FortiExtender
vpatil
Staff
Article Id 194976
Description
This article describes how to configure and debug VPN connectivity issues on FortiExtender (FEX).
Refer to the admin guide and release notes at: https://docs.fortinet.com/product/fortiextender/4.1

Solution
Standalone FortiExtender-201E establishing an IPsec VPN connection with a FortiGate, as shown in the topology diagram (image not reproduced here):

1) Modes of operation: depending on how it is managed, FortiExtender can operate in IP pass-through mode or NAT mode. Refer to page 15 of the admin guide:
https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/355957a5-4eb5-11ea-9384-005056...

2) VPN and the other features listed in the linked document are supported ONLY when the FEX 'Modes of operation' is set to 'NAT Mode'. Refer to page 17:
https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/355957a5-4eb5-11ea-9384-005056...
# config system management
# config <management_mode>
    set mode nat
end
3) To keep the VPN tunnel connection stable, ensure the FEX 3G/4G LTE uplink is also stable.
Use the FEX ping command towards an Internet address, such as the Google DNS IP address 8.8.8.8, to test the FEX Internet uplink stability:
# execute ping <Internet_IP_address>


Configuration:

1) VPN configuration has to be done on both the FortiExtender (FEX) and the FortiGate.

2) FortiExtender-side VPN config:

FortiExtender uses IPsec VPN to connect branch offices to each other.
It supports only the site-to-site VPN tunnel mode. Sample FEX VPN configuration GUI screenshots:

- FEX IPsec Phase-1 config (screenshot not reproduced here)

- FortiExtender IPsec Phase-2 config (screenshot not reproduced here)

Note: For FortiExtender VPN configuration details and CLI commands, refer to page 36 of the admin guide:
https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/355957a5-4eb5-11ea-9384-00505692583a/FortiExtender-4.1.3-Admin-Guide.pdf

3) FortiGate phase-1 and phase-2 VPN sample config:
# show vpn ipsec phase1-interface <VPN_Name>

# config vpn ipsec phase1-interface
    edit "<phase1_name>"
        set interface "<Interface_Name>"
        set ike-version 2
        set keylife 8000
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set dhgrp 5
        set remote-gw 10.13.151.226
        set psksecret ENC <secret_key>
    next
end

# show vpn ipsec phase2-interface <VPN_Name>

# config vpn ipsec phase2-interface
    edit "<phase2_name>"
        set phase1name "<phase1_name>"
        set proposal aes128-sha1
        set dhgrp 5
        set comments "<comments>"
        set keylifeseconds 86400
    next
end
For FortiGate-side VPN configuration details and CLI commands, refer to page 962:
https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/af0e75e9-211f-11ea-9384-005056...

Debugging:

To check the FortiExtender VPN tunnel status, and for other FortiExtender VPN-related debug commands, refer to the commands below:

- A tunnel interface is created in the system interface list when the IPsec Phase-1 is successfully established. To check the VPN tunnel status, use the following commands on the FEX CLI:

# get system interface

# get vpn ipsec configurations
# get vpn ipsec tunnel details

- If the VPN tunnel is not established, check whether there is an IPsec negotiation error using the following command on the FEX CLI:
# get vpn ipsec negotiation error
- To check whether the FortiExtender is responding to the 'init' message from the FortiGate, use the following tcpdump commands on the FortiExtender CLI; here 'lte1' is the FEX interface over which the IPsec traffic traverses:
# execute tcpdump -n -i lte1
# execute tcpdump -n -i lte1 -vv
Note: Press Ctrl+C to stop the trace.

Sample tcpdump output: here the FEX capture shows that the FEX (10.13.151.226) is NOT responding to the IKEv2 'init' message from the FortiGate (10.12.0.4), which is retransmitted without an answer:
00:15:27.355754 IP 10.12.0.4.500 > 10.13.151.226.500: isakmp: parent_sa ikev2_init[I]
00:15:37.345172 IP 10.12.0.4.500 > 10.13.151.226.500: isakmp: parent_sa ikev2_init[I]
00:15:40.335761 IP 10.12.0.4.500 > 10.13.151.226.500: isakmp: parent_sa ikev2_init[I]
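Reading three lines by eye is easy; a longer trace from the tcpdump command above is not. The following added Python example (not part of the article or of FortiExtender) parses the one-line isakmp format shown above and reports peers whose IKE_SA_INIT requests never received an [R] reply. Both captures inside it are constructed samples modelled on the output above.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the article's tcpdump output (default, non -vv
# verbosity). FortiGate 10.12.0.4 sends IKE_SA_INIT three times; the FEX never replies.
UNANSWERED_CAPTURE = """\
00:15:27.355754 IP 10.12.0.4.500 > 10.13.151.226.500: isakmp: parent_sa ikev2_init[I]
00:15:37.345172 IP 10.12.0.4.500 > 10.13.151.226.500: isakmp: parent_sa ikev2_init[I]
00:15:40.335761 IP 10.12.0.4.500 > 10.13.151.226.500: isakmp: parent_sa ikev2_init[I]
"""

# Constructed healthy exchange: the FEX answers with ikev2_init[R] and IKE_AUTH follows.
HEALTHY_CAPTURE = """\
00:20:01.000000 IP 10.12.0.4.500 > 10.13.151.226.500: isakmp: parent_sa ikev2_init[I]
00:20:01.050000 IP 10.13.151.226.500 > 10.12.0.4.500: isakmp: parent_sa ikev2_init[R]
00:20:01.100000 IP 10.12.0.4.500 > 10.13.151.226.500: isakmp: child_sa ikev2_auth[I]
00:20:01.150000 IP 10.13.151.226.500 > 10.12.0.4.500: isakmp: child_sa ikev2_auth[R]
"""

# One IKE line: timestamp, src.port > dst.port, exchange name and [I]nitiator/[R]esponder flag.
IKE_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): isakmp: \S+ (?P<exch>ikev2_\w+)\[(?P<role>[IR])\]"
)

def parse_capture(text):
    """Yield parsed IKE lines; anything that is not an isakmp line is ignored."""
    for line in text.splitlines():
        m = IKE_LINE.match(line.strip())
        if m:
            yield m.groupdict()

def ike_summary(text):
    """Per (initiator, responder) pair, count IKE_SA_INIT/IKE_AUTH requests and replies."""
    counts = defaultdict(lambda: defaultdict(int))
    for ev in parse_capture(text):
        # [R] packets travel responder -> initiator, so flip them onto the initiator's key.
        pair = (ev["src"], ev["dst"]) if ev["role"] == "I" else (ev["dst"], ev["src"])
        counts[pair][ev["exch"] + "_" + ev["role"]] += 1
    return {pair: dict(c) for pair, c in counts.items()}

def unanswered_init(text):
    """Pairs where IKE_SA_INIT was (re)sent but no [R] reply ever appeared in the capture."""
    return sorted(
        (init, resp, c.get("ikev2_init_I", 0))
        for (init, resp), c in ike_summary(text).items()
        if c.get("ikev2_init_I", 0) and not c.get("ikev2_init_R", 0)
    )
```

Run `unanswered_init` over the saved capture text; any pair it returns is the no-response case above, which points at the NAT mode and phase-1 configuration checks that follow.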


Possible causes of this issue:

1) VPN configuration mismatch between the FEX and the remote peer. Check the proposal and ike-version settings on both the FEX and the FortiGate.

2) Ensure the FEX 'Modes of operation' is set to 'NAT Mode'; the available modes depend on how the FEX is managed. Refer to page 15:

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/355957a5-4eb5-11ea-9384-005056...
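To make the mismatch check in cause 1 mechanical, the following added Python example (not from the article or from either product) parses the FortiGate phase-1 block shown earlier and compares the settings IKE needs in common against FEX-side values supplied as a dict. The FEX values, and the choice to key them with the FortiGate setting names, are constructed assumptions.

```python
# FortiGate phase-1 block as printed in this article (placeholder values kept as-is).
FGT_PHASE1 = """\
config vpn ipsec phase1-interface
    edit "<phase1_name>"
        set interface "<Interface_Name>"
        set ike-version 2
        set keylife 8000
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set dhgrp 5
        set remote-gw 10.13.151.226
        set psksecret ENC <secret_key>
    next
end
"""

# Constructed FEX-side phase-1 values, keyed with the FortiGate setting names (an assumption;
# FortiExtender's own CLI keywords are not reproduced). ike-version deliberately disagrees.
FEX_PHASE1 = {"ike-version": "1", "proposal": "aes256-sha256", "dhgrp": "5"}
COMPARED_KEYS = ("ike-version", "proposal", "dhgrp")  # must agree for phase 1 to come up

def parse_fortios_block(text):
    """Return {entry_name: {setting: value}} for one 'config/edit/set/next/end' block."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = entries.setdefault(line[5:].strip().strip('"'), {})
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip().strip('"')
        elif line == "next":
            current = None
    return entries

def phase1_mismatches(fgt_entry, fex_params):
    """Settings with no value in common, as {setting: (fortigate_value, fex_value)}."""
    diffs = {}
    for key in COMPARED_KEYS:
        fgt, fex = fgt_entry.get(key, ""), fex_params.get(key, "")
        # proposal and dhgrp may list several values; the peers need only one in common.
        if not set(fgt.split()) & set(fex.split()):
            diffs[key] = (fgt, fex)
    return diffs
```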

- FEX 'IPSECD' logging can be enabled using the following commands:
# execute debug IPSECD all
# execute debug IPSECD                  <----- Shows which IPSECD debug submodes are turned on.
# execute debug log-to-console on       <----- Prints IPSECD logs to the console.

# execute debug clear                   <----- Disables debug logging.
# execute debug log-to-console off      <----- Turns off console logs.
- Other FortiExtender VPN related CLI commands:
# get vpn certificate ca details
# get vpn certificate local details
# show config
Note: It is recommended to run FortiExtender on one of the latest versions (v4.1.5 GA, or v4.2 and higher), as they include a fix for Bug 0620533, 'ESP traffic dropped every 1 hour, requiring FEX reboot to fix it', which caused the FEX VPN tunnel to go down. Refer to page 12:
