Troubleshooting Guide

7.4.3

Using IPsec VPN to connect branch offices (FortiGate)

The VPN configuration process consists of the following steps:

  1. Configure phase-1 parameters.

  2. Configure phase-2 parameters.

  3. Configure firewall policies.

  4. Configure the route.

Failure to establish a VPN tunnel with a peer party

Failure to establish a VPN connection is usually caused by mismatched VPN tunnel configurations on the two peers or by a disconnected underlay network. To troubleshoot:

  1. From the FortiExtender, check if the remote peer gateway is reachable by issuing the following commands:

    • execute tcpdump

    • execute ping

  2. Check if there is a configuration mismatch between the local and remote parties.

    1. Run get vpn ipsec negotiation error. The error message might provide additional information.

    2. From the FortiExtender GUI, navigate to Logs > VPN and read the relevant message.

      Look for the error details to determine if the error occurred during phase1 or phase2.

      • If the error occurred during phase1, check the VPN phase1-interface configuration.

        The mismatched setting is most likely the IKE version, the pre-shared key or certificate, or the proposals.

      • If the error occurred during phase2, check the VPN phase2-interface configuration, firewall policies, and traffic selector pairs.

        It is important to check the relevant firewall policies. If firewall rules are missing on the remote FortiGate peer side, the VPN might not come up.
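The mismatch check above boils down to comparing a handful of parameters on both peers: IKE version, authentication method and pre-shared key, proposals, and mirrored traffic selectors. The following script is an added example (not part of this guide or of any Fortinet product) that performs that comparison offline and reports whether the first disagreement is a phase1 or a phase2 issue. The field names and the sample peer parameters are assumptions constructed for the example, not CLI keywords; the pre-shared key is compared by digest so the secret itself never has to be copied into the comparison.

```python
"""Compare IPsec phase1/phase2 parameters of two peers and report the mismatching phase."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Field names below are an assumption for this example, not FortiExtender/FortiGate CLI keywords.

@dataclass(frozen=True)
class Phase1:
    ike_version: int
    auth_method: str                 # "psk" or "certificate"
    psk_fingerprint: Optional[str]   # digest of the secret; the secret itself is never stored
    proposals: frozenset             # e.g. {"aes256-sha256"}

@dataclass(frozen=True)
class Phase2:
    proposals: frozenset
    selectors: frozenset             # {(local_subnet, remote_subnet), ...}

def psk_fingerprint(secret: str) -> str:
    """Hash the pre-shared key so both sides can be compared without exposing it."""
    return hashlib.sha256(secret.encode()).hexdigest()

def compare_phase1(local: Phase1, remote: Phase1) -> List[str]:
    problems = []
    if local.ike_version != remote.ike_version:
        problems.append(f"IKE version mismatch: local v{local.ike_version}, remote v{remote.ike_version}")
    if local.auth_method != remote.auth_method:
        problems.append(f"authentication mismatch: local {local.auth_method}, remote {remote.auth_method}")
    elif local.auth_method == "psk" and local.psk_fingerprint != remote.psk_fingerprint:
        problems.append("pre-shared key differs between peers")
    if not (local.proposals & remote.proposals):
        problems.append("no common phase1 proposal")
    return problems

def compare_phase2(local: Phase2, remote: Phase2) -> List[str]:
    problems = []
    if not (local.proposals & remote.proposals):
        problems.append("no common phase2 proposal")
    # A selector (A -> B) on this side must appear as (B -> A) on the peer.
    mirrored = {(r, l) for (l, r) in remote.selectors}
    for sel in sorted(local.selectors - mirrored):
        problems.append(f"traffic selector {sel[0]} -> {sel[1]} has no matching pair on the peer")
    return problems

def diagnose(local1: Phase1, remote1: Phase1, local2: Phase2, remote2: Phase2) -> Tuple[str, List[str]]:
    """Return ("phase1"|"phase2"|"ok", problems); phase1 is checked first because IKE never reaches phase2 otherwise."""
    p1 = compare_phase1(local1, remote1)
    if p1:
        return "phase1", p1
    p2 = compare_phase2(local2, remote2)
    if p2:
        return "phase2", p2
    return "ok", []

# Constructed sample parameters for two peers; not taken from any real device.
BRANCH_P1 = Phase1(2, "psk", psk_fingerprint("branch-key-2024"), frozenset({"aes256-sha256", "aes128-sha256"}))
HQ_P1_BAD_KEY = Phase1(2, "psk", psk_fingerprint("branch-key-2O24"), frozenset({"aes256-sha256"}))  # letter O typo
HQ_P1_GOOD = Phase1(2, "psk", psk_fingerprint("branch-key-2024"), frozenset({"aes256-sha256"}))

BRANCH_P2 = Phase2(frozenset({"aes256-sha256"}), frozenset({("192.168.10.0/24", "10.0.0.0/16")}))
HQ_P2_BAD = Phase2(frozenset({"aes256-sha256"}), frozenset({("10.0.0.0/16", "192.168.11.0/24")}))  # wrong remote subnet
HQ_P2_GOOD = Phase2(frozenset({"aes256-sha256"}), frozenset({("10.0.0.0/16", "192.168.10.0/24")}))

if __name__ == "__main__":
    for hq1, hq2 in ((HQ_P1_BAD_KEY, HQ_P2_GOOD), (HQ_P1_GOOD, HQ_P2_BAD), (HQ_P1_GOOD, HQ_P2_GOOD)):
        phase, problems = diagnose(BRANCH_P1, hq1, BRANCH_P2, hq2)
        print(phase, problems)
```

The script stops at the first phase with a problem because a phase1 failure means phase2 is never negotiated; the phase2 selector check is what the guide calls the "traffic selector pairs", where the local/remote subnets on one side must appear swapped on the other.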

Unstable VPN link over LTE with peer FortiGate

An unstable VPN link usually indicates that the underlay network connection is of reduced quality, for example because a link went down or an interface IP address changed. When the IPsec VPN tunnel runs over LTE, you can run the ping command against an Internet address such as 8.8.8.8 to test LTE link stability:

# execute ping <Internet_IP_address>

Depending on the carrier's settings, the LTE connection IP address might occasionally be renewed, which can trigger the IPSECD process to renegotiate the tunnel.

If the FortiExtender is acting as a FortiGate WAN Extension and an IPsec tunnel runs through the FortiExtender LTE link but terminates on the FortiGate, check the FortiGate VPN Events log to see whether the tunnel up/down events coincide with an LTE link state change. At the same time, examine the IPsec configuration, in particular the phase1 DPD setting and whether phase2 auto-negotiate is enabled.
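Correlating the VPN Events log with LTE link state changes means lining up two time series and asking, for each tunnel-down event, whether an IP renewal or link drop happened shortly before it. The script below is an added example (not part of this guide or of any Fortinet product) that does this for two small event lists. The log lines are constructed for the example in a simple "timestamp key=value" shape and are not real FortiGate or FortiExtender log output; the 60-second window is likewise an assumed value that a practitioner would tune to the observed DPD interval.

```python
"""Correlate VPN tunnel-down events with preceding LTE link events inside a time window."""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in a "timestamp key=value ..." shape for this example;
# they are not real FortiGate or FortiExtender log output.
VPN_EVENTS = """\
2024-05-01 10:00:05 tunnel=branch1 action=tunnel-up
2024-05-01 10:42:17 tunnel=branch1 action=tunnel-down
2024-05-01 10:42:31 tunnel=branch1 action=tunnel-up
2024-05-01 13:15:02 tunnel=branch1 action=tunnel-down
2024-05-01 13:15:20 tunnel=branch1 action=tunnel-up
"""

LTE_EVENTS = """\
2024-05-01 10:42:12 event=ip-change old=10.20.30.40 new=10.20.31.9
2024-05-01 12:00:00 event=signal rsrp=-98
2024-05-01 13:16:40 event=link-down
"""

Event = Tuple[datetime, Dict[str, str]]

def parse_events(text: str) -> List[Event]:
    """Parse 'YYYY-MM-DD HH:MM:SS key=value ...' lines into (timestamp, fields) pairs."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, *fields = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        kv = dict(f.split("=", 1) for f in fields if "=" in f)
        events.append((ts, kv))
    return events

def correlate(vpn_text: str, lte_text: str, window_s: int = 60) -> List[Dict[str, Optional[str]]]:
    """For each tunnel-down, report the closest LTE link event that preceded it within window_s seconds."""
    # Only link-affecting LTE events count; signal readings are informational.
    lte = [(ts, kv) for ts, kv in parse_events(lte_text) if kv.get("event") in ("ip-change", "link-down")]
    window = timedelta(seconds=window_s)
    results = []
    for ts, kv in parse_events(vpn_text):
        if kv.get("action") != "tunnel-down":
            continue
        # Candidate causes must precede the tunnel drop, not follow it.
        candidates = [(lts, lkv) for lts, lkv in lte if timedelta(0) <= ts - lts <= window]
        if candidates:
            lts, lkv = max(candidates, key=lambda c: c[0])
            cause = lkv["event"]
            if cause == "ip-change":
                cause += f" {lkv['old']}->{lkv['new']}"
        else:
            cause = None  # tunnel dropped with no LTE explanation: look at DPD/peer side instead
        results.append({"tunnel": kv.get("tunnel"), "down_at": ts.isoformat(), "lte_cause": cause})
    return results

if __name__ == "__main__":
    for row in correlate(VPN_EVENTS, LTE_EVENTS):
        print(row)
```

In the constructed data the first tunnel drop follows an LTE IP renewal by five seconds and is attributed to it, while the second drop has no LTE event before it within the window and is reported with no cause, which is the case where the guide points you at the DPD and auto-negotiate settings instead.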

No outgoing or incoming packets via the tunnel

To allow traffic to pass through an IPsec VPN, the phase2 traffic selectors or routes and the relevant firewall policies need to be configured correctly. Traffic selectors determine which traffic is routed through the VPN tunnel; the firewall then checks that traffic against its policies. If the VPN link is up but the expected data is not passing through, examine the traffic selectors and firewall policy configuration on both sides and look for conflicting routes or firewall rules. You can sniff traffic with tcpdump to see where the traffic actually goes.

To investigate IPsec issues further, you can turn on debugging for the IPSECD process. This prints more details to the console or to a file.

To enable IPSECD debugging:
# execute debug IPSECD             # check which IPSEC sub-modes are on
# execute debug IPSECD ike on      # turn on IKE debugging
# execute debug log-to-console on  # print IPSECD logs to console
# execute debug log-to-console off # turn-off console logs
# execute debug clear              # clear all debug info
