OCVPN troubleshooting

Hub-spoke with inter-overlay source NAT troubleshooting

Primary-Hub # diagnose vpn ocvpn status
Current State        : Registered
Topology             : Dual-Hub-Spoke
Role                 : Primary-Hub
Server Status        : Up
Registration time    : Sat Mar 2 11:31:54 2019
Update time          : Sat Mar 2 13:57:05 2019
Poll time            : Sat Mar 2 14:03:31 2019

Spoke1 # diagnose vpn ocvpn status
Current State        : Registered
Topology             : Dual-Hub-Spoke
Role                 : Spoke
Server Status        : Up
Registration time    : Sat Mar 2 13:58:01 2019
Poll time            : Sat Mar 2 14:04:22 2019

Primary-Hub # diagnose vpn ocvpn show-members
Member: { "sn": "FG900D3915800083", "ip_v4": "172.16.200.4", "port": 500, "slot": 0, "overlay": [ { "id": 0, "name": "QA", "subnets": [ "172.16.101.0\/255.255.255.0" ], "ip_range": "172.16.101.100-172.16.101.200" }, { "id": 1, "name": "PM", "subnets": [ "172.16.102.0\/255.255.255.0" ], "ip_range": "172.16.102.100-172.16.102.200" } ], "name": "Primary-Hub", "topology_role": "primary_hub", "eap": "disable", "auto_discovery": "enable" }
Member: { "sn": "FG100D3G15828488", "ip_v4": "172.16.200.2", "port": 500, "slot": 1, "overlay": [ { "id": 0, "name": "QA", "subnets": [ "172.16.101.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" }, { "id": 1, "name": "PM", "subnets": [ "172.16.102.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" } ], "name": "Secondary-Hub", "topology_role": "secondary_hub", "eap": "disable", "auto_discovery": "enable" }
Member: { "sn": "FGT51E3U16001314", "ip_v4": "172.16.200.3", "port": 500, "slot": 1001, "overlay": [ { "id": 0, "name": "QA", "subnets": [ "192.168.4.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" }, { "id": 1, "name": "PM", "subnets": [ "192.168.5.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" } ], "name": "Spoke2", "topology_role": "spoke" }
Member: { "sn": "FG100D3G15801621", "ip_v4": "172.16.200.1", "port": 500, "slot": 1000, "overlay": [ { "id": 0, "name": "QA", "subnets": [ "10.1.100.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" }, { "id": 1, "name": "PM", "subnets": [ "10.2.100.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" } ], "name": "Spoke1", "topology_role": "spoke" }

Primary-Hub # diagnose vpn ocvpn show-meta
Topology :: auto
License :: full
Members :: 4
Max-free :: 3

Primary-Hub # diagnose vpn ocvpn show-overlays
QA
PM

Spoke1 # diagnose vpn tunnel list

list all ipsec tunnel in vd 0
------------------------------------------------------
name=_OCVPN2-0.0 ver=2 serial=c 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500
bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
proxyid_num=3 child_num=0 refcnt=13 ilast=17 olast=17 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=29
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_OCVPN2-0.0 proto=0 sa=1 ref=2 serial=1 auto-negotiate
  src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=42299/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0
  life: type=01 bytes=0/0 timeout=42899/43200
  dec: spi=0484795d esp=aes key=16 10eeb76fadd49f00c333350d83509095 ah=sha1 key=20 971bde5dcfca7e52fd1573cb3489e9c855f6154e
  enc: spi=dfcffaaa esp=aes key=16 d07a4dd683ee093af2dca9485aa436eb ah=sha1 key=20 65369be35d5ecad8cae63557318419cd6005c230
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
proxyid=_OCVPN2-0.0_nat proto=0 sa=1 ref=2 serial=3 auto-negotiate
  src: 0:172.16.101.101-172.16.101.101:0 dst: 0:0.0.0.0-255.255.255.255:0
  SA: ref=3 options=18627 type=00 soft=0 mtu=1438 expire=42303/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0
  life: type=01 bytes=0/0 timeout=42898/43200
  dec: spi=04847961 esp=aes key=16 ea181036b02e8bc8711fb520b3e98a60 ah=sha1 key=20 b3c449d96d5d3f090975087a62447f6918ce7930
  enc: spi=dfcffaac esp=aes key=16 f7ea5e42e9443698e6b8b32161ace40e ah=sha1 key=20 a7e36dd1ec0bdb6eff0aa66e442707427400c700
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
proxyid=_OCVPN2-0.0_nat proto=0 sa=0 ref=2 serial=2 auto-negotiate
  src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0
------------------------------------------------------
name=_OCVPN2-1.0 ver=2 serial=e 172.16.200.1:0->172.16.200.2:0 dst_mtu=0
bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
proxyid_num=2 child_num=0 refcnt=10 ilast=599 olast=599 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_OCVPN2-1.0 proto=0 sa=0 ref=2 serial=1 auto-negotiate
  src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0
proxyid=_OCVPN2-1.0_nat proto=0 sa=0 ref=2 serial=2 auto-negotiate
  src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0
------------------------------------------------------
name=_OCVPN2-0.1 ver=2 serial=b 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500
bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
proxyid_num=3 child_num=0 refcnt=13 ilast=17 olast=17 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=29
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_OCVPN2-0.1 proto=0 sa=1 ref=2 serial=1 auto-negotiate
  src: 0:10.2.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=42297/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0
  life: type=01 bytes=0/0 timeout=42897/43200
  dec: spi=0484795e esp=aes key=16 106eaa95a2be64b566e7d1ca0aa88f6a ah=sha1 key=20 5dddfba7070b03d5a31931d41db06ff96e7bc542
  enc: spi=dfcffaab esp=aes key=16 29c774dbd7e54464ee298c381e71a94e ah=sha1 key=20 c3da7372789c0a53b3752e69baaba1a42d798820
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
proxyid=_OCVPN2-0.1_nat proto=0 sa=1 ref=2 serial=3 auto-negotiate
  src: 0:172.16.102.101-172.16.102.101:0 dst: 0:0.0.0.0-255.255.255.255:0
  SA: ref=3 options=18627 type=00 soft=0 mtu=1438 expire=42307/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0
  life: type=01 bytes=0/0 timeout=42902/43200
  dec: spi=04847962 esp=aes key=16 b7daa5807cfa86906592a012a9d2478f ah=sha1 key=20 39c8bb4c9e3f1e9e451f22c58a172ff01155055d
  enc: spi=dfcffaad esp=aes key=16 2ecc644def4cebe6b0c4b7729da43d8e ah=sha1 key=20 469c6f319e83bd73468f55d430566afcd6215138
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
proxyid=_OCVPN2-0.1_nat proto=0 sa=0 ref=2 serial=2 auto-negotiate
  src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0
------------------------------------------------------
name=_OCVPN2-1.1 ver=2 serial=d 172.16.200.1:0->172.16.200.2:0 dst_mtu=0
bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
proxyid_num=2 child_num=0 refcnt=10 ilast=599 olast=599 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_OCVPN2-1.1 proto=0 sa=0 ref=2 serial=1 auto-negotiate
  src: 0:10.2.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0
proxyid=_OCVPN2-1.1_nat proto=0 sa=0 ref=2 serial=2 auto-negotiate
  src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0
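When troubleshooting inter-overlay source NAT, the two outputs above have to agree: each spoke's `_OCVPN2-x.y_nat` proxyid that has a live SA should carry a single source address taken from the `ip_range` the hub advertises for that overlay in `show-members`. The script below is an added example, not code from this page or from Fortinet. It parses pasted copies of both outputs (the inputs embedded here are constructed from the values shown above, and the tunnel list is trimmed to the name/proxyid/src lines) and reports, per tunnel, whether the negotiated NAT source sits inside the hub's range. It assumes, from the output rather than from any documented rule, that a tunnel named `_OCVPN2-<hub>.<overlay>` ends in the overlay id and that its remote gateway is the `ip_v4` of a hub member; NAT proxyids with `sa=0` (the secondary-hub tunnels here) are skipped because no address has been negotiated yet.

```python
"""Cross-check a spoke's OCVPN inter-overlay NAT sources against the hub's ip_range.
Added example (not from the page or Fortinet); reads copied CLI output only."""
import ipaddress
import json
import re

# Constructed input: the two hub entries from `diagnose vpn ocvpn show-members`.
SHOW_MEMBERS = r"""
Member: { "sn": "FG900D3915800083", "ip_v4": "172.16.200.4", "port": 500, "slot": 0, "overlay": [ { "id": 0, "name": "QA", "subnets": [ "172.16.101.0\/255.255.255.0" ], "ip_range": "172.16.101.100-172.16.101.200" }, { "id": 1, "name": "PM", "subnets": [ "172.16.102.0\/255.255.255.0" ], "ip_range": "172.16.102.100-172.16.102.200" } ], "name": "Primary-Hub", "topology_role": "primary_hub", "eap": "disable", "auto_discovery": "enable" }
Member: { "sn": "FG100D3G15828488", "ip_v4": "172.16.200.2", "port": 500, "slot": 1, "overlay": [ { "id": 0, "name": "QA", "subnets": [ "172.16.101.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" }, { "id": 1, "name": "PM", "subnets": [ "172.16.102.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" } ], "name": "Secondary-Hub", "topology_role": "secondary_hub", "eap": "disable", "auto_discovery": "enable" }
"""

# Constructed input: name/proxyid/src lines from the spoke's `diagnose vpn tunnel list`.
TUNNEL_LIST = """\
name=_OCVPN2-0.0 ver=2 serial=c 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500
proxyid=_OCVPN2-0.0 proto=0 sa=1 ref=2 serial=1 auto-negotiate
src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0
proxyid=_OCVPN2-0.0_nat proto=0 sa=1 ref=2 serial=3 auto-negotiate
src: 0:172.16.101.101-172.16.101.101:0 dst: 0:0.0.0.0-255.255.255.255:0
proxyid=_OCVPN2-0.0_nat proto=0 sa=0 ref=2 serial=2 auto-negotiate
src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0
name=_OCVPN2-1.0 ver=2 serial=e 172.16.200.1:0->172.16.200.2:0 dst_mtu=0
proxyid=_OCVPN2-1.0 proto=0 sa=0 ref=2 serial=1 auto-negotiate
src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0
proxyid=_OCVPN2-1.0_nat proto=0 sa=0 ref=2 serial=2 auto-negotiate
src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0
name=_OCVPN2-0.1 ver=2 serial=b 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500
proxyid=_OCVPN2-0.1 proto=0 sa=1 ref=2 serial=1 auto-negotiate
src: 0:10.2.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0
proxyid=_OCVPN2-0.1_nat proto=0 sa=1 ref=2 serial=3 auto-negotiate
src: 0:172.16.102.101-172.16.102.101:0 dst: 0:0.0.0.0-255.255.255.255:0
proxyid=_OCVPN2-0.1_nat proto=0 sa=0 ref=2 serial=2 auto-negotiate
src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0
"""

NAME_RE = re.compile(r"^name=(\S+) .* ([\d.]+):\d+->([\d.]+):\d+")   # tunnel, local, remote
PROXY_RE = re.compile(r"proxyid=(\S+) proto=\d+ sa=(\d+)")            # proxyid, SA count
RANGE_RE = re.compile(r"^src: \d+:([\d.]+)-([\d.]+):\d+")              # only range-form src lines


def parse_members(text):
    """Return the member dicts; curly quotes from a pasted copy are normalised first."""
    members = []
    for line in text.splitlines():
        if line.startswith("Member:"):
            body = line[len("Member:"):].strip()
            body = body.replace("\u201c", '"').replace("\u201d", '"')
            members.append(json.loads(body))          # json accepts the "\/" escape
    return members


def parse_nat_sources(text):
    """Map tunnel name -> (remote_gw, overlay_id, nat_src) for every *_nat proxyid
    that has a negotiated SA (sa != 0) and a single-host source range."""
    found, tunnel, remote, live_nat = {}, None, None, False
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            tunnel, remote = m.group(1), m.group(3)
            continue
        m = PROXY_RE.search(line)
        if m:
            live_nat = m.group(1).endswith("_nat") and m.group(2) != "0"
            continue
        m = RANGE_RE.match(line)
        if m and live_nat and m.group(1) == m.group(2):
            overlay_id = int(tunnel.rsplit(".", 1)[1])   # assumed naming: _OCVPN2-<hub>.<overlay>
            found[tunnel] = (remote, overlay_id, m.group(1))
            live_nat = False
    return found


def check_nat_sources(members_text, tunnel_text):
    """Return {tunnel: (overlay_name, nat_src, in_range)}; in_range is None when
    the remote gateway or overlay id cannot be matched to a hub member."""
    hubs = {m["ip_v4"]: m for m in parse_members(members_text)}
    report = {}
    for tunnel, (remote, overlay_id, src) in parse_nat_sources(tunnel_text).items():
        hub = hubs.get(remote)
        overlay = None
        if hub:
            overlay = next((o for o in hub["overlay"] if o["id"] == overlay_id), None)
        if overlay is None:
            report[tunnel] = (None, src, None)
            continue
        lo, hi = (ipaddress.ip_address(a) for a in overlay["ip_range"].split("-"))
        report[tunnel] = (overlay["name"], src, lo <= ipaddress.ip_address(src) <= hi)
    return report


if __name__ == "__main__":
    for tunnel, (name, src, ok) in check_nat_sources(SHOW_MEMBERS, TUNNEL_LIST).items():
        print(f"{tunnel}: overlay={name} nat_src={src} in_hub_range={ok}")
```

On the output shown on this page the check passes for both primary-hub tunnels (172.16.101.101 in the QA range, 172.16.102.101 in the PM range); a NAT source outside the advertised range, or a range of 0.0.0.0-0.0.0.0 on the hub while a spoke shows a negotiated NAT SA, is the mismatch to look for when inter-overlay traffic is dropped.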

Spoke1 # get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*     0.0.0.0/0 [10/0] via 172.16.200.254, port1
C      10.1.100.0/24 is directly connected, dmz
C      10.2.100.0/24 is directly connected, loop
C      11.101.1.0/24 is directly connected, wan1
C      11.102.1.0/24 is directly connected, wan2
S      172.16.101.0/24 [20/0] is directly connected, _OCVPN2-0.1
C      172.16.101.101/32 is directly connected, _OCVPN2-0.1
C      172.16.200.0/24 is directly connected, port1
S      172.16.102.0/24 [20/0] is directly connected, _OCVPN2-0.0
C      172.16.102.101/32 is directly connected, _OCVPN2-0.0
S      192.168.4.0/24 [20/0] is directly connected, _OCVPN2-0.0
S      192.168.5.0/24 [20/0] is directly connected, _OCVPN2-0.1

Spoke1 # show firewall policy

    ..........
    edit 9
        set name "_OCVPN2-1.1_nat"
        set uuid 3f7a84b8-3d36-51e9-ee97-8f418c91e666
        set srcintf "any"
        set dstintf "_OCVPN2-1.1"
        set srcaddr "all"
        set dstaddr "_OCVPN2-1.1_remote_networks"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "Generated by OCVPN Cloud Service."
        set nat enable
    next
    edit 12
        set name "_OCVPN2-1.0_nat"
        set uuid 3fafec98-3d36-51e9-80c0-5d99325bad83
        set srcintf "any"
        set dstintf "_OCVPN2-1.0"
        set srcaddr "all"
        set dstaddr "_OCVPN2-1.0_remote_networks"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "Generated by OCVPN Cloud Service."
        set nat enable
    next
    ..........

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
