Results

On either FortiGate, navigate to Monitor > IPsec Monitor and verify that the tunnel status is Up. If it is not up, highlight the tunnel and select Bring up.

You can confirm the use of Brainpool curves by performing diagnostics on the tunnel:

  1. Go to Monitor > IPsec Monitor, highlight the tunnel and select Bring Down.
  2. Open the CLI Console (>_) and enter the following commands:

diagnose debug application ike 63
diagnose debug enable

Note

Debug level 63 omits the encryption hashes from the debug output, making it easier to read.

Return to Monitor > IPsec Monitor and bring the tunnel up again, then view the CLI Console.

While the SA proposal negotiates the tunnel, the output of the diagnose command should be similar to the following. The relevant parts (the DH_GROUP entries and the PFS group line) appear in bold in the original:

FGT_1 # ike 0: comes 172.25.177.56:500->172.25.176.56:500,ifindex=5....
ike 0: IKEv2 exchange=INFORMATIONAL id=262e65aad12e5e8e/598faf8398c7acbe:00000001 len=80
ike 0:HQ_to_Remote:7: received informational request
ike 0:HQ_to_Remote:7: processing delete request (proto 3)
ike 0:HQ_to_Remote: deleting IPsec SA with SPI 00f82773
ike 0:HQ_to_Remote:HQ_to_Remote: deleted IPsec SA with SPI 00f82773, SA count: 0
ike 0:HQ_to_Remote: sending SNMP tunnel DOWN trap for HQ_to_Remote
ike 0:HQ_to_Remote:7: sending delete ack
ike 0:HQ_to_Remote:7: sent IKE msg (INFORMATIONAL_RESPONSE): 172.25.176.56:500->172.25.177.56:500, len=80, id=262e65aad12e5e8e/598faf8398c7acbe:00000001
ike 0: comes 172.25.177.56:500->172.25.176.56:500,ifindex=5....
ike 0: IKEv2 exchange=CREATE_CHILD id=262e65aad12e5e8e/598faf8398c7acbe:00000002 len=656
ike 0:HQ_to_Remote:7: received create-child request
ike 0:HQ_to_Remote:7: responder received CREATE_CHILD exchange
ike 0:HQ_to_Remote:7: responder creating new child
ike 0:HQ_to_Remote:7:1: peer proposal:
ike 0:HQ_to_Remote:7:1: TSi_0 0:192.168.180.0-192.168.180.255:0
ike 0:HQ_to_Remote:7:1: TSr_0 0:192.168.1.0-192.168.1.255:0
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: trying
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: matched phase2
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: accepted proposal:
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: TSi_0 0:192.168.180.0-192.168.180.255:0
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: TSr_0 0:192.168.1.0-192.168.1.255:0
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: autokey
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: incoming child SA proposal:
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: proposal id = 1:
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: protocol = ESP:
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: encapsulation = TUNNEL
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: type=INTEGR, val=SHA
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: type=DH_GROUP, val=ECP512BP
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: type=DH_GROUP, val=ECP384BP
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: type=DH_GROUP, val=ECP256BP
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: type=ESN, val=NO
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: matched proposal id 1
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: proposal id = 1:
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: protocol = ESP:
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: encapsulation = TUNNEL
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: type=INTEGR, val=SHA
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: type=DH_GROUP, val=ECP512BP
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: type=ESN, val=NO
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: lifetime=43200
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: PFS enabled, group=30
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: replay protection enabled
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: set sa life soft seconds=42929.
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: set sa life hard seconds=43200.
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: IPsec SA selectors #src=1 #dst=1
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: src 0 7 0:192.168.1.0-192.168.1.255:0
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: dst 0 7 0:192.168.180.0-192.168.180.255:0
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: add IPsec SA: SPIs=2bf96e39/00f82774
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: added IPsec SA: SPIs=2bf96e39/00f82774
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: sending SNMP tunnel UP trap
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: responder preparing CREATE_CHILD message
ike 0:HQ_to_Remote:7: sent IKE msg (CREATE_CHILD_RESPONSE): 172.25.176.56:500->172.25.177.56:500, len=336, id=262e65aad12e5e8e/598faf8398c7acbe:00000002

Note how the SA proposal negotiation accepts the first matching Diffie-Hellman group the peer offered, in this case ECP512BP (DH Group 30), which represents 'Elliptic Curve Parameter 512-bit Brainpool Primitive'.
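Reading the child SA section of this debug output by hand is error-prone on a busy device, so here is a small added example (not Fortinet's code) that parses the offered and accepted DH_GROUP lines and the PFS group number, and confirms whether the negotiated group is one of the Brainpool curves. The sample text is a trimmed copy of the output shown above; the group-number-to-curve mapping follows the IANA IKEv2 Transform Type 4 registry (RFC 6954).

```python
import re

# Sample lines, trimmed from the diagnose debug output shown above.
SAMPLE_DEBUG = """\
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: incoming child SA proposal:
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: proposal id = 1:
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: type=INTEGR, val=SHA
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: type=DH_GROUP, val=ECP512BP
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: type=DH_GROUP, val=ECP384BP
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: type=DH_GROUP, val=ECP256BP
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: matched proposal id 1
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: proposal id = 1:
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: type=DH_GROUP, val=ECP512BP
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: PFS enabled, group=30
"""

# IANA IKEv2 DH group numbers for the Brainpool curves (RFC 6954).
BRAINPOOL_GROUPS = {27: "brainpoolP224r1", 28: "brainpoolP256r1",
                    29: "brainpoolP384r1", 30: "brainpoolP512r1"}


def parse_child_sa(debug_text):
    """Split the child SA negotiation into the peer's offered DH groups,
    the group(s) echoed after 'matched proposal', and the PFS group number."""
    offered, accepted, pfs_group = [], [], None
    matched = False  # flips once the responder has picked a proposal
    for line in debug_text.splitlines():
        if "matched proposal id" in line:
            matched = True
            continue
        m = re.search(r"type=DH_GROUP, val=(\S+)", line)
        if m:
            (accepted if matched else offered).append(m.group(1))
            continue
        m = re.search(r"PFS enabled, group=(\d+)", line)
        if m:
            pfs_group = int(m.group(1))
    return {"offered": offered, "accepted": accepted, "pfs_group": pfs_group}


def negotiated_brainpool(debug_text):
    """Curve name if the negotiated PFS group is a Brainpool group, else None."""
    return BRAINPOOL_GROUPS.get(parse_child_sa(debug_text)["pfs_group"])


def first_match_wins(debug_text):
    """True when the accepted group is the first one the peer offered."""
    r = parse_child_sa(debug_text)
    return bool(r["offered"]) and r["accepted"][:1] == r["offered"][:1]
```

A None result from negotiated_brainpool on a live capture means the tunnel came up on a non-Brainpool group (for example a MODP group), which is the condition you want an alert on if Brainpool was mandated.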

The diagnostic debug will run for 30 minutes, but you can stop it earlier with these commands:

diagnose debug disable
diagnose debug reset
