Open another SSH connection to the FW CLI. You either have to conference in somebody with access to help you, or use this nifty trick. Now, the problem I've always run up against is getting the tunnel to trigger to open up with traffic running on the link. fgt300C-fw (root) # diagnose debug application ike -1 IKE/Phase2 debugging is where the problem almost always is. To enable debugging output fgt300C-fw (root) # diagnose debug enable To enable debug logging on the console (should be default) do fgt300C-fw (root) # diagnose debug console fgt300C-fw # config vdomĪs the diag commands are only available in the individual VDOMs or from the root VDOM for the system admin. (like in this case), you may have to switch into the root VDOM if youĪre the system admin of the firewall as opposed to a VDOM admin. You don't have to match the set of them exactly, each side just needs a common one to talk.Īfter that all checks out, we need to see what IKE is doing that is failing. Now-a-days, AES256/SHA1 is probably supported across the board, and that is all I ever use. In practice, just pick one that your base client supports and go from there. The reason for the set is to offer many choices. If this a static config, you should use Main mode for Phase1, which is a bit more secure on the initial handshake.įor Phase2, are both sides setup to use PFS? Replay Detection? Dead-peer detection? While most VPN setups include a set of encryption and hash algorithms, you only need one that are the same. In general, if you are supporting a dynamic IP client end, you will have to use Aggressive mode Phase1, so make sure that mode is set for dynamic clients. The first trouble shooting step is to verify your parameters are all correct and matching.įor Phase1, is the end gateway dynamic or static? Fortigate to Fortigate can use both Main and Aggressive modes for dynamic connections, but many other brands can not. Then IKE takes over in Phase2 to negotiate the shared key with periodic key rotation as well as dealing with NAT-T (NAT tunnelling), and all the other "higher-end" parameters. Phase1 is the basic setup and getting the two ends talking. In IKE/IPSec, there are two phases to establish the tunnel. Here are some basic steps to troubleshoot VPNs for FortiGate. I'll show you a method that can be used to initiate traffic from that network as well. The network admin typically doesn't have direct access on the computers on either side of the VPN in order to initiate that traffic. One problem in particular that has always bugged me is that you need access to the end machines involved to initiate traffic across the link. Most of the real debugging happens inside the CLI. The GUI offers not much help, it is either UP or Down. The IKE protocol is "chatty", and negotiates back and forth between the two ends for several rounds. Debugging what is going wrong with a VPN setup is difficult.
0 Comments
Leave a Reply. |