FortiProxy
ssriswadpong
Staff
Article Id 191034
Description
This article describes how to debug and troubleshoot IPsec VPN tunnels.

Almost all FortiProxy commands are the same as on FortiGate, but IPsec troubleshooting is an exception: FortiProxy has its own command for it.

Solution
The command is:
# diagnose ipsec connect <phase1name> <phase2name>
In this example, both phase1name and phase2name are 'ipsecvpn'.

Sample output when the VPN tunnel can be established:
FortiProxy # diagnose ipsec connect ipsecvpn ipsecvpn
[ENC] generating QUICK_MODE request 3312549748 [ HASH SA No KE ID ID ]
[NET] sending packet: from 10.177.1.246[500] to 10.177.1.188[500] (492 bytes)
[NET] received packet: from 10.177.1.188[500] to 10.177.1.246[500] (444 bytes)
[ENC] parsed QUICK_MODE response 3312549748 [ HASH SA No KE ID ID ]
[IKE] received 28800s lifetime, configured 0s
[IKE] received 36908000 lifebytes, configured 36908748
[IKE] CHILD_SA ipsecvpn{4} established with SPIs c581cf90_i b7f42e3f_o and TS 10.207.0.0/22 === 10.237.0.0/22
[ENC] generating QUICK_MODE request 3312549748 [ HASH ]
[NET] sending packet: from 10.177.1.246[500] to 10.177.1.188[500] (76 bytes)
Initiate completed successfully.

Sample output when the VPN tunnel cannot be established (retransmission):
FortiProxy # diagnose ipsec connect ipsecvpn ipsecvpn
[IKE] initiating Main Mode IKE_SA ipsecvpn[35] to 10.177.1.188
[ENC] generating ID_PROT request 0 [ SA V V V V V ]
[NET] sending packet: from 10.177.1.246[500] to 10.177.1.188[500] (560 bytes)
[NET] received packet: from 10.177.1.188[500] to 10.177.1.246[500] (188 bytes)
[ENC] parsed ID_PROT response 0 [ SA V V V V V ]
[IKE] received NAT-T (RFC 3947) vendor ID
[IKE] received DPD vendor ID
[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
[IKE] received FRAGMENTATION vendor ID
[IKE] received FRAGMENTATION vendor ID
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[NET] sending packet: from 10.177.1.246[500] to 10.177.1.188[500] (396 bytes)
[NET] received packet: from 10.177.1.188[500] to 10.177.1.246[500] (380 bytes)
[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
[ENC] generating ID_PROT request 0 [ ID HASH ]
[NET] sending packet: from 10.177.1.246[500] to 10.177.1.188[500] (92 bytes)
[NET] received packet: from 10.177.1.188[500] to 10.177.1.246[500] (380 bytes)
[IKE] received retransmit of response with ID 0, but next request already sent
[IKE] sending retransmit 1 of request message ID 0, seq 3

If the VPN tunnel cannot be brought up, check the phase1/phase2 settings, make sure all parameters are correct, and run the debug or check the logs on the remote gateway to find the cause.
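As an added example (not part of this article and not a Fortinet tool), the Python helper below reads the text printed by diagnose ipsec connect and summarises what matters for triage: whether the initiate completed, the CHILD_SA SPIs and traffic selectors when it did, how many retransmits were sent when it did not, the received-versus-configured lifetime pair, and any unknown vendor IDs seen. The regular expressions are assumptions derived only from the two samples above; both sample outputs are embedded as constants so the script runs offline.

```python
import re
from typing import Dict, List, Optional, Tuple

# Patterns are assumptions based on the two sample outputs in this article.
ESTABLISHED_RE = re.compile(
    r"\[IKE\] CHILD_SA (?P<name>\S+)\{\d+\} established with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o and TS "
    r"(?P<ts_local>\S+) === (?P<ts_remote>\S+)"
)
RETRANSMIT_RE = re.compile(
    r"\[IKE\] sending retransmit (?P<n>\d+) of request message ID (?P<id>\d+)"
)
LIFETIME_RE = re.compile(
    r"\[IKE\] received (?P<recv>\d+)s lifetime, configured (?P<conf>\d+)s"
)
UNKNOWN_VID_RE = re.compile(r"\[ENC\] received unknown vendor ID: (?P<vid>[0-9a-f:]+)")
COMPLETED = "Initiate completed successfully."

# Success sample, copied from the article's first output listing.
SUCCESS_SAMPLE = """FortiProxy # diagnose ipsec connect ipsecvpn ipsecvpn
[ENC] generating QUICK_MODE request 3312549748 [ HASH SA No KE ID ID ]
[NET] sending packet: from 10.177.1.246[500] to 10.177.1.188[500] (492 bytes)
[NET] received packet: from 10.177.1.188[500] to 10.177.1.246[500] (444 bytes)
[ENC] parsed QUICK_MODE response 3312549748 [ HASH SA No KE ID ID ]
[IKE] received 28800s lifetime, configured 0s
[IKE] received 36908000 lifebytes, configured 36908748
[IKE] CHILD_SA ipsecvpn{4} established with SPIs c581cf90_i b7f42e3f_o and TS 10.207.0.0/22 === 10.237.0.0/22
[ENC] generating QUICK_MODE request 3312549748 [ HASH ]
[NET] sending packet: from 10.177.1.246[500] to 10.177.1.188[500] (76 bytes)
Initiate completed successfully.
"""

# Failure (retransmission) sample, copied from the article's second listing.
FAILURE_SAMPLE = """FortiProxy # diagnose ipsec connect ipsecvpn ipsecvpn
[IKE] initiating Main Mode IKE_SA ipsecvpn[35] to 10.177.1.188
[ENC] generating ID_PROT request 0 [ SA V V V V V ]
[NET] sending packet: from 10.177.1.246[500] to 10.177.1.188[500] (560 bytes)
[NET] received packet: from 10.177.1.188[500] to 10.177.1.246[500] (188 bytes)
[ENC] parsed ID_PROT response 0 [ SA V V V V V ]
[IKE] received NAT-T (RFC 3947) vendor ID
[IKE] received DPD vendor ID
[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
[IKE] received FRAGMENTATION vendor ID
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[NET] sending packet: from 10.177.1.246[500] to 10.177.1.188[500] (396 bytes)
[NET] received packet: from 10.177.1.188[500] to 10.177.1.246[500] (380 bytes)
[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
[ENC] generating ID_PROT request 0 [ ID HASH ]
[NET] sending packet: from 10.177.1.246[500] to 10.177.1.188[500] (92 bytes)
[NET] received packet: from 10.177.1.188[500] to 10.177.1.246[500] (380 bytes)
[IKE] received retransmit of response with ID 0, but next request already sent
[IKE] sending retransmit 1 of request message ID 0, seq 3
"""


def summarize_ipsec_connect(output: str) -> Dict[str, object]:
    """Classify one diagnose ipsec connect run and pull out the triage fields."""
    child_sa: Optional[Dict[str, str]] = None
    retransmits = 0
    lifetimes: Optional[Tuple[int, int]] = None
    unknown_vids: List[str] = []
    completed = False

    for raw in output.splitlines():
        line = raw.strip()
        if (m := ESTABLISHED_RE.search(line)):
            child_sa = m.groupdict()          # phase2 name, SPIs, traffic selectors
        elif (m := RETRANSMIT_RE.search(line)):
            retransmits = max(retransmits, int(m.group("n")))  # highest retransmit seen
        elif (m := LIFETIME_RE.search(line)):
            # Recorded for comparison only: the article's success sample shows
            # 28800s received vs 0s configured, so a difference alone is not a failure.
            lifetimes = (int(m.group("recv")), int(m.group("conf")))
        elif (m := UNKNOWN_VID_RE.search(line)):
            unknown_vids.append(m.group("vid"))
        elif line == COMPLETED:
            completed = True

    if completed:
        status = "established"
    elif retransmits:
        status = "retransmitting"     # peer stopped answering: check phase1 settings / remote logs
    else:
        status = "not_established"

    return {
        "status": status,
        "child_sa": child_sa,
        "retransmits": retransmits,
        "lifetimes": lifetimes,
        "unknown_vendor_ids": unknown_vids,
    }


if __name__ == "__main__":
    for label, sample in (("success", SUCCESS_SAMPLE), ("failure", FAILURE_SAMPLE)):
        print(label, summarize_ipsec_connect(sample))
```

Paste the real command output into the script (for example via a file read) in place of the embedded samples; a status of "retransmitting" with no CHILD_SA line is the signature of the second listing above, which is when the article directs you to re-check phase1/phase2 parameters and the remote gateway's logs.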

Other useful commands:
# diagnose ipsec reload-ipsec
# diagnose ipsec reload-ca
'reload-ipsec' is required after applying some changes to the phase1 or phase2 settings.
