Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
fquerzo_FTNT
Staff
Staff

Created on ‎02-25-2015 08:13 AM

Article Id 197696

Technical Note: Configuring IPsec concentrator and multiple phase2 with same destination

Description
When configuring a FortiGate as an IPsec concentrator where multiple phase2 are configured with the same destination subnet, it could be seen that one phase2 is working correctly and the others are not. This may be because the FortiGate is by default matching phase2 selectors based on destination.

Solution
Enable to check source and destination to match correct phase2.

config vpn ipsec concentrator
edit <concentrator_name>
set src-check enable
end

When facing the issue and issuing the command below you can see only first phase2 in the list is passing traffic in both directions "dec:pkts/bytes, enc:pkts/bytes" and counters increase; other phase2 is never matched in one direction. In this example since destination is same for both phase2, the second one has no outgoing counters "enc:pkts/bytes=0/0"First phase2 is always matched even if actual traffic is from 192.168.1.0/24 so outgoing traffic will be wrongly encrypted using SPI of first phase2, then sent inside the tunnel.

# diagnose vpn tunnel list name <PHASE1_NAME>

list ipsec tunnel by names in vd 0
------------------------------------------------------
name=<PHASE1_NAME> ver=1 serial=9 60.100.200.1:0->90.100.100.1:0 lgwy=static tun=tunnel mode=auto bound_if=26
proxyid_num=12 child_num=0 refcnt=25 ilast=3 olast=3
stat: rxp=502 txp=523 rxb=95376 txb=155927
dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=1165
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=<PHASE2_A> proto=0 sa=1 ref=2 auto_negotiate=0 serial=2
  src: 0:192.168.0.0/255.255.255.0:0
  dst: 0:10.10.2.0/255.255.255.0:0
  SA: ref=3 options=0000000e type=00 soft=0 mtu=1412 expire=566
replaywin=2048 seqno=20c
  life: type=01 bytes=0/0 timeout=1749/1800
  dec: spi=98e56816 esp=aes key=24 09e4f86d47d4655454245c545462545edb1ed5b9dabf0dcc
       ah=sha1 key=20 907fa8fff792b44d10756b545652566464566331
  enc: spi=6e863238 esp=aes key=24 03a502be75454236987556563656686868454643de17ce1f
       ah=sha1 key=20 becd22db799345458585223365656596dcb7868e
  dec:pkts/bytes=466/60299, enc:pkts/bytes=523/190760
proxyid=<PHASE2_B> proto=0 sa=1 ref=2 auto_negotiate=0 serial=3
  src: 0:192.168.1.0/255.255.255.0:0
  dst: 0:10.10.2.0/255.255.255.0:0
  SA: ref=3 options=0000000e type=00 soft=0 mtu=1412 expire=574 replaywin=2048 seqno=1
  life: type=01 bytes=0/0 timeout=1747/1800
  dec: spi=98e33357 esp=aes key=24 305164ea47df36ea055825523632656656645444f02c0d19
       ah=sha1 key=20 25ba9bab8214ece258989458963369889892c13e
  enc: spi=56be8e65 esp=aes key=24 93985a1b7ad8b8512354548656658693c3ecfbd2686c4132
       ah=sha1 key=20 004015f3bc6078b2656565656569966289c483b1
  dec:pkts/bytes=7/352, enc:pkts/bytes=0/0

1865
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.