FortiGate
ijeremic
Staff
Article Id 210693

Description

 

This article describes how a missing 'set local-gw' parameter under the phase1-interface can trigger issues between two IPsec endpoints.
The command 'set local-gw A.B.C.D' defines the source address used for self-originated outbound IKE packets; it is also the destination address expected on inbound IKE packets.

 

Scope

 

All FortiGate.

 

Topology and Prerequisite

[Topology diagram: KB Picture 3 Topology.png]

-> FGT1 and FGT2 have an IPsec tunnel (named VPN11) between their loopback11 interfaces, 110.110.110.110 and 220.220.220.220 respectively.
-> FGT1 has a static route for 220.220.220.220 via 172.16.1.11 (next-hop router via port3).
-> FGT2 has a static route for 110.110.110.110 via 172.16.2.11 (next-hop router via port3).
-> Both FGT1 and FGT2 have 'set dpd on-idle' (trigger Dead Peer Detection when the IPsec tunnel is idle).
-> FGT1 does not have 'set local-gw' (the CLI does not enforce this setting), while FGT2 has local-gw correctly configured (220.220.220.220).

 

FGT1 (VPN11) # show
# config vpn ipsec phase1-interface
    edit "VPN11"
        set interface "Loopback11"
        set keylife 28800
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set dhgrp 5
        set nattraversal forced
        set remote-gw 220.220.220.220
        set psksecret ENC XXX
        set dpd-retryinterval 10
    next
end


FGT2 (VPN11) # show
# config vpn ipsec phase1-interface
    edit "VPN11"
        set interface "Loopback11"
        set local-gw 220.220.220.220
        set keylife 28800
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set dhgrp 5
        set remote-gw 110.110.110.110
        set psksecret ENC XXX
        set dpd-retryinterval 10
    next
end
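Because the CLI accepts a phase1-interface without 'set local-gw', the omission is easy to miss in a large configuration. The following added script (not Fortinet code) parses the 'show' output of 'config vpn ipsec phase1-interface', as pasted above, and lists every tunnel that has no local gateway pinned. The sample configuration embedded in it is constructed from the FGT1 snippet plus a second, correctly configured tunnel 'VPN12' that does not exist in the article.

```python
"""Audit FortiOS phase1-interface blocks for a missing 'set local-gw'.

Added example, not Fortinet code. It reads the text of
'config vpn ipsec phase1-interface' and reports tunnels whose local
gateway is not pinned. SAMPLE_CONFIG is constructed for this example:
VPN11 mirrors the article's FGT1 block, VPN12 is a hypothetical
tunnel with local-gw set.
"""
import re

SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "VPN11"
        set interface "Loopback11"
        set keylife 28800
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set dhgrp 5
        set nattraversal forced
        set remote-gw 220.220.220.220
        set psksecret ENC XXX
        set dpd-retryinterval 10
    next
    edit "VPN12"
        set interface "Loopback11"
        set local-gw 110.110.110.110
        set remote-gw 220.220.220.221
        set psksecret ENC XXX
    next
end
"""

EDIT_RE = re.compile(r'edit\s+"?([^"]+)"?$')


def parse_phase1(config_text):
    """Return {tunnel_name: {setting: value}} for each 'edit ... next' block."""
    tunnels = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            tunnels[current] = {}
            continue
        if line == "next":
            current = None
            continue
        if current is not None and line.startswith("set "):
            # 'set key value...' -> key, value (quotes around values dropped)
            key, _, value = line[4:].partition(" ")
            tunnels[current][key] = value.strip().strip('"')
    return tunnels


def missing_local_gw(config_text):
    """(tunnel, bound interface) pairs for every phase1 without 'set local-gw'."""
    findings = []
    for name, settings in parse_phase1(config_text).items():
        if "local-gw" not in settings:
            findings.append((name, settings.get("interface", "")))
    return findings


if __name__ == "__main__":
    for name, iface in missing_local_gw(SAMPLE_CONFIG):
        print(f"{name}: bound to {iface!r} but 'set local-gw' is missing")
```

Run it against the saved output of 'show vpn ipsec phase1-interface'; any tunnel it reports is one where IKE will pick its source address from routing rather than from the configured loopback, which is exactly the FGT1 situation described in this article.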

 

Issue

 

There are a few clear indications of what goes wrong.

 

1) DPD packets carry the wrong FGT1 source address (172.16.1.10 instead of 110.110.110.110).

 

FGT1 # diagnose debug application ike -1
FGT1 # diagnose debug enable

ike 0:VPN11:204: sent IKE msg (R-U-THERE-ACK): 110.110.110.110:4500->220.220.220.220:4500, len=108, id=de54360623f4b930/c064c82ba4d86dc9:ab8ea769
ike 0:VPN11: link fail 0 172.16.1.10->220.220.220.220:4500 dpd=1
ike 0:VPN11: link fail ignored
ike 0:VPN11:210: notify msg received: R-U-THERE

 

2) Wrong local IP in the VPN tunnel list (reminder: the IPsec tunnel is between the 110.110.110.110 and 220.220.220.220 loopback interfaces).

 

FGT1 # diagnose vpn tunnel list name VPN11
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=VPN11 ver=1 serial=1 172.16.1.10:4500->220.220.220.220:4500 dst_mtu=1500
bound_if=0 lgwy=dyn/0 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc run_state=0 accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=16 ilast=1 olast=0 ad=/0
stat: rxp=1 txp=1 rxb=164 txb=84
dpd: mode=on-idle on=1 idle=10000ms retry=3 count=0 seqno=40624
natt: mode=keepalive draft=32 interval=10 remote_port=4500
proxyid=VPN11 proto=0 sa=1 ref=3 serial=1
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=30202 type=00 soft=0 mtu=1422 expire=42931/0B replaywin=2048
seqno=2 esn=0 replaywin_lastseq=00000002 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42933/43200
dec: spi=df1d6c0f esp=aes key=32 b04f7b9a9094adb534d4026f32ae779cd44380fa839edddd57e3646ba3c2067a
ah=sha256 key=32 cc58451dc5c603f00c0f05816dce9711f4df6d950dfc28b106926a7d5caa5fd8
enc: spi=de8d3594 esp=aes key=32 a0cb2e2094dbb394e403e78f9bb41815e15f3fc39150207ff57d9f55822cb370
ah=sha256 key=32 0cc92decece5b09d83daa672555830aa425bbbe9eeb0a8213d87291a4c3417dd
dec:pkts/bytes=1/84, enc:pkts/bytes=1/164
run_tally=1

 

3) Unknown SPI:

 

FGT1 # diagnose debug application ike -1
FGT1 # diagnose debug enable

ike 0:VPN11:214: notify msg received: R-U-THERE
ike 0:VPN11:214: sent IKE msg (R-U-THERE-ACK): 110.110.110.110:4500->220.220.220.220:4500, len=108, id=b309538e5372a550/2c3b7bbe286473ac:1fa9e9c6
ike 0:VPN11: NAT keep-alive 0 172.16.1.10->220.220.220.220:4500.
ike 0: unknown SPI df1d6c16 5 220.220.220.220:4500->110.110.110.110
ike 0: found VPN11 110.110.110.110 0 -> 220.220.220.220:4500
ike 0:VPN11:214:VPN11:49598: ignoring invalid SPI df1d6c16, IPsec SA just negotiated

 

Solution

 

FGT1 # config vpn ipsec phase1-interface
FGT1 (phase1-interface) # edit VPN11
FGT1 (VPN11) # set local-gw 110.110.110.110
FGT1 (VPN11) # next
FGT1 (phase1-interface) # end

 

Verification:

 

FGT1 # diagnose vpn tunnel list name VPN11
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=VPN11 ver=1 serial=1 110.110.110.110:4500->220.220.220.220:4500 dst_mtu=1500
bound_if=0 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc run_state=0 accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=16 ilast=0 olast=0 ad=/0
stat: rxp=25 txp=25 rxb=4100 txb=2100
dpd: mode=on-idle on=1 idle=10000ms retry=3 count=0 seqno=40624
natt: mode=keepalive draft=32 interval=10 remote_port=4500
proxyid=VPN11 proto=0 sa=1 ref=3 serial=1
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=30202 type=00 soft=0 mtu=1422 expire=42907/0B replaywin=2048
seqno=1a esn=0 replaywin_lastseq=0000001a itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42933/43200
dec: spi=df1d6c0d esp=aes key=32 958b69ea2f0cbfd17a3d2edc3a46fb909cda67eccfea6b10c0ef59674ac6909e
ah=sha256 key=32 76c15c1ae7dcbc10e1334fc1ece6d3375dc6d4f24e1df3e3087f5d9e7578f4e0
enc: spi=de8d3592 esp=aes key=32 fed72e0cc411cfc9eb90dd8aad7f72761135b0e7d6dc12a801ec617328cb76f2
ah=sha256 key=32 684cdc17575c0a785fae1aea849d87ee2006ae53665b6505576aa8915aae7290
dec:pkts/bytes=25/2100, enc:pkts/bytes=25/4100
run_tally=1
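The before and after outputs of 'diagnose vpn tunnel list' differ in two fields on the header lines: the local endpoint (172.16.1.10 versus 110.110.110.110) and 'lgwy=dyn' versus 'lgwy=static'. The added script below (not Fortinet code) parses those header lines and the 'link fail' / 'NAT keep-alive' lines from the IKE debug in the Issue section, and reports any tunnel whose selected local gateway does not match the address the tunnel is supposed to use. The embedded samples are trimmed copies of the article's own output; the expected-address map passed in is the operator's assumption about the intended design.

```python
"""Detect a dynamically selected IPsec local gateway from FortiOS diagnostics.

Added example, not Fortinet code. It compares the local endpoint that IKE
actually selected (from 'diagnose vpn tunnel list' and from
'diagnose debug application ike' output) with the address the tunnel
should be bound to. BEFORE, AFTER and IKE_DEBUG are trimmed from the
article's output; EXPECTED is the operator's assumption about the design.
"""
import re

BEFORE = """\
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=VPN11 ver=1 serial=1 172.16.1.10:4500->220.220.220.220:4500 dst_mtu=1500
bound_if=0 lgwy=dyn/0 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc run_state=0 accept_traffic=1 overlay_id=0
"""

AFTER = """\
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=VPN11 ver=1 serial=1 110.110.110.110:4500->220.220.220.220:4500 dst_mtu=1500
bound_if=0 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc run_state=0 accept_traffic=1 overlay_id=0
"""

IKE_DEBUG = """\
ike 0:VPN11:204: sent IKE msg (R-U-THERE-ACK): 110.110.110.110:4500->220.220.220.220:4500, len=108, id=de54360623f4b930/c064c82ba4d86dc9:ab8ea769
ike 0:VPN11: link fail 0 172.16.1.10->220.220.220.220:4500 dpd=1
ike 0:VPN11: NAT keep-alive 0 172.16.1.10->220.220.220.220:4500.
"""

EXPECTED = {"VPN11": "110.110.110.110"}  # assumed design: tunnel sourced from loopback11

# 'name=VPN11 ver=1 serial=1 <local>:<port>-><remote>:<port> ...'
HEADER_RE = re.compile(r"^name=(?P<name>\S+) .*? (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+")
# 'lgwy=dyn/0' (gateway chosen by routing) or 'lgwy=static/1' (pinned by local-gw)
LGWY_RE = re.compile(r"\blgwy=(?P<mode>\w+)/")
# IKE debug lines that reveal the source address actually used for DPD / NAT-T
IKE_SRC_RE = re.compile(
    r"^ike 0:(?P<name>[^:]+): (?:link fail|NAT keep-alive) \d+ (?P<src>[\d.]+)->(?P<dst>[\d.]+)"
)


def parse_tunnel_list(output):
    """Return {tunnel: {'local', 'remote', 'lgwy'}} from 'diagnose vpn tunnel list'."""
    tunnels, current = {}, None
    for line in output.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group("name")
            tunnels[current] = {"local": m.group("src"), "remote": m.group("dst"), "lgwy": None}
            continue
        m = LGWY_RE.search(line)
        if m and current:
            tunnels[current]["lgwy"] = m.group("mode")
    return tunnels


def check_local_gw(output, expected):
    """Problem strings for tunnels whose local gateway is dynamic or unexpected."""
    problems = []
    tunnels = parse_tunnel_list(output)
    for name, want in expected.items():
        t = tunnels.get(name)
        if t is None:
            problems.append(f"{name}: not in tunnel list")
            continue
        if t["lgwy"] != "static":
            problems.append(f"{name}: lgwy={t['lgwy']} (local-gw not pinned)")
        if t["local"] != want:
            problems.append(f"{name}: local endpoint {t['local']} != {want}")
    return problems


def ike_source_mismatches(debug_output, expected):
    """(tunnel, source) for IKE debug lines sent from an unexpected local address."""
    hits = []
    for line in debug_output.splitlines():
        m = IKE_SRC_RE.match(line)
        if m and expected.get(m.group("name")) not in (None, m.group("src")):
            hits.append((m.group("name"), m.group("src")))
    return hits


if __name__ == "__main__":
    print("before fix:", check_local_gw(BEFORE, EXPECTED))
    print("after fix: ", check_local_gw(AFTER, EXPECTED))
    print("ike debug: ", ike_source_mismatches(IKE_DEBUG, EXPECTED))
```

The 'lgwy' check is the cheapest signal: a tunnel whose local gateway is supposed to be a loopback should always show 'lgwy=static' once 'set local-gw' is in place, regardless of which physical interface the route to the peer currently points through.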
