anyone update me based on the above log?

Why am I not able to connect to the internal networks?
