T_L
Contributor

IPSec VPN Tunnel Initiation

Good Afternoon/ Evening!

I have a two-parter I hope is a 'simple one' for everyone!

We have a couple dozen 3rd Party/Interop IPSec tunnels from customers that all terminate on my CP gateway cluster (R81.10 MGT / R80.40 GWs). Outside of the normal interop weirdness that pops up when building them or troubleshooting them from time to time, everything is solid.

We recently set up a new tunnel that was stuck in phase 1, and we were convinced that we were sending the ISAKMP/key install traffic and receiving no response (captures, debugs, etc.), and the techs on the 3rd party side (Fortinet) believed they were the ones sending the traffic and getting no response. It turned out to be an ISP network issue.

- But it got us wondering how to determine which side is actually the tunnel 'initiator' - or does this concept not really apply?

- And that ties into the second part: if you are using SmartView to troubleshoot a tunnel that does not appear at all (because it is 'down'), OR using the CLI and the < vpn tu > commands to troubleshoot, but there are no IKE/IPSec SAs for the specific tunnel, is there any manual intervention that can be taken? You can't reset a tunnel that is not there, and you can't delete any IKE/IPsec SAs that are not there.

Thanks!!

3 Replies
the_rock
Champion

Well, if the tunnel is not initiating, doing a reset won't do anything. You can run the debug below and review the ike.elg file:

from gw expert mode ->

vpn debug trunc

vpn debug ikeon

generate traffic

vpn debug ikeoff

Check the $FWDIR/log directory for ike.elg and vpnd* files.

Andy

T_L
Contributor

We run those with all standard IPSec tunnel troubleshooting. When we view the files we can see that our side is sending the phase 1 traffic, and that data corresponds to the packet captures that we run concurrently.

Vladimir
Champion

IMHO, the concept of initiator should not really apply when we are talking about the ability to establish a tunnel.

The de facto initiator is another matter, as it should be the client side.

In terms of what you can see in the logs before the tunnel is established, I'd look for any traffic between the public IPs of your gateway and that of the interoperable device. It may help to increase the granularity of logs to milliseconds (there is an SK for that).

If the first connection is an inbound one, it is they who initiate the traffic; if it is outbound, it's you.

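The initiator question in the original post, and Vladimir's "inbound versus outbound first packet" rule, can be settled mechanically from a packet capture rather than from memory: in both IKEv1 (RFC 2408/2409) and IKEv2 (RFC 7296) the very first message of a negotiation carries an all-zero responder SPI/cookie, and an IKEv2 initiator additionally sets the Initiator flag (0x08) and clears the Response flag (0x20) in the header. The side that sends such a packet first is the initiator, and whether the peer ever answers with a non-zero responder SPI tells you whether you are the side "sending and getting nothing back". The script below is an added example written for this thread, not code from the posters, Check Point or Fortinet. It parses the 28-byte ISAKMP header from constructed UDP/500 and UDP/4500 payloads (the `Packet` class, the sample addresses 203.0.113.10 / 198.51.100.20 and the SPI values are all made up for the demonstration); in practice you would feed it the UDP payloads exported from a tcpdump or fw monitor capture taken while the `vpn debug` session above is running.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# ISAKMP/IKE fixed header (RFC 2408 s.3.1, RFC 7296 s.3.1, same 28-byte layout):
# initiator SPI (8), responder SPI (8), next payload (1), version (1),
# exchange type (1), flags (1), message ID (4), length (4)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ZERO_SPI = bytes(8)
IKEV2_FLAG_INITIATOR = 0x08
IKEV2_FLAG_RESPONSE = 0x20
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # IKE over UDP/4500 is prefixed with this (RFC 3948)

EXCHANGE_NAMES = {
    2: "IKEv1 Main Mode", 4: "IKEv1 Aggressive Mode", 32: "IKEv1 Quick Mode",
    34: "IKEv2 IKE_SA_INIT", 35: "IKEv2 IKE_AUTH",
    36: "IKEv2 CREATE_CHILD_SA", 37: "IKEv2 INFORMATIONAL",
}


@dataclass
class Packet:
    """One captured UDP datagram (hypothetical record type, built here for the demo)."""
    ts: float
    src: str
    dst: str
    dport: int
    payload: bytes


def parse_isakmp(pkt: Packet) -> dict:
    """Decode the ISAKMP header; raise ValueError for ESP or truncated data."""
    data = pkt.payload
    if pkt.dport == 4500:
        if not data.startswith(NON_ESP_MARKER):
            raise ValueError("UDP/4500 packet without non-ESP marker is ESP, not IKE")
        data = data[4:]
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    spi_i, spi_r, _next, version, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(data)
    return {"spi_i": spi_i, "spi_r": spi_r, "major": version >> 4,
            "exchange": EXCHANGE_NAMES.get(exch, f"unknown({exch})"),
            "flags": flags, "msg_id": msg_id, "length": length}


def is_first_message(hdr: dict) -> bool:
    """True for the opening message of a negotiation (responder SPI still zero)."""
    if hdr["spi_r"] != ZERO_SPI:
        return False
    if hdr["major"] == 2:  # IKEv2 also marks the direction in the flags byte
        return bool(hdr["flags"] & IKEV2_FLAG_INITIATOR) and not (hdr["flags"] & IKEV2_FLAG_RESPONSE)
    return True


def find_initiator(packets: List[Packet]) -> Optional[dict]:
    """Return who initiated, and whether the peer ever answered that negotiation."""
    for pkt in sorted(packets, key=lambda p: p.ts):
        try:
            hdr = parse_isakmp(pkt)
        except ValueError:
            continue  # ESP or garbage: not an IKE message
        if not is_first_message(hdr):
            continue
        answered = False
        for reply in packets:
            if reply.src != pkt.dst or reply.dst != pkt.src:
                continue
            try:
                rh = parse_isakmp(reply)
            except ValueError:
                continue
            # A real answer echoes our initiator SPI and fills in the responder SPI
            if rh["spi_i"] == hdr["spi_i"] and rh["spi_r"] != ZERO_SPI:
                answered = True
                break
        return {"initiator": pkt.src, "responder": pkt.dst, "ike_version": hdr["major"],
                "exchange": hdr["exchange"], "first_seen": pkt.ts, "responder_answered": answered}
    return None


def build_ike(spi_i: bytes, spi_r: bytes, exch: int, flags: int, msg_id: int = 0, nat_t: bool = False) -> bytes:
    """Construct a header-only IKE datagram for the sample capture (assumption: no payloads)."""
    ikev2 = exch >= 34
    hdr = ISAKMP_HDR.pack(spi_i, spi_r, 33 if ikev2 else 1, 0x20 if ikev2 else 0x10,
                          exch, flags, msg_id, ISAKMP_HDR.size)
    return NON_ESP_MARKER + hdr if nat_t else hdr


# Constructed sample capture (addresses and SPIs are fictitious, not the poster's)
OUR_GW, PEER = "203.0.113.10", "198.51.100.20"
SPI_I = bytes.fromhex("1122334455667788")
SPI_R = bytes.fromhex("99aabbccddeeff00")

# Scenario from the post: we retransmit IKE_SA_INIT and nothing ever comes back
STUCK_PHASE1 = [
    Packet(0.000, OUR_GW, PEER, 500, build_ike(SPI_I, ZERO_SPI, 34, IKEV2_FLAG_INITIATOR)),
    Packet(4.000, OUR_GW, PEER, 500, build_ike(SPI_I, ZERO_SPI, 34, IKEV2_FLAG_INITIATOR)),
]
# Peer initiates over NAT-T and we answer; a stray ESP datagram is ignored
PEER_INITIATED = [
    Packet(0.000, PEER, OUR_GW, 4500, build_ike(SPI_I, ZERO_SPI, 34, IKEV2_FLAG_INITIATOR, nat_t=True)),
    Packet(0.050, OUR_GW, PEER, 4500, build_ike(SPI_I, SPI_R, 34, IKEV2_FLAG_RESPONSE, nat_t=True)),
    Packet(0.100, PEER, OUR_GW, 4500, b"\x12\x34\x56\x78" + bytes(24)),  # ESP, non-zero SPI
]
# IKEv1 Main Mode: we send MM1, peer replies with MM2
IKEV1_MAIN_MODE = [
    Packet(0.000, OUR_GW, PEER, 500, build_ike(SPI_I, ZERO_SPI, 2, 0)),
    Packet(0.030, PEER, OUR_GW, 500, build_ike(SPI_I, SPI_R, 2, 0)),
]

if __name__ == "__main__":
    for name, cap in [("stuck", STUCK_PHASE1), ("peer-initiated", PEER_INITIATED), ("ikev1", IKEV1_MAIN_MODE)]:
        print(name, find_initiator(cap))
```

Two caveats worth keeping in mind when you apply this to a real capture: rekeys and dead-peer-detection exchanges carry non-zero SPIs on both sides, so only the opening IKE_SA_INIT or Main/Aggressive Mode message identifies the initiator of a given IKE SA; and if both sides are configured to initiate you may see two independent first messages close together, in which case each negotiation has its own initiator and the code reports whichever arrived first.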