Troubleshooting IPsec VPN site-to-site connections on a FortiGate firewall can be difficult because of the complexity of VPN connections. Here is a structured approach to diagnosing and resolving common IPsec VPN issues between two sites: “Headquarter” and “Branch”.
Topology
Step 1: Verify the VPN Configuration
Check Phase 1 and Phase 2 Settings
- Ensure that both phases of the VPN configuration match on the FortiGate device and on the peer. Key parameters to verify include:
- WAN interface bound to the IPsec tunnel
- IKE version (IKEv1 or IKEv2); IKEv1 has two modes, Main and Aggressive
- Remote gateway
- Pre-shared key
- Encryption algorithms
- Hash algorithms
- Diffie-Hellman groups
- Phase 2 selectors
Phase 1 and 2 Configuration on “Headquarter”
Phase 1 and 2 Configuration on “Branch”
Ensure Static Routes Are Correctly Configured
Note: The command #set device "Headquater" refers to the IPsec tunnel interface.
Review Firewall Policies Used for IPsec
- Verify that the inbound and outbound policies are correctly configured to allow traffic to and from the VPN.
- Check the NAT configuration, as incorrect NAT rules can interfere with VPN traffic. Ensure that NAT traversal is configured if required.
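A mismatch check for the parameter list above, written as an added example (not code from the original page or from Fortinet). The two dicts hold constructed sample values for “Headquarter” and “Branch”; the field names are assumptions chosen for this example and do not correspond to FortiOS CLI keywords.

```python
import hmac

# Constructed sample values for the two peers (illustrative, not taken from the
# page's screenshots). Each dict holds what that FortiGate is configured with.
HEADQUARTER = {
    "wan_ip": "203.0.113.10", "remote_gw": "198.51.100.20",
    "ike_version": 2, "mode": None, "psk": "example-psk",
    "proposals": {"aes256-sha256", "aes128-sha256"}, "dh_groups": {14, 5},
    "local_subnet": "10.1.0.0/24", "remote_subnet": "10.2.0.0/24",
}
BRANCH = {
    "wan_ip": "198.51.100.20", "remote_gw": "203.0.113.10",
    "ike_version": 2, "mode": None, "psk": "example-psk",
    "proposals": {"aes256-sha256"}, "dh_groups": {14},
    "local_subnet": "10.2.0.0/24", "remote_subnet": "10.1.0.0/24",
}

def check_peers(a, b):
    """Compare the phase 1 / phase 2 parameters of two peers.

    Returns a list of mismatch descriptions; an empty list means every
    parameter the page lists agrees (mirrored where it should be mirrored).
    """
    problems = []
    # The remote gateway on each side must be the other side's WAN address.
    if a["remote_gw"] != b["wan_ip"] or b["remote_gw"] != a["wan_ip"]:
        problems.append("remote gateway does not point at the peer's WAN address")
    if a["ike_version"] != b["ike_version"]:
        problems.append("IKE version mismatch")
    elif a["ike_version"] == 1 and a["mode"] != b["mode"]:
        problems.append("IKEv1 mode mismatch (main vs aggressive)")
    # Constant-time comparison: a good habit for secrets even in a local tool.
    if not hmac.compare_digest(a["psk"].encode(), b["psk"].encode()):
        problems.append("pre-shared key differs")
    # Proposals and DH groups only need one value in common to negotiate.
    if not a["proposals"] & b["proposals"]:
        problems.append("no common encryption/hash proposal")
    if not a["dh_groups"] & b["dh_groups"]:
        problems.append("no common Diffie-Hellman group")
    # Phase 2 selectors must be mirror images of each other.
    if a["local_subnet"] != b["remote_subnet"] or a["remote_subnet"] != b["local_subnet"]:
        problems.append("phase 2 selectors are not mirrored")
    return problems
```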
Step 2: Verify Security Associations (SAs)
- Check SAs: Use the CLI command diag vpn ike gateway to check the status of the IKE SAs and diag vpn tunnel list to view the IPsec SAs. These commands indicate whether the tunnels are up and provide information on their current state.
- Phase 1 checks
# diagnose vpn ike gateway list name
The important field in the output of this command is status. The status field has a discrete value that is either connecting or established.
- Established means Phase 1 is up and running.
- Connecting means Phase 1 is down.
If Phase 1 is in the established state, then focus on Phase 2.
#diagnose vpn tunnel list name
The important field in this output is ‘sa’. sa can have three values:
- sa=0 indicates that there is a mismatch between selectors or that no traffic is being initiated.
- sa=1 indicates that the IPsec SA matches and there is traffic between the selectors.
- sa=2 is only seen during an IPsec SA rekey.
- Look for mismatches: Any mismatch in SAs between your FortiGate and the peer can cause the tunnel to fail.
- To identify errors, run IKE debugging as described in Step 3.
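The status and sa interpretation described in Step 2, applied to command output by a small parser. This is an added example, not code from the original page or from Fortinet; the two multi-line strings are constructed samples whose layout only approximates the output of diagnose vpn ike gateway list and diagnose vpn tunnel list.

```python
import re

# Constructed sample output shaped like "diagnose vpn ike gateway list" and
# "diagnose vpn tunnel list". The layout approximates FortiOS output; it is not a capture.
IKE_GATEWAY_OUTPUT = """\
vd: root/0
name: Branch
version: 2
addr: 203.0.113.10:500 -> 198.51.100.20:500
IKE SA: created 1/1  established 1/1  time 10/10/10 ms

  id/spi: 3 0011223344556677/8899aabbccddeeff
  direction: initiator
  status: established, since 2024-01-01 10:00:00
"""

TUNNEL_OUTPUT = """\
name=Branch ver=2 serial=1 203.0.113.10:0->198.51.100.20:0 tun_id=198.51.100.20
proxyid_num=2 local_sa=1 remote_sa=1 time_to_expire=43000
proxyid=Branch-lan proto=0 sa=1 ref=2 serial=1
  src: 0:10.1.0.0/255.255.255.0:0
  dst: 0:10.2.0.0/255.255.255.0:0
proxyid=Branch-dmz proto=0 sa=0 ref=1 serial=2
  src: 0:10.1.9.0/255.255.255.0:0
  dst: 0:10.2.9.0/255.255.255.0:0
"""

# Meaning of the sa= values, as the page describes them.
SA_MEANING = {
    "0": "selector mismatch or no traffic initiated",
    "1": "IPsec SA up, traffic between selectors",
    "2": "IPsec SA rekey in progress",
}

def phase1_status(output):
    """Read the 'status:' field of an IKE gateway listing and interpret it."""
    m = re.search(r"^\s*status:\s*(\w+)", output, re.M)
    if not m:
        return "no IKE SA listed"
    return {"established": "phase 1 up", "connecting": "phase 1 down"}.get(m.group(1), m.group(1))

def phase2_status(output):
    """Return {proxyid: meaning} for every phase 2 selector in a tunnel listing."""
    return {pid: SA_MEANING.get(sa, "unknown sa value")
            for pid, sa in re.findall(r"^proxyid=(\S+) .*?\bsa=(\d)", output, re.M)}
```

A selector reported as sa=0 while its neighbour shows sa=1 points at that specific phase 2 entry (mismatched selectors or no interesting traffic) rather than at phase 1.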
Step 2: Check Network Connectivity
If Phase 1 is not established, carry out further diagnostics to determine the cause. Verify that bidirectional connectivity between the VPN gateways is working.
Validate Connectivity
- Ensure that there is network connectivity between the VPN gateways. This can be checked with tools such as ping or traceroute.
# execute ping
# execute traceroute
Note: You may need to set a source IP for ping/traceroute; run
#execute ping-options source
before performing the ping and
#execute traceroute-options source
before the traceroute.
- Check the routes to ensure that the correct routes are in place on both VPN devices to send traffic through the VPN tunnel.
- Verify that IKE traffic on UDP port 500 or 4500 is not blocked somewhere along the path, using a packet sniffer.
Capturing IKE Packets
When NAT is not used:
# diag sniffer packet "host and udp port 500" 6 0 l
When NAT is used (with NAT traversal enabled under phase1):
# diagnose sniffer packet any 'host and udp port 500 or udp port 4500' 4 0 l
6: Print the header and data of the packets from Ethernet (if available) with the interface name. (I usually prefer to use 4: print the header of the packets with the interface name.)
0: Unlimited number of packets will be captured.
l: Absolute LOCAL time, yyyy-mm-dd hh:mm:ss.ms
Step 3: Examine IPsec and Debug Logs
Use Log Messages
- FortiGate provides detailed logs that can help identify which part of the VPN connection is failing. Check the event log for any error messages related to IPsec.
Enable Detailed Debug Logs
- If the logs do not provide enough information, you can enable detailed debugging for the IPsec processes. Use the following CLI commands:
#diagnose vpn ike log-filter clear
#diagnose vpn ike log-filter dst-addr4
#diagnose debug application ike -1
#diagnose debug console timestamp enable
#diagnose debug enable
Note: Starting from FortiOS v7.4.1, the command diagnose vpn ike log-filter src-addr4
has been changed to diagnose vpn ike log filter loc-addr4.
Check Packet Flow
#diagnose debug flow filter addr
#diagnose debug flow filter proto 17
#diagnose debug flow show function-name enable
#diagnose debug enable
#diagnose debug console timestamp enable
#diagnose debug flow trace start 99
Note: In the command #diagnose debug flow filter proto 17, the number is the IP protocol:
- UDP – 17
- TCP – 6
- ICMP – 1
Remember to turn off debugging after you are done to avoid filling up the log storage.
#diagnose debug disable
To reset all filters to the defaults:
#diagnose debug reset
Step 4: Additional Checks
- Peer IP changes: If the IP address of the VPN peer has changed, the tunnel will not be established.
- MTU issues: Check and adjust the MTU settings on the VPN interfaces to prevent fragmentation issues that could affect VPN performance.
- Interface errors/drops:
#fnsysctl ifconfig or
Step 5: Consult the FortiGate Documentation
- FortiGate documentation: For more specific error codes or messages, refer to the FortiGate documentation or knowledge base articles, which provide solutions tailored to particular issues.
Conclusion
Troubleshooting IPsec VPNs involves a careful process of elimination: checking configurations, logs, and network settings. By systematically working through these steps, you can identify and resolve the issues affecting your VPN connection.