FortiGate
svishal
Staff
Article Id 284177
Description

This article covers a specific scenario where, due to a PFS mismatch, an IKEv2 tunnel comes up initially but then flaps at every IPSec rekey.
Scope

FortiGate, IPSec tunnel, IKEv2, PFS.

Solution

In contrast to IKEv1, when there is a PFS mismatch on an IPSec tunnel configured to use IKEv2, the tunnel will initially come up as expected.

It will continue to function and pass traffic without any issues until an IPSec rekey. During the IPSec rekey, the tunnel will go down, resulting in traffic disruption.


This is a misconfiguration. The tunnel comes up the first time because there is only one traffic selector (for example 0.0.0.0/0.0.0.0 to 0.0.0.0/0.0.0.0, i.e. any to any), and the IKEv2 RFC allows the first IPSec SA to be established as part of completing the IKE_AUTH exchange.

As a result, once the first four messages have been exchanged, both the IKE SA and the first IPSec SA (Security Association) are up and traffic can start passing over the tunnel. The mismatch goes unnoticed at this point because the PFS setting (the Diffie-Hellman group for the Child SA) is not negotiated in IKE_AUTH.


However, an IPSec rekey uses the CREATE_CHILD_SA exchange, and this is where the PFS setting is actually sent to the peer. The mismatch is detected, the rekey fails, and the tunnel goes down.


The solution is to configure the IKEv2 IPSec tunnel correctly, with the PFS settings (enabled or disabled, and the DH group) matching at both ends.


Example debug output for this issue:

Example 1: This device is the responder for the CREATE_CHILD_SA exchange (it receives the create-child request; the peer's proposal has PFS disabled while the local proposal includes DH_GROUP MODP2048, so no proposal is chosen):


2023-10-19 10:36:04.712413 ike 0:pmbho-rto:7018725: received create-child request
2023-10-19 10:36:04.712418 ike 0:pmbho-rto:7018725: responder received CREATE_CHILD exchange
2023-10-19 10:36:04.712424 ike 0:pmbho-rto:7018725: responder creating new child
2023-10-19 10:36:04.712442 ike 0:pmbho-rto:7018725:13823377: peer proposal:
2023-10-19 10:36:04.712449 ike 0:pmbho-rto:7018725:13823377: TSi_0 0:10.0.0.0-10.0.0.255:0
2023-10-19 10:36:04.712455 ike 0:pmbho-rto:7018725:13823377: TSr_0 0:172.100.100.136-172.100.100.143:0
2023-10-19 10:36:04.712460 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: comparing selectors
2023-10-19 10:36:04.712469 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: matched by rfc-rule-2
2023-10-19 10:36:04.712473 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: phase2 matched by subset
2023-10-19 10:36:04.712479 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: accepted proposal:
2023-10-19 10:36:04.712485 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: TSi_0 0:10.0.0.0-10.0.0.255:0
2023-10-19 10:36:04.712491 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: TSr_0 0:172.100.100.136-172.100.100.143:0
2023-10-19 10:36:04.712496 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: autokey
2023-10-19 10:36:04.712503 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: incoming child SA proposal:
2023-10-19 10:36:04.712509 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: proposal id = 1:
2023-10-19 10:36:04.712518 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: protocol = ESP:
2023-10-19 10:36:04.712521 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: encapsulation = TUNNEL
2023-10-19 10:36:04.712526 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: type=ENCR, val=AES_CBC (key_len = 256)
2023-10-19 10:36:04.712530 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: type=INTEGR, val=SHA256
2023-10-19 10:36:04.712533 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: type=ESN, val=NO
2023-10-19 10:36:04.712538 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: PFS is disabled
2023-10-19 10:36:04.712542 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: my proposal:
2023-10-19 10:36:04.712545 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: proposal id = 1:
2023-10-19 10:36:04.712549 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: protocol = ESP:
2023-10-19 10:36:04.712553 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: encapsulation = TUNNEL
2023-10-19 10:36:04.712557 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: type=ENCR, val=AES_CBC (key_len = 256)
2023-10-19 10:36:04.712561 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: type=INTEGR, val=SHA256
2023-10-19 10:36:04.712564 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: type=DH_GROUP, val=MODP2048
2023-10-19 10:36:04.712568 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: type=ESN, val=NO
2023-10-19 10:36:04.712572 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: lifetime=43200
2023-10-19 10:36:04.712576 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: no proposal chosen
2023-10-19 10:36:04.712589 ike Negotiate SA Error: 2023-10-19 10:36:04.712592 ike 2023-10-19 10:36:04.712595 ike [1468]
2023-10-19 10:36:04.712598 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: responder preparing CREATE_CHILD message
2023-10-19 10:36:04.712605 ike 0:pmbho-rto:7018725: enc 000000080000000E0706050403020107
2023-10-19 10:36:04.712615 ike 0:pmbho-rto:7018725: out 24BEF7BC6260B90F1DC341428262099B2E202420000000130000005029000034083494B83272C226C45EDD3364B251CFE0154C066802AC7B1151A76FC2C11FBB1DA07E4F1F57BDC4EEBA565E3C76A74F
2023-10-19 10:36:04.712627 ike 0:pmbho-rto:7018725: sent IKE msg (CREATE_CHILD_RESPONSE): 10.11.11.11:500->10.12.12.12:500, len=80, id=24bef7bc6260b90f/1dc341428262099b:00000013
2023-10-19 10:36:04.712641 ike 0:pmbho-rto:7018725:13823377: no proposal chosen


Example 2: This device is the initiator for the CREATE_CHILD_SA exchange (it sends the CREATE_CHILD request with PFS enabled and receives a NO_PROPOSAL_CHOSEN notify in the response):


2023-10-19 10:36:02.710224 ike 0:pmbho-rto:pmbho-rto: IPsec SA connect 9 10.11.11.11->10.12.12.12:0
2023-10-19 10:36:02.710246 ike 0:pmbho-rto:pmbho-rto: using existing connection
2023-10-19 10:36:02.710284 ike 0:pmbho-rto:pmbho-rto: config found
2023-10-19 10:36:02.710290 ike 0:pmbho-rto:pmbho-rto: IPsec SA connect 9 10.11.11.11->10.12.12.12:500 negotiating
2023-10-19 10:36:02.710364 ike 0:pmbho-rto:7018725:13823365 initiating CREATE_CHILD exchange
2023-10-19 10:36:02.710376 ike 0:pmbho-rto:7018725:pmbho-rto:13823365: PFS enabled
2023-10-19 10:36:02.710594 ike 0:pmbho-rto:7018725: enc <--output curtailed-->
2023-10-19 10:36:02.710628 ike 0:pmbho-rto:7018725: out <--output curtailed-->
2023-10-19 10:36:02.710651 ike 0:pmbho-rto:7018725: sent IKE msg (CREATE_CHILD): 10.11.11.11:500->10.12.12.12:500, len=464, id=24bef7bc6260b90f/1dc341428262099b:00000069
2023-10-19 10:36:02.751469 ike 0: comes 10.12.12.12:500->10.11.11.11:500,ifindex=9....
2023-10-19 10:36:02.751483 ike 0: IKEv2 exchange=CREATE_CHILD_RESPONSE id=24bef7bc6260b90f/1dc341428262099b:00000069 len=80
2023-10-19 10:36:02.751489 ike 0: in 24BEF7BC6260B90F1DC341428262099B2E202428000000690000005029000034C7867B9854C5A353FA3505835CBF7DC62BA2B8B7381EA48037B24F18966F89A363D3506A276A9258E17DD5514EA8ED54
2023-10-19 10:36:02.751496 ike 0:pmbho-rto: HA state master(2)
2023-10-19 10:36:02.751510 ike 0:pmbho-rto:7018725: dec 24BEF7BC6260B90F1DC341428262099B2E202428000000690000002829000004000000080000000E
2023-10-19 10:36:02.751516 ike 0:pmbho-rto:7018725: received create-child response
2023-10-19 10:36:02.751521 ike 0:pmbho-rto:7018725: initiator received CREATE_CHILD msg
2023-10-19 10:36:02.751526 ike 0:pmbho-rto:7018725:pmbho-rto:13823365: found child SA SPI fe84f1b0 state=3
2023-10-19 10:36:02.751532 ike 0:pmbho-rto:7018725: processing notify type NO_PROPOSAL_CHOSEN