Debugging Fortigate VPNs

Posted on March 22, 2012

In the following post I will do some “research” on VPN debugs in Fortigate. It may be useful for those who have basic Fortigate VPN problems, or whose peer Fortigate has a problem. Debugging is useful for troubleshooting, but should not only be used for troubleshooting: it should also be used to understand and see how things really work.

If something goes wrong, it may be too late to learn how things worked before.

Fortigate Firewall1 Configuration:

For the first firewall, called firewall1, the basic configuration is shown. It is a simple VPN with a pre-shared key. The following configuration sections are used:

– Interface
– VPN Settings
– Firewall Policy
– Route

firewall1 # show system interface
config system interface
    edit "internal"
        set vdom "root"
        set ip 192.168.10.1 255.255.255.240
        set allowaccess ping https
        set type physical
    next
    edit "wan2"
        set vdom "root"
        set allowaccess ping
        set type physical
    next
    edit "wan1"
        set vdom "root"
        set ip 6.6.6.2 255.255.255.0
        set allowaccess ping https ssh
        set type physical
    next
    edit "modem"
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
    next
    edit "firewall2"
        set vdom "root"
        set type tunnel
        set interface "wan1"
    next
end

firewall1 # show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
    edit "firewall2"
        set interface "wan1"
        set dpd enable
        set nattraversal enable
        set proposal aes128-sha1 aes128-md5
        set remote-gw 3.3.3.1
        set psksecret ENC ECcAADE...
    next
end

firewall1 # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
    edit "firewall2-ph2"
        set pfs enable
        set phase1name "firewall2"
        set proposal aes192-sha1 aes192-md5
        set replay enable
        set src-subnet 192.168.10.0 255.255.255.240
    next
end

firewall1 # show firewall policy
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "firewall2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end

firewall1 # show router static
config router static
    edit 1
        set device "wan1"
        set dst 6.0.0.0 255.0.0.0
        set gateway 6.6.6.1
    next
    edit 2
        set device "firewall2"
        set distance 5
    next
    edit 3
        set device "wan1"
        set dst 3.3.3.1 255.255.255.255
        set gateway 6.6.6.1
    next
end

Fortigate Firewall2 VPN Configuration (VPN part only):

For the GUI fans, only the VPN configuration of firewall2 is shown here, as it appears in the GUI.

Manually initiate the IPsec tunnel:

Normally the tunnel is brought up automatically, but we can start it manually (the arguments are the phase2 name followed by the phase1 name):

diag vpn tunnel up firewall2-ph2 firewall2

Debug commands:

diagnose debug console timestamp enable
diagnose debug enable
diagnose debug application ike -1 

To stop it, issue the following commands:

diagnose debug application ike 0
diagnose debug disable

DPD (dead peer detection) debug:

Dead peer detection continuously checks whether the peer is still reachable: it sends so-called R-U-THERE packets and, if the peer supports DPD, the peer answers with an R-U-THERE-ACK packet.
Each probe carries a sequence number, which we can see in the debug: it is printed in hex on the "link is idle" line (seqno=140c) and in decimal on the "send DPD probe" line (seqno 5132, the same value).

2012-03-21 23:55:48 0:firewall2: link is idle 5 6.6.6.2->3.3.3.1:500 dpd=2 seqno=140c

2012-03-21 23:55:48 0:firewall2: send DPD probe, seqno 5132
2012-03-21 23:55:48 0:firewall2:256: sent IKE msg (R-U-THERE): 6.6.6.2:500->3.3.3.1:500, len=92
2012-03-21 23:55:48 0: comes 3.3.3.1:500->6.6.6.2:500,ifindex=5....
2012-03-21 23:55:48 0: exchange=Informational id=161bed44960a86d3/30fb218d646769fa:9ef2e05e len=92
2012-03-21 23:55:48 0: found firewall2 6.6.6.2 5 -> 3.3.3.1:500
2012-03-21 23:55:48 0:firewall2:256: notify msg received: R-U-THERE-ACK

2012-03-21 23:55:53 0:firewall2: link is idle 5 6.6.6.2->3.3.3.1:500 dpd=2 seqno=140d

2012-03-21 23:55:53 0:firewall2: send DPD probe, seqno 5133
2012-03-21 23:55:53 0:firewall2:256: sent IKE msg (R-U-THERE): 6.6.6.2:500->3.3.3.1:500, len=92
2012-03-21 23:55:53 0: comes 3.3.3.1:500->6.6.6.2:500,ifindex=5....
2012-03-21 23:55:53 0: exchange=Informational id=161bed44960a86d3/30fb218d646769fa:fcb630e9 len=92
2012-03-21 23:55:53 0: found firewall2 6.6.6.2 5 -> 3.3.3.1:500
2012-03-21 23:55:53 0:firewall2:256: notify msg received: R-U-THERE-ACK

VPN disconnect debug – initiated from peer:

Here the disconnect was initiated by the other peer: it sends an IPsec SA delete, our side deletes its own SA (0 SAs left, SNMP tunnel DOWN trap) and sends a delete for its own SPI in return, and finally the ISAKMP (phase 1) SA is deleted and flushed as well.

2012-03-22 00:13:09 0:firewall2:256: recv IPsec SA delete, spi count 1
2012-03-22 00:13:09 0:firewall2: deleting SA with SPI 2a08e9b4
2012-03-22 00:13:09 0:firewall2: deleted SA with SPI 2a08e9b4, firewall2-ph2 has 0 SAs left
2012-03-22 00:13:09 0:firewall2: sending SNMP tunnel DOWN trap for firewall2-ph2
2012-03-22 00:13:09 0:firewall2: found phase2 firewall2-ph2
2012-03-22 00:13:09 0:firewall2:256: send IPsec SA delete, spi 69c76327
2012-03-22 00:13:09 0:firewall2:256: sent IKE msg (IPsec SA_DELETE-NOTIFY): 6.6.6.2:500->3.3.3.1:500, len=76
2012-03-22 00:13:09 0:firewall2:256: recv ISAKMP SA delete 161bed44960a86d3/30fb218d646769fa
2012-03-22 00:13:09 0:firewall2: deleting
2012-03-22 00:13:09 0:firewall2: flushing
2012-03-22 00:13:09 0:firewall2: flushed
2012-03-22 00:13:09 0:firewall2: deleted

VPN initiation timeout debug, VPN peer does not reply:

DPD triggers a new connection, but the other peer does not reply to the first main mode message: the message is retransmitted (P1_RETRANSMIT), the DPD link failures accumulate and the connection is finally reset.

2012-03-22 00:30:43 0:firewall2: created DPD triggered connection: 0x8c1f8e8 5 6.6.6.2->3.3.3.1:500.
2012-03-22 00:30:43 0:firewall2: new connection.
2012-03-22 00:30:43 0:firewall2:327: initiator: main mode is sending 1st message...
2012-03-22 00:30:43 0:firewall2:327: cookie 590262b9951dc2b8/0000000000000000
2012-03-22 00:30:43 0:firewall2:327: sent IKE msg (ident_i1send): 6.6.6.2:500->3.3.3.1:500, len=360
2012-03-22 00:30:43 firewall2: Initiator: sent 3.3.3.1 main mode message #1 (OK)
2012-03-22 00:30:45 0:firewall2:327: sent IKE msg (P1_RETRANSMIT): 6.6.6.2:500->3.3.3.1:500, len=360
2012-03-22 00:30:48 0:firewall2: link fail 5 6.6.6.2->3.3.3.1:500 dpd=2
2012-03-22 00:30:48 0:firewall2: ignore link fail, too old
2012-03-22 00:30:49 0:firewall2:327: sent IKE msg (P1_RETRANSMIT): 6.6.6.2:500->3.3.3.1:500, len=360
2012-03-22 00:30:53 0:firewall2: link fail 5 6.6.6.2->3.3.3.1:500 dpd=2
2012-03-22 00:30:53 0:firewall2: ignore link fail, too old
2012-03-22 00:30:57 0:firewall2:327: sent IKE msg (P1_RETRANSMIT): 6.6.6.2:500->3.3.3.1:500, len=360
2012-03-22 00:30:58 0:firewall2: link fail 5 6.6.6.2->3.3.3.1:500 dpd=2
2012-03-22 00:30:58 0:firewall2: DPD fail 5 6.6.6.2->3.3.3.1:500 send failure, resetting ...
2012-03-22 00:30:58 0:firewall2: deleting
2012-03-22 00:30:58 0:firewall2: flushing
2012-03-22 00:30:58 0:firewall2: flushed
2012-03-22 00:30:58 0:firewall2: deleted

VPN session creation debug:

What you can see in the debug, i.e. what the peers negotiate in the background:

– DPD negotiation
– NAT traversal is activated (RFC 3947), but NAT is not detected.
– Encryption method (which AES key length is used is not clear from this debug; only AES_CBC is shown.)
– Authentication method is pre-shared key.
– SA lifetimes
– Authentication succeeded
– Encryption domain (quick mode selectors) from initiator and from responder (these must match)

2012-03-22 12:24:33 0: found firewall2 6.6.6.2 5 -> 3.3.3.1:500
2012-03-22 12:24:33 0:firewall2:2: initiator: main mode get 1st response...
2012-03-22 12:24:33 0:firewall2:2: VID RFC 3947
2012-03-22 12:24:33 0:firewall2:2: VID DPD
2012-03-22 12:24:33 0:firewall2:2: DPD negotiated
2012-03-22 12:24:33 0:firewall2:2: selected NAT-T version: RFC 3947
2012-03-22 12:24:33 0:firewall2:2: negotiation result
2012-03-22 12:24:33 0:firewall2:2: proposal id = 1:
2012-03-22 12:24:33 0:firewall2:2:   protocol id = ISAKMP:
2012-03-22 12:24:33 0:firewall2:2:      trans_id = KEY_IKE.
2012-03-22 12:24:33 0:firewall2:2:      encapsulation = IKE/none
2012-03-22 12:24:33 0:firewall2:2:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
2012-03-22 12:24:33 0:firewall2:2:         type=OAKLEY_HASH_ALG, val=SHA.
2012-03-22 12:24:33 0:firewall2:2:         type=AUTH_METHOD, val=PRESHARED_KEY.
2012-03-22 12:24:33 0:firewall2:2:         type=OAKLEY_GROUP, val=1536.
2012-03-22 12:24:33 0:firewall2:2: ISKAMP SA lifetime=28800
2012-03-22 12:24:34 0:firewall2:2: sent IKE msg (ident_i2send): 6.6.6.2:500->3.3.3.1:500, len=292
2012-03-22 12:24:34 firewall2: Initiator: sent 3.3.3.1 main mode message #2 (OK)
2012-03-22 12:24:34 0: comes 3.3.3.1:500->6.6.6.2:500,ifindex=5....
2012-03-22 12:24:34 0: exchange=Identity Protection id=a2d17a9502e75b2d/d0808883f3ffc95c len=292
2012-03-22 12:24:34 0: found firewall2 6.6.6.2 5 -> 3.3.3.1:500
2012-03-22 12:24:34 0:firewall2:2: initiator: main mode get 2nd response...
2012-03-22 12:24:34 0:firewall2:2: NAT not detected
2012-03-22 12:24:34 0:firewall2:2: add initial-contact
2012-03-22 12:24:34 0:firewall2:2: sent IKE msg (ident_i3send): 6.6.6.2:500->3.3.3.1:500, len=108
2012-03-22 12:24:34 firewall2: Initiator: sent 3.3.3.1 main mode message #3 (OK)
2012-03-22 12:24:34 0: comes 3.3.3.1:500->6.6.6.2:500,ifindex=5....
2012-03-22 12:24:34 0: exchange=Identity Protection id=a2d17a9502e75b2d/d0808883f3ffc95c len=76
2012-03-22 12:24:34 0: found firewall2 6.6.6.2 5 -> 3.3.3.1:500
2012-03-22 12:24:34 0:firewall2:2: initiator: main mode get 3rd response...
2012-03-22 12:24:34 0:firewall2:2: PSK authentication succeeded
2012-03-22 12:24:34 0:firewall2:2: authentication OK
2012-03-22 12:24:34 firewall2: Initiator: parsed 3.3.3.1 main mode message #3 (DONE)
2012-03-22 12:24:34 0:firewall2:2: ISAKMP SA established
2012-03-22 12:24:34 0:firewall2:2: no pending Quick-Mode negotiations
2012-03-22 12:24:34
2012-03-22 12:24:35 0:firewall2:firewall2-ph2: IPsec SA connect 5 6.6.6.2->3.3.3.1:500, natt_mode=0
2012-03-22 12:24:35 0:firewall2: using existing connection, dpd_fail=0
2012-03-22 12:24:35 0:firewall2: found phase2 firewall2-ph2
2012-03-22 12:24:35 0:firewall2: IPsec SA connect 5 6.6.6.2->3.3.3.1:500 negotiating
2012-03-22 12:24:35 0:firewall2:2: cookie a2d17a9502e75b2d/d0808883f3ffc95c:b3cc0a48
2012-03-22 12:24:36 0:firewall2:2:firewall2-ph2:1: initiator selectors 0 192.168.10.0/255.255.255.240:0->0.0.0.0/0.0.0.0:0
2012-03-22 12:24:36 0:firewall2:2: sent IKE msg (quick_i1send): 6.6.6.2:500->3.3.3.1:500, len=396
2012-03-22 12:24:36 firewall2: Initiator: sent 3.3.3.1 quick mode message #1 (OK)
2012-03-22 12:24:36 0: comes 3.3.3.1:500->6.6.6.2:500,ifindex=5....
2012-03-22 12:24:36 0: exchange=Quick id=a2d17a9502e75b2d/d0808883f3ffc95c:b3cc0a48 len=364
2012-03-22 12:24:36 0: found firewall2 6.6.6.2 5 -> 3.3.3.1:500
2012-03-22 12:24:36 0:firewall2:2:firewall2-ph2:1: responder selectors 0 192.168.10.0/255.255.255.240:0->0.0.0.0/0.0.0.0:0
2012-03-22 12:24:36 0:firewall2:2: sent IKE msg (quick_i2send): 6.6.6.2:500->3.3.3.1:500, len=60
2012-03-22 12:24:36 0:firewall2:2:firewall2-ph2:1: replay protection enabled
2012-03-22 12:24:36 0:firewall2:2:firewall2-ph2:1: set sa life soft seconds=1748.
2012-03-22 12:24:36 0:firewall2:2:firewall2-ph2:1: set sa life hard seconds=1800.
2012-03-22 12:24:36 0:firewall2:2:firewall2-ph2:1: add SA #src=1 #dst=1
2012-03-22 12:24:36 0:firewall2:2:firewall2-ph2:1: src 0 4 192.168.10.0/255.255.255.240
2012-03-22 12:24:36 0:firewall2:2:firewall2-ph2:1: dst 0 4 0.0.0.0/0.0.0.0
2012-03-22 12:24:36 0:firewall2:2:firewall2-ph2:1: installed SA: SPIs=a88bfa10/2a08ea33
2012-03-22 12:24:36 0:firewall2:2:firewall2-ph2:1: sending SNMP tunnel UP trap
2012-03-22 12:24:36 firewall2: Initiator: sent 3.3.3.1 quick mode message #2 (DONE)

VPN session creation debug (quick mode, seen as responder):

2012-03-22 02:52:39 0: exchange=Quick id=62edcb0e075bcda4/136dc3418fe9f51e:f282fc5d len=396
2012-03-22 02:52:39 0: found firewall2 6.6.6.2 5 -> 3.3.3.1:500
2012-03-22 02:52:39 0:firewall2:361::7146: responder received first quick-mode message
2012-03-22 02:52:39 0:firewall2:361:7146: peer proposal is: peer:0.0.0.0-255.255.255.255, me:192.168.10.0-192.168.10.15, ports=0/0, protocol=0/0
2012-03-22 02:52:39 0:firewall2:361:7146: trying firewall2-ph2
2012-03-22 02:52:39 0:firewall2:361:firewall2-ph2:7146: matched phase2
2012-03-22 02:52:39 0:firewall2:361:firewall2-ph2:7146: autokey
2012-03-22 02:52:39 0:firewall2:361:firewall2-ph2:7146: negotiation result
2012-03-22 02:52:39 0:firewall2:361:firewall2-ph2:7146: proposal id = 1:
2012-03-22 02:52:39 0:firewall2:361:firewall2-ph2:7146:   protocol id = IPSEC_ESP:
2012-03-22 02:52:39 0:firewall2:361:firewall2-ph2:7146:      trans_id = ESP_AES (key_len = 192)
2012-03-22 02:52:39 0:firewall2:361:firewall2-ph2:7146:      encapsulation = ENCAPSULATION_MODE_TUNNEL
2012-03-22 02:52:39 0:firewall2:361:firewall2-ph2:7146:         type = AUTH_ALG, val=SHA1
2012-03-22 02:52:39 0:firewall2:361:firewall2-ph2:7146: set pfs=1536
2012-03-22 02:52:39 0:firewall2:361:firewall2-ph2:7146: using tunnel mode.
2012-03-22 02:52:40 0:firewall2:361: sent IKE msg (quick_r1send): 6.6.6.2:500->3.3.3.1:500, len=364
2012-03-22 02:52:40 firewall2: Responder: sent 3.3.3.1 quick mode message #1 (OK)
2012-03-22 02:52:40 0: comes 3.3.3.1:500->6.6.6.2:500,ifindex=5....
2012-03-22 02:52:40 0: exchange=Quick id=62edcb0e075bcda4/136dc3418fe9f51e:f282fc5d len=60
2012-03-22 02:52:40 0: found firewall2 6.6.6.2 5 -> 3.3.3.1:500
2012-03-22 02:52:40 0:firewall2:361:firewall2-ph2:7146: replay protection enabled
2012-03-22 02:52:40 0:firewall2:361:firewall2-ph2:7146: set sa life soft seconds=1753.
2012-03-22 02:52:40 0:firewall2:361:firewall2-ph2:7146: set sa life hard seconds=1800.
2012-03-22 02:52:40 0:firewall2:361:firewall2-ph2:7146: add SA #src=1 #dst=1
2012-03-22 02:52:40 0:firewall2:361:firewall2-ph2:7146: src 0 7 192.168.10.0-192.168.10.15
2012-03-22 02:52:40 0:firewall2:361:firewall2-ph2:7146: dst 0 7 0.0.0.0-255.255.255.255
2012-03-22 02:52:40 0:firewall2:361:firewall2-ph2:7146: installed SA: SPIs=69c7632c/2a08ea1b
2012-03-22 02:52:40 0:firewall2:361:firewall2-ph2:7146: sending SNMP tunnel UP trap
2012-03-22 02:52:40 firewall2: Responder: parsed 3.3.3.1 quick mode message #2 (DONE)

VPN session creation debug (wrong selectors):

The encryption domains (quick mode selectors) do not match between the peers. Phase 1 completes normally; the initiator then sends its quick mode message #1 and only sees it retransmitted and its duplicate requests ignored, without any hint of what the peer expects.

This debug is from the initiator:

2012-03-22 12:30:31 0: found firewall2 6.6.6.2 5 -> 3.3.3.1:500
2012-03-22 12:30:31 0:firewall2:2: initiator: main mode get 1st response...
2012-03-22 12:30:31 0:firewall2:2: VID RFC 3947
2012-03-22 12:30:31 0:firewall2:2: VID DPD
2012-03-22 12:30:31 0:firewall2:2: DPD negotiated
2012-03-22 12:30:31 0:firewall2:2: selected NAT-T version: RFC 3947
2012-03-22 12:30:31 0:firewall2:2: negotiation result
2012-03-22 12:30:31 0:firewall2:2: proposal id = 1:
2012-03-22 12:30:31 0:firewall2:2:   protocol id = ISAKMP:
2012-03-22 12:30:31 0:firewall2:2:      trans_id = KEY_IKE.
2012-03-22 12:30:31 0:firewall2:2:      encapsulation = IKE/none
2012-03-22 12:30:31 0:firewall2:2:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
2012-03-22 12:30:31 0:firewall2:2:         type=OAKLEY_HASH_ALG, val=SHA.
2012-03-22 12:30:31 0:firewall2:2:         type=AUTH_METHOD, val=PRESHARED_KEY.
2012-03-22 12:30:31 0:firewall2:2:         type=OAKLEY_GROUP, val=1536.
2012-03-22 12:30:31 0:firewall2:2: ISKAMP SA lifetime=28800
2012-03-22 12:30:31 0:firewall2:2: sent IKE msg (ident_i2send): 6.6.6.2:500->3.3.3.1:500, len=292
2012-03-22 12:30:31 firewall2: Initiator: sent 3.3.3.1 main mode message #2 (OK)
2012-03-22 12:30:32 0: comes 3.3.3.1:500->6.6.6.2:500,ifindex=5....
2012-03-22 12:30:32 0: exchange=Identity Protection id=e83ab30342b29b82/8e584f50fc268376 len=292
2012-03-22 12:30:32 0: found firewall2 6.6.6.2 5 -> 3.3.3.1:500
2012-03-22 12:30:32 0:firewall2:2: initiator: main mode get 2nd response...
2012-03-22 12:30:32 0:firewall2:2: NAT not detected
2012-03-22 12:30:32 0:firewall2:2: add initial-contact
2012-03-22 12:30:32 0:firewall2:2: sent IKE msg (ident_i3send): 6.6.6.2:500->3.3.3.1:500, len=108
2012-03-22 12:30:32 firewall2: Initiator: sent 3.3.3.1 main mode message #3 (OK)
2012-03-22 12:30:32 0: comes 3.3.3.1:500->6.6.6.2:500,ifindex=5....
2012-03-22 12:30:32 0: exchange=Identity Protection id=e83ab30342b29b82/8e584f50fc268376 len=76
2012-03-22 12:30:32 0: found firewall2 6.6.6.2 5 -> 3.3.3.1:500
2012-03-22 12:30:32 0:firewall2:2: initiator: main mode get 3rd response...
2012-03-22 12:30:32 0:firewall2:2: PSK authentication succeeded
2012-03-22 12:30:32 0:firewall2:2: authentication OK
2012-03-22 12:30:32 firewall2: Initiator: parsed 3.3.3.1 main mode message #3 (DONE)
2012-03-22 12:30:32 0:firewall2:2: ISAKMP SA established
2012-03-22 12:30:32 0:firewall2:2: no pending Quick-Mode negotiations
2012-03-22 12:30:32
2012-03-22 12:30:32 0:firewall2:firewall2-ph2: IPsec SA connect 5 6.6.6.2->3.3.3.1:500, natt_mode=0
2012-03-22 12:30:32 0:firewall2: using existing connection, dpd_fail=0
2012-03-22 12:30:32 0:firewall2: found phase2 firewall2-ph2
2012-03-22 12:30:32 0:firewall2: IPsec SA connect 5 6.6.6.2->3.3.3.1:500 negotiating
2012-03-22 12:30:32 0:firewall2:2: cookie e83ab30342b29b82/8e584f50fc268376:0bc0f9f4
2012-03-22 12:30:32 0:firewall2:2:firewall2-ph2:1: initiator selectors 0 192.168.10.0/255.255.255.240:0->0.0.0.0/0.0.0.0:0
2012-03-22 12:30:32 0:firewall2:2: sent IKE msg (quick_i1send): 6.6.6.2:500->3.3.3.1:500, len=396
2012-03-22 12:30:32 firewall2: Initiator: sent 3.3.3.1 quick mode message #1 (OK)
2012-03-22 12:30:33 0:firewall2:firewall2-ph2: IPsec SA connect 5 6.6.6.2->3.3.3.1:500, natt_mode=0
2012-03-22 12:30:33 0:firewall2: using existing connection, dpd_fail=0
2012-03-22 12:30:33 0:firewall2: found phase2 firewall2-ph2
2012-03-22 12:30:33 0:firewall2:firewall2-ph2:1 ignoring duplicate quick-mode request
2012-03-22 12:30:34 0:firewall2:2: sent IKE msg (P2_RETRANSMIT): 6.6.6.2:500->3.3.3.1:500, len=396
2012-03-22 12:30:35 0:firewall2:firewall2-ph2: IPsec SA connect 5 6.6.6.2->3.3.3.1:500, natt_mode=0
2012-03-22 12:30:35 0:firewall2: using existing connection, dpd_fail=0
2012-03-22 12:30:35 0:firewall2: found phase2 firewall2-ph2
2012-03-22 12:30:35 0:firewall2:firewall2-ph2:1 ignoring duplicate quick-mode request
2012-03-22 12:30:36 0:firewall2:firewall2-ph2: IPsec SA connect 5 6.6.6.2->3.3.3.1:500, natt_mode=0
2012-03-22 12:30:36 0:firewall2: using existing connection, dpd_fail=0
2012-03-22 12:30:36 0:firewall2: found phase2 firewall2-ph2
2012-03-22 12:30:36 0:firewall2:firewall2-ph2:1 ignoring duplicate quick-mode request

If we initiate on our side, we won't see what the other peer has. If the other side initiates, our responder debug prints both the peer's proposal and our own selectors ("mine"), so it is worth testing initiation from the other side:

2012-03-22 12:37:24 0:firewall2:3::90: responder received first quick-mode message
2012-03-22 12:37:24 0:firewall2:3:90: peer proposal is: peer:0.0.0.0-255.255.255.255, me:192.168.11.0-192.168.11.15, ports=0/0, protocol=0/0
2012-03-22 12:37:24 0:firewall2:3:90: trying firewall2-ph2
2012-03-22 12:37:24 0:firewall2:3:90: specified selectors mismatch
firewall2: - remote: type=7/7, ports=0/0, protocol=0/0
2012-03-22 12:37:24 0:firewall2:3:90:    local=192.168.11.0-192.168.11.15, remote=0.0.0.0-255.255.255.255
2012-03-22 12:37:24 0:firewall2:3:90: - mine: type=7/7, ports=0/0, protocol=0/0
2012-03-22 12:37:24 0:firewall2:90:    local=192.168.10.0-192.168.10.15, remote=0.0.0.0-255.255.255.255
2012-03-22 12:37:24 0:firewall2:3:90: no matching phase2 found
2012-03-22 12:37:24 0:firewall2:3::90: failed to get responder proposal
2012-03-22 12:37:24 firewall2: Responder: parsed 3.3.3.1 quick mode message #1 (ERROR)
2012-03-22 12:37:24 0:firewall2:3: error processing quick-mode msg from 3.3.3.1 as responder
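To make the mirror rule concrete, here is an added example (Python; not code from the original post and not a Fortinet tool): it parses the responder's "peer proposal is:" line and checks it against our own phase2 selectors, the way the responder does before printing "matched phase2" or "specified selectors mismatch". The function and variable names (parse_peer_proposal, compare, FIREWALL1_PH2) are the example's own; the sample lines are taken from the debug output above and firewall1's src-subnet from its configuration.

```python
"""Mirror check for IKEv1 quick mode selectors on a FortiGate.

Added example, not code from the original post. The responder prints the
initiator's 'peer proposal is: peer:A-B, me:C-D' line: 'peer' is the network
the remote side protects, 'me' is the network it expects on our side. For
'matched phase2' that must be the mirror image of our own phase2: 'me' equal
to our src-subnet and 'peer' equal to our dst-subnet (0.0.0.0/0 when unset).
"""
import ipaddress
import re

PROPOSAL_RE = re.compile(r"peer:([\d.]+)-([\d.]+), me:([\d.]+)-([\d.]+)")


def range_to_networks(first, last):
    """192.168.10.0-192.168.10.15 -> {192.168.10.0/28}; 0.0.0.0-255.255.255.255 -> {0.0.0.0/0}."""
    return frozenset(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def fortigate_subnet(text):
    """Accept the CLI value form used by 'set src-subnet 192.168.10.0 255.255.255.240'."""
    addr, mask = text.split()
    return frozenset({ipaddress.ip_network(f"{addr}/{mask}")})


def local_phase2(src_subnet="0.0.0.0 0.0.0.0", dst_subnet="0.0.0.0 0.0.0.0"):
    """Our phase2-interface selectors; an unset subnet means 0.0.0.0/0."""
    return fortigate_subnet(src_subnet), fortigate_subnet(dst_subnet)


def parse_peer_proposal(line):
    """Return (peer_networks, me_networks) from a responder 'peer proposal is:' line."""
    m = PROPOSAL_RE.search(line)
    if m is None:
        raise ValueError("not a 'peer proposal is:' debug line")
    return (range_to_networks(m.group(1), m.group(2)),
            range_to_networks(m.group(3), m.group(4)))


def compare(local, proposal):
    """Which halves mirror: 'me' against our src-subnet, 'peer' against our dst-subnet."""
    our_src, our_dst = local
    peer_side, me_side = proposal
    return {"our_side_ok": me_side == our_src, "their_side_ok": peer_side == our_dst}


def selectors_match(local, proposal):
    """True exactly when the responder would log 'matched phase2'."""
    return all(compare(local, proposal).values())


# Sample input: firewall1's phase2 from the configuration above, and the two
# 'peer proposal is:' lines from the matching and the mismatching responder debug.
FIREWALL1_PH2 = local_phase2(src_subnet="192.168.10.0 255.255.255.240")
GOOD_LINE = ("2012-03-22 02:52:39 0:firewall2:361:7146: peer proposal is: "
             "peer:0.0.0.0-255.255.255.255, me:192.168.10.0-192.168.10.15, ports=0/0, protocol=0/0")
BAD_LINE = ("2012-03-22 12:37:24 0:firewall2:3:90: peer proposal is: "
            "peer:0.0.0.0-255.255.255.255, me:192.168.11.0-192.168.11.15, ports=0/0, protocol=0/0")

if __name__ == "__main__":
    for line in (GOOD_LINE, BAD_LINE):
        # The mismatching line reports our_side_ok=False: the peer expects
        # 192.168.11.0/28 on our end, but our src-subnet is 192.168.10.0/28.
        print(compare(FIREWALL1_PH2, parse_peer_proposal(line)))
```

The "our_side_ok"/"their_side_ok" split tells you which peer's phase2 has to change: in the mismatch above only the "me" half differs, so it is the remote peer's dst-subnet (192.168.11.0/28 instead of 192.168.10.0/28) that has to be corrected, not our src-subnet.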

Wrong pre-shared key debug:

The debug is not very talkative about pre-shared key problems: all we get is a "parse error" on main mode message #3 (with different keys the peers derive different keying material, so the first encrypted message cannot be decrypted and parsed). The event logs are better in this case.

2012-03-22 12:45:51 0: exchange=Identity Protection id=f894aec7b60cd50d/dd68f0cd443b3ff2 len=108
2012-03-22 12:45:51 0:firewall2:22: responder: main mode get 3rd message...
2012-03-22 12:45:51 0:firewall2:22: parse error
2012-03-22 12:45:51 firewall2: Responder: pars2012-03-22 12:45:51 0:firewall2: link fail 5 6.6.6.2->3.3.3.1:500 dpd=2
2012-03-22012-03-22 12:45:51 0:firewall2:21: sent IKE msg (P1_RETRANSMIT): 6.6.6.2:500->3.3.3.1:500, len=292
2012-03-22 12:45:52 0:firewall2:22: sent IKE msg (P1_RETRANSMIT): 6.6.6.2:500->3.3.3.1:500, len=292
2012-03-22 12:45:52 0: comes 3.3.3.1:500->6.6.6.2:500,ifindex=5....
2012-03-22 12:45:52 0: exchange=Identity Protection id=f894aec7b60cd50d/dd68f0cd443b3ff2 len=108
2012-03-22 12:45:52 0: found firewall2 6.6.6.2 5 -> 3.3.3.1:500
2012-03-22 12:45:52 0:firewall2:22: responder: main mode get 3rd message...
2012-03-22 12:45:52 0:firewall2:22: parse error
2012-03-22 12:45:52 firewall2: Responder: parsed 3.3.3.1 main mode message #3 (ERROR)
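As an added example (Python; not part of the original post and not a Fortinet tool), the following script summarises a capture of the ike debug across the scenarios shown on this page: it pairs DPD probes with their ACKs, counts phase 1 and phase 2 retransmits, records installed SPIs and flags the selector mismatch and the main mode message #3 parse error. The pattern names and diagnosis strings are the example's own assumptions; the sample lines are copied from the debug output above.

```python
"""Summarise FortiGate 'diagnose debug application ike -1' output.

Added example, not code from the original post: walks the timestamped debug
lines and reports the events a troubleshooter looks for in the sections above
(DPD probes without an ACK, unanswered phase 1, SA deletes, quick-mode
selector mismatches, and the main mode message #3 parse error of a wrong PSK).
"""
import re
from collections import Counter

# Every line starts with 'YYYY-MM-DD HH:MM:SS ' once
# 'diagnose debug console timestamp enable' is set.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")

# Recognised messages; the first matching pattern names the event.
PATTERNS = {
    "dpd_probe": re.compile(r"send DPD probe, seqno (\d+)"),
    "dpd_ack": re.compile(r"notify msg received: R-U-THERE-ACK"),
    "dpd_fail": re.compile(r"DPD fail .* send failure"),
    "p1_retransmit": re.compile(r"sent IKE msg \(P1_RETRANSMIT\)"),
    "p1_established": re.compile(r"ISAKMP SA established"),
    "p2_retransmit": re.compile(r"sent IKE msg \(P2_RETRANSMIT\)"),
    "sa_installed": re.compile(r"installed SA: SPIs=([0-9a-f]+)/([0-9a-f]+)"),
    "sa_delete_recv": re.compile(r"recv IPsec SA delete"),
    "selector_mismatch": re.compile(r"specified selectors mismatch|no matching phase2 found"),
    "psk_suspect": re.compile(r"parsed .* main mode message #3 \(ERROR\)"),
}


def parse_lines(lines):
    """Yield (timestamp, event, regex match) for each recognised debug line."""
    for line in lines:
        m = TS_RE.match(line.strip())
        if not m:
            continue  # untimestamped or interleaved console output
        ts, msg = m.groups()
        for event, pat in PATTERNS.items():
            hit = pat.search(msg)
            if hit:
                yield ts, event, hit
                break


def summarise(lines):
    """Return counts, installed SPI pairs, outstanding DPD probes and diagnoses."""
    counts = Counter()
    outstanding = 0  # DPD probes sent and not yet acknowledged
    spis = []
    for _ts, event, hit in parse_lines(lines):
        counts[event] += 1
        if event == "dpd_probe":
            outstanding += 1
        elif event == "dpd_ack" and outstanding:
            outstanding -= 1
        elif event == "sa_installed":
            spis.append((hit.group(1), hit.group(2)))

    diagnoses = []
    if counts["p1_retransmit"] and not counts["p1_established"]:
        diagnoses.append("phase 1 unanswered: peer unreachable or UDP/500 blocked")
    if counts["psk_suspect"]:
        diagnoses.append("main mode message #3 unparsable: check the pre-shared key")
    if counts["selector_mismatch"]:
        diagnoses.append("phase 2 selectors do not mirror the peer's")
    if counts["p2_retransmit"] and not counts["sa_installed"]:
        diagnoses.append("quick mode unanswered: run the debug on the peer to see its selectors")
    if outstanding:
        diagnoses.append(f"{outstanding} DPD probe(s) without R-U-THERE-ACK")
    if counts["dpd_fail"]:
        diagnoses.append("DPD failed, tunnel was reset")
    return {"counts": dict(counts), "spis": spis,
            "outstanding_dpd": outstanding, "diagnoses": diagnoses}


# Sample input: lines copied from the debug output above, grouped per scenario.
DPD_OK = [
    "2012-03-21 23:55:48 0:firewall2: send DPD probe, seqno 5132",
    "2012-03-21 23:55:48 0:firewall2:256: notify msg received: R-U-THERE-ACK",
]
PEER_SILENT = [
    "2012-03-22 00:30:45 0:firewall2:327: sent IKE msg (P1_RETRANSMIT): 6.6.6.2:500->3.3.3.1:500, len=360",
    "2012-03-22 00:30:49 0:firewall2:327: sent IKE msg (P1_RETRANSMIT): 6.6.6.2:500->3.3.3.1:500, len=360",
    "2012-03-22 00:30:58 0:firewall2: DPD fail 5 6.6.6.2->3.3.3.1:500 send failure, resetting ...",
]
BAD_PSK = [
    "2012-03-22 12:45:52 0:firewall2:22: parse error",
    "2012-03-22 12:45:52 firewall2: Responder: parsed 3.3.3.1 main mode message #3 (ERROR)",
]
TUNNEL_UP = [
    "2012-03-22 12:24:34 0:firewall2:2: ISAKMP SA established",
    "2012-03-22 12:24:36 0:firewall2:2:firewall2-ph2:1: installed SA: SPIs=a88bfa10/2a08ea33",
]

if __name__ == "__main__":
    for name, capture in [("dpd", DPD_OK), ("silent", PEER_SILENT),
                          ("psk", BAD_PSK), ("up", TUNNEL_UP)]:
        print(name, summarise(capture)["diagnoses"])
```

In practice you would feed it the lines saved from the console instead of the embedded samples, e.g. summarise(open("capture.txt")); lines without a timestamp, such as the interleaved fragments in the wrong pre-shared key debug above, are skipped rather than misread.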