Cookbook

FortiGate as dialup client

This is a sample configuration of a dialup IPsec VPN in which a FortiGate is the dialup client. In this example, a branch office FortiGate connects via dialup IPsec VPN to the HQ FortiGate.

You can configure dialup IPsec VPN with FortiGate as the dialup client using the GUI or CLI.

To configure IPsec VPN with FortiGate as the dialup client in the GUI:
  1. Configure the dialup VPN server FortiGate:
    1. Go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
      1. Enter a VPN name.
      2. For Template Type, select Site to Site.
      3. For Remote Device Type, select FortiGate.
      4. For NAT Configuration, select The remote site is behind NAT.
      5. Click Next.
    2. Configure the following settings for Authentication:
      1. For Incoming Interface, select the incoming interface.
      2. For Authentication Method, select Pre-shared Key.
      3. In the Pre-shared Key field, enter your-psk as the key.
      4. Click Next.
    3. Configure the following settings for Policy & Routing:
      1. From the Local Interface dropdown menu, select the local interface.
      2. Configure the Local Subnets as 10.1.100.0/24.
      3. Configure the Remote Subnets as 172.16.101.0/24.
      4. Click Create.
  2. Configure the dialup VPN client FortiGate:
    1. Go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
      1. Enter a VPN name.
      2. For Template Type, select Site to Site.
      3. For Remote Device Type, select FortiGate.
      4. For NAT Configuration, select This site is behind NAT.
      5. Click Next.
    2. Configure the following settings for Authentication:
      1. For IP Address, enter 11.101.1.1.
      2. For Outgoing Interface, select port13.
      3. For Authentication Method, select Pre-shared Key.
      4. In the Pre-shared Key field, enter your-psk as the key.
      5. Click Next.
    3. Configure the following settings for Policy & Routing:
      1. From the Local Interface dropdown menu, select the local interface. In this example, it is port9.
      2. Configure the Local Subnets as 172.16.101.0.
      3. Configure the Remote Subnets as 10.1.100.0.
      4. Click Create.
To configure IPsec VPN with FortiGate as the dialup client in the CLI:
  1. In the CLI, configure the user, user group, and firewall address. Only the HQ dialup server FortiGate needs this configuration. The firewall address is the IP pool from which the dialup client FortiGate is assigned an IP address.
    config user local
        edit "vpnuser1" 
            set type password
            set passwd your-password
        next 
    end
    config user group
        edit "vpngroup" 
            set member "vpnuser1"
        next 
    end
    config firewall address
        edit "client_range" 
            set type iprange
            set start-ip 10.10.10.1
            set end-ip 10.10.10.200
        next 
    end
  2. Configure the WAN interface and default route. The WAN interface is the interface connected to the ISP. It can work in static mode (as shown in this example), DHCP, or PPPoE mode. The IPsec tunnel is established over the WAN interface.
    1. Configure the HQ FortiGate.
      config system interface 
          edit "wan1"
              set vdom "root"
              set ip 11.101.1.1 255.255.255.0
          next
      end
      config router static
          edit 1
              set gateway 11.101.1.2
              set device "wan1"
          next
      end
    2. Configure the branch office FortiGate.
      config system interface
          edit "port13"
              set vdom "root"
              set ip 173.1.1.1 255.255.255.0 
          next
      end
      config router static
          edit 1
              set gateway 173.1.1.2
              set device "port13"
          next
      end
  3. Configure the internal interface and protected subnet. The internal interface connects to the internal network. Traffic from this interface will route out the IPsec VPN tunnel.
    1. Configure the HQ FortiGate.
      config system interface
          edit "dmz"
              set vdom "root"
              set ip 10.1.100.1 255.255.255.0
          next
      end
      config firewall address
          edit "10.1.100.0"
              set subnet 10.1.100.0 255.255.255.0
          next
      end
    2. Configure the branch office FortiGate.
      config system interface
          edit "port9"
              set vdom "root"
              set ip 172.16.101.1 255.255.255.0 
          next
      end
      config firewall address
          edit "172.16.101.0"
              set subnet 172.16.101.0 255.255.255.0
          next
      end
  4. Configure the IPsec phase1-interface. In this example, PSK is used as the authentication method. Signature authentication is also an option.
    1. Configure the HQ FortiGate.
      config vpn ipsec phase1-interface
          edit "for_Branch"
              set type dynamic
              set interface "wan1"
              set mode aggressive
              set peertype any
              set mode-cfg enable
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set add-route disable
              set dpd on-idle
              set xauthtype auto
              set authusrgrp "vpngroup"
              set net-device enable
              set assign-ip-from name
              set dns-mode auto
              set ipv4-split-include "10.1.100.0"
              set ipv4-name "client_range"
              set save-password enable
              set psksecret sample
              set dpd-retryinterval 60
          next
      end
    2. Configure the branch office FortiGate.
      config vpn ipsec phase1-interface
          edit "to_HQ"
              set interface "port13"
              set mode aggressive
              set peertype any
              set mode-cfg enable
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set add-route disable
              set xauthtype client
              set authusr "vpnuser1"
              set authpasswd vpnuser1-password
              set remote-gw 11.101.1.1
              set psksecret sample
          next
      end
  5. Configure the IPsec phase2-interface.
    1. Configure the HQ FortiGate:
      config vpn ipsec phase2-interface
          edit "for_Branch_p2"
              set phase1name "for_Branch"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
          next
      end
    2. Configure the branch office FortiGate.
      config vpn ipsec phase2-interface 
          edit "to_HQ_p2"
              set phase1name "to_HQ"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
          next
      end
  6. Configure the static routes on the branch office FortiGate. The blackhole route is important to ensure that IPsec traffic does not match the default route when the IPsec tunnel is down.
    config router static
        edit 2
            set dst 10.1.100.0 255.255.255.0
            set device "to_HQ"
        next
        edit 3
            set dst 10.1.100.0 255.255.255.0
            set blackhole enable
            set distance 254
        next
    end
  7. Configure the firewall policy to allow the branch office to HQ network flow over the IPsec tunnel. This configuration only supports traffic initiated from the branch office network toward the HQ network. Traffic initiated from the HQ FortiGate toward the branch office FortiGate is dropped, because no policy or route on the HQ side allows it.
    1. Configure the HQ FortiGate.
      config firewall policy 
          edit 1
              set name "inbound"
              set srcintf "for_Branch"
              set dstintf "dmz"
              set srcaddr "172.16.101.0"
              set dstaddr "10.1.100.0"
              set action accept
              set schedule "always"
              set service "ALL"
          next
      end
    2. Configure the branch office FortiGate.
      config firewall policy
          edit 1
              set name "outbound"
              set srcintf "port9"
              set dstintf "to_HQ"
              set srcaddr "172.16.101.0"
              set dstaddr "10.1.100.0"
              set action accept
              set schedule "always"
              set service "ALL"
          next
      end
  8. Run diagnose commands to check the IPsec phase1/phase2 interface status. The diagnose debug application ike -1 command is the key to troubleshooting why an IPsec tunnel fails to establish.
    1. Run the diagnose vpn ike gateway list command on the HQ FortiGate. The system should return the following:
      vd: root/0
      name: for_Branch_0
      version: 1
      interface: wan1 5
      addr: 11.101.1.1:500 -> 173.1.1.1:500
      created: 1972s ago
      xauth-user: vpnuser1
      assigned IPv4 address: 10.10.10.1/255.255.255.252
      IKE SA: created 1/1 established 1/1 time 10/10/10 ms
      IPsec SA: created 1/1 established 1/1 time 0/0/0 ms
      id/spi: 184 5b1c59fab2029e43/bf517e686d3943d2
      direction: responder
      status: established 1972-1972s ago = 10ms
      proposal: aes128-sha256
      key: 8046488e92499247-fbbb4f6dfa4952d0
      lifetime/rekey: 86400/84157
      DPD sent/recv: 00000020/00000000
    2. Run the diagnose vpn tunnel list command on the HQ FortiGate. The system should return the following:
      list all ipsec tunnel in vd 0
      name=for_Branch_0 ver=1 serial=9 11.101.1.1:0->173.1.1.1:0
      bound_if=5 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/208 options[00d0]=create_dev no-sysctl rgwy-chg
      parent=for_Branch index=0
      proxyid_num=1 child_num=0 refcnt=12 ilast=8 olast=8 ad=/0
      stat: rxp=8 txp=8 rxb=1216 txb=672
      dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=31
      natt: mode=none draft=0 interval=0 remote_port=0
      proxyid=for_Branch_p2 proto=0 sa=1 ref=2 serial=1
      src: 0:0.0.0.0-255.255.255.255:0
      dst: 0:0.0.0.0-255.255.255.255:0
      SA: ref=3 options=226 type=00 soft=0 mtu=1438 expire=41297/0B replaywin=2048 seqno=9 esn=0 replaywin_lastseq=00000009 itn=0
      life: type=01 bytes=0/0 timeout=43190/43200
      dec: spi=747c10c6 esp=aes key=16 278c2430e09e74f1e229108f906603b0
      ah=sha1 key=20 21dad76b008d1e8b8e53148a2fcbd013a277974a
      enc: spi=ca646448 esp=aes key=16 b7801d125804e3610a556da7caefd765
      ah=sha1 key=20 a70164c3094327058bd84c1a0c954ca439709206
      dec:pkts/bytes=8/672, enc:pkts/bytes=8/1216
      
      name=for_Branch ver=1 serial=6 11.101.1.1:0->0.0.0.0:0
      bound_if=5 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/16 options[0010]=create_dev
      proxyid_num=0 child_num=1 refcnt=14 ilast=8523 olast=8523 ad=/0
      stat: rxp=0 txp=0 rxb=0 txb=0
      dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0
      natt: mode=none draft=0 interval=0 remote_port=0
      run_tally=0
    3. Run the diagnose vpn ike gateway list command on the branch office FortiGate. The system should return the following:
      vd: root/0
      name: to_HQ
      version: 1
      interface: port13 42
      addr: 173.1.1.1:500 -> 11.101.1.1:500
      created: 2016s ago
      assigned IPv4 address: 10.10.10.1/255.255.255.252
      IKE SA: created 1/1 established 1/1 time 0/0/0 ms
      IPsec SA: created 1/1 established 1/1 time 0/0/0 ms
      id/spi: 93 5b1c59fab2029e43/bf517e686d3943d2
      direction: initiator
      status: established 2016-2016s ago = 0ms
      proposal: aes128-sha256
      key: 8046488e92499247-fbbb4f6dfa4952d0
      lifetime/rekey: 86400/84083
      DPD sent/recv: 00000000/00000020
    4. Run the diagnose vpn tunnel list command on the branch office FortiGate. The system should return the following:
      list all ipsec tunnel in vd 0
      name=to_HQ ver=1 serial=7 173.1.1.1:0->11.101.1.1:0
      bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
      proxyid_num=1 child_num=0 refcnt=13 ilast=18 olast=58 ad=/0
      stat: rxp=1 txp=2 rxb=152 txb=168
      dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
      natt: mode=none draft=0 interval=0 remote_port=0
      proxyid=to_HQ proto=0 sa=1 ref=2 serial=1
      src: 0:0.0.0.0/0.0.0.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA: ref=6 options=10226 type=00 soft=0 mtu=1438 expire=41015/0B replaywin=2048 seqno=3 esn=0 replaywin_lastseq=00000002 itn=0
      life: type=01 bytes=0/0 timeout=42898/43200
      dec: spi=ca646448 esp=aes key=16 b7801d125804e3610a556da7caefd765
      ah=sha1 key=20 a70164c3094327058bd84c1a0c954ca439709206
      enc: spi=747c10c6 esp=aes key=16 278c2430e09e74f1e229108f906603b0
      ah=sha1 key=20 21dad76b008d1e8b8e53148a2fcbd013a277974a
      dec:pkts/bytes=1/84, enc:pkts/bytes=2/304
      npu_flag=03 npu_rgwy=11.101.1.1 npu_lgwy=173.1.1.1 npu_selid=5 dec_npuid=2 enc_npuid=2
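The CLI procedure above only works when the two FortiGates agree on several settings at once: the branch remote-gw must be the address bound to the HQ WAN interface, the psksecret values must match, the phase1 proposal lists must overlap, and the branch blackhole route must be less preferred than the tunnel route. The following added example (not Fortinet's code, and not from this cookbook) parses FortiOS CLI text into nested dicts and cross-checks both sides; HQ_CFG and BRANCH_CFG are constructed, abbreviated copies of the page's configuration, and the check also flags the SHA-1 proposals that both sides still leave negotiable.

```python
"""Cross-check a FortiGate dialup IPsec pair. Added example, not Fortinet's code; the configs below are constructed."""
import shlex

def parse_fortios(text):
    """Return {table: {entry: {option: [values]}}} for FortiOS 'config/edit/set/next/end' text."""
    tables, stack = {}, []
    for words in filter(None, map(shlex.split, text.splitlines())):  # skip blank lines
        if words[0] == "config":           # open a table, e.g. "vpn ipsec phase1-interface"
            stack.append(tables.setdefault(" ".join(words[1:]), {}))
        elif words[0] == "edit":           # open an entry inside the current table
            stack.append(stack[-1].setdefault(words[1], {}))
        elif words[0] == "set":            # option followed by one or more values
            stack[-1][words[1]] = words[2:]
        elif words[0] in ("next", "end"):  # close entry / close table
            stack.pop()
    return tables

def check_dialup_pair(hq_text, branch_text, server="for_Branch", client="to_HQ"):
    """Return (errors, warnings): errors stop the tunnel, warnings weaken it."""
    hq, br = parse_fortios(hq_text), parse_fortios(branch_text)
    s = hq["vpn ipsec phase1-interface"][server]
    c = br["vpn ipsec phase1-interface"][client]
    errors, warnings = [], []
    # The client must dial the address actually bound to the server's IPsec interface.
    wan_ip = hq["system interface"][s["interface"][0]]["ip"][0]
    if c.get("remote-gw") != [wan_ip]:
        errors.append(f"client remote-gw {c.get('remote-gw')} != server WAN {wan_ip}")
    if s.get("psksecret") != c.get("psksecret"):
        errors.append("psksecret differs between server and client")
    common = set(s.get("proposal", [])) & set(c.get("proposal", []))
    if not common:
        errors.append("server and client share no phase1 proposal")
    if weak := sorted(p for p in common if p.endswith("-sha1")):  # SHA-1 integrity still negotiable
        warnings.append("SHA-1 phase1 proposals negotiable: " + " ".join(weak))
    # A blackhole route for the tunnel's destination must be less preferred (higher
    # distance) than the tunnel route, or it drops traffic even while the tunnel is up.
    routes = br.get("router static", {}).values()
    dist = lambda r: int(r.get("distance", ["10"])[0])   # FortiOS default static distance is 10
    for hole in [r for r in routes if r.get("blackhole") == ["enable"]]:
        if any(dist(hole) <= dist(t) for t in routes
               if t.get("device") == [client] and t.get("dst") == hole.get("dst")):
            errors.append("blackhole route is not less preferred than the tunnel route")
    return errors, warnings

HQ_CFG = """
config system interface
    edit "wan1"
        set ip 11.101.1.1 255.255.255.0
    next
end
config vpn ipsec phase1-interface
    edit "for_Branch"
        set type dynamic
        set interface "wan1"
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set psksecret sample
    next
end
"""
BRANCH_CFG = """
config vpn ipsec phase1-interface
    edit "to_HQ"
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 11.101.1.1
        set psksecret sample
    next
end
config router static
    edit 2
        set dst 10.1.100.0 255.255.255.0
        set device "to_HQ"
    next
    edit 3
        set dst 10.1.100.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end
"""
```

Run check_dialup_pair(HQ_CFG, BRANCH_CFG) against exports of both devices before bringing the tunnel up; a non-empty error list tells you what diagnose debug application ike -1 would otherwise show as a failed negotiation.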
