- CheckMates
R77.30 IPsec VPN traffic hitting clean-up rule instead of accept rule
Hello Mates,
I am facing this issue with an IPsec VPN configured with a FortiGate firewall at the client end. The issue is that Phase 1 only comes up when I initiate some traffic (ping) to the peer end IP. Even when a user connected to the Check Point gateway initiates the flow, the gateway does not negotiate either Phase 1 or Phase 2.
When the client forcefully brings Phase 2 up (in FortiGate, under the VPN monitor section), Phase 2 also comes up. But even after that, the client traffic is dropped by the clean-up rule, even though there is an existing rule for this flow above the clean-up rule. It seems that rule is invisible to the gateway.
Also, after some time the tunnel went down.
So to sum up:
1) The gateway is not initiating the IPsec negotiation. Only after explicitly initiating the negotiation does the tunnel come up.
2) Even when the tunnel is up, the traffic is dropped by the final clean-up rule instead of the allow rule which is above the clean-up rule.
Please help on this issue. Thanks.
The basic troubleshooting guide for such issues is sk108600: VPN Site-to-Site with 3rd party
Hi Ashish,
You can do basic troubleshooting for the VPN, and finally you can run a debug and check the ike.elg file.
Are you generating ICMP traffic while testing the tunnel? If so, please check the setting "Accept ICMP Requests" in the general settings. It should be "Before Last".
Hello Gaurav and G_W_Albrecht,
Thanks for your reply. I will check the SK, but what I found in the ike.elg file is that after Phase 2 message 1, the cookie values are changed (both initiator and responder) in the message received by the responder, as shown in the "info" field of the ike.elg file.
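An added diagnostic example, not code from this thread or from Check Point: it decodes the fixed ISAKMP header (RFC 2408) of IKEv1 Quick Mode message 1 and of the reply, and reports when the initiator/responder cookies or the message ID differ, which is the symptom described in the post above. The packet bytes are constructed here and the function and field names are my own.

```python
import struct
from typing import List, NamedTuple

# ISAKMP header (RFC 2408, section 3.1): initiator cookie (8), responder
# cookie (8), next payload (1), version (1), exchange type (1), flags (1),
# message ID (4), length (4) -- 28 bytes, network byte order.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
QUICK_MODE = 32  # IKEv1 Quick Mode exchange type (Phase 2)

class IsakmpHeader(NamedTuple):
    icookie: bytes
    rcookie: bytes
    next_payload: int
    version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int

def parse_header(packet: bytes) -> IsakmpHeader:
    """Decode the fixed 28-byte ISAKMP header at the start of an IKE packet."""
    if len(packet) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    return IsakmpHeader(*ISAKMP_HDR.unpack_from(packet, 0))

def check_quick_mode_reply(msg1: bytes, msg2: bytes) -> List[str]:
    """Compare Quick Mode message 1 with the reply and list fields that no
    longer match. Phase 2 runs under the Phase 1 SA, so both cookies and the
    message ID must stay identical across the exchange."""
    h1, h2 = parse_header(msg1), parse_header(msg2)
    findings = []
    if h1.exchange_type != QUICK_MODE:
        findings.append("message 1 is not Quick Mode (exchange type %d)" % h1.exchange_type)
    if h2.icookie != h1.icookie:
        findings.append("initiator cookie changed %s -> %s" % (h1.icookie.hex(), h2.icookie.hex()))
    if h2.rcookie != h1.rcookie:
        findings.append("responder cookie changed %s -> %s" % (h1.rcookie.hex(), h2.rcookie.hex()))
    if h2.message_id != h1.message_id:
        findings.append("message ID changed %08x -> %08x" % (h1.message_id, h2.message_id))
    return findings

def build_header(icookie: bytes, rcookie: bytes, message_id: int) -> bytes:
    """Constructed packet: bare Quick Mode header, next payload HASH (8), encrypted flag set."""
    return ISAKMP_HDR.pack(icookie, rcookie, 8, 0x10, QUICK_MODE, 0x01, message_id, ISAKMP_HDR.size)

# Constructed sample exchanges (not captured traffic).
IC, RC = bytes.fromhex("0102030405060708"), bytes.fromhex("a1a2a3a4a5a6a7a8")
IC2, RC2 = bytes.fromhex("1112131415161718"), bytes.fromhex("b1b2b3b4b5b6b7b8")
GOOD_EXCHANGE = (build_header(IC, RC, 0x1234), build_header(IC, RC, 0x1234))
# Reply carries different cookies: the peer answered under another Phase 1 SA.
BAD_EXCHANGE = (build_header(IC, RC, 0x1234), build_header(IC2, RC2, 0x1234))
```

Run `check_quick_mode_reply` over the two packets of each Quick Mode exchange taken from a capture; an empty list means the reply belongs to the same Phase 1 SA.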
