Created on 04-27-2022 07:38 AM Edited on 04-27-2022 08:13 AM By Anonymous
Description
This article describes how a missing 'set local-gw' parameter under the phase1-interface can cause issues between two IPsec endpoints.
The command 'set local-gw A.B.C.D' defines the source address used for self-originated outbound IKE packets; it is also the destination address on which inbound IKE packets are accepted. When it is not set, the local address is chosen dynamically (shown as lgwy=dyn in 'diagnose vpn tunnel list') from the interface the route to the remote gateway points out of, which in the topology below is the port3 address 172.16.1.10 rather than the loopback address.
Scope
All FortiGate.
Topology and Prerequisite
-> FGT1 and FGT2 have an IPsec tunnel (named VPN11) between their Loopback11 interfaces (110.110.110.110 and 220.220.220.220 respectively).
-> FGT1 has a static route for 220.220.220.220 via 172.16.1.11 (next-hop router via port3).
-> FGT2 has a static route for 110.110.110.110 via 172.16.2.11 (next-hop router via port3).
-> Both FGT1 and FGT2 have 'set dpd on-idle' (trigger Dead Peer Detection when IPsec is idle).
-> FGT1 does not have 'set local-gw' (the CLI does not enforce this setting), while FGT2 has local-gw correctly configured (220.220.220.220).
FGT1 (VPN11) # show
# config vpn ipsec phase1-interface
edit "VPN11"
set interface "Loopback11"
set keylife 28800
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set dpd on-idle
set dhgrp 5
set nattraversal forced
set remote-gw 220.220.220.220
set psksecret ENC XXX
set dpd-retryinterval 10
next
end
FGT2 (VPN11) # show
# config vpn ipsec phase1-interface
edit "VPN11"
set interface "Loopback11"
set local-gw 220.220.220.220
set keylife 28800
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set dpd on-idle
set dhgrp 5
set remote-gw 110.110.110.110
set psksecret ENC XXX
set dpd-retryinterval 10
next
end
Issue
There are a few clear indications of what goes wrong.
1) DPD packets use an incorrect FGT1 source address (172.16.1.10 instead of 110.110.110.110):
FGT1 # diagnose debug application ike -1
FGT1 # diagnose debug enable
ike 0:VPN11:204: sent IKE msg (R-U-THERE-ACK): 110.110.110.110:4500->220.220.220.220:4500, len=108, id=de54360623f4b930/c064c82ba4d86dc9:ab8ea769
ike 0:VPN11: link fail 0 172.16.1.10->220.220.220.220:4500 dpd=1
ike 0:VPN11: link fail ignored
ike 0:VPN11:210: notify msg received: R-U-THERE
2) Wrong local IP in the VPN tunnel list (reminder: the IPsec tunnel is between the 110.110.110.110 and 220.220.220.220 loopback interfaces). Note also lgwy=dyn/0 on the second line, which shows that the local gateway address is being chosen dynamically:
FGT1 # diagnose vpn tunnel list name VPN11
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=VPN11 ver=1 serial=1 172.16.1.10:4500->220.220.220.220:4500 dst_mtu=1500
bound_if=0 lgwy=dyn/0 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc run_state=0 accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=16 ilast=1 olast=0 ad=/0
stat: rxp=1 txp=1 rxb=164 txb=84
dpd: mode=on-idle on=1 idle=10000ms retry=3 count=0 seqno=40624
natt: mode=keepalive draft=32 interval=10 remote_port=4500
proxyid=VPN11 proto=0 sa=1 ref=3 serial=1
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=30202 type=00 soft=0 mtu=1422 expire=42931/0B replaywin=2048
seqno=2 esn=0 replaywin_lastseq=00000002 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42933/43200
dec: spi=df1d6c0f esp=aes key=32 b04f7b9a9094adb534d4026f32ae779cd44380fa839edddd57e3646ba3c2067a
ah=sha256 key=32 cc58451dc5c603f00c0f05816dce9711f4df6d950dfc28b106926a7d5caa5fd8
enc: spi=de8d3594 esp=aes key=32 a0cb2e2094dbb394e403e78f9bb41815e15f3fc39150207ff57d9f55822cb370
ah=sha256 key=32 0cc92decece5b09d83daa672555830aa425bbbe9eeb0a8213d87291a4c3417dd
dec:pkts/bytes=1/84, enc:pkts/bytes=1/164
run_tally=1
3) Unknown SPI messages in the IKE debug, because the peer sends ESP/IKE to 110.110.110.110 while FGT1 sourced its probes from 172.16.1.10:
FGT1 # diagnose debug application ike -1
FGT1 # diagnose debug enable
ike 0:VPN11:214: notify msg received: R-U-THERE
ike 0:VPN11:214: sent IKE msg (R-U-THERE-ACK): 110.110.110.110:4500->220.220.220.220:4500, len=108, id=b309538e5372a550/2c3b7bbe286473ac:1fa9e9c6
ike 0:VPN11: NAT keep-alive 0 172.16.1.10->220.220.220.220:4500.
ike 0: unknown SPI df1d6c16 5 220.220.220.220:4500->110.110.110.110
ike 0: found VPN11 110.110.110.110 0 -> 220.220.220.220:4500
ike 0:VPN11:214:VPN11:49598: ignoring invalid SPI df1d6c16, IPsec SA just negotiated
Solution
Set local-gw on FGT1 to the Loopback11 address, so that IKE is sourced from (and accepted on) the same address the peer expects:
FGT1 # config vpn ipsec phase1-interface
FGT1 (phase1-interface) # edit VPN11
FGT1 (VPN11) # set local-gw 110.110.110.110
FGT1 (VPN11) # next
FGT1 (phase1-interface) # end
Verification: the tunnel now shows the loopback address as the local endpoint and lgwy=static/1:
FGT1 # diagnose vpn tunnel list name VPN11
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=VPN11 ver=1 serial=1 110.110.110.110:4500->220.220.220.220:4500 dst_mtu=1500
bound_if=0 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc run_state=0 accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=16 ilast=0 olast=0 ad=/0
stat: rxp=25 txp=25 rxb=4100 txb=2100
dpd: mode=on-idle on=1 idle=10000ms retry=3 count=0 seqno=40624
natt: mode=keepalive draft=32 interval=10 remote_port=4500
proxyid=VPN11 proto=0 sa=1 ref=3 serial=1
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=30202 type=00 soft=0 mtu=1422 expire=42907/0B replaywin=2048
seqno=1a esn=0 replaywin_lastseq=0000001a itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42933/43200
dec: spi=df1d6c0d esp=aes key=32 958b69ea2f0cbfd17a3d2edc3a46fb909cda67eccfea6b10c0ef59674ac6909e
ah=sha256 key=32 76c15c1ae7dcbc10e1334fc1ece6d3375dc6d4f24e1df3e3087f5d9e7578f4e0
enc: spi=de8d3592 esp=aes key=32 fed72e0cc411cfc9eb90dd8aad7f72761135b0e7d6dc12a801ec617328cb76f2
ah=sha256 key=32 684cdc17575c0a785fae1aea849d87ee2006ae53665b6505576aa8915aae7290
dec:pkts/bytes=25/2100, enc:pkts/bytes=25/4100
run_tally=1
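As an added example (not part of the original article or of FortiOS), the following Python script checks for the three symptoms above offline: it scans 'show vpn ipsec phase1-interface' output for entries without 'set local-gw', parses the 'diagnose vpn tunnel list' header for the local address and the lgwy field, and compares the source address on 'sent IKE msg' lines with the one on 'link fail' / 'NAT keep-alive' lines in the IKE debug. The sample inputs are constructed from the outputs shown in this article, trimmed to the relevant lines; the second phase1 entry VPN12 is made up for contrast. The regular expressions are written against the line formats shown here and are an assumption for other FortiOS builds.

```python
import re

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Constructed sample: 'show vpn ipsec phase1-interface' output modelled on FGT1's
# VPN11 config in this article, plus a made-up entry (VPN12) that does set local-gw.
PHASE1_SHOW = """\
config vpn ipsec phase1-interface
    edit "VPN11"
        set interface "Loopback11"
        set dpd on-idle
        set remote-gw 220.220.220.220
        set psksecret ENC XXX
    next
    edit "VPN12"
        set interface "Loopback11"
        set local-gw 110.110.110.110
        set remote-gw 220.220.220.221
    next
end
"""
# Constructed samples: header lines of 'diagnose vpn tunnel list name VPN11'
# before and after the fix, copied from this article and trimmed.
TUNNEL_BEFORE = """\
name=VPN11 ver=1 serial=1 172.16.1.10:4500->220.220.220.220:4500 dst_mtu=1500
bound_if=0 lgwy=dyn/0 tun=intf/0 mode=auto/1 encap=none/512
"""
TUNNEL_AFTER = """\
name=VPN11 ver=1 serial=1 110.110.110.110:4500->220.220.220.220:4500 dst_mtu=1500
bound_if=0 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512
"""
# Constructed sample: 'diagnose debug application ike -1' lines from this article.
IKE_DEBUG = """\
ike 0:VPN11:204: sent IKE msg (R-U-THERE-ACK): 110.110.110.110:4500->220.220.220.220:4500, len=108
ike 0:VPN11: link fail 0 172.16.1.10->220.220.220.220:4500 dpd=1
ike 0:VPN11: link fail ignored
ike 0:VPN11: NAT keep-alive 0 172.16.1.10->220.220.220.220:4500.
"""


def phase1_missing_local_gw(show_output):
    """Return {phase1 name: bound interface} for entries without 'set local-gw'."""
    missing, name, iface, has_local_gw = {}, None, None, False
    for line in show_output.splitlines():
        line = line.strip()
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            name, iface, has_local_gw = m.group(1), None, False
        elif line.startswith("set interface "):
            iface = line.split(None, 2)[2].strip('"')
        elif line.startswith("set local-gw "):
            has_local_gw = True
        elif line == "next" and name is not None:
            if not has_local_gw:
                missing[name] = iface
            name = None
    return missing


def parse_tunnel_list(tunnel_output):
    """Return {tunnel: {'local', 'remote', 'lgwy'}} from 'diagnose vpn tunnel list'."""
    tunnels, current = {}, None
    for line in tunnel_output.splitlines():
        m = re.match(r"name=(\S+) .*?" + IP + r":\d+->" + IP + r":\d+", line)
        if m:
            current = m.group(1)
            tunnels[current] = {"local": m.group(2), "remote": m.group(3), "lgwy": None}
            continue
        m = re.search(r"lgwy=(\w+)/\d", line)
        if m and current:
            tunnels[current]["lgwy"] = m.group(1)  # 'dyn' = local-gw not set, 'static' = set
    return tunnels


def check_tunnel_list(tunnel_output, expected_local):
    """Flag tunnels whose local gateway is chosen dynamically (lgwy=dyn) or whose
    local address differs from the address the tunnel is meant to use."""
    findings = []
    for name, t in parse_tunnel_list(tunnel_output).items():
        if t["lgwy"] == "dyn":
            findings.append(f"{name}: lgwy=dyn, 'set local-gw' is not configured")
        want = expected_local.get(name)
        if want and t["local"] != want:
            findings.append(f"{name}: local address {t['local']} instead of {want}")
    return findings


def ike_source_mismatch(debug_output):
    """Return tunnels whose DPD 'link fail' / NAT keep-alive probes are sent from
    a different source address than their IKE messages."""
    sent, probe = {}, {}
    for line in debug_output.splitlines():
        m = re.match(r"ike \d+:([^:]+):\d+: sent IKE msg .*?: " + IP + r":\d+->", line)
        if m:
            sent.setdefault(m.group(1), set()).add(m.group(2))
            continue
        m = re.match(r"ike \d+:([^:]+): (?:link fail|NAT keep-alive) \d+ " + IP + r"->", line)
        if m:
            probe.setdefault(m.group(1), set()).add(m.group(2))
    return sorted(t for t in probe if t in sent and probe[t] - sent[t])
```

Run against the constructed samples, phase1_missing_local_gw() reports VPN11 only, check_tunnel_list() on the pre-fix tunnel list reports both the lgwy=dyn flag and the 172.16.1.10 mismatch and reports nothing on the post-fix list, and ike_source_mismatch() reports VPN11 because its probes left from 172.16.1.10 while its IKE messages were sourced from 110.110.110.110.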
Copyright 2024 Fortinet, Inc. All Rights Reserved.