IPsec VPN troubleshooting - Fortinet Cookbook
http://cookbook.fortinet.com/ipsec-vpn-troubleshooting/

IPsec VPN troubleshooting

1 of 12 3/28/2018, 11:07 AM

diagnose vpn tunnel list

diagnose debug flow

The options to configure policy-based IPsec VPN are unavailable.


diagnose vpn tunnel list

diagnose vpn tunnel list

diagnose debug application ike -1


diagnose debug enable

diagnose debug reset


diagnose debug disable

The VPN tunnel goes down frequently.


The pre-shared key does not match (PSK mismatch error).

diag vpn ike log-filter name <phase1-name>
diag debug app ike -1
diag debug enable

ike 0:TRX:322: PSK auth failed: probable pre-shared key mismatch
ike Negotiate SA Error:

The SA proposals do not match (SA proposal mismatch).

diag debug app ike -1
diag debug enable

responder received SA_INIT msg
incoming proposal:
proposal id = 1:
protocol = IKEv2:
encapsulation = IKEv2/none
type=ENCR, val=AES_CBC (key_len = 256)
type=INTEGR, val=AUTH_HMAC_SHA_96
type=PRF, val=PRF_HMAC_SHA
type=DH_GROUP, val=1536.
proposal id = 2:
protocol = IKEv2:
encapsulation = IKEv2/none
type=ENCR, val=3DES_CBC
type=INTEGR, val=AUTH_HMAC_SHA_2_256_128
type=PRF, val=PRF_HMAC_SHA2_256
type=DH_GROUP, val=1536.
proposal id = 1:
protocol = IKEv2:
encapsulation = IKEv2/none
type=ENCR, val=AES_CBC (key_len = 128)
type=INTEGR, val=AUTH_HMAC_SHA_96
type=PRF, val=PRF_HMAC_SHA
type=DH_GROUP, val=1536.

The first two proposals are what the peer offered; the last block, where numbering restarts at proposal id = 1, is this FortiGate's own proposal. The peer's first proposal differs from the local one only in the AES key length (256 versus 128), and its second proposal (3DES with SHA-256 integrity and PRF) differs on three transforms; DH group 1536 (group 5) agrees on both sides. A proposal is only selected when every transform type, key length included, has a value in common, so neither incoming proposal can be accepted until one side's Phase 1 proposal is changed.
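To make that comparison mechanical rather than by eye, the following added example (not Fortinet code and not from this page) parses the proposal dump printed by diagnose debug application ike -1 and reports, for each incoming proposal, the transform types on which no local proposal overlaps. The sample capture is constructed from the lines above; the "ike 0:TRX:322:" line prefix and the "my proposal:" marker introducing the local side are assumptions about the debug format, since the extract on this page shows neither.

```python
"""Compare IKEv2 Phase 1 proposals from a FortiGate IKE debug capture.

Added example, not Fortinet code. Assumptions: each debug line carries an
"ike <n>:<gw>:<id>:" prefix (stripped if present), and the local side's
proposals follow a "my proposal:" marker.
"""
import re

# Constructed sample, modelled on the SA-proposal-mismatch capture on this page.
SAMPLE_DEBUG = """\
ike 0:TRX:322: responder received SA_INIT msg
ike 0:TRX:322: incoming proposal:
ike 0:TRX:322: proposal id = 1:
ike 0:TRX:322:   protocol = IKEv2:
ike 0:TRX:322:     encapsulation = IKEv2/none
ike 0:TRX:322:       type=ENCR, val=AES_CBC (key_len = 256)
ike 0:TRX:322:       type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:TRX:322:       type=PRF, val=PRF_HMAC_SHA
ike 0:TRX:322:       type=DH_GROUP, val=1536.
ike 0:TRX:322: proposal id = 2:
ike 0:TRX:322:   protocol = IKEv2:
ike 0:TRX:322:     encapsulation = IKEv2/none
ike 0:TRX:322:       type=ENCR, val=3DES_CBC
ike 0:TRX:322:       type=INTEGR, val=AUTH_HMAC_SHA_2_256_128
ike 0:TRX:322:       type=PRF, val=PRF_HMAC_SHA2_256
ike 0:TRX:322:       type=DH_GROUP, val=1536.
ike 0:TRX:322: my proposal:
ike 0:TRX:322: proposal id = 1:
ike 0:TRX:322:   protocol = IKEv2:
ike 0:TRX:322:     encapsulation = IKEv2/none
ike 0:TRX:322:       type=ENCR, val=AES_CBC (key_len = 128)
ike 0:TRX:322:       type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:TRX:322:       type=PRF, val=PRF_HMAC_SHA
ike 0:TRX:322:       type=DH_GROUP, val=1536.
"""

PREFIX_RE = re.compile(r"^ike\s+[\w:]+:\s*")  # "ike 0:TRX:322: ", if present
PROPOSAL_RE = re.compile(r"proposal id = (\d+):")
# "type=ENCR, val=AES_CBC (key_len = 256)"; the trailing "." after a DH size is ignored
TRANSFORM_RE = re.compile(r"type=(\w+), val=(\w+)(?: \(key_len = (\d+)\))?")
DH_GROUP_BY_BITS = {"768": 1, "1024": 2, "1536": 5, "2048": 14}  # MODP size -> IANA group


def parse_proposals(debug_output):
    """Return (incoming, local): dicts {proposal id: {transform type: set of values}}."""
    incoming, local = {}, {}
    section, current = None, None
    for raw in debug_output.splitlines():
        line = PREFIX_RE.sub("", raw).strip()
        if line.endswith("proposal:"):  # "incoming proposal:" or "my proposal:"
            section = incoming if line.startswith("incoming") else local
            current = None
            continue
        m = PROPOSAL_RE.match(line)
        if m and section is not None:
            current = section.setdefault(int(m.group(1)), {})
            continue
        m = TRANSFORM_RE.match(line)
        if m and current is not None:
            kind, val, key_len = m.groups()
            if key_len:
                val = f"{val}/{key_len}"  # key length is part of what must match
            current.setdefault(kind, set()).add(val)
    return incoming, local


def explain_mismatch(incoming, local):
    """For each incoming proposal, the transform types with no value in common with
    the closest local proposal. An empty dict means that proposal is acceptable.
    A proposal may list several values per type; IKEv2 needs one in common per type."""
    if not local:
        raise ValueError("no local proposal found in debug output")
    report = {}
    for pid, inc in incoming.items():
        best = None
        for loc in local.values():
            diffs = {}
            for kind in sorted(set(inc) | set(loc)):
                if not inc.get(kind, set()) & loc.get(kind, set()):
                    diffs[kind] = (tuple(sorted(inc.get(kind, ()))),
                                   tuple(sorted(loc.get(kind, ()))))
            if best is None or len(diffs) < len(best):
                best = diffs
        report[pid] = best
    return report


def summarize(report):
    """One human-readable line per incoming proposal."""
    lines = []
    for pid, diffs in sorted(report.items()):
        if not diffs:
            lines.append(f"incoming proposal {pid}: acceptable")
            continue
        parts = []
        for kind, (theirs, ours) in diffs.items():
            fmt = (lambda v: f"{v} (group {DH_GROUP_BY_BITS.get(v, '?')})") if kind == "DH_GROUP" else str
            parts.append(f"{kind}: peer offers {', '.join(map(fmt, theirs))}, we accept {', '.join(map(fmt, ours))}")
        lines.append(f"incoming proposal {pid}: rejected on " + "; ".join(parts))
    return lines


if __name__ == "__main__":
    inc, loc = parse_proposals(SAMPLE_DEBUG)
    for line in summarize(explain_mismatch(inc, loc)):
        print(line)
```

On the sample this reports proposal 1 rejected on ENCR (AES_CBC/256 offered, AES_CBC/128 accepted) and proposal 2 rejected on ENCR, INTEGR and PRF. The fix is on whichever side you control: on a FortiGate, the Phase 1 algorithms are the proposal and dhgrp settings under config vpn ipsec phase1-interface (or phase1 for policy-based tunnels); adding the peer's AES-256/SHA-1 combination there, or moving the peer to AES-128, makes proposal 1 selectable.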

Pre-existing IPsec VPN tunnels need to be cleared.

diagnose vpn ike restart


diagnose vpn ike gateway clear

LAN interface connection

Dialup connection


Troubleshooting VPN connections

To get diagnose information for the VPN connection – CLI

diagnose debug disable
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter dst-addr4 10.11.101.10
diagnose debug app ike 255
diagnose debug enable

diagnose debug disable

To troubleshoot a phase1 VPN connection

proposal

IPsec SA connect 26 10.12.101.10->10.11.101.10:500
config found
created connection: 0x2f55860 26 10.12.101.10->10.11.101.10:500
IPsec SA connect 26 10.12.101.10->10.11.101.10:500 negotiating
no suitable ISAKMP SA, queuing quick-mode request and initiating ISAKMP SA negotiation
initiator: main mode is sending 1st message...
cookie 3db6afe559e3df0f/0000000000000000
out [encryption]
sent IKE msg (ident-i1send): 10.12.101.10:500->10.11.101.10:500, len=264, id=3db
ike 0: comes 10.12.101.1:500->10.11.101.1:500,ifindex=26....

initiator: main mode is sending 1st message...
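Reading a capture like the one above is a matter of finding the last milestone reached and the first error. The following added example (not Fortinet code) does that triage: it scores a Phase 1 debug capture by the milestones shown on this page (config found, connection created, ISAKMP/IKE SA negotiation started, first message sent, inbound "comes" packet) and the two error signatures from the PSK mismatch section, plus the RFC 7296 NO_PROPOSAL_CHOSEN notify name, and returns a hint on what to check next. It also counts how often the first message was sent, since repeated sends with no inbound packet mean the peer never answered. The samples are constructed from this page's lines (including the IKEv2 message quoted in the comments below); the "ike 0:TRX:26:" prefix and the packet direction on the inbound line are assumptions.

```python
"""Triage a FortiGate IKE debug capture: how far did Phase 1 get, and what next.

Added example, not Fortinet code. Patterns are limited to strings shown on this
page (IKEv1 main mode, the IKEv2 variant from the comments) plus the RFC 7296
NO_PROPOSAL_CHOSEN notify name; other debug output is not interpreted.
"""
import re

# Ordered Phase 1 milestones (substring, label); the furthest one seen is reported.
STAGES = [
    ("IPsec SA connect", "phase2 request triggered by traffic"),
    ("config found", "phase1 configuration matched the peer"),
    ("created connection", "IKE connection object created"),
    ("initiating ISAKMP SA", "phase1 (IKE SA) negotiation started"),  # IKEv1 wording
    ("initiating IKE_SA", "phase1 (IKE SA) negotiation started"),     # IKEv2 wording
    ("sending 1st message", "first IKE message sent"),
    ("sent IKE msg", "first IKE message sent"),
]
# "comes a.b.c.d:port->" marks an inbound IKE packet in the debug output.
INBOUND_RE = re.compile(r"\bcomes \d{1,3}(?:\.\d{1,3}){3}:\d+->")
ERRORS = [
    ("PSK auth failed", "psk-mismatch"),
    ("NO_PROPOSAL_CHOSEN", "proposal-mismatch"),
    ("Negotiate SA Error", "sa-negotiation-error"),
]

# Constructed samples, built from the captures on this page ("ike 0:TRX:26:" prefix assumed).
SAMPLE_MAIN_MODE = """\
ike 0:TRX:26: IPsec SA connect 26 10.12.101.10->10.11.101.10:500
ike 0:TRX:26: config found
ike 0:TRX:26: created connection: 0x2f55860 26 10.12.101.10->10.11.101.10:500
ike 0:TRX:26: IPsec SA connect 26 10.12.101.10->10.11.101.10:500 negotiating
ike 0:TRX:26: no suitable ISAKMP SA, queuing quick-mode request and initiating ISAKMP SA negotiation
ike 0:TRX:26: initiator: main mode is sending 1st message...
ike 0:TRX:26: cookie 3db6afe559e3df0f/0000000000000000
ike 0:TRX:26: sent IKE msg (ident-i1send): 10.12.101.10:500->10.11.101.10:500, len=264
ike 0: comes 10.11.101.10:500->10.12.101.10:500,ifindex=26....
"""
# Same exchange, but the peer never answers and the first message is sent again.
SAMPLE_NO_REPLY = "\n".join(SAMPLE_MAIN_MODE.splitlines()[:-1]) + \
    "\nike 0:TRX:26: initiator: main mode is sending 1st message...\n"
SAMPLE_PSK = """\
ike 0:TRX:322: PSK auth failed: probable pre-shared key mismatch
ike Negotiate SA Error:
"""
SAMPLE_IKEV2 = "ike 0:TRX:26: No suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation\n"


def triage(debug_output):
    """Return stage reached, first-message send count, inbound flag, errors and a hint."""
    result = {"stage": "nothing matched", "first_message_sends": 0,
              "inbound": False, "errors": []}
    furthest = -1
    for line in debug_output.splitlines():
        for idx, (needle, label) in enumerate(STAGES):
            if needle in line and idx > furthest:
                furthest, result["stage"] = idx, label
        if "sending 1st message" in line:
            result["first_message_sends"] += 1
        if INBOUND_RE.search(line):
            result["inbound"] = True
        for needle, code in ERRORS:
            if needle in line and code not in result["errors"]:
                result["errors"].append(code)
    result["hint"] = _hint(result)
    return result


def _hint(r):
    """Most specific explanation first: authentication, then proposals, then reachability."""
    if "psk-mismatch" in r["errors"]:
        return "Pre-shared key differs between the peers; re-enter it on both ends."
    if "proposal-mismatch" in r["errors"] or "sa-negotiation-error" in r["errors"]:
        return "Phase 1 proposals do not agree; compare encryption, integrity, PRF and DH group on both ends."
    if r["first_message_sends"] and not r["inbound"]:
        return (f"{r['first_message_sends']} first-message send(s) and no inbound IKE packet: the peer "
                "never answered. Check routing to the peer, UDP 500/4500 through any NAT or filtering "
                "device in the path, and that the peer is up.")
    if r["inbound"]:
        return "Peer is answering; Phase 1 is progressing. Keep the filtered debug running and read on for Phase 2."
    if r["stage"] == "nothing matched":
        return "No Phase 1 activity for this peer; confirm the log filter and that traffic matches the VPN policy."
    return "Negotiation started but no message sent yet; capture more output."


if __name__ == "__main__":
    for name, sample in [("main mode", SAMPLE_MAIN_MODE), ("no reply", SAMPLE_NO_REPLY),
                         ("psk", SAMPLE_PSK), ("ikev2", SAMPLE_IKEV2)]:
        print(name, triage(sample))
```

Run it against the output of the filtered debug session from the previous section; the "no reply" case is the one worth checking before touching any proposal or key, because repeated first-message sends with nothing inbound point at the path between the peers, not at IKE.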

VPN troubleshooting tips


Attempting hardware offloading beyond SHA1

Enable/disable IPsec ASIC-offloading

config sys global
    set ipsec-asic-offload [enable|disable]
end

Check Phase 1 proposal settings

Check your routing

Try enabling XAuth


General troubleshooting tips


A word about NAT devices

Keith Leroux


13 Comments

Hugo Fournier • 2 months ago


Hi,

Phase 1 is successful, and then there is a negotiation timeout and phase 2 does not go
through. Any ideas? The settings are the same on both site-to-site VPN ends.

Keith Leroux Hugo Fournier • 2 months ago


Hi Hugo,

You could attempt to increase the Keylife value, or remove some of the unnecessary
proposals. Failing that, you'll have to contact support.fortinet.com and run some more
diagnostics. If you come to a solution that we can add to this Troubleshooting guide,
do let me know, I'd be happy to add it!

Hugo Fournier Keith Leroux • 2 months ago


Thank you, Keith, for your quick reply. I haven't found the issue but will post if I
can find it.

We are getting this error now: "No suitable IKE_SA, queuing CHILD_SA request and
initiating IKE_SA negotiation", so onto something different. :)

Hugo Fournier Hugo Fournier • 6 days ago


I found the issue, I had to use DH group 14 for aggressive mode.



© 2017 Fortinet
