SPA with a FortiGate SD-WAN Deployment Guide

Verifying IPsec VPN tunnels on the FortiGate hub

Verifying IPsec VPN tunnels on the FortiGate hub

Verify that the IPsec VPN tunnels immediately appear on the FortiGate hub from all configured FortiSASE security points of presence (PoPs).

On the FortiGate hub, verify the IPsec VPN tunnels from the FortiSASE PoPs acting as spokes by going to Dashboard > Network and clicking the IPsec widget to expand it.

To verify IPsec VPN tunnels using the CLI:
  1. Run at least one of the following commands. For a VDOM-enabled hub FortiGate, enter the proper VDOM before running the command(s):

    diagnose vpn ike gateway list

    diagnose vpn tunnel list

    get vpn ipsec tunnel summary

    1. For diagnose vpn ike gateway list, confirm that the phase 1 IKE security associations (SAs) for the FortiSASE security PoPs with the corresponding peer IDs are established. Confirm that the IKE SA and IPsec SA entries show created and established as 1/1. The following shows sample output for this command:

      vd: root/0
      name: ToSpokes_1
      version: 2
      …
      created: 923s ago
      peer-id: region8-fos001-tiui7pzu-1
      …
      IKE SA: created 1/1 established 1/1 time 10/10/10 ms
      IPsec SA: created 1/1 established 1/1 time 0/0/0 ms
      …
      direction: responder
      status: established 923-923s ago = 10ms
      proposal: aes128-sha256
      child: no
      …
      PPK: no
      message-id sent/recv: 1/2
      lifetime/rekey: 86400/85206
      DPD sent/recv: 00000001/00000001
      peer-id: region8-fos001-tiui7pzu-1

    2. For diagnose vpn tunnel list, confirm that the phase 2 IPsec VPN SAs for the FortiSASE security PoPs are established. Confirm that the SA fields exist and are populated. The following shows sample output for this command:

      name=ToSpokes_1 ver=2 serial=3ba 208.85.68.228:4500->154.52.6.89:52270 tun_id=10.150.160.2 tun_id6=::10.0.3.147 dst_mtu=1500 dpd-link=on weight=1
      bound_if=25 lgwy=static/1 tun=intf/2 mode=dial_inst/3 encap=none/9096 options[2388]=npu rgwy-chg rport-chg frag-rfc run_state=0 accept_traffic=1 overlay_id=0
      parent=ToSpokes index=1
      proxyid_num=1 child_num=0 refcnt=6 ilast=0 olast=0 ad=s/1
      stat: rxp=2689 txp=1042 rxb=16418 txb=18338
      dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=1
      natt: mode=silent draft=0 interval=10 remote_port=52270
      proxyid=ToSpokes proto=0 sa=1 ref=4 serial=1 ads
        src: 0:0.0.0.0-255.255.255.255:0
        dst: 0:0.0.0.0-255.255.255.255:0
        SA: ref=6 options=a26 type=00 soft=0 mtu=1422 expire=42258/0B replaywin=2048
             seqno=411 esn=0 replaywin_lastseq=00000a80 itn=0 qat=0 hash_search_len=1
        life: type=01 bytes=0/0 timeout=43187/43200
        dec: spi=fd64b472 esp=aes key=16 0ab999cd40bc420cc78556f84b37747f
             ah=sha1 key=20 2e9f19e91d696d530adefb3d219ad1c74d08dcd8
        enc: spi=14c9a05c esp=aes key=16 5446e233d666319b8f88fd1768f774b0
             ah=sha1 key=20 15989dc3ef5fd1d0b385df93241e0d6a0b373826
        dec:pkts/bytes=2689/16346, enc:pkts/bytes=1042/21844
        npu_flag=03 npu_rgwy=154.52.6.89 npu_lgwy=208.85.68.228 npu_selid=33d dec_npuid=1 enc_npuid=1

    3. For get vpn ipsec tunnel summary, confirm that the phase 2 IPsec VPN selectors for the FortiSASE security PoPs are sending and receiving traffic. Confirm that selectors(total,up) shows 1/1 and that the rx(pkt,err) and tx(pkt,err) packet counts are non-zero. The following shows sample output for this command:

      'ToSpokes_0' 154.52.29.50:64916 selectors(total,up): 1/1 rx(pkt,err): 2689/0 tx(pkt,err): 1043/0
      'ToSpokes_1' 154.52.6.89:52270 selectors(total,up): 1/1 rx(pkt,err): 2689/0 tx(pkt,err): 1042/0
      'ToSpokes_2' 50.208.126.11:0 selectors(total,up): 1/1 rx(pkt,err): 22149/0 tx(pkt,err): 55050/37
      …
      'ToSpokes_4' 206.47.184.245:64916 selectors(total,up): 1/1 rx(pkt,err): 2689/0 tx(pkt,err): 1043/0
      …
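As an added example (not part of the Fortinet guide), the following Python script applies the checks from steps 1 and 3 to saved CLI output: it parses diagnose vpn ike gateway list and get vpn ipsec tunnel summary text and reports tunnels whose SAs are not established, whose selectors are down or idle, or whose packet counters show errors. The tunnel names, peer IDs and RFC 5737 addresses in the samples are constructed, and the regular expressions assume the field layout shown in the sample output above.

```python
import re
# One line of `get vpn ipsec tunnel summary`: name, peer, selectors, rx and tx counters.
SUMMARY_RE = re.compile(
    r"'(?P<name>[^']+)'\s+\S+\s+selectors\(total,up\):\s*(?P<sel_t>\d+)/(?P<sel_u>\d+)\s+"
    r"rx\(pkt,err\):\s*(?P<rx_p>\d+)/(?P<rx_e>\d+)\s+tx\(pkt,err\):\s*(?P<tx_p>\d+)/(?P<tx_e>\d+)"
)
# One gateway block of `diagnose vpn ike gateway list`, whether multi-line or flattened.
IKE_RE = re.compile(
    r"name:\s*(?P<name>\S+).*?IKE SA:\s*created\s*(?P<ike_c>\d+)/\d+\s*established\s*(?P<ike_e>\d+)/\d+"
    r".*?IPsec SA:\s*created\s*(?P<ip_c>\d+)/\d+\s*established\s*(?P<ip_e>\d+)/\d+",
    re.DOTALL,
)
# Constructed sample output (RFC 5737 addresses, made-up peer IDs), shaped like the page's examples.
SAMPLE_SUMMARY = """\
'ToSpokes_0' 198.51.100.10:64916 selectors(total,up): 1/1 rx(pkt,err): 2689/0 tx(pkt,err): 1043/0
'ToSpokes_1' 198.51.100.11:52270 selectors(total,up): 1/0 rx(pkt,err): 0/0 tx(pkt,err): 12/0
'ToSpokes_2' 203.0.113.20:0 selectors(total,up): 1/1 rx(pkt,err): 22149/0 tx(pkt,err): 55050/37
"""
SAMPLE_IKE = """\
vd: root/0 name: ToSpokes_1 version: 2 created: 923s ago peer-id: pop-example-1
IKE SA: created 1/1 established 1/1 time 10/10/10 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms
vd: root/0 name: ToSpokes_2 version: 2 created: 12s ago peer-id: pop-example-2
IKE SA: created 1/1 established 0/0 time 0/0/0 ms
IPsec SA: created 0/0 established 0/0 time 0/0/0 ms
"""

def check_tunnel_summary(output: str) -> dict[str, list[str]]:
    """Map each tunnel name to its problems; an empty list means the step 3 checks pass."""
    findings = {}
    for m in SUMMARY_RE.finditer(output):
        f = {k: int(v) for k, v in m.groupdict().items() if k != "name"}
        problems = []
        if f["sel_t"] == 0 or f["sel_u"] < f["sel_t"]:
            problems.append("selectors not fully up")
        if f["rx_p"] == 0 or f["tx_p"] == 0:
            problems.append("no traffic in one direction")
        if f["rx_e"] or f["tx_e"]:
            problems.append(f"errors rx={f['rx_e']} tx={f['tx_e']}")
        findings[m.group("name")] = problems
    return findings

def check_ike_gateways(output: str) -> dict[str, bool]:
    """True when a gateway's IKE SA and IPsec SA show created and established as n/n with n >= 1."""
    result = {}
    for m in IKE_RE.finditer(output):
        g = m.groupdict()
        result[g["name"]] = (g["ike_c"] == g["ike_e"] and g["ip_c"] == g["ip_e"]
                             and int(g["ike_e"]) >= 1 and int(g["ip_e"]) >= 1)
    return result
```

Feed the script the output captured from a session on the hub (after entering the correct VDOM) and treat any tunnel with a non-empty problem list or a False result as one to investigate with diagnose vpn tunnel list.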
