3) To ensure VPN Tunnel connection is stable and maintained, ensure FEX 3G/4G LTE connection link is also stable.
# config system management
# config <management_mode>
set mode nat
end
# execute ping <Internet_IP_address>
For FortiGate side VPN configuration details and CLI commands, refer Page #962:
# show vpn ipsec phase1-interface <VPN_Name>
# config vpn ipsec phase1-interface
edit "<phase1_name>"
set interface "<Interface_Name>"
set ike-version 2
set keylife 8000
set peertype any
set net-device disable
set mode-cfg enable
set proposal aes256-sha256
set dhgrp 5
set remote-gw 10.13.151.226
set psksecret ENC <secret_key>
next
end
# show vpn ipsec phase2-interface <VPN_Name>
# config vpn ipsec phase2-interface
edit "<phase2_name>"
set phase1name "<phase1_name>"
set proposal aes128-sha1
set dhgrp 5
set comments "<comments>"
set keylifeseconds 86400
next
end
- If the VPN Tunnel is not established, check whether there is any IPsec negotiation error using the below commands on the FEX CLI:
# get system interface
# get vpn ipsec configurations
# get vpn ipsec tunnel details
# get vpn ipsec negotiation error
- To check whether FortiExtender is responding to the 'init' message from FortiGate, use the below tcpdump CLI commands on the FortiExtender CLI; here 'lte1' is the FEX interface via which the IPsec traffic traverses:
Note: Use the 'ctrl+c' keys to stop the trace.
# execute tcpdump -n -i lte1
# execute tcpdump -n -i lte1 -vv
00:15:27.355754 IP 10.12.0.4.500 > 10.13.151.226.500: isakmp: parent_sa ikev2_init[I]
00:15:37.345172 IP 10.12.0.4.500 > 10.13.151.226.500: isakmp: parent_sa ikev2_init[I]
00:15:40.335761 IP 10.12.0.4.500 > 10.13.151.226.500: isakmp: parent_sa ikev2_init[I]
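As an added example (not from this article or from Fortinet), the following Python script parses tcpdump lines in the format shown above and flags a peer pair whose IKE_SA_INIT requests are being retransmitted with no reply, which is the symptom to confirm before turning on IPSECD debug. The sample capture, function names and the hint text are mine.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the 'execute tcpdump -n -i lte1' output
# above: three IKE_SA_INIT requests from the FEX with no reply from the peer.
SAMPLE_CAPTURE = """\
00:15:27.355754 IP 10.12.0.4.500 > 10.13.151.226.500: isakmp: parent_sa ikev2_init[I]
00:15:37.345172 IP 10.12.0.4.500 > 10.13.151.226.500: isakmp: parent_sa ikev2_init[I]
00:15:40.335761 IP 10.12.0.4.500 > 10.13.151.226.500: isakmp: parent_sa ikev2_init[I]
"""

# Matches the IKEv2 summary lines tcpdump -n prints for UDP/500 (and UDP/4500
# NAT-T) traffic; [I] marks an initiator message, [R] a responder message.
IKE_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.\d+: "
    r"isakmp: .*?(?P<exch>ikev2_\w+)\[(?P<role>[IR])\]"
)


def summarize_ike(capture: str) -> dict:
    """Count IKE_SA_INIT requests and replies per (initiator, responder) pair."""
    pairs = defaultdict(lambda: {"init_sent": 0, "init_answered": 0})
    for line in capture.splitlines():
        m = IKE_LINE.match(line)
        if not m or m["exch"] != "ikev2_init":
            continue  # ignore non-IKE packets and later exchanges (AUTH, etc.)
        if m["role"] == "I":
            pairs[(m["src"], m["dst"])]["init_sent"] += 1
        else:
            # A responder reply flows back toward the initiator; key it the same way.
            pairs[(m["dst"], m["src"])]["init_answered"] += 1
    return dict(pairs)


def diagnose(capture: str) -> list:
    """One finding per peer pair whose IKE_SA_INIT requests never got a reply.
    No reply at all points at reachability or peer-side configuration rather
    than a proposal mismatch, which the peer would answer with a notify."""
    findings = []
    for (initiator, responder), c in summarize_ike(capture).items():
        if c["init_sent"] and not c["init_answered"]:
            findings.append(
                f"{initiator} -> {responder}: {c['init_sent']} IKE_SA_INIT request(s), "
                "no response: verify UDP/500 and UDP/4500 reachability over the LTE link "
                "and the peer's phase1 remote-gw/PSK before enabling IPSECD debug"
            )
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_CAPTURE):
        print(finding)
```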
- Other FortiExtender VPN related CLI commands:
# execute debug IPSECD all
# execute debug IPSECD <----- To check which IPSECD submodes are turned on.
# execute debug log-to-console on <----- To print IPSECD logs.
# execute debug clear <----- To disable logging.
# execute debug log-to-console off <----- To turn off console logs.
# get vpn certificate ca details
# get vpn certificate local details
# show config
Note: It is recommended to run FortiExtender on one of the latest versions (v4.1.5 GA or v4.2 and higher), as there is a bug fix (Bug 0620533) for 'ESP traffic dropped every 1 hour, requiring FEX reboot to fix it', which caused the FEX VPN Tunnel to go down. Refer Page #12.
Copyright 2024 Fortinet, Inc. All Rights Reserved.