IPsec related diagnose command

This document provides IPsec related diagnose commands.

1. Daemon IKE summary information list: diagnose vpn ike status

connection: 2/50

IKE SA: created 2/51 established 2/9 times 0/13/40 ms

IPsec SA: created 1/13 established 1/7 times 0/8/30 ms

2. IPsec phase1 interface status: diagnose vpn ike gateway list

vd: root/0 name: tofgtc version: 1 interface: port13 42

addr: 173.1.1.1:500 -> 172.16.200.3:500

created: 4313s ago

IKE SA: created 1/1 established 1/1 time 10/10/10 ms

IPsec SA: created 0/0

id/spi: 92 5639f7f8a5dc54c0/809a6c9bbd266a4b direction: initiator

status: established 4313-4313s ago = 10ms proposal: aes128-sha256

key: 74aa3d63d88e10ea-8a1c73b296b06578 lifetime/rekey: 86400/81786

DPD sent/recv: 00000000/00000000

vd: root/0 name: to_HQ version: 1 interface: port13 42

addr: 173.1.1.1:500 -> 11.101.1.1:500 created: 1013s ago assigned IPv4 address: 11.11.11.1/255.255.255.252

IKE SA: created 1/1 established 1/1 time 0/0/0 ms

IPsec SA: created 1/1 established 1/1 time 0/0/0 ms

id/spi: 95 255791bd30c749f4/c2505db65210258b direction: initiator

status: established 1013-1013s ago = 0ms proposal: aes128-sha256

key: bb101b9127ed5844-1582fd614d5a8a33 lifetime/rekey: 86400/85086 DPD sent/recv: 00000000/00000010

3. IPsec phase2 tunnel status: diagnose vpn tunnel list

list all ipsec tunnel in vd 0

—-

nname=L2tpoIPsec ver=1 serial=6 172.16.200.4:0->0.0.0.0:0

bound_if=4 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/24 options[0018]=npu create_ dev

proxyid_num=0 child_num=0 refcnt=10 ilast=13544 olast=13544 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 run_tally=0 —-

name=to_HQ ver=1 serial=7 173.1.1.1:0->11.101.1.1:0

bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu proxyid_num=1 child_num=0 refcnt=13 ilast=10 olast=1112 ad=/0 stat: rxp=1 txp=4 rxb=152 txb=336

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=5 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=to_HQ proto=0 sa=1 ref=2 serial=1

src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=6 options=10226 type=00 soft=0 mtu=1438 expire=41773/0B replaywin=2048 seqno=5 esn=0 replaywin_lastseq=00000002 itn=0

life: type=01 bytes=0/0 timeout=42900/43200

dec: spi=ca64644a esp=aes key=16 6cc873fdef91337a6cf9b6948972c90f ah=sha1 key=20 e576dbe3ff92605931e5670ad57763c50c7dc73a

enc: spi=747c10c8 esp=aes key=16 5060ad8d0da6824204e3596c0bd762f4 ah=sha1 key=20 52965cbd5b6ad95212fc825929d26c0401948abe

dec:pkts/bytes=1/84, enc:pkts/bytes=4/608

npu_flag=03 npu_rgwy=11.101.1.1 npu_lgwy=173.1.1.1 npu_selid=5 dec_npuid=2 enc_npuid=2

4. Packets encrypted/decrypted counter: diagnose vpn ipsec status

All ipsec crypto devices in use: NP6_0:

Encryption (encrypted/decrypted)
null             : 0	1.
des              : 0	1.
3des             : 0	1.
aes              : 0	1.
aes-gcm          : 0	1.
aria             : 0	1.
seed             : 0	1.
chacha20poly1305 : 0 Integrity (generated/validated)	1.
null             : 0	1.
md5              : 0	1.
sha1             : 0	1.
sha256           : 0	1.
sha384           : 0	1.
sha512           : 0	1.

NP6_1:

Encryption (encrypted/decrypted)
null             : 0	1.
des              : 0	1.
3des             : 0	1.
aes              : 337152	46069
aes-gcm          : 0	1.
aria             : 0	1.
seed             : 0	1.
chacha20poly1305 : 0 Integrity (generated/validated)	1.
null             : 0	1.
md5              : 0	1.
sha1             : 337152	46069
sha256           : 0	1.
sha384           : 0	1.
sha512           : 0 NPU Host Offloading: Encryption (encrypted/decrypted)	1.
null             : 0	1.
des              : 0	1.
3des             : 0	1.
aes              : 38	1.
aes-gcm          : 0	1.
aria             : 0	1.
seed             : 0	1.
chacha20poly1305 : 0 Integrity (generated/validated)	1.
null             : 0	1.
md5              : 0	1.
sha1             : 38	1.
sha256           : 0	1.
sha384           : 0	1.
sha512           : 0 CP8: Encryption (encrypted/decrypted)	1.
null             : 0	1.
des              : 0	1.
3des             : 1337	1582
aes              : 71	11426
aes-gcm          : 0	1.
aria             : 0	1.
seed             : 0	1.
chacha20poly1305 : 0 Integrity (generated/validated)	1.
null             : 0	1.
md5              : 48	28
sha1             : 1360	12980
sha256           : 0	1.
sha384           : 0	1.
sha512           : 0	1.

SOFTWARE:

Encryption (encrypted/decrypted)

null             : 0	1.
des              : 0	1.
3des             : 0	1.
aes              : 0	1.
aes-gcm          : 0	1.
aria             : 0	1.
seed             : 0	1.
chacha20poly1305 : 0 Integrity (generated/validated)	1.
null             : 0	1.
md5              : 0	1.
sha1             : 0	1.
sha256           : 0	1.
sha384           : 0	1.
sha512           : 0	1.

5. diagnose debug application ike -1 l diagnose vpn ike log-filter dst-addr4 11.101.1.1 l diagnose vpn ike log-filter src-addr4 173.1.1.1

# ike 0:to_HQ:101: initiator: aggressive mode is sending 1st message… ike 0:to_HQ:101: cookie dff03f1d4820222a/0000000000000000

ike 0:to_HQ:101: sent IKE msg (agg_i1send): 173.1.1.1:500->11.101.1.1:500, len=912, id=dff03f1d4820222a/0000000000000000 ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42…. ike 0: IKEv1 exchange=Aggressive id=dff03f1d4820222a/6c2caf4dcf5bab75 len=624 ike 0:to_HQ:101: initiator: aggressive mode get 1st response… ike 0:to_HQ:101: VID RFC 3947 4A131C81070358455C5728F20E95452F ike 0:to_HQ:101: VID DPD AFCAD71368A1F1C96B8696FC77570100 ike 0:to_HQ:101: DPD negotiated

ike 0:to_HQ:101: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712 ike 0:to_HQ:101: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0204 ike 0:to_HQ:101: peer supports UNITY

ike 0:to_HQ:101: VID FORTIGATE 8299031757A36082C6A621DE00000000 ike 0:to_HQ:101: peer is [[QualityAssurance62/FortiGate]]/FortiOS (v0 b0) ike 0:to_HQ:101: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3 ike 0:to_HQ:101: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000 ike 0:to_HQ:101: peer identifier IPV4_ADDR 11.101.1.1 ike 0:to_HQ:101: negotiation result ike 0:to_HQ:101: proposal id = 1: ike 0:to_HQ:101: protocol id = ISAKMP: ike 0:to_HQ:101: trans_id = KEY_IKE. ike 0:to_HQ:101: encapsulation = IKE/none ike 0:to_HQ:101:      type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128 ike 0:to_HQ:101:      type=OAKLEY_HASH_ALG, val=SHA2_256.

ike 0:to_HQ:101:    type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I. ike 0:to_HQ:101: type=OAKLEY_GROUP, val=MODP2048.

ike 0:to_HQ:101: ISAKMP SA lifetime=86400 ike 0:to_HQ:101: received NAT-D payload type 20 ike 0:to_HQ:101: received NAT-D payload type 20 ike 0:to_HQ:101: selected NAT-T version: RFC 3947 ike 0:to_HQ:101: NAT not detected

ike 0:to_HQ:101: ISAKMP SA dff03f1d4820222a/6c2caf4dcf5bab75 key

16:D81CAE6B2500435BFF195491E80148F3 ike 0:to_HQ:101: PSK authentication succeeded ike 0:to_HQ:101: authentication OK

ike 0:to_HQ:101: add INITIAL-CONTACT

ike 0:to_HQ:101: sent IKE msg (agg_i2send): 173.1.1.1:500->11.101.1.1:500, len=172, id=dff03f1d4820222a/6c2caf4dcf5bab75 ike 0:to_HQ:101: established IKE SA dff03f1d4820222a/6c2caf4dcf5bab75 ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42…. ike 0: IKEv1 exchange=Mode config id=dff03f1d4820222a/6c2caf4dcf5bab75:97d88fb4 len=92 ike 0:to_HQ:101: mode-cfg type 16521 request 0: ike 0:to_HQ:101: mode-cfg type 16522 request 0: ike 0:to_HQ:101: sent IKE msg (cfg_send): 173.1.1.1:500->11.101.1.1:500, len=108, id=dff03f1d4820222a/6c2caf4dcf5bab75:97d88fb4 ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42…. ike 0: IKEv1 exchange=Mode config id=dff03f1d4820222a/6c2caf4dcf5bab75:3724f295 len=92 ike 0:to_HQ:101: sent IKE msg (cfg_send): 173.1.1.1:500->11.101.1.1:500, len=92, id=dff03f1d4820222a/6c2caf4dcf5bab75:3724f295 ike 0:to_HQ:101: initiating mode-cfg pull from peer ike 0:to_HQ:101: mode-cfg request APPLICATION_VERSION ike 0:to_HQ:101: mode-cfg request INTERNAL_IP4_ADDRESS ike 0:to_HQ:101: mode-cfg request INTERNAL_IP4_NETMASK ike 0:to_HQ:101: mode-cfg request UNITY_SPLIT_INCLUDE ike 0:to_HQ:101: mode-cfg request UNITY_PFS

ike 0:to_HQ:101: sent IKE msg (cfg_send): 173.1.1.1:500->11.101.1.1:500, len=140, id=dff03f1d4820222a/6c2caf4dcf5bab75:3bca961f ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42…. ike 0: IKEv1 exchange=Mode config id=dff03f1d4820222a/6c2caf4dcf5bab75:3bca961f len=172 ike 0:to_HQ:101: mode-cfg type 1 response 4:0B0B0B01 ike 0:to_HQ:101: mode-cfg received INTERNAL_IP4_ADDRESS 11.11.11.1 ike 0:to_HQ:101: mode-cfg type 2 response 4:FFFFFFFC

ike 0:to_HQ:101: mode-cfg received INTERNAL_IP4_NETMASK 255.255.255.252 ike 0:to_HQ:101: mode-cfg received UNITY_PFS 1 ike 0:to_HQ:101: mode-cfg type 28676 response

28:0A016400FFFFFF000000000000000A016500FFFFFF00000000000000

ike 0:to_HQ:101: mode-cfg received UNITY_SPLIT_INCLUDE 0 10.1.100.0/255.255.255.0:0 local port 0

ike 0:to_HQ:101: mode-cfg received UNITY_SPLIT_INCLUDE 0 10.1.101.0/255.255.255.0:0 local port 0

ike 0:to_HQ:101: mode-cfg received APPLICATION_VERSION ‘FortiGate-100D v6.0.3,build0200,181009 (GA)’

ike 0:to_HQ: mode-cfg add 11.11.11.1/255.255.255.252 to ‘to_HQ’/58 ike 0:to_HQ: set oper up ike 0:to_HQ: schedule auto-negotiate ike 0:to_HQ:101: no pending Quick-Mode negotiations

ike shrank heap by 159744 bytes

ike 0:to_HQ:to_HQ: IPsec SA connect 42 173.1.1.1->11.101.1.1:0 ike 0:to_HQ:to_HQ: using existing connection

# ike 0:to_HQ:to_HQ: config found

ike 0:to_HQ:to_HQ: IPsec SA connect 42 173.1.1.1->11.101.1.1:500 negotiating ike 0:to_HQ:101: cookie dff03f1d4820222a/6c2caf4dcf5bab75:32f4cc01 ike 0:to_HQ:101:to_HQ:259: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0-

>0:0.0.0.0/0.0.0.0:0:0

ike 0:to_HQ:101: sent IKE msg (quick_i1send): 173.1.1.1:500->11.101.1.1:500, len=620, id=dff03f1d4820222a/6c2caf4dcf5bab75:32f4cc01 ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42…. ike 0: IKEv1 exchange=Quick id=dff03f1d4820222a/6c2caf4dcf5bab75:32f4cc01 len=444 ike 0:to_HQ:101:to_HQ:259: responder selectors 0:0.0.0.0/0.0.0.0:0->0:0.0.0.0/0.0.0.0:0 ike 0:to_HQ:101:to_HQ:259: my proposal: ike 0:to_HQ:101:to_HQ:259: proposal id = 1:

ike 0:to_HQ:101:to_HQ:259:	protocol id = IPSEC_ESP:
ike 0:to_HQ:101:to_HQ:259:	PFS DH group = 14
ike 0:to_HQ:101:to_HQ:259:	trans_id = ESP_AES_CBC (key_len = 128)
ike 0:to_HQ:101:to_HQ:259:	encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259:	type = AUTH_ALG, val=SHA1
ike 0:to_HQ:101:to_HQ:259:	trans_id = ESP_AES_CBC (key_len = 256)
ike 0:to_HQ:101:to_HQ:259:	encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259:	type = AUTH_ALG, val=SHA1
ike 0:to_HQ:101:to_HQ:259:	trans_id = ESP_AES_CBC (key_len = 128)
ike 0:to_HQ:101:to_HQ:259:	encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259:	type = AUTH_ALG, val=SHA2_256
ike 0:to_HQ:101:to_HQ:259:	trans_id = ESP_AES_CBC (key_len = 256)
ike 0:to_HQ:101:to_HQ:259:	encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259:	type = AUTH_ALG, val=SHA2_256
ike 0:to_HQ:101:to_HQ:259:	trans_id = ESP_AES_GCM_16 (key_len = 128)
ike 0:to_HQ:101:to_HQ:259:	encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259:	type = AUTH_ALG, val=NULL
ike 0:to_HQ:101:to_HQ:259:	trans_id = ESP_AES_GCM_16 (key_len = 256)
ike 0:to_HQ:101:to_HQ:259:	encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259:	type = AUTH_ALG, val=NULL
ike 0:to_HQ:101:to_HQ:259:	trans_id = ESP_CHACHA20_POLY1305 (key_len = 256)
ike 0:to_HQ:101:to_HQ:259:	encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259:	type = AUTH_ALG, val=NULL
ike 0:to_HQ:101:to_HQ:259: incoming proposal: ike 0:to_HQ:101:to_HQ:259: proposal id = 1: ike 0:to_HQ:101:to_HQ:259: protocol id = IPSEC_ESP: ike 0:to_HQ:101:to_HQ:259: PFS DH group = 14 ike 0:to_HQ:101:to_HQ:259: trans_id = ESP_AES_CBC (key_len = 128) ike 0:to_HQ:101:to_HQ:259:     encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:to_HQ:101:to_HQ:259:        type = AUTH_ALG, val=SHA1 ike 0:to_HQ: schedule auto-negotiate ike 0:to_HQ:101:to_HQ:259: replay protection enabled ike 0:to_HQ:101:to_HQ:259: SA life soft seconds=42902. ike 0:to_HQ:101:to_HQ:259: SA life hard seconds=43200. ike 0:to_HQ:101:to_HQ:259: IPsec SA selectors #src=1 #dst=1 ike 0:to_HQ:101:to_HQ:259: src 0 4 0:0.0.0.0/0.0.0.0:0 ike 0:to_HQ:101:to_HQ:259: dst 0 4 0:0.0.0.0/0.0.0.0:0 ike 0:to_HQ:101:to_HQ:259: add IPsec SA: SPIs=ca64644b/747c10c9 ike 0:to_HQ:101:to_HQ:259: IPsec SA dec spi ca64644b key

16:D5C60F1A3951B288CE4DEC7E04D2119D auth 20:F872A7A26964208A9AA368A31AEFA3DB3F3780BC ike 0:to_HQ:101:to_HQ:259: IPsec SA enc spi 747c10c9 key

16:97952E1594F718128D9D7B09400856EA auth 20:4D5E5BC45A9D5A9A4631E911932F5650A4639A37 ike 0:to_HQ:101:to_HQ:259: added IPsec SA: SPIs=ca64644b/747c10c9 ike 0:to_HQ:101:to_HQ:259: sending SNMP tunnel UP trap

ike 0:to_HQ:101: sent IKE msg (quick_i2send): 173.1.1.1:500->11.101.1.1:500, len=76, id=dff03f1d4820222a/6c2caf4dcf5bab75:32f4cc01

Understanding VPN related logs

This document provides some IPsec log samples:

IPsec phase1 negotiating

logid=”0101037127″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544132571 logdesc=”Progress IPsec phase 1″ msg=”progress IPsec phase 1″ action=”negotiate” remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf=”port13″ cook-

ies=”e41eeecb2c92b337/0000000000000000″ user=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=N/A vpntunnel=”to_HQ” status=”success” init=”local” mode=”aggressive” dir=”outbound” stage=1 role=”initiator” result=”OK” IPsec phase1 negotiated

logid=”0101037127″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544132571 logdesc=”Progress IPsec phase 1″ msg=”progress IPsec phase 1″ action=”negotiate” remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf=”port13″ cook-

ies=”e41eeecb2c92b337/1230131a28eb4e73″ user=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=N/A vpntunnel=”to_HQ” status=”success” init=”local” mode=”aggressive” dir=”outbound” stage=2 role=”initiator” result=”DONE”

 

IPsec phase1 tunnel up

logid=”0101037138″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544132604 logdesc=”IPsec connection status changed” msg=”IPsec connection status change” action=”tunnelup” remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf=”port13″ cookies=”5b1c59fab2029e43/bf517e686d3943d2″ user=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=11.11.11.1 vpntunnel=”to_HQ” tunnelip=N/A tunnelid=1530910918 tunneltype=”ipsec” duration=0 sentbyte=0 rcvdbyte=0 nextstat=0 IPsec phase2 negotiate

logid=”0101037129″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544132604 logdesc=”Progress IPsec phase 2″ msg=”progress IPsec phase 2″ action=”negotiate” remip=11.101.1.1

locip=173.1.1.1 remport=500 locport=500 outintf=”port13″ cookies=”5b1c59fab2029e43/bf517e686d3943d2″ user=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=11.11.11.1 vpntunnel=”to_HQ” status=”success” init=”local” mode=”quick” dir=”outbound” stage=1 role=”initiator” result=”OK” IPsec phase2 tunnel up

logid=”0101037139″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544132604 logdesc=”IPsec phase 2 status changed” msg=”IPsec phase 2 status change” action=”phase2-up” remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf=”port13″ cookies=”5b1c59fab2029e43/bf517e686d3943d2″ user=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=11.11.11.1 vpntunnel=”to_HQ”

phase2_name=”to_HQ” IPsec phase2 sa install

logid=”0101037133″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544132604 logdesc=”IPsec SA installed” msg=”install IPsec SA” action=”install_sa” remip=11.101.1.1 locipp=173.1.1.1 remport=500 locport=500 outintf=”port13″ cookies=”5b1c59fab2029e43/bf517e686d3943d2″ userr=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=11.11.11.1 vpntunnel=”to_HQ” role=”initiator” in_spi=”ca646448″ out_spi=”747c10c6″ IPsec tunnel statistics

logid=”0101037141″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544131118 logdesc=”IPsec tunnel statistics” msg=”IPsec tunnel statistics” action=”tunnel-stats” remip=10.1.100.15 locip=172.16.200.4 remport=500 locport=500 outintf=”mgmt1″ cookies=”3539884dbd8f3567/c32e4c1beca91b36″ user=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=N/A vpntunnel=”L2tpoIPsec_ 0″ tunnelip=10.1.100.15 tunnelid=1530910802 tunneltype=”ipsec” duration=6231 sentbyte=57343 rcvdbyte=142640 nextstat=60 IPsec phase2 tunnel down

logid=”0101037138″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544132571 logdesc=”IPsec connection status changed” msg=”IPsec connection status change” action=”tunneldown” remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf=”port13″ cookies=”30820aa390687e39/886e72bf5461fb8d” user=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=11.11.11.1 vpntunnel=”to_HQ” tunnelip=N/A tunnelid=1530910786 tunneltype=”ipsec” duration=6425 sentbyte=504 rcvdbyte=152 nextstat=0 IPsec phase1 sa deleted

logid=”0101037134″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544132571 logdesc=”IPsec phase 1 SA deleted” msg=”delete IPsec phase 1 SA” action=”delete_phase1_sa” remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf=”port13″ cookies=”30820aa390687e39/886e72bf5461fb8d” user=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=11.11.11.1 vpntunnel=”to_HQ”

IPsec VPN authenticating a remote FortiGate peer with a certificate

This recipe provides sample configuration of IPsec VPN authenticating a remote FortiGate peer with a certificate. The certificate on one peer is validated by the presence of the CA certificate installed on the other peer.

The following shows the sample network topology for this recipe:

You can configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key using the FortiOSGUI or CLI.

To configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key on the FortiOS GUI:

1. Import the certificate. 2. Configure user peers.
2. Configure the HQ1 FortiGate:
3. In FortiOS, go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
   1. Enter a proper VPN name.
   2. For Template Type, choose Site to Site. For Remote Device Type, select FortiGate. iv. For NAT Configuration, select No NAT Between Sites.
   3. Click Next.
4. Configure the following settings for Authentication:
   172. For Remote Device, select IP Address. For the IP address, enter 172.16.202.1. iii. For Outgoing interface, enter port1.
5. For Authentication Method, select Signature.
6. In the Certificate name field, select the imported certificate.
7. From the PeerCertificate CA dropdown list, select the desired peer CA certificate.

• Click Next.

1. Configure the following settings for Policy & Routing:
2. From the Local Interface dropdown menu, select the proper local interface.
3. Configure the Local Subnets as 1.100.0. iii. Configure the Remote Subnets as 172.16.101.0.
4. Click Create.
5. Configure the HQ2 FortiGate:
6. In FortiOS, go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
   1. Enter a proper VPN name.
   2. For Template Type, choose Site to Site. For Remote Device Type, select FortiGate. iv. For NAT Configuration, select No NAT Between Sites.
   3. Click Next.
7. Configure the following settings for Authentication:
   172. For Remote Device, select IP Address. For the IP address, enter 172.16.2001. iii. For Outgoing interface, enter port25.
   173. For Authentication Method, select Signature.
   174. In the Certificate name field, select the imported certificate.
   175. From the PeerCertificate CA dropdown list, select the desired peer CA certificate.

• Click Next.

1. Configure the following settings for Policy & Routing:
   1. From the Local Interface dropdown menu, select the proper local interface.
   2. Configure Local Subnets as 16.101.0. iii. Configure the Remote Subnets as 10.1.100.0. iv. Click Create.

To configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key using the FortiOS CLI:

1. Configure the WAN interface and default route. The WAN interface is the interface connected to the ISP. The IPsec tunnel is established over the WAN interface: a. Configure HQ1:

config system interface edit “port1” set vdom “root”

set ip 172.16.200.1 255.255.255.0

next

end

config router static edit 1

 

gateway 172.16.200.3 device “port1”

next

end

1. Configure HQ2:

config system interface edit “port25” set vdom “root”

set ip 172.16.202.1 255.255.255.0

next

end

config router static edit 1 set gateway 172.16.202.2 set device “port25”

next

end

2. Configure the internal (protected subnet) interface. The internal interface connects to the corporate internal network. Traffic from this interface routes out the IPsec VPN tunnel: Configure HQ1:

config system interface edit “dmz” set vdom “root”

set ip 10.1.100.1 255.255.255.0

next

end

1. Configure HQ2:

config system interface edit “port9” set vdom “root”

set ip 172.16.101.1 255.255.255.0

next

end

3. Configure the import certificate and its CA certificate information. The certificate and its CA certificate must be imported on the remote peer FortiGate and on the primary FortiGate before configuring IPsec VPN tunnels. If the built-in Fortinet_Factory certificate and the Fortinet_CA CA certificate are used for authentication, you can skip this step:
4. Configure HQ1:

config vpn certificate local edit “test1” …

set range global

next

end

config vpn certificate ca edit “CA_Cert_1” …

set range global

next end

1. Configure HQ2:

config vpn certificate local edit “test2” …

set range global

next

end

config vpn certificate ca edit “CA_Cert_1” …

set range global

next

end

4. Configure the peer user. The peer user is used in the IPsec VPN tunnel peer setting to authenticate the remote peer FortiGate.
   1. If not using the built-in Fortinet_Factory certificate and Fortinet_CA CA certificate, do the following: Configure HQ1:

config user peer edit “peer1” set ca “CA_Cert_1”

next

end

1. Configure HQ2:

config user peer edit “peer2” set ca “CA_Cert_1”

next

end

1. If the built-in Fortinet_Factory certificate and Fortinet_CA CA certificate are used for authentication, the peer user must be configured based on Fortinet_CA:
   1. Configure HQ1:

config user peer edit “peer1” set ca “Fortinet_CA”

next

end

1. Configure HQ2:

config user peer edit “peer2” set ca “Fortinet_CA”

next

end

5. Configure the IPsec phase1-interface:
   1. Configure HQ1:

config vpn ipsec phase1-interface edit “to_HQ2” set interface “port1” set authmethod signature net-device enable

proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1

set remote-gw 172.16.202.1 set certificate “test1” set peer “peer1”

next

end

1. Configure HQ2:

config vpn ipsec phase1-interface edit “to_HQ1” set interface “port25” set authmethod signature set net-device enable

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set remote-gw 172.16.200.1 set certificate “test2” set peer “peer2”

next

end

6. Configure the IPsec phase2-interface:
   1. Configure HQ1:

config vpn ipsec phase2-interface edit “to_HQ2” set phase1name “to_HQ2”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 set auto-negotiate enable

next

end

1. Configure HQ2:

config vpn ipsec phase2-interface edit “to_HQ2” set phase1name “to_HQ1”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 set auto-negotiate enable

next

end

7. Configure the static routes. Two static routes are added to reach the remote protected subnet. The blackhole route is important to ensure that IPsec traffic does not match the default route when the IPsec tunnel is down: Configure HQ1:

config router static edit 2 set dst 172.16.101.0 255.255.255.0 set device “to_HQ2”

next edit 3 set dst 172.16.101.0 255.255.255.0 set blackhole enable set distance 254

next

end

1. Configure HQ2:

config router static edit 2 set dst 10.1.100.0 255.255.255.0 set device “to_HQ1”

next edit 3 set dst 10.1.100.0 255.255.255.0 set blackhole enable set distance 254

next

end

8. Configure two firewall policies to allow bidirectional IPsec traffic flow over the IPsec VPN tunnel:
9. Configure HQ1:

config firewall policy edit 1 set name “inbound” set srcintf “to_HQ2” set dstintf “dmz” set srcaddr “172.16.101.0” set dstaddr “10.1.100.0” set action accept set schedule “always” set service “ALL”

next edit 2 set name “outbound” set srcintf “dmz” set dstintf “to_HQ2” set srcaddr “10.1.100.0” set dstaddr “172.16.101.0” set action accept set schedule “always” set service “ALL”

next

end

1. Configure HQ2:

config firewall policy edit 1 set name “inbound” set srcintf “to_HQ1” set dstintf “port9” set srcaddr “10.1.1.00.0” set dstaddr “172.16.101.0” set action accept set schedule “always” set service “ALL”

next edit 2 set name “outbound” srcintf “port9” dstintf “to_HQ1”

set srcaddr “172.16.101.0” set dstaddr “10.1.100.0” set action accept set schedule “always” set service “ALL”

next

end

9. Run diagnose commands. The diagnose debug application ike -1 command is the key to figure out why the IPsec tunnel failed to establish. If the remote FortiGate certificate cannot be validated, the following error shows up in the debug output:

ike 0: to_HQ2:15314: certificate validation failed

The following commands are useful to check IPsec phase1/phase2 interface status.

1. Run the diagnose vpn ike gateway list command on HQ1. The system should return the following:

vd: root/0 name: to_HQ2 version: 1 interface: port1 11 addr: 172.16.200.1:500 -> 172.16.202.1:500 created: 7s ago peer-id: C = CA, ST = BC, L = Burnaby, O = Fortinet, OU = QA, CN = test2

peer-id-auth: yes

IKE SA: created 1/1 established 1/1 time 70/70/70 ms IPsec SA: created 1/1 established 1/1 time 80/80/80 ms

id/spi: 15326 295be407fbddfc13/7a5a52afa56adf14 direction: initiator status: established 7-7s ago = 70ms proposal: aes128-sha256 key: 4aa06dbee359a4c7-

43570710864bcf7b lifetime/rekey: 86400/86092 DPD sent/recv: 00000000/00000000 peer-id: C = CA, ST = BC, L = Burnaby, O = Fortinet, OU = QA, CN = test2

1. Run the diagnose vpn tunnel list command on HQ1. The system should return the following:

list all ipsec tunnel in vd 0 name=to_HQ2 ver=1 serial=1 172.16.200.1:0->172.16.202.1:0

bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_ dev frag-rfcaccept_traffic=1 proxyid_num=1 child_num=0 refcnt=14 ilast=19 olast=179 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=vpn-f proto=0 sa=1 ref=2 serial=1 auto-negotiate src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=42717/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0

life: type=01 bytes=0/0 timeout=42897/43200 dec: spi=72e87de7 esp=aes key=16 8b2b93e0c149d6f22b1c0b96ea450e6c

ah=sha1 key=20 facc655e5f33beb7c2b12e718a6d55413ce3efa2 enc: spi=5c52c865 esp=aes key=16 8d0c4e4adbf2338beed569b2b3205ece

ah=sha1 key=20 553331628612480ab6d7d563a00e2a967ebabcdd dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

IPsec VPN authenticating a remote FortiGate peer with a pre-shared key

This recipe provides sample configuration of IPsec VPN authenticating a remote FortiGate peer with a pre-shared key.

The following shows the sample network topology for this recipe:

You can configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key using the FortiOSGUI or CLI.

To configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key on the FortiOS GUI:

1. Configure the HQ1 FortiGate:
2. In FortiOS, go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
   1. Enter a proper VPN name.
   2. For Template Type, choose Site to Site. For Remote Device Type, select FortiGate. iv. For NAT Configuration, select No NAT Between Sites.
   3. Click Next.
3. Configure the following settings for Authentication:
   172. For Remote Device, select IP Address. For the IP address, enter 172.16.202.1. iii. For Outgoing interface, enter port1. iv. For Authentication Method, select Pre-shared Key.
4. In the Pre-shared Key field, enter sample as the key.
5. Click Next.
6. Configure the following settings for Policy & Routing:
7. From the Local Interface dropdown menu, select the proper local interface.
8. Configure the Local Subnets as 1.100.0. iii. Configure the Remote Subnets as 172.16.101.0.
9. Click Create.
10. Configure the HQ2 FortiGate:
11. In FortiOS, go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
    1. Enter a proper VPN name.
    2. For Template Type, choose Site to Site. For Remote Device Type, select FortiGate. iv. For NAT Configuration, select No NAT Between Sites.
    3. Click Next.
12. Configure the following settings for Authentication:
    172. For Remote Device, select IP Address. For the IP address, enter 172.16.2001. iii. For Outgoing interface, enter port25.
    173. For Authentication Method, select Pre-shared Key.
    174. In the Pre-shared Key field, enter sample as the key.
    175. Click Next.
13. Configure the following settings for Policy & Routing:
    1. From the Local Interface dropdown menu, select the proper local interface.
    2. Configure Local Subnets as 16.101.0. iii. Configure the Remote Subnets as 10.1.100.0. iv. Click Create.

To configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key using the FortiOS CLI:

1. Configure the WAN interface and default route. The WAN interface is the interface connected to the ISP. The IPsec tunnel is established over the WAN interface: a. Configure HQ1:

config system interface edit “port1” set vdom “root”

set ip 172.16.200.1 255.255.255.0

next

end

config router static edit 1 set gateway 172.16.200.3 set device “port1”

next end

1. Configure HQ2:

config system interface edit “port25” set vdom “root”

set ip 172.16.202.1 255.255.255.0

next

end

config router static edit 1 set gateway 172.16.202.2 set device “port25”

next

end

2. Configure the internal (protected subnet) interface. The internal interface connects to the corporate internal network. Traffic from this interface routes out the IPsec VPN tunnel: Configure HQ1:

config system interface edit “dmz” set vdom “root”

set ip 10.1.100.1 255.255.255.0

next

end

1. Configure HQ2:

config system interface edit “port9” set vdom “root”

set ip 172.16.101.1 255.255.255.0

next

end

3. Configure the IPsec phase1-interface:
   1. Configure HQ1:

config vpn ipsec phase1-interface edit “to_HQ2” set interface “port1” set peertype any set net-device enable

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set remote-gw 172.16.202.1 set psksecret sample

next

end

1. Configure HQ2:

config vpn ipsec phase1-interface edit “to_HQ1” set interface “port25” set peertype any set net-device enable

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set remote-gw 172.16.200.1 set psksecret sample

next

end

4. Configure the IPsec phase2-interface:
   1. Configure HQ1:

config vpn ipsec phase2-interface edit “to_HQ2” set phase1name “to_HQ2”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 set auto-negotiate enable

next

end

1. Configure HQ2:

config vpn ipsec phase2-interface edit “to_HQ2” set phase1name “to_HQ1”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 set auto-negotiate enable

next

end

5. Configure the static routes. Two static routes are added to reach the remote protected subnet. The blackhole route is important to ensure that IPsec traffic does not match the default route when the IPsec tunnel is down: Configure HQ1:

config router static edit 2 set dst 172.16.101.0 255.255.255.0 set device “to_HQ2”

next edit 3 set dst 172.16.101.0 255.255.255.0 set blackhole enable set distance 254

next

end

1. Configure HQ2:

config router static edit 2 set dst 10.1.100.0 255.255.255.0 set device “to_HQ1”

next edit 3 set dst 10.1.100.0 255.255.255.0 set blackhole enable set distance 254

next

end

6. Configure two firewall policies to allow bidirectional IPsec traffic flow over the IPsec VPN tunnel: a. Configure HQ1:

config firewall policy edit 1 set name “inbound” set srcintf “to_HQ2” set dstintf “dmz” set srcaddr “172.16.101.0” set dstaddr “10.1.100.0” set action accept set schedule “always” set service “ALL”

next edit 2 set name “outbound” set srcintf “dmz” set dstintf “to_HQ2” set srcaddr “10.1.100.0” set dstaddr “172.16.101.0” set action accept set schedule “always” set service “ALL”

next

end

1. Configure HQ2:

config firewall policy edit 1 set name “inbound” set srcintf “to_HQ1” set dstintf “port9” set srcaddr “10.1.1.00.0” set dstaddr “172.16.101.0” set action accept set schedule “always” set service “ALL”

next edit 2 set name “outbound” set srcintf “port9” set dstintf “to_HQ1” set srcaddr “172.16.101.0” set dstaddr “10.1.100.0” set action accept set schedule “always” set service “ALL”

next

end

7. Run diagnose commands. The diagnose debug application ike -1 command is the key to figure out why the IPsec tunnel failed to establish. If the PSK failed to match, the following error shows up in the debug output:

ike 0:to_HQ2:15037: parse error ike 0:to_HQ2:15037: probable pre-shared secret mismatch’

The following commands are useful to check IPsec phase1/phase2 interface status.

1. Run the diagnose vpn ike gateway list command on HQ1. The system should return the following:

vd: root/0 name: to_HQ2 version: 1 interface: port1 11 addr: 172.16.200.1:500 -> 172.16.202.1:500 created: 5s ago

IKE SA: created 1/1 established 1/1 time 0/0/0 ms IPsec SA: created 2/2 established 2/2 time 0/0/0 ms id/spi: 12 6e8d0532e7fe8d84/3694ac323138a024 direction: responder status: established 5-5s ago = 0ms proposal: aes128-sha256 key: b3efb46d0d385aff-7bb9ee241362ee8d lifetime/rekey: 86400/86124

DPD sent/recv: 00000000/00000000

1. Run the diagnose vpn tunnel list command on HQ1. The system should return the following:

list all ipsec tunnel in vd 0 name=to_HQ2 ver=1 serial=1 172.16.200.1:0->172.16.202.1:0

bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_ dev frag-rfcaccept_traffic=1 proxyid_num=1 child_num=0 refcnt=11 ilast=7 olast=87 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0 dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=to_HQ2 proto=0 sa=1 ref=2 serial=1 auto-negotiate src: 0:0.0.0.0/0.0.0.0:0

dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=42927/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 life: type=01 bytes=0/0 timeout=42930/43200 dec: spi=ef9ca700 esp=aes key=16 a2c6584bf654d4f956497b3436f1cfc7 ah=sha1 key=20 82c5e734bce81e6f18418328e2a11aeb7baa021b enc: spi=791e898e esp=aes key=16 0dbb4588ba2665c6962491e85a4a8d5a ah=sha1 key=20 2054b318d2568a8b12119120f20ecac97ab730b3 dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

OCVPN troubleshooting

This document includes troubleshooting steps for the following OCVPN network topologies:

• Full mesh. l Hub-spoke with ADVPN shortcut. l Hub-spoke with inter-overlay source NAT.

For OCVPN configurations in different network topologies, please refer to the other OCVPN topics.

Full mesh network topology troubleshooting

• Branch_1 # diagnose vpn ocvpn status

Current State	: Registered
Topology	: Full-Mesh
Role	: Spoke
Server Status	: Up
Registration time	: Thu Feb 28 18:42:25 2019
Update time	: Thu Feb 28 15:57:18 2019
Poll time	: Fri Mar 1 15:02:28 2019

• Branch_1 # diagnose vpn ocvpn show-meta

Topology :: auto

License :: full

Members :: 3

Max-free :: 3

• Branch_1 # diagnose vpn ocvpn show-overlays

QA

PM l Branch_1 # diagnose vpn ocvpn show-members

Member: { “SN”: “FG100D3G15801621”, “IPv4”: “172.16.200.1”, “port”: “500”, “slot”: 1000, “overlay”: [ { “id”: 0, “name”: “QA”, “subnets”: [ “10.1.100.0\/255.255.255.0” ], “ip_ range”: “0.0.0.0-0.0.0.0” }, { “id”: 1, “name”: “PM”, “subnets”: [

“10.2.100.0\/255.255.255.0” ], “ip_range”: “0.0.0.0-0.0.0.0” } ], “Name”: “FortiGate-100D”, “topology_role”: “spoke” }

Member: { “SN”: “FG900D3915800083”, “IPv4”: “172.16.200.4”, “port”: “500”, “slot”: 1001, “overlay”: [ { “id”: 0, “name”: “QA”, “subnets”: [ “172.16.101.0\/255.255.255.0” ], “ip_ range”: “0.0.0.0-0.0.0.0” }, { “id”: 1, “name”: “PM”, “subnets”: [

“172.16.102.0\/255.255.255.0” ], “ip_range”: “0.0.0.0-0.0.0.0” } ], “Name”: “Branch3”, “topology_role”: “spoke” }

Member: { “SN”: “FGT51E3U16001314”, “IPv4”: “172.16.200.199”, “port”: “500”, “slot”: 1002, “overlay”: [ { “id”: 0, “name”: “QA”, “subnets”: [ “192.168.4.0\/255.255.255.0” ], “ip_ range”: “0.0.0.0-0.0.0.0” }, { “id”: 1, “name”: “PM”, “subnets”: [

“192.168.5.0\/255.255.255.0” ], “ip_range”: “0.0.0.0-0.0.0.0” } ], “Name”: “Branch2”, “topology_role”: “spoke” } l Branch_1 # dagnose vpn tunnel list

list all ipsec tunnel in vd 0

——————————————————

name=_OCVPN2-3.1 ver=2 serial=4 172.16.200.1:0->172.16.200.199:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

proxyid_num=2 child_num=0 refcnt=13 ilast=7 olast=0 ad=/0 stat: rxp=0 txp=7 rxb=0 txb=588

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=6 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=_OCVPN2-3.1 proto=0 sa=1 ref=2 serial=8 auto-negotiate

src: 0:10.1.100.0-10.1.100.255:0 dst: 0:192.168.4.0-192.168.4.255:0

SA: ref=3 options=18627 type=00 soft=0 mtu=1438 expire=42923/0B replaywin=2048 seqno=8 esn=0 replaywin_lastseq=00000000 itn=0 qat=0

life: type=01 bytes=0/0 timeout=42931/43200

dec: spi=c34bb752 esp=aes key=16 3c5ceeff3cac1eaa2702b5ccb713ab9b ah=sha1 key=20 5903e358b3d8938ee64f0412887a0fe741ccb105

enc: spi=b5bd4fe1 esp=aes key=16 8ae97a8abe24dae725d614d2a6efdcb0 ah=sha1 key=20 9ec200d9c0cef9e1b7cf76e05dbf344c70f53214

dec:pkts/bytes=0/0, enc:pkts/bytes=7/1064

proxyid=_OCVPN2-3.1 proto=0 sa=0 ref=2 serial=1 auto-negotiate

src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

——————————————————

name=_OCVPN2-4.1 ver=2 serial=6 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

proxyid_num=2 child_num=0 refcnt=11 ilast=19 olast=19 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=_OCVPN2-4.1 proto=0 sa=1 ref=2 serial=7 auto-negotiate

src: 0:10.1.100.0-10.1.100.255:0 dst: 0:172.16.101.0-172.16.101.255:0

SA: ref=3 options=18627 type=00 soft=0 mtu=1438 expire=42911/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0

life: type=01 bytes=0/0 timeout=42931/43200

dec: spi=c34bb750 esp=aes key=16 8c9844a8bcd3fda6c7bd8a4f2ec81ef1 ah=sha1 key=20 680c7144346f5b52126cbad9f325821b048c7192

enc: spi=f2d1f2d4 esp=aes key=16 f9625fc8590152829eb39eecab3a3999 ah=sha1 key=20 5df8447416da541fa54dde9fa3e5c35fbfc4723f

dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

proxyid=_OCVPN2-4.1 proto=0 sa=0 ref=2 serial=1 auto-negotiate

src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

——————————————————

name=_OCVPN2-3.2 ver=2 serial=3 172.16.200.1:0->172.16.200.199:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

proxyid_num=2 child_num=0 refcnt=11 ilast=6 olast=6 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=_OCVPN2-3.2 proto=0 sa=1 ref=2 serial=8 auto-negotiate

src: 0:10.2.100.0-10.2.100.255:0 dst: 0:192.168.5.0-192.168.5.255:0

SA: ref=3 options=18627 type=00 soft=0 mtu=1438 expire=42923/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0

life: type=01 bytes=0/0 timeout=42930/43200

dec: spi=c34bb753 esp=aes key=16 58ddfad9a3699f1c49f3a9f369145c28 ah=sha1 key=20 e749c7e6a7aaff119707c792eb73cd975127873b

enc: spi=b5bd4fe2 esp=aes key=16 8f2366e653f5f9ad6587be1ce1905764 ah=sha1 key=20 5347bf24e51219d483c0f7b058eceab202026204

dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

proxyid=_OCVPN2-3.2 proto=0 sa=0 ref=2 serial=1 auto-negotiate

src: 0:10.2.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

——————————————————

name=_OCVPN2-4.2 ver=2 serial=5 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

proxyid_num=2 child_num=0 refcnt=11 ilast=17 olast=17 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=_OCVPN2-4.2 proto=0 sa=1 ref=2 serial=7 auto-negotiate

src: 0:10.2.100.0-10.2.100.255:0 dst: 0:172.16.102.0-172.16.102.255:0

SA: ref=3 options=18627 type=00 soft=0 mtu=1438 expire=42905/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0

life: type=01 bytes=0/0 timeout=42927/43200

dec: spi=c34bb751 esp=aes key=16 41449ee5ea43d3e1f80df05fc632cd44 ah=sha1 key=20 3ca2aea1c8764f35ccf987cdeca7cf6eb54331fb

enc: spi=f2d1f2d5 esp=aes key=16 9010dd57e502c6296b27a4649a45a6ba ah=sha1 key=20 caf86a176ce04464221543f15fc3c63fc573b8ee dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

proxyid=_OCVPN2-4.2 proto=0 sa=0 ref=2 serial=1 auto-negotiate

src: 0:10.2.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

• Branch_1 # get router info routing-table all

Routing table for VRF=0 Codes: K – kernel, C – connected, S – static, R – RIP, B – BGP
	O – OSPF, IA – OSPF inter area N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2 E1 – OSPF external type 1, E2 – OSPF external type 2 i – IS-IS, L1 – IS-IS level-1, L2 – IS-IS level-2, ia – IS-IS inter area * – candidate default
S*	0.0.0.0/0 [10/0] via 172.16.200.254, port1
C	10.1.100.0/24 is directly connected, dmz
C	10.2.100.0/24 is directly connected, loop
C	11.101.1.0/24 is directly connected, wan1
C	11.102.1.0/24 is directly connected, wan2

S      192.168.5.0/24 [20/0] is directly connected, _OCVPN2-3.2

C      172.16.200.0/24 is directly connected, port1

S      172.16.101.0/24 [20/0] is directly connected, _OCVPN2-4.1

S      172.16.102.0/24 [20/0] is directly connected, _OCVPN2-4.2

S      192.168.4.0/24 [20/0] is directly connected, _OCVPN2-3.1

Hub-Spoke OCVPN with inter-overlay source NAT

This topic provides a sample configuration of Hub-Spoke OCVPN with inter-overlay source NAT. OCVPN isolates traffic between overlays by default. With NAT enabled on Spokes and assign-ip enabled on Hub, you can have interoverlay communication.

Inter-overlay communication means devices from any source addresses and any source interfaces can communicate with any devices in overlays’ subnets when the overlay option assign-ip is enabled.

To enable ‘NAT’, disable ‘auto-discovery’ first.

License

• Free license: Hub-spoke network topology not supported.
• Full License: Maximum of 2 hubs, 10 overlays, 64 subnets per overlay; 512 spokes, 10 overlays, 16 subnets per overlay.

Prerequisites

• All FortiGate devices must be running FortiOS version 6.2.0 or later. l All FortiGate devices must have Internet access. l All FortiGates must be registered on FortiCare by using the same FortiCare account.

Restrictions

• Non-root VDOM does not support OCVPN. l FortiOS 6.2.x is not compatible with FortiOS 6.0.x.

OCVPN device roles

• Primary-hub l Secondary-hub l Spoke (OCVPN default role)

Sample network topology

Sample configuration

You can only configure this feature by using the CLI.

To enable inter-overlay source NAT from CLI:

1. Configure the Primary-Hub, enable overlay QA, and configure assign-ip and IP range:

config vpn ocvpn set status enable set role primary-hub config overlays edit 1 set name “QA” set assign-ip enable set ipv4-start-ip 172.16.101.100 set ipv4-end-ip 172.16.101.200 config subnets edit 1 set subnet 172.16.101.0 255.255.255.0

next

end

next edit 2 set name “PM” set assign-ip enable config subnets edit 1 set subnet 172.16.102.0 255.255.255.0

next

end

next

end

end

2. Configure the Secondary-Hub:

config vpn ocvpn set status enable set role secondary-hub

end

3. Configure Spoke1, and enable NAT on the spoke:

config vpn ocvpn set status enable set auto-discovery disable set nat enable config overlays edit 1 set name “QA” config subnets edit 1 set subnet 10.1.100.0 255.255.255.0

next

end

next edit 2 set name “PM” config subnets edit 1 set subnet 10.2.100.0 255.255.255.0

next

end

next

end

end

4. Configure Spoke2, and enable NAT enabled on the spoke:

config vpn ocvpn set status enable set auto-discovery disable

set nat enable config overlays edit 1 set name “QA” config subnets edit 1 set subnet 192.168.4.0 255.255.255.0

next

end

next edit 2 set name “PM” config subnets edit 1 set subnet 192.168.5.0 255.255.255.0

next

end

next

end

end

A firewall policy with NAT is generated on the spoke:

edit 9 set name “_OCVPN2-1.1_nat” set uuid 3f7a84b8-3d36-51e9-ee97-8f418c91e666

set srcintf “any” set dstintf “_OCVPN2-1.1” set srcaddr “all” set dstaddr “_OCVPN2-1.1_remote_networks”

set action accept set schedule “always” set service “ALL” set comments “Generated by OCVPN Cloud Service.” set nat enable

next

Hub-spoke OCVPN with ADVPN shortcut

This topic provides a sample configuration of a hub-spoke One-Click VPN (OCVPN) with an Auto Discovery VPN (ADVPN) shortcut. OCVPN automatically detects the network topology based on members’ information. To form a hubspoke OCVPN, at least one device must announce its role as the primary hub, another device can work as the secondary hub (for redundancy), while others function as spokes.

License

• Free license: Hub-spoke network topology not supported.
• Full license: Maximum of 2 hubs, 10 overlays, 64 subnets per overlay; 512 spokes, 10 overlays, 16 subnets per overlay.

Prerequisites

• All FortiGates are on FortiOS version 6.2.0 or later. l All FortiGates must have Internet access. l All FortiGates must be registered on FortiCare by using the same FortiCare account.

Restrictions

• Non-root VDOM doesn’t support OCVPN. l FortiOS 6.2.x is not compatible with FortiOS 6.0.x.

OCVPN device roles

• Primary hub l Secondary hub l Spoke (OCVPN default role)

Sample topology

Sample Configuration

The steps below use the following overlays and subnets for the sample configuration:

• Primary hub:
• Overlay name: QA. Local subnets: 16.101.0/24 l Overlay name: PM. Local subnets: 172.16.102.0/24 l Secondary hub: l Overlays are synced from primary hub. l Spoke1:
• Overlay name: QA. Local subnets: 1.100.0/24 l Overlay name: PM. Local subnets: 10.2.100.0/24
• Spoke2:
• Overlay name: QA. Local interfaces lan1 l Overlay name: PM. Local interfaces lan2

Before you begin, ensure all FortiGates are registered on FortiCare.

To register FortiGates on FortiCare:

1. Go to System > Fortiguard > License Information > FortiCare Support.
2. Select either Register or Launch Portal to register.
3. Complete the options to register FortiGate on FortiCare.

To enable hub-spoke OCVPN through the GUI:

1. Configure the OCVPN primary hub:
   1. Go to VPN > Overlay ControllerVPN.
   2. Enable Overlay ControllerVPN and select Primary Hub as the role.
   3. In the Overlays section, select Create New to create a network overlay.
   4. Enter a name and the subnets and/or internal interfaces, then select OK.
   5. Select Apply to commit the configuration.
2. Configure the OCVPN secondary hub:

Overlays are synced from the primary hub and cannot be defined in the secondary hub. a. Go to VPN > Overlay ControllerVPN.

1. Enable Overlay ControllerVPN and select Secondary Hub as the role.
2. Select Apply to commit the configuration.

3. Configure the OCVPN spokes:
   1. Go to VPN > Overlay ControllerVPN.
   2. Enable Overlay ControllerVPN and select Spoke as the role.
   3. In the Overlays section, select Create New to create a network overlay.
   4. Enter a name and the subnets and/or internal interfaces, then select OK.

The local subnet must be routable and the interface must have an IP address assigned, otherwise an error message appears.

1. Select Apply to commit the configuration.

To enable hub-spoke OCVPN through the CLI:

1. Configure the OCVPN primary hub:

config vpn ocvpn set status enable set role primary-hub config overlays edit 1 set name “QA” config subnets edit 1 set subnet 172.16.101.0 255.255.255.0

next

end

next edit 2 set name “PM” config subnets edit 1 set subnet 172.16.102.0 255.255.255.0

next

end

next

end

end

2. Configure the OCVPN secondary hub:

config vpn ocvpn set status enable set role secondary-hub

end

3. Configure the OCVPN spoke1:

config vpn ocvpn set status enable config overlays edit 1 set name “QA” config subnets edit 1 set subnet 10.1.100.0 255.255.255.0

next

end

next edit 2 set name “PM” config subnets edit 1 set subnet 10.2.100.0 255.255.255.0

next

end

next

end

end

4. Configure the OCVPN spoke2:

config vpn ocvpn set status enable config overlays edit 1 set name “QA” config subnets edit 1 set subnet 192.168.4.0 255.255.255.0

next

end

next edit 2 set name “PM” config subnets edit 1 set subnet 192.168.5.0 255.255.255.0

next

end

next

end

end

Full mesh OCVPN

This topic provides an example configuration of full mesh Overlay Controller VPN (OCVPN).

OCVPN is a cloud based solution to simplify IPsec VPN setup. When Overlay Controller VPN is enabled, IPsec phase1interfaces, phase2-interfaces, static routes, and firewall policies are generated automatically on all FortiGates that belong to the same community network. A community network is defined as all FortiGates registered to FortiCare by using the same FortiCare account.

If the network topology changes on any FortiGates in the community (such as changing a public IP address in DHCP mode, adding or removing protected subnets, failing over in dual WAN), the IPsec-related configuration for all devices is updated with Cloud assistance in self-learning mode. No intervention is required.

Full mesh IPsec tunnels are established between all FortiGates.

License

• Free license: Three devices full mesh, 10 overlays, 16 subnets per overlay. l Full License: Maximum of 16 devices, 10 overlays, 16 subnets per overlay.

Prerequisites

• All FortiGates must be running FortiOS version 6.2.0 or later. l All FortiGates must have Internet access. l All FortiGates must be registered on FortiCare by using the same FortiCare account.

Restrictions

• Non-root VDOM does not support OCVPN. l FortiOS 6.2.x is not compatible with FortiOS 6.0.x.

Terminology

Poll-interval	Used to define how often FortiGate tries to fetch OCVPN-related data from OCVPN Cloud.
Role	Used to specify the device OCVPN role of spoke, primary-hub, or secondary-hub.
Overlay		Used to define network overlays and bind to subnets.
Subnet		Internal network subnet (IPsec protected subnet). Traffic source from or destination to this subnet will enter IPsec tunnel encrypted by IPsec SA.

Sample Topology

The following shows an example of three FortiGate units registered on FortiCare by using the same FortiCare account. Each FortiGate unit has one internal subnet, and no NAT exists between these three FortiGate units.

Sample configuration

The steps below use the following overlays and subnets for the sample configuration:

• Branch1:
• Overlay name: QA. Local subnets: 10.1.100.0/24 l Overlay name: PM. Local subnets: 10.2.100.0/24
• Branch2:
• Overlay name: QA. Local interfaces: lan1 l Overlay name: PM. Local interfaces: lan2
• Branch3:
• Overlay name: QA. Local subnets: 172.16.101.0/24 l Overlay name: PM. Local subnets: 172.16.102.0/24 Before you begin, ensure all FortiGates are registered on FortiCare.

To register FortiGates on FortiCare:

1. Go to System > Fortiguard > License Information > FortiCare Support.
2. Select Register or Launch Portal to register.
3. Complete the options to register FortiGate on FortiCare.

To enable OCVPN using the GUI:

1. Go to VPN > Overlay ControllerVPN.
2. Create the first overlay by setting the following options and clicking OK:
   1. Beside Status, click Enabled.
   2. Beside Role, click Spoke.
   3. In the Overlays section, click Create New to create a network overlay.
   4. In the Name box, type a name, and input the subnets and/or choose internal interfaces.

The local subnet must be routable, and interfaces must have assigned IP addresses. Otherwise an error message displays.

3. Repeat this procedure until you create all the needed overlays.

To enable OCVPN using the CLI:

1. Ensure all FortiGates are registered on FortiCare.
2. Configure Branch1:

config vpn ocvpn set status enable config overlays

edit 1

set name “QA” config subnets

edit 1 set subnet 10.1.100.0 255.255.255.0

next

end

next edit 2

set name “PM” config subnets

edit 1 set subnet 10.2.100.0 255.255.255.0

next

end

next end end

3. Configure Branch2:

config vpn ocvpn set status enable config overlays edit 1 set name “QA” config subnets edit 1 set type interface set interface “lan1”

next

end

next edit 2 set name “PM” config subnets edit 1 set type interface set interface “lan2”

next

end

next

end

end

4. Configure Branch3:

config vpn ocvpn set status enable config overlays edit 1 set name “QA” config subnets edit 1 set subnet 172.16.101.0 255.255.255.0

next

end

next edit 1 set name “OM” config subnets edit 1 set subnet 172.16.102.0 255.255.255.0

next

end

next

end

end