LT2P over IPsec

LT2P over IPsec

This recipe provides an example configuration of LT2P over IPsec. A locally defined user is used for authentication, a Windows PC or Android tablet is acting as the client, and net-device is set to enable in the phase1-interface settings. If net-device is set to disable, only one device can establish an L2TP over IPsec tunnel behind the same NAT device.

The following shows the network topology for this example:

To configure LT2P over an IPsec tunnel using the CLI:

  1. Configure the WAN interface and static route on HQ:

config system interface edit “port9” set alias “WAN” set ip 22.1.1.1 255.255.255.0

next edit “port10” set alias “Internal” set ip 172.16.101.1 255.255.255.0

next

end

config router static edit 1 set gateway 22.1.1.2 set device “port9”

next end

  1. Configure IPsec phase1-interface and phase2-interface on HQ:

config vpn ipsec phase1-interface edit “L2tpoIPsec” set type dynamic set interface “port9” set peertype any

set proposal aes256-md5 3des-sha1 aes192-sha1 set dpd on-idle set dhgrp 2 set net-device enable set psksecret sample set dpd-retryinterval 60

next

end

config vpn ipsec phase2-interface edit “L2tpoIPsec” set phase1name “L2tpoIPsec”

set proposal aes256-md5 3des-sha1 aes192-sha1 set pfs disable

set encapsulation transport-mode

set l2tp enable

next

end

  1. Configure a user and user group on HQ:

config user local edit “usera” set type password set passwd usera

next

end config user group edit “L2tpusergroup” set member “usera”

next

end

  1. Configure L2TP on HQ:

config vpn l2tp set status enable set eip 10.10.10.100 set sip 10.10.10.1 set usrgrp “L2tpusergroup”

end

  1. Configure a firewall address, that is applied in L2TP settings to assign IP addresses to clients once the L2TP tunnel is established:

config firewall address edit “L2TPclients” set type iprange set start-ip 10.10.10.1 set end-ip 10.10.10.100

next end

  1. Configure a firewall policy:

config firewall policy edit 1 set name “Bridge_IPsec_port9_for_l2tp negotiation” set srcintf “L2tpoIPsec” set dstintf “port9” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “L2TP”

next edit 2 set srcintf “L2tpoIPsec” set dstintf “port10” set srcaddr “L2TPclients” set dstaddr “172.16.101.0” set action accept set schedule “always” set service “ALL” set nat enable

next

end

  1. Optionally, view the VPN tunnel list on HQ with the diagnose vpn tunnel list command:

list all ipsec tunnel in vd 0

—-

name=L2tpoIPsec_0 ver=1 serial=8 22.1.1.1:0->10.1.100.15:0

bound_if=4 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/216 options[00d8]=npu create_dev no-sysctl rgwy-chg

parent=L2tpoIPsec index=0

proxyid_num=1 child_num=0 refcnt=13 ilast=0 olast=0 ad=/0 stat: rxp=470 txp=267 rxb=57192 txb=12679

dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=L2tpoIPsec proto=17 sa=1 ref=3 serial=1 transport-mode add-route

src: 17:22.1.1.1-22.1.1.1:1701 dst: 17:10.1.100.15-10.1.100.15:0

SA: ref=3 options=1a6 type=00 soft=0 mtu=1470 expire=2339/0B replaywin=2048 seqno=10c esn=0 replaywin_lastseq=000001d6 itn=0

life: type=01 bytes=0/0 timeout=3585/3600

dec: spi=ca646443 esp=3des key=24 af62a0fffe85d3d534b5bfba29307aafc8bfda5c3f4650dc ah=sha1 key=20 89b4b67688bed9be49fb86449bb83f8c8d8d7432

enc: spi=700d28a0 esp=3des key=24 5f68906eca8d37d853814188b9e29ac4913420a9c87362c9 ah=sha1 key=20 d37f901ffd0e6ee1e4fdccebc7fdcc7ad44f0a0a

dec:pkts/bytes=470/31698, enc:pkts/bytes=267/21744

npu_flag=00 npu_rgwy=10.1.100.15 npu_lgwy=22.1.1.1 npu_selid=6 dec_npuid=0 enc_npuid=0

—-

name=L2tpoIPsec_1 ver=1 serial=a 22.1.1.1:4500->22.1.1.2:64916

bound_if=4 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/472 options[01d8]=npu create_dev no-sysctl rgwy-chg rport-chg

parent=L2tpoIPsec index=1

proxyid_num=1 child_num=0 refcnt=17 ilast=2 olast=2 ad=/0 stat: rxp=5 txp=4 rxb=592 txb=249

dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0

natt: mode=keepalive draft=32 interval=10 remote_port=64916 proxyid=L2tpoIPsec proto=17 sa=1 ref=3 serial=1 transport-mode add-route

src: 17:22.1.1.1-22.1.1.1:1701 dst: 17:22.1.1.2-22.1.1.2:0

SA: ref=3 options=1a6 type=00 soft=0 mtu=1454 expire=28786/0B replaywin=2048 seqno=5 esn=0 replaywin_lastseq=00000005 itn=0

life: type=01 bytes=0/0 timeout=28790/28800 dec: spi=ca646446 esp=aes key=32

ea60dfbad709b3c63917c3b7299520ff7606756ca15d2eb7cbff349b6562172e ah=md5 key=16 2f2acfff0b556935d0aab8fc5725c8ec

enc: spi=0b514df2 esp=aes key=32

a8a92c2ed0e1fd7b6e405d8a6b9eb3be5eff573d80be3f830ce694917d634196 ah=md5 key=16 e426c33a7fe9041bdc5ce802760e8a3d

dec:pkts/bytes=5/245, enc:pkts/bytes=4/464

npu_flag=00 npu_rgwy=22.1.1.2 npu_lgwy=22.1.1.1 npu_selid=8 dec_npuid=0 enc_npuid=0

  1. Optionally, view the L2TP VPN status, by enabling debug (diagnose debug enable), then using the diagnose vpn l2tp status command:

—-

—-

HQ # Num of tunnels: 2

—-

Tunnel ID = 1 (local id), 42 (remote id) to 10.1.100.15:1701 control_seq_num = 2, control_rec_seq_num = 4,

last recv pkt = 2

Call ID = 1 (local id), 1 (remote id), serno = 0, dev=ppp1, assigned ip = 10.10.10.2 data_seq_num = 0,

tx = 152 bytes (2), rx= 21179 bytes (205)

Tunnel ID = 3 (local id), 34183 (remote id) to 22.1.1.2:58825 control_seq_num = 2, control_rec_seq_num = 4,

last recv pkt = 2

Call ID = 3 (local id), 18820 (remote id), serno = 2032472593, dev=ppp2, assigned ip = 10.10.10.3 data_seq_num = 0,

tx = 152 bytes (2), rx= 0 bytes (0)

—-

–VD 0: Startip = 10.10.10.1, Endip = 10.10.10.100 enforece-ipsec = false

—-

To configure LT2P over an IPsec tunnel using the GUI:

  1. Go to VPN > IPsec Wizard.
  2. Enter a name for the VPN in the Name In this example L2tpoIPsec is used.
  3. Set the following, then click Next: l Template Type to Remote Access l Remote Device Type to Native and Windows Native
  4. Set the following, then click Next:
    • Incoming Interface to port9 l Authentication Method to Pre-shared Key l Pre-shared Key to your-psk l UserGroup to L2tpusergroup
  5. Set the following, then click Create: l Local Interface as port10 l Local Address as 16.101.0
    • Client Address Range as 10.10.1-10.10.10.100 l Subnet Mask is left as its default value.

VxLAN over IPsec tunnel

This recipe provides an example configuration of VxLAN over IPsec tunnel. VxLAN encapsulation is used in the phase1-interface setting and virtual-switch is used to bridge the internal with VxLAN over IPsec tunnel.

The following shows the network topology for this example:

To configure GRE over an IPsec tunnel:

  1. Configure the WAN interface and default route:
  2. HQ1:

config system interface edit “port1” set ip 172.16.200.1 255.255.255.0

next

end config router static edit 1 set gateway 172.16.200.3 set device “port1”

next

end

  1. HQ2:

config system interface edit “port25” set ip 172.16.202.1 255.255.255.0

next

end config router static edit 1 set gateway 172.16.202.2 set device “port25”

next

end

  1. Configure IPsec phase1-interface:
  2. HQ1:

config vpn ipsec phase1-interface edit “to_HQ2” set interface “port1” set peertype any

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set encapsulation vxlan

set encapsulation-address ipv4 set encap-local-gw4 172.16.200.1 set encap-remote-gw4 172.16.202.1 set remote-gw 172.16.202.1 set psksecret sample

next

end

config vpn ipsec phase2-interface edit “to_HQ2” set phase1name “to_HQ2”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 next

end

  1. HQ2:

config vpn ipsec phase1-interface edit “to_HQ1” set interface “port25” set peertype any

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set encapsulation vxlan set encapsulation-address ipv4 set encap-local-gw4 172.16.202.1 set encap-remote-gw4 172.16.200.1 set remote-gw 172.16.200.1 set psksecret sample

next

end

config vpn ipsec phase2-interface edit “to_HQ1” set phase1name “to_HQ1”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 next

end

  1. Configure the firewall policy:
  2. HQ1:

config firewall policy edit 1 set srcintf “dmz” set dstintf “to_HQ2” set srcaddr “10.1.100.0” set dstaddr “10.1.100.0” set action accept set schedule “always” set service “ALL”

next edit 2 set srcintf “to_HQ2” set dstintf “dmz” set srcaddr “10.1.100.0” set dstaddr “10.1.100.0” set action accept

set schedule “always” set service “ALL”

next

end

  1. HQ2:

config firewall policy edit 1 set srcintf “port9” set dstintf “to_HQ1” set srcaddr “10.1.100.0” set dstaddr “10.1.100.0” set action accept set schedule “always” set service “ALL”

next edit 2 set srcintf “to_HQ1” set dstintf “port9” set srcaddr “10.1.100.0” set dstaddr “10.1.100.0” set action accept set schedule “always” set service “ALL”

next

end

  1. Configure the virtual switch:
    1. HQ1:

config system switch-interface edit “vxlan-HQ2” set member “dmz” “to_HQ2” set intra-switch-policy explicit

next

end

  1. HQ2:

config system switch-interface edit “vxlan-HQ1” set member “port9” “to_HQ1” set intra-switch-policy explicit

next

end

  1. Optionally, view the VPN tunnel list on HQ1 with the diagnose vpn tunnel list command:

list all ipsec tunnel in vd 0

—-

name=to_HQ2 ver=1 serial=2 172.16.200.1:0->172.16.202.1:0

bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=VXLAN/2 options[0002]= encap-addr: 172.16.200.1->172.16.202.1

proxyid_num=1 child_num=0 refcnt=11 ilast=8 olast=0 ad=/0 stat: rxp=13 txp=3693 rxb=5512 txb=224900

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=45 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=to_HQ2 proto=0 sa=1 ref=2 serial=1

src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=3 options=10226 type=00 soft=0 mtu=1390 expire=41944/0B replaywin=2048 seqno=e6e esn=0 replaywin_lastseq=0000000e itn=0

life: type=01 bytes=0/0 timeout=42901/43200

dec: spi=635e9bb1 esp=aes key=16 c8a374905ef9156e66504195f46a650c ah=sha1 key=20 a09265de7d3b0620b45441fb5af44dab125f2afe

enc: spi=a4d0cd1e esp=aes key=16 e9d0f3f0bb7e15a833f80c42615a3b91 ah=sha1 key=20 609a315c385471b8909b771c76e4fa7214996e50

dec:pkts/bytes=13/4640, enc:pkts/bytes=3693/623240

  1. Optionally, view the bridge control interface on HQ1 with the diagnose netlink brctl name host vxlan-HQ1 command:

show bridge control interface vxlan-HQ1 host.

fdb: size=2048, used=17, num=17, depth=1 Bridge vxlan-a host table

port no device devname mac addr                ttl     attributes

1      1.       dmz     00:0c:29:4e:33:c9        1.        Hit(1)

1      1.       dmz     00:0c:29:a8:c3:ea       105      Hit(105)

1      1.       dmz     90:6c:ac:53:76:29       18       Hit(18)

1      1.       dmz     08:5b:0e:dd:69:cb        1.       Local Static

1      1.       dmz     90:6c:ac:84:3e:5d        1.        Hit(5)

  • dmz    00:0b:fd:eb:21:d6   1.     Hit(0)
  • 38 to_HQ2 56:45:c3:3f:57:b4        Local Static
  • dmz    00:0c:29:d2:66:40   78     Hit(78)
  • 38 to_HQ2 90:6c:ac:5b:a6:eb   124    Hit(124)

1      1.       dmz     00:0c:29:a6:bc:e6       19       Hit(19)

1      1.       dmz     00:0c:29:f0:a2:e7        1.        Hit(0)

1      1.       dmz     00:0c:29:d6:c4:66       164      Hit(164)

1      1.       dmz     00:0c:29:e7:68:19        1.        Hit(0)

1      1.       dmz     00:0c:29:bf:79:30       19       Hit(19)

1      1.       dmz     00:0c:29:e0:64:7d        1.        Hit(0)

1      1.       dmz     36:ea:c7:30:c0:f1       25       Hit(25)

1      1.       dmz     36:ea:c7:30:cc:71        1.        Hit(0)

Disable automatic ASIC offloading

Disable automatic ASIC offloading

When auto-asic-offload is set to disable in the firewall policy, traffic is nt offloaded and the NPU hosting counter is ticked.

# diagnose vpn ipsec status All ipsec crypto devices in use:

NP6_0:

Encryption (encrypted/decrypted)

 

null  
                   des                0 1.
                   3des             : 0 1.
                   aes              : 0 1.
                   aes-gcm          : 0 1.
                   aria             : 0 1.
                   seed             : 0 1.
chacha20poly1305 : 0

Integrity (generated/validated)

1.
                   null             : 0 1.
                   md5              : 0 1.
                   sha1             : 0 1.
                   sha256           : 0 1.
                   sha384           : 0 1.
                   sha512           : 0

NP6_1:

Encryption (encrypted/decrypted)

1.
                   null             : 14976 15357
                   des              : 0 1.
                   3des             : 0 1.
                   aes              : 110080 2175
                   aes-gcm          : 0 1.
                   aria             : 0 1.
                   seed             : 0 1.
chacha20poly1305 : 0

Integrity (generated/validated)

1.
                   null             : 0 1.
                   md5              : 110080 2175
                   sha1             : 14976 15357
                   sha256           : 0 1.
                   sha384           : 0 1.
                   sha512           : 0

NPU Host Offloading:

Encryption (encrypted/decrypted)

1.
                   null             : 3 1.
                   des              : 0 1.
                   3des             : 0 1.
                   aes              : 111090 1.
                   aes-gcm          : 0 1.
                   aria             : 0 1.
                   seed             : 0 1.
chacha20poly1305 : 0

Integrity (generated/validated)

1.
                   null             : 0 1.
                   md5              : 111090 1.
                   sha1             : 3 1.
                   sha256           : 0 1.
                   sha384           : 0 1.
                   sha512           : 0

CP8:

Encryption (encrypted/decrypted)

1.
                   null             : 1 1.
                   des              : 0 1.

VPN and ASIC offload

VPN and ASIC offload

  1. Check the device ASIC information. For example, a FortiGate 900D has an NP6 and a CP8.

# get hardware status

Model name: [[QualityAssurance62/FortiGate]]-900D

ASIC version: CP8

ASIC SRAM: 64M

CPU: Intel(R) Xeon(R) CPU E3-1225 v3 @ 3.20GHz

Number of CPUs: 4

RAM: 16065 MB

Compact Flash: 1925 MB /dev/sda

Hard disk: 244198 MB /dev/sdb

USB Flash: not available

Network Card chipset: [[QualityAssurance62/FortiASIC]] NP6 Adapter (rev.)

  1. Check port to NPU mapping.
# diagnose npu np6 port-list
Chip

—-

XAUI Ports Max Cross-chip Speed offloading
np6_0 0      
  1. port17 1G Yes
  1. port18 1G Yes
  1. port19 1G Yes
  1. port20 1G Yes
  1. port21 1G Yes
  1. port22 1G Yes
  1. port23 1G Yes
  1. port24 1G Yes
  1. port27 1G Yes
  1. port28 1G Yes
  1. port25 1G Yes
  1. port26 1G Yes
  1. port31 1G Yes
  1. port32 1G Yes
  1. port29 1G Yes
  1. port30 1G Yes
—- 1. 1. portB 10G Yes
np6_1 0      
  1. port1 1G Yes
  1. port2 1G Yes
  1. port3 1G Yes
  1. port4 1G Yes
  1. port5 1G Yes
  1. port6 1G Yes
  1. port7 1G Yes
  1. port8 1G Yes
  1. port11 1G Yes
  1. port12 1G Yes
  1. port9 1G Yes
  1. port10 1G Yes
  1. port15 1G Yes
  1. port16 1G Yes
  1. port13 1G Yes  
  1. port14 1G Yes  
  1. 1. portA 10G Yes  

—-

  1. Configure the option in IPsec phase1 settings to control NPU encrypt/decrypt IPsec packets (enabled by default).

config vpn ipsec phase1/phase1-interface edit “vpn_name” set npu-offload enable/disable

next

end

  1. Check NPU offloading. The NPU encrypted/decrypted counter should tick. The npu_flag 03 flag means that the traffic processed by the NPU is bi-directional.

# diagnose vpn tunnel list

list all ipsec tunnel in vd 0

—-

name=test ver=2 serial=1 173.1.1.1:0->11.101.1.1:0

bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu proxyid_num=1 child_num=0 refcnt=14 ilast=2 olast=2 ad=/0 stat: rxp=12231 txp=12617 rxb=1316052 txb=674314 dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=test proto=0 sa=1 ref=4 serial=7

src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=6 options=10626 type=00 soft=0 mtu=1438 expire=42921/0B replaywin=2048 seqno=802 esn=0 replaywin_lastseq=00000680 itn=0

life: type=01 bytes=0/0 timeout=42930/43200

dec: spi=e313ac46 esp=aes key=16 0dcb52642eed18b852b5c65a7dc62958 ah=md5 key=16 c61d9fe60242b9a30e60b1d01da77660

enc: spi=706ffe03 esp=aes key=16 6ad98c204fa70545dbf3d2e33fb7b529 ah=md5 key=16 dcc3b866da155ef73c0aba15ec530e2e

dec:pkts/bytes=1665/16352, enc:pkts/bytes=2051/16826 npu_flag=03 npu_rgwy=11.101.1.1 npu_lgwy=173.1.1.1 npu_selid=6 dec_npuid=2 enc_npuid=2

FGT_900D # diagnose vpn ipsec st All ipsec crypto devices in use: NP6_0:

Encryption (encrypted/decrypted)  
         null             : 0 1.
         des              : 0 1.
         3des             : 0 1.
         aes              : 0 1.
         aes-gcm          : 0 1.
         aria             : 0 1.
         seed             : 0 1.
chacha20poly1305 : 0

Integrity (generated/validated)

1.
         null             : 0 1.
         md5              : 0 1.
         sha1             : 0 1.
         sha256           : 0 1.
         sha384           : 0 1.

 

                   sha512           : 0

NP6_1:

Encryption (encrypted/decrypted)

1.
                   null             : 14976 15357
                   des              : 0 1.
                   3des             : 0 1.
                   aes              : 1664 2047
                   aes-gcm          : 0 1.
                   aria             : 0 1.
                   seed             : 0 1.
chacha20poly1305 : 0

Integrity (generated/validated)

1.
                   null             : 0 1.
                   md5              : 1664 2047
                   sha1             : 14976 15357
                   sha256           : 0 1.
                   sha384           : 0 1.
                   sha512           : 0

NPU Host Offloading:

Encryption (encrypted/decrypted)

1.
                   null             : 3 1.
                   des              : 0 1.
                   3des             : 0 1.
                   aes              : 3 1.
                   aes-gcm          : 0 1.
                   aria             : 0 1.
                   seed             : 0 1.
chacha20poly1305 : 0

Integrity (generated/validated)

1.
                   null             : 0 1.
                   md5              : 3 1.
                   sha1             : 3 1.
                   sha256           : 0 1.
                   sha384           : 0 1.
                   sha512           : 0

CP8:

Encryption (encrypted/decrypted)

1.
                   null             : 1 1.
                   des              : 0 1.
                   3des             : 0 1.
                   aes              : 1 1.
                   aes-gcm          : 0 1.
                   aria             : 0 1.
                   seed             : 0 1.
chacha20poly1305 : 0

Integrity (generated/validated)

1.
                   null             : 0 1.
                   md5              : 1 1.
                   sha1             : 1 1.
                   sha256           : 0 1.
                   sha384           : 0 1.
                   sha512           : 0 1.

SOFTWARE:

Encryption (encrypted/decrypted)  
         null             : 0 1.
         des              : 0 1.
         3des             : 0 1.
         aes              : 0 1.
         aes-gcm          : 29882 29882
         aria             : 21688 21688
         seed             : 153774 153774
chacha20poly1305 : 29521

Integrity (generated/validated)

29521
         null             : 59403 59403
         md5              : 0 1.
         sha1             : 175462 175462
         sha256           : 0 1.
         sha384           : 0 1.
         sha512           : 0 1.
  1. If traffic cannot be offloaded by the NPU, the CP will try to encrypt/decrypt the IPsec packets.

VPN Tunneled Internet Browsing

Tunneled Internet Browsing

This recipe provides an example configuration of tunneled internet browsing using a dialup VPN. To centralize network management and control, all branch office traffic is tunneling to HQ, including Internet browsing.

The following shows the sample network topology for this example:

To configure a dialup VPN to tunnel Internet browsing using the GUI:

  1. Configure the dialup VPN server FortiGate at HQ:
    1. Go to VPN > IPsec Wizard, enter a VPN name (HQ in this example), make the following selections, and then click Next:
      • Site to Site to Template Type l FortiGate to Remote Device Type
      • The remote side is behind NAT to NAT Configuration
    2. Make the following selections, and then click Next:
      • Incoming Interface to port9 l Authentication Method to Pre-Shared Key l Pre-shared Key to sample
    3. Make the following selections, and then click Create:
      • Local Interface to port10 l Local Subnets to 16.101.0 l Remote Subnets to 0.0.0.0/0 l Internet Access to Share Local l Shared WAN to port9
    4. Configure the dialup VPN client FortiGate at a branch:
    5. Go to VPN > IPsec Wizard, enter a VPN name (Branch1 or Branch2 in this example), make the following selections, then click Next:
      • Site to Site to Template Type l FortiGate to Remote Device Type l This side is behind NAT to NAT Configuration
    6. Make the following selections, and then click Next:
      • IP Address to Remote Device, then enter the IP address: 22.1.1.1 l Outgoing Interface to wan1 l Authentication Method to Pre-shared Key l Pre-shared Key to sample
    7. Make the following selections, and then click Create: l Local Interface to internal l Local Subnets to 1.100.0/192.1684.0 l Remote Subnets to 0.0.0.0/0 l Internet Access to Use Remote l Local Gateway to 15.1.1.1/13.1.1.1

To configure a dialup VPN to tunnel Internet browsing using the CLI:

  1. Configure the WAN interface and static route on the FortiGate at HQ:

config system interface edit “port9” set alias “WAN” set ip 22.1.1.1 255.255.255.0

next edit “port10” set alias “Internal” set ip 172.16.101.1 255.255.255.0

next

end

config router static edit 1 set gateway 22.1.1.2 set device “port9”

next

end

  1. Configure IPsec phase1-interface and phase2-interface configuration at HQ:

config vpn ipsec phase1-interface edit “HQ” set type dynamic set interface “port9” set peertype any set net-device enable

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set dpd on-idle set psksecret sample set dpd-retryinterval 60 next

end

config vpn ipsec phase2-interface edit “HQ” set phase1name “HQ”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 next

end

  1. Configure the firewall policy at HQ:

config firewall policy edit 1 set srcintf “HQ” set dstintf “port9” “port10” set srcaddr “10.1.100.0” “192.168.4.0” set dstaddr “all” set action accept set schedule “always” set service “ALL” set nat enable

next

end

  1. Configure the WAN interface and static route on the FortiGate at the branches:
  2. Branch1:

config system interface edit “wan1” set ip 15.1.1.2 255.255.255.0

next edit “internal” set ip 10.1.100.1 255.255.255.0

next

end

config router static edit 1 set gateway 15.1.1.1 set device “wan1”

next

end

  1. Branch2:

config system interface edit “wan1” set ip 13.1.1.2 255.255.255.0

next edit “internal” set ip 192.168.4.1 255.255.255.0

next

end

config router static edit 1 set gateway 13.1.1.1 set device “wan1”

next end

  1. Configure IPsec phase1-interface and phase2-interface configuration at the branches: a. Branch1:

config vpn ipsec phase1-interface edit “branch1” set interface “wan1” set peertype any set net-device enable

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set dpd on-idle set remote-gw 22.1.1.1 set psksecret sample set dpd-retryinterval 5

next

end

config vpn ipsec phase2-interface edit “branch1” set phase1name “branch1”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 set auto-negotiate enable set src-subnet 10.1.100.0 255.255.255.0

next

end

  1. Branch2:

config vpn ipsec phase1-interface edit “branch2” set interface “wan1” set peertype any set net-device enable

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set dpd on-idle set remote-gw 22.1.1.1 set psksecret sample set dpd-retryinterval 5

next

end

config vpn ipsec phase2-interface edit “branch2” set phase1name “branch2”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 set auto-negotiate enable set src-subnet 192.168.4.0 255.255.255.0

next

end

  1. Configure the firewall policy at the branches:
  2. Branch1:

config firewall policy edit 1 set name “outbound” set srcintf “internal” set dstintf “branch1” set srcaddr “all”

set dstaddr “all” set action accept set schedule “always” set service “ALL”

next edit 2

set name “inbound” set srcintf “branch1” set dstintf “internal” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL”

next

end

  1. Branch2:

config firewall policy edit 1

set name “outbound” set srcintf “internal” set dstintf “branch2” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL”

next edit 2

set name “inbound” set srcintf “branch2” set dstintf “internal” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL”

next

end

  1. Configure the static routes at the branches:
  2. Branch1:

config router static

edit 2

set dst 22.1.1.1/32 set gateway 15.1.1.1 set device “wan1” set distance 1

next edit 3

set device “branch1” set distance 5

next end

  1. Branch2:

config router static edit 2 set dst 22.1.1.1/32 set gateway 13.1.1.1 set device “wan1” set distance 1

next edit 3 set device “branch2” set distance 5

next

end

  1. Optionally, view the VPN tunnel list on a branch with the diagnose vpn tunnel list command:

list all ipsec tunnel in vd 0

—-

name=branch1 ver=1 serial=2 15.1.1.2:0->22.1.1.1:0

bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1

proxyid_num=1 child_num=1 refcnt=19 ilast=0 olast=0 ad=r/2 stat: rxp=1 txp=1661 rxb=65470 txb=167314

dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=2986 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=branch1 proto=0 sa=1 ref=5 serial=1 auto-negotiate adr

src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=697/0B replaywin=1024 seqno=13a esn=0 replaywin_lastseq=00000000 itn=0

life: type=01 bytes=0/0 timeout=2368/2400

dec: spi=c53a8f7e esp=aes key=16 ecee0cd48664d903d3d6822b1f902fd2 ah=sha1 key=20 2440a189126c222093ca9acd8b37127285f1f8a7

enc: spi=6e3636fe esp=aes key=16 fdaa20bcc96f74ae9885e824d3efa29d ah=sha1 key=20 70c0891c769ad8007ea1f31a39978ffbc73242d0

dec:pkts/bytes=0/16348, enc:pkts/bytes=313/55962

npu_flag=03 npu_rgwy=22.1.1.1 npu_lgwy=15.1.1.2 npu_selid=1 dec_npuid=1 enc_npuid=1

  1. Optionally, view static routing table on a branch with the get router info routing-table static command:

Routing table for VRF=0

S*     0.0.0.0/0 [5/0] is directly connected, branch1

S*      22.1.1.1/32 [1/0] via 15.1.1.1, wan1

Troubleshooting – IPsec related diagnose command

IPsec related diagnose command

This document provides IPsec related diagnose commands.

  1. Daemon IKE summary information list: diagnose vpn ike status

connection: 2/50

IKE SA: created 2/51 established 2/9 times 0/13/40 ms

IPsec SA: created 1/13 established 1/7 times 0/8/30 ms

  1. IPsec phase1 interface status: diagnose vpn ike gateway list

vd: root/0 name: tofgtc version: 1 interface: port13 42

addr: 173.1.1.1:500 -> 172.16.200.3:500

created: 4313s ago

IKE SA: created 1/1 established 1/1 time 10/10/10 ms

IPsec SA: created 0/0

id/spi: 92 5639f7f8a5dc54c0/809a6c9bbd266a4b direction: initiator

status: established 4313-4313s ago = 10ms proposal: aes128-sha256

key: 74aa3d63d88e10ea-8a1c73b296b06578 lifetime/rekey: 86400/81786

DPD sent/recv: 00000000/00000000

vd: root/0 name: to_HQ version: 1 interface: port13 42

addr: 173.1.1.1:500 -> 11.101.1.1:500 created: 1013s ago assigned IPv4 address: 11.11.11.1/255.255.255.252

IKE SA: created 1/1 established 1/1 time 0/0/0 ms

IPsec SA: created 1/1 established 1/1 time 0/0/0 ms

id/spi: 95 255791bd30c749f4/c2505db65210258b direction: initiator

status: established 1013-1013s ago = 0ms proposal: aes128-sha256

key: bb101b9127ed5844-1582fd614d5a8a33 lifetime/rekey: 86400/85086 DPD sent/recv: 00000000/00000010

  1. IPsec phase2 tunnel status: diagnose vpn tunnel list

list all ipsec tunnel in vd 0

—-

nname=L2tpoIPsec ver=1 serial=6 172.16.200.4:0->0.0.0.0:0

bound_if=4 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/24 options[0018]=npu create_ dev

proxyid_num=0 child_num=0 refcnt=10 ilast=13544 olast=13544 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 run_tally=0 —-

name=to_HQ ver=1 serial=7 173.1.1.1:0->11.101.1.1:0

bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu proxyid_num=1 child_num=0 refcnt=13 ilast=10 olast=1112 ad=/0 stat: rxp=1 txp=4 rxb=152 txb=336

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=5 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=to_HQ proto=0 sa=1 ref=2 serial=1

src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=6 options=10226 type=00 soft=0 mtu=1438 expire=41773/0B replaywin=2048 seqno=5 esn=0 replaywin_lastseq=00000002 itn=0

life: type=01 bytes=0/0 timeout=42900/43200

dec: spi=ca64644a esp=aes key=16 6cc873fdef91337a6cf9b6948972c90f ah=sha1 key=20 e576dbe3ff92605931e5670ad57763c50c7dc73a

enc: spi=747c10c8 esp=aes key=16 5060ad8d0da6824204e3596c0bd762f4 ah=sha1 key=20 52965cbd5b6ad95212fc825929d26c0401948abe

dec:pkts/bytes=1/84, enc:pkts/bytes=4/608

npu_flag=03 npu_rgwy=11.101.1.1 npu_lgwy=173.1.1.1 npu_selid=5 dec_npuid=2 enc_npuid=2

  1. Packets encrypted/decrypted counter: diagnose vpn ipsec status

All ipsec crypto devices in use: NP6_0:

Encryption (encrypted/decrypted)  
         null             : 0 1.
         des              : 0 1.
         3des             : 0 1.
         aes              : 0 1.
         aes-gcm          : 0 1.
         aria             : 0 1.
         seed             : 0 1.
chacha20poly1305 : 0

Integrity (generated/validated)

1.
         null             : 0 1.
         md5              : 0 1.
         sha1             : 0 1.
         sha256           : 0 1.
         sha384           : 0 1.
         sha512           : 0 1.

NP6_1:

Encryption (encrypted/decrypted)  
                   null             : 0 1.
                   des              : 0 1.
                   3des             : 0 1.
                   aes              : 337152 46069
                   aes-gcm          : 0 1.
                   aria             : 0 1.
                   seed             : 0 1.
chacha20poly1305 : 0

Integrity (generated/validated)

1.
                   null             : 0 1.
                   md5              : 0 1.
                   sha1             : 337152 46069
                   sha256           : 0 1.
                   sha384           : 0 1.
                   sha512           : 0

NPU Host Offloading:

Encryption (encrypted/decrypted)

1.
                   null             : 0 1.
                   des              : 0 1.
                   3des             : 0 1.
                   aes              : 38 1.
                   aes-gcm          : 0 1.
                   aria             : 0 1.
                   seed             : 0 1.
chacha20poly1305 : 0

Integrity (generated/validated)

1.
                   null             : 0 1.
                   md5              : 0 1.
                   sha1             : 38 1.
                   sha256           : 0 1.
                   sha384           : 0 1.
                   sha512           : 0

CP8:

Encryption (encrypted/decrypted)

1.
                   null             : 0 1.
                   des              : 0 1.
                   3des             : 1337 1582
                   aes              : 71 11426
                   aes-gcm          : 0 1.
                   aria             : 0 1.
                   seed             : 0 1.
chacha20poly1305 : 0

Integrity (generated/validated)

1.
                   null             : 0 1.
                   md5              : 48 28
                   sha1             : 1360 12980
                   sha256           : 0 1.
                   sha384           : 0 1.
                   sha512           : 0 1.

SOFTWARE:

Encryption (encrypted/decrypted)

         null             : 0 1.
         des              : 0 1.
         3des             : 0 1.
         aes              : 0 1.
         aes-gcm          : 0 1.
         aria             : 0 1.
         seed             : 0 1.
chacha20poly1305 : 0

Integrity (generated/validated)

1.
         null             : 0 1.
         md5              : 0 1.
         sha1             : 0 1.
         sha256           : 0 1.
         sha384           : 0 1.
         sha512           : 0 1.
  1. diagnose debug application ike -1 l diagnose vpn ike log-filter dst-addr4 11.101.1.1 l diagnose vpn ike log-filter src-addr4 173.1.1.1

# ike 0:to_HQ:101: initiator: aggressive mode is sending 1st message… ike 0:to_HQ:101: cookie dff03f1d4820222a/0000000000000000

ike 0:to_HQ:101: sent IKE msg (agg_i1send): 173.1.1.1:500->11.101.1.1:500, len=912, id=dff03f1d4820222a/0000000000000000 ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42…. ike 0: IKEv1 exchange=Aggressive id=dff03f1d4820222a/6c2caf4dcf5bab75 len=624 ike 0:to_HQ:101: initiator: aggressive mode get 1st response… ike 0:to_HQ:101: VID RFC 3947 4A131C81070358455C5728F20E95452F ike 0:to_HQ:101: VID DPD AFCAD71368A1F1C96B8696FC77570100 ike 0:to_HQ:101: DPD negotiated

ike 0:to_HQ:101: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712 ike 0:to_HQ:101: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0204 ike 0:to_HQ:101: peer supports UNITY

ike 0:to_HQ:101: VID FORTIGATE 8299031757A36082C6A621DE00000000 ike 0:to_HQ:101: peer is [[QualityAssurance62/FortiGate]]/FortiOS (v0 b0) ike 0:to_HQ:101: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3 ike 0:to_HQ:101: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000 ike 0:to_HQ:101: peer identifier IPV4_ADDR 11.101.1.1 ike 0:to_HQ:101: negotiation result ike 0:to_HQ:101: proposal id = 1: ike 0:to_HQ:101: protocol id = ISAKMP: ike 0:to_HQ:101: trans_id = KEY_IKE. ike 0:to_HQ:101: encapsulation = IKE/none ike 0:to_HQ:101:      type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128 ike 0:to_HQ:101:      type=OAKLEY_HASH_ALG, val=SHA2_256.

ike 0:to_HQ:101:    type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I. ike 0:to_HQ:101: type=OAKLEY_GROUP, val=MODP2048.

ike 0:to_HQ:101: ISAKMP SA lifetime=86400 ike 0:to_HQ:101: received NAT-D payload type 20 ike 0:to_HQ:101: received NAT-D payload type 20 ike 0:to_HQ:101: selected NAT-T version: RFC 3947 ike 0:to_HQ:101: NAT not detected

ike 0:to_HQ:101: ISAKMP SA dff03f1d4820222a/6c2caf4dcf5bab75 key

16:D81CAE6B2500435BFF195491E80148F3 ike 0:to_HQ:101: PSK authentication succeeded ike 0:to_HQ:101: authentication OK

ike 0:to_HQ:101: add INITIAL-CONTACT

ike 0:to_HQ:101: sent IKE msg (agg_i2send): 173.1.1.1:500->11.101.1.1:500, len=172, id=dff03f1d4820222a/6c2caf4dcf5bab75 ike 0:to_HQ:101: established IKE SA dff03f1d4820222a/6c2caf4dcf5bab75 ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42…. ike 0: IKEv1 exchange=Mode config id=dff03f1d4820222a/6c2caf4dcf5bab75:97d88fb4 len=92 ike 0:to_HQ:101: mode-cfg type 16521 request 0: ike 0:to_HQ:101: mode-cfg type 16522 request 0: ike 0:to_HQ:101: sent IKE msg (cfg_send): 173.1.1.1:500->11.101.1.1:500, len=108, id=dff03f1d4820222a/6c2caf4dcf5bab75:97d88fb4 ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42…. ike 0: IKEv1 exchange=Mode config id=dff03f1d4820222a/6c2caf4dcf5bab75:3724f295 len=92 ike 0:to_HQ:101: sent IKE msg (cfg_send): 173.1.1.1:500->11.101.1.1:500, len=92, id=dff03f1d4820222a/6c2caf4dcf5bab75:3724f295 ike 0:to_HQ:101: initiating mode-cfg pull from peer ike 0:to_HQ:101: mode-cfg request APPLICATION_VERSION ike 0:to_HQ:101: mode-cfg request INTERNAL_IP4_ADDRESS ike 0:to_HQ:101: mode-cfg request INTERNAL_IP4_NETMASK ike 0:to_HQ:101: mode-cfg request UNITY_SPLIT_INCLUDE ike 0:to_HQ:101: mode-cfg request UNITY_PFS

ike 0:to_HQ:101: sent IKE msg (cfg_send): 173.1.1.1:500->11.101.1.1:500, len=140, id=dff03f1d4820222a/6c2caf4dcf5bab75:3bca961f ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42…. ike 0: IKEv1 exchange=Mode config id=dff03f1d4820222a/6c2caf4dcf5bab75:3bca961f len=172 ike 0:to_HQ:101: mode-cfg type 1 response 4:0B0B0B01 ike 0:to_HQ:101: mode-cfg received INTERNAL_IP4_ADDRESS 11.11.11.1 ike 0:to_HQ:101: mode-cfg type 2 response 4:FFFFFFFC

ike 0:to_HQ:101: mode-cfg received INTERNAL_IP4_NETMASK 255.255.255.252 ike 0:to_HQ:101: mode-cfg received UNITY_PFS 1 ike 0:to_HQ:101: mode-cfg type 28676 response

28:0A016400FFFFFF000000000000000A016500FFFFFF00000000000000

ike 0:to_HQ:101: mode-cfg received UNITY_SPLIT_INCLUDE 0 10.1.100.0/255.255.255.0:0 local port 0

ike 0:to_HQ:101: mode-cfg received UNITY_SPLIT_INCLUDE 0 10.1.101.0/255.255.255.0:0 local port 0

ike 0:to_HQ:101: mode-cfg received APPLICATION_VERSION ‘FortiGate-100D v6.0.3,build0200,181009 (GA)’

ike 0:to_HQ: mode-cfg add 11.11.11.1/255.255.255.252 to ‘to_HQ’/58 ike 0:to_HQ: set oper up ike 0:to_HQ: schedule auto-negotiate ike 0:to_HQ:101: no pending Quick-Mode negotiations

ike shrank heap by 159744 bytes

ike 0:to_HQ:to_HQ: IPsec SA connect 42 173.1.1.1->11.101.1.1:0 ike 0:to_HQ:to_HQ: using existing connection

# ike 0:to_HQ:to_HQ: config found

ike 0:to_HQ:to_HQ: IPsec SA connect 42 173.1.1.1->11.101.1.1:500 negotiating ike 0:to_HQ:101: cookie dff03f1d4820222a/6c2caf4dcf5bab75:32f4cc01 ike 0:to_HQ:101:to_HQ:259: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0-

>0:0.0.0.0/0.0.0.0:0:0

ike 0:to_HQ:101: sent IKE msg (quick_i1send): 173.1.1.1:500->11.101.1.1:500, len=620, id=dff03f1d4820222a/6c2caf4dcf5bab75:32f4cc01 ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42…. ike 0: IKEv1 exchange=Quick id=dff03f1d4820222a/6c2caf4dcf5bab75:32f4cc01 len=444 ike 0:to_HQ:101:to_HQ:259: responder selectors 0:0.0.0.0/0.0.0.0:0->0:0.0.0.0/0.0.0.0:0 ike 0:to_HQ:101:to_HQ:259: my proposal: ike 0:to_HQ:101:to_HQ:259: proposal id = 1:

ike 0:to_HQ:101:to_HQ:259: protocol id = IPSEC_ESP:
ike 0:to_HQ:101:to_HQ:259: PFS DH group = 14
ike 0:to_HQ:101:to_HQ:259: trans_id = ESP_AES_CBC (key_len = 128)
ike 0:to_HQ:101:to_HQ:259: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259: type = AUTH_ALG, val=SHA1
ike 0:to_HQ:101:to_HQ:259: trans_id = ESP_AES_CBC (key_len = 256)
ike 0:to_HQ:101:to_HQ:259: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259: type = AUTH_ALG, val=SHA1
ike 0:to_HQ:101:to_HQ:259: trans_id = ESP_AES_CBC (key_len = 128)
ike 0:to_HQ:101:to_HQ:259: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259: type = AUTH_ALG, val=SHA2_256
ike 0:to_HQ:101:to_HQ:259: trans_id = ESP_AES_CBC (key_len = 256)
ike 0:to_HQ:101:to_HQ:259: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259: type = AUTH_ALG, val=SHA2_256
ike 0:to_HQ:101:to_HQ:259: trans_id = ESP_AES_GCM_16 (key_len = 128)
ike 0:to_HQ:101:to_HQ:259: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259: type = AUTH_ALG, val=NULL
ike 0:to_HQ:101:to_HQ:259: trans_id = ESP_AES_GCM_16 (key_len = 256)
ike 0:to_HQ:101:to_HQ:259: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259: type = AUTH_ALG, val=NULL
ike 0:to_HQ:101:to_HQ:259: trans_id = ESP_CHACHA20_POLY1305 (key_len = 256)
ike 0:to_HQ:101:to_HQ:259: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259: type = AUTH_ALG, val=NULL
ike 0:to_HQ:101:to_HQ:259: incoming proposal: ike 0:to_HQ:101:to_HQ:259: proposal id = 1: ike 0:to_HQ:101:to_HQ:259: protocol id = IPSEC_ESP: ike 0:to_HQ:101:to_HQ:259: PFS DH group = 14 ike 0:to_HQ:101:to_HQ:259: trans_id = ESP_AES_CBC (key_len = 128) ike 0:to_HQ:101:to_HQ:259:     encapsulation = ENCAPSULATION_MODE_TUNNEL

ike 0:to_HQ:101:to_HQ:259:        type = AUTH_ALG, val=SHA1

ike 0:to_HQ: schedule auto-negotiate ike 0:to_HQ:101:to_HQ:259: replay protection enabled ike 0:to_HQ:101:to_HQ:259: SA life soft seconds=42902. ike 0:to_HQ:101:to_HQ:259: SA life hard seconds=43200. ike 0:to_HQ:101:to_HQ:259: IPsec SA selectors #src=1 #dst=1 ike 0:to_HQ:101:to_HQ:259: src 0 4 0:0.0.0.0/0.0.0.0:0 ike 0:to_HQ:101:to_HQ:259: dst 0 4 0:0.0.0.0/0.0.0.0:0 ike 0:to_HQ:101:to_HQ:259: add IPsec SA: SPIs=ca64644b/747c10c9 ike 0:to_HQ:101:to_HQ:259: IPsec SA dec spi ca64644b key

16:D5C60F1A3951B288CE4DEC7E04D2119D auth 20:F872A7A26964208A9AA368A31AEFA3DB3F3780BC ike 0:to_HQ:101:to_HQ:259: IPsec SA enc spi 747c10c9 key

16:97952E1594F718128D9D7B09400856EA auth 20:4D5E5BC45A9D5A9A4631E911932F5650A4639A37 ike 0:to_HQ:101:to_HQ:259: added IPsec SA: SPIs=ca64644b/747c10c9 ike 0:to_HQ:101:to_HQ:259: sending SNMP tunnel UP trap

ike 0:to_HQ:101: sent IKE msg (quick_i2send): 173.1.1.1:500->11.101.1.1:500, len=76, id=dff03f1d4820222a/6c2caf4dcf5bab75:32f4cc01

Troubleshooting – Understanding VPN related logs

Understanding VPN related logs

This document provides some IPsec log samples:

IPsec phase1 negotiating

logid=”0101037127″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544132571 logdesc=”Progress IPsec phase 1″ msg=”progress IPsec phase 1″ action=”negotiate” remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf=”port13″ cook-

ies=”e41eeecb2c92b337/0000000000000000″ user=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=N/A vpntunnel=”to_HQ” status=”success” init=”local” mode=”aggressive” dir=”outbound” stage=1 role=”initiator” result=”OK” IPsec phase1 negotiated

logid=”0101037127″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544132571 logdesc=”Progress IPsec phase 1″ msg=”progress IPsec phase 1″ action=”negotiate” remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf=”port13″ cook-

ies=”e41eeecb2c92b337/1230131a28eb4e73″ user=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=N/A vpntunnel=”to_HQ” status=”success” init=”local” mode=”aggressive” dir=”outbound” stage=2 role=”initiator” result=”DONE”

 

IPsec phase1 tunnel up

logid=”0101037138″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544132604 logdesc=”IPsec connection status changed” msg=”IPsec connection status change” action=”tunnelup” remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf=”port13″ cookies=”5b1c59fab2029e43/bf517e686d3943d2″ user=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=11.11.11.1 vpntunnel=”to_HQ” tunnelip=N/A tunnelid=1530910918 tunneltype=”ipsec” duration=0 sentbyte=0 rcvdbyte=0 nextstat=0 IPsec phase2 negotiate

logid=”0101037129″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544132604 logdesc=”Progress IPsec phase 2″ msg=”progress IPsec phase 2″ action=”negotiate” remip=11.101.1.1

locip=173.1.1.1 remport=500 locport=500 outintf=”port13″ cookies=”5b1c59fab2029e43/bf517e686d3943d2″ user=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=11.11.11.1 vpntunnel=”to_HQ” status=”success” init=”local” mode=”quick” dir=”outbound” stage=1 role=”initiator” result=”OK” IPsec phase2 tunnel up

logid=”0101037139″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544132604 logdesc=”IPsec phase 2 status changed” msg=”IPsec phase 2 status change” action=”phase2-up” remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf=”port13″ cookies=”5b1c59fab2029e43/bf517e686d3943d2″ user=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=11.11.11.1 vpntunnel=”to_HQ”

phase2_name=”to_HQ” IPsec phase2 sa install

logid=”0101037133″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544132604 logdesc=”IPsec SA installed” msg=”install IPsec SA” action=”install_sa” remip=11.101.1.1 locipp=173.1.1.1 remport=500 locport=500 outintf=”port13″ cookies=”5b1c59fab2029e43/bf517e686d3943d2″ userr=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=11.11.11.1 vpntunnel=”to_HQ” role=”initiator” in_spi=”ca646448″ out_spi=”747c10c6″ IPsec tunnel statistics

logid=”0101037141″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544131118 logdesc=”IPsec tunnel statistics” msg=”IPsec tunnel statistics” action=”tunnel-stats” remip=10.1.100.15 locip=172.16.200.4 remport=500 locport=500 outintf=”mgmt1″ cookies=”3539884dbd8f3567/c32e4c1beca91b36″ user=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=N/A vpntunnel=”L2tpoIPsec_ 0″ tunnelip=10.1.100.15 tunnelid=1530910802 tunneltype=”ipsec” duration=6231 sentbyte=57343 rcvdbyte=142640 nextstat=60 IPsec phase2 tunnel down

logid=”0101037138″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544132571 logdesc=”IPsec connection status changed” msg=”IPsec connection status change” action=”tunneldown” remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf=”port13″ cookies=”30820aa390687e39/886e72bf5461fb8d” user=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=11.11.11.1 vpntunnel=”to_HQ” tunnelip=N/A tunnelid=1530910786 tunneltype=”ipsec” duration=6425 sentbyte=504 rcvdbyte=152 nextstat=0 IPsec phase1 sa deleted

logid=”0101037134″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544132571 logdesc=”IPsec phase 1 SA deleted” msg=”delete IPsec phase 1 SA” action=”delete_phase1_sa” remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf=”port13″ cookies=”30820aa390687e39/886e72bf5461fb8d” user=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=11.11.11.1 vpntunnel=”to_HQ”

IPsec VPN authenticating a remote FortiGate peer with a certificate

IPsec VPN authenticating a remote FortiGate peer with a certificate

This recipe provides sample configuration of IPsec VPN authenticating a remote FortiGate peer with a certificate. The certificate on one peer is validated by the presence of the CA certificate installed on the other peer.

The following shows the sample network topology for this recipe:

You can configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key using the FortiOSGUI or CLI.

To configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key on the FortiOS GUI:

  1. Import the certificate. 2. Configure user peers.
  2. Configure the HQ1 FortiGate:
  3. In FortiOS, go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
    1. Enter a proper VPN name.
    2. For Template Type, choose Site to Site. For Remote Device Type, select FortiGate. iv. For NAT Configuration, select No NAT Between Sites.
    3. Click Next.
  4. Configure the following settings for Authentication:
    1. For Remote Device, select IP Address. For the IP address, enter 172.16.202.1. iii. For Outgoing interface, enter port1.
  5. For Authentication Method, select Signature.
  6. In the Certificate name field, select the imported certificate.
  7. From the PeerCertificate CA dropdown list, select the desired peer CA certificate.
  • Click Next.
  1. Configure the following settings for Policy & Routing:
  2. From the Local Interface dropdown menu, select the proper local interface.
  3. Configure the Local Subnets as 1.100.0. iii. Configure the Remote Subnets as 172.16.101.0.
  4. Click Create.
  5. Configure the HQ2 FortiGate:
  6. In FortiOS, go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
    1. Enter a proper VPN name.
    2. For Template Type, choose Site to Site. For Remote Device Type, select FortiGate. iv. For NAT Configuration, select No NAT Between Sites.
    3. Click Next.
  7. Configure the following settings for Authentication:
    1. For Remote Device, select IP Address. For the IP address, enter 172.16.2001. iii. For Outgoing interface, enter port25.
    2. For Authentication Method, select Signature.
    3. In the Certificate name field, select the imported certificate.
    4. From the PeerCertificate CA dropdown list, select the desired peer CA certificate.
  • Click Next.
  1. Configure the following settings for Policy & Routing:
    1. From the Local Interface dropdown menu, select the proper local interface.
    2. Configure Local Subnets as 16.101.0. iii. Configure the Remote Subnets as 10.1.100.0. iv. Click Create.

To configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key using the FortiOS CLI:

  1. Configure the WAN interface and default route. The WAN interface is the interface connected to the ISP. The IPsec tunnel is established over the WAN interface: a. Configure HQ1:

config system interface edit “port1” set vdom “root”

set ip 172.16.200.1 255.255.255.0

next

end

config router static edit 1

 

gateway 172.16.200.3 device “port1”

next

end

  1. Configure HQ2:

config system interface edit “port25” set vdom “root”

set ip 172.16.202.1 255.255.255.0

next

end

config router static edit 1 set gateway 172.16.202.2 set device “port25”

next

end

  1. Configure the internal (protected subnet) interface. The internal interface connects to the corporate internal network. Traffic from this interface routes out the IPsec VPN tunnel: Configure HQ1:

config system interface edit “dmz” set vdom “root”

set ip 10.1.100.1 255.255.255.0

next

end

  1. Configure HQ2:

config system interface edit “port9” set vdom “root”

set ip 172.16.101.1 255.255.255.0

next

end

  1. Configure the import certificate and its CA certificate information. The certificate and its CA certificate must be imported on the remote peer FortiGate and on the primary FortiGate before configuring IPsec VPN tunnels. If the built-in Fortinet_Factory certificate and the Fortinet_CA CA certificate are used for authentication, you can skip this step:
  2. Configure HQ1:

config vpn certificate local edit “test1” …

set range global

next

end

config vpn certificate ca edit “CA_Cert_1” …

set range global

next end

  1. Configure HQ2:

config vpn certificate local edit “test2” …

set range global

next

end

config vpn certificate ca edit “CA_Cert_1” …

set range global

next

end

  1. Configure the peer user. The peer user is used in the IPsec VPN tunnel peer setting to authenticate the remote peer FortiGate.
    1. If not using the built-in Fortinet_Factory certificate and Fortinet_CA CA certificate, do the following: Configure HQ1:

config user peer edit “peer1” set ca “CA_Cert_1”

next

end

  1. Configure HQ2:

config user peer edit “peer2” set ca “CA_Cert_1”

next

end

  1. If the built-in Fortinet_Factory certificate and Fortinet_CA CA certificate are used for authentication, the peer user must be configured based on Fortinet_CA:
    1. Configure HQ1:

config user peer edit “peer1” set ca “Fortinet_CA”

next

end

  1. Configure HQ2:

config user peer edit “peer2” set ca “Fortinet_CA”

next

end

  1. Configure the IPsec phase1-interface:
    1. Configure HQ1:

config vpn ipsec phase1-interface edit “to_HQ2” set interface “port1” set authmethod signature net-device enable

proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1

set remote-gw 172.16.202.1 set certificate “test1” set peer “peer1”

next

end

  1. Configure HQ2:

config vpn ipsec phase1-interface edit “to_HQ1” set interface “port25” set authmethod signature set net-device enable

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set remote-gw 172.16.200.1 set certificate “test2” set peer “peer2”

next

end

  1. Configure the IPsec phase2-interface:
    1. Configure HQ1:

config vpn ipsec phase2-interface edit “to_HQ2” set phase1name “to_HQ2”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 set auto-negotiate enable

next

end

  1. Configure HQ2:

config vpn ipsec phase2-interface edit “to_HQ2” set phase1name “to_HQ1”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 set auto-negotiate enable

next

end

  1. Configure the static routes. Two static routes are added to reach the remote protected subnet. The blackhole route is important to ensure that IPsec traffic does not match the default route when the IPsec tunnel is down: Configure HQ1:

config router static edit 2 set dst 172.16.101.0 255.255.255.0 set device “to_HQ2”

next edit 3 set dst 172.16.101.0 255.255.255.0 set blackhole enable set distance 254

next

end

  1. Configure HQ2:

config router static edit 2 set dst 10.1.100.0 255.255.255.0 set device “to_HQ1”

next edit 3 set dst 10.1.100.0 255.255.255.0 set blackhole enable set distance 254

next

end

  1. Configure two firewall policies to allow bidirectional IPsec traffic flow over the IPsec VPN tunnel:
  2. Configure HQ1:

config firewall policy edit 1 set name “inbound” set srcintf “to_HQ2” set dstintf “dmz” set srcaddr “172.16.101.0” set dstaddr “10.1.100.0” set action accept set schedule “always” set service “ALL”

next edit 2 set name “outbound” set srcintf “dmz” set dstintf “to_HQ2” set srcaddr “10.1.100.0” set dstaddr “172.16.101.0” set action accept set schedule “always” set service “ALL”

next

end

  1. Configure HQ2:

config firewall policy edit 1 set name “inbound” set srcintf “to_HQ1” set dstintf “port9” set srcaddr “10.1.1.00.0” set dstaddr “172.16.101.0” set action accept set schedule “always” set service “ALL”

next edit 2 set name “outbound” srcintf “port9” dstintf “to_HQ1”

set srcaddr “172.16.101.0” set dstaddr “10.1.100.0” set action accept set schedule “always” set service “ALL”

next

end

  1. Run diagnose commands. The diagnose debug application ike -1 command is the key to figure out why the IPsec tunnel failed to establish. If the remote FortiGate certificate cannot be validated, the following error shows up in the debug output:

ike 0: to_HQ2:15314: certificate validation failed

The following commands are useful to check IPsec phase1/phase2 interface status.

  1. Run the diagnose vpn ike gateway list command on HQ1. The system should return the following:

vd: root/0 name: to_HQ2 version: 1 interface: port1 11 addr: 172.16.200.1:500 -> 172.16.202.1:500 created: 7s ago peer-id: C = CA, ST = BC, L = Burnaby, O = Fortinet, OU = QA, CN = test2

peer-id-auth: yes

IKE SA: created 1/1 established 1/1 time 70/70/70 ms IPsec SA: created 1/1 established 1/1 time 80/80/80 ms

id/spi: 15326 295be407fbddfc13/7a5a52afa56adf14 direction: initiator status: established 7-7s ago = 70ms proposal: aes128-sha256 key: 4aa06dbee359a4c7-

43570710864bcf7b lifetime/rekey: 86400/86092 DPD sent/recv: 00000000/00000000 peer-id: C = CA, ST = BC, L = Burnaby, O = Fortinet, OU = QA, CN = test2

  1. Run the diagnose vpn tunnel list command on HQ1. The system should return the following:

list all ipsec tunnel in vd 0 name=to_HQ2 ver=1 serial=1 172.16.200.1:0->172.16.202.1:0

bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_ dev frag-rfcaccept_traffic=1 proxyid_num=1 child_num=0 refcnt=14 ilast=19 olast=179 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=vpn-f proto=0 sa=1 ref=2 serial=1 auto-negotiate src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=42717/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0

life: type=01 bytes=0/0 timeout=42897/43200 dec: spi=72e87de7 esp=aes key=16 8b2b93e0c149d6f22b1c0b96ea450e6c

ah=sha1 key=20 facc655e5f33beb7c2b12e718a6d55413ce3efa2 enc: spi=5c52c865 esp=aes key=16 8d0c4e4adbf2338beed569b2b3205ece

ah=sha1 key=20 553331628612480ab6d7d563a00e2a967ebabcdd dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

IPsec VPN authenticating a remote FortiGate peer with a pre-shared key

IPsec VPN authenticating a remote FortiGate peer with a pre-shared key

This recipe provides sample configuration of IPsec VPN authenticating a remote FortiGate peer with a pre-shared key.

The following shows the sample network topology for this recipe:

You can configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key using the FortiOSGUI or CLI.

To configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key on the FortiOS GUI:

  1. Configure the HQ1 FortiGate:
  2. In FortiOS, go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
    1. Enter a proper VPN name.
    2. For Template Type, choose Site to Site. For Remote Device Type, select FortiGate. iv. For NAT Configuration, select No NAT Between Sites.
    3. Click Next.
  3. Configure the following settings for Authentication:
    1. For Remote Device, select IP Address. For the IP address, enter 172.16.202.1. iii. For Outgoing interface, enter port1. iv. For Authentication Method, select Pre-shared Key.
  4. In the Pre-shared Key field, enter sample as the key.
  5. Click Next.
  6. Configure the following settings for Policy & Routing:
  7. From the Local Interface dropdown menu, select the proper local interface.
  8. Configure the Local Subnets as 1.100.0. iii. Configure the Remote Subnets as 172.16.101.0.
  9. Click Create.
  10. Configure the HQ2 FortiGate:
  11. In FortiOS, go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
    1. Enter a proper VPN name.
    2. For Template Type, choose Site to Site. For Remote Device Type, select FortiGate. iv. For NAT Configuration, select No NAT Between Sites.
    3. Click Next.
  12. Configure the following settings for Authentication:
    1. For Remote Device, select IP Address. For the IP address, enter 172.16.2001. iii. For Outgoing interface, enter port25.
    2. For Authentication Method, select Pre-shared Key.
    3. In the Pre-shared Key field, enter sample as the key.
    4. Click Next.
  13. Configure the following settings for Policy & Routing:
    1. From the Local Interface dropdown menu, select the proper local interface.
    2. Configure Local Subnets as 16.101.0. iii. Configure the Remote Subnets as 10.1.100.0. iv. Click Create.

To configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key using the FortiOS CLI:

  1. Configure the WAN interface and default route. The WAN interface is the interface connected to the ISP. The IPsec tunnel is established over the WAN interface: a. Configure HQ1:

config system interface edit “port1” set vdom “root”

set ip 172.16.200.1 255.255.255.0

next

end

config router static edit 1 set gateway 172.16.200.3 set device “port1”

next end

  1. Configure HQ2:

config system interface edit “port25” set vdom “root”

set ip 172.16.202.1 255.255.255.0

next

end

config router static edit 1 set gateway 172.16.202.2 set device “port25”

next

end

  1. Configure the internal (protected subnet) interface. The internal interface connects to the corporate internal network. Traffic from this interface routes out the IPsec VPN tunnel: Configure HQ1:

config system interface edit “dmz” set vdom “root”

set ip 10.1.100.1 255.255.255.0

next

end

  1. Configure HQ2:

config system interface edit “port9” set vdom “root”

set ip 172.16.101.1 255.255.255.0

next

end

  1. Configure the IPsec phase1-interface:
    1. Configure HQ1:

config vpn ipsec phase1-interface edit “to_HQ2” set interface “port1” set peertype any set net-device enable

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set remote-gw 172.16.202.1 set psksecret sample

next

end

  1. Configure HQ2:

config vpn ipsec phase1-interface edit “to_HQ1” set interface “port25” set peertype any set net-device enable

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set remote-gw 172.16.200.1 set psksecret sample

next

end

  1. Configure the IPsec phase2-interface:
    1. Configure HQ1:

config vpn ipsec phase2-interface edit “to_HQ2” set phase1name “to_HQ2”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 set auto-negotiate enable

next

end

  1. Configure HQ2:

config vpn ipsec phase2-interface edit “to_HQ2” set phase1name “to_HQ1”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 set auto-negotiate enable

next

end

  1. Configure the static routes. Two static routes are added to reach the remote protected subnet. The blackhole route is important to ensure that IPsec traffic does not match the default route when the IPsec tunnel is down: Configure HQ1:

config router static edit 2 set dst 172.16.101.0 255.255.255.0 set device “to_HQ2”

next edit 3 set dst 172.16.101.0 255.255.255.0 set blackhole enable set distance 254

next

end

  1. Configure HQ2:

config router static edit 2 set dst 10.1.100.0 255.255.255.0 set device “to_HQ1”

next edit 3 set dst 10.1.100.0 255.255.255.0 set blackhole enable set distance 254

next

end

  1. Configure two firewall policies to allow bidirectional IPsec traffic flow over the IPsec VPN tunnel: a. Configure HQ1:

config firewall policy edit 1 set name “inbound” set srcintf “to_HQ2” set dstintf “dmz” set srcaddr “172.16.101.0” set dstaddr “10.1.100.0” set action accept set schedule “always” set service “ALL”

next edit 2 set name “outbound” set srcintf “dmz” set dstintf “to_HQ2” set srcaddr “10.1.100.0” set dstaddr “172.16.101.0” set action accept set schedule “always” set service “ALL”

next

end

  1. Configure HQ2:

config firewall policy edit 1 set name “inbound” set srcintf “to_HQ1” set dstintf “port9” set srcaddr “10.1.1.00.0” set dstaddr “172.16.101.0” set action accept set schedule “always” set service “ALL”

next edit 2 set name “outbound” set srcintf “port9” set dstintf “to_HQ1” set srcaddr “172.16.101.0” set dstaddr “10.1.100.0” set action accept set schedule “always” set service “ALL”

next

end

  1. Run diagnose commands. The diagnose debug application ike -1 command is the key to figure out why the IPsec tunnel failed to establish. If the PSK failed to match, the following error shows up in the debug output:

ike 0:to_HQ2:15037: parse error ike 0:to_HQ2:15037: probable pre-shared secret mismatch’

The following commands are useful to check IPsec phase1/phase2 interface status.

  1. Run the diagnose vpn ike gateway list command on HQ1. The system should return the following:

vd: root/0 name: to_HQ2 version: 1 interface: port1 11 addr: 172.16.200.1:500 -> 172.16.202.1:500 created: 5s ago

IKE SA: created 1/1 established 1/1 time 0/0/0 ms IPsec SA: created 2/2 established 2/2 time 0/0/0 ms id/spi: 12 6e8d0532e7fe8d84/3694ac323138a024 direction: responder status: established 5-5s ago = 0ms proposal: aes128-sha256 key: b3efb46d0d385aff-7bb9ee241362ee8d lifetime/rekey: 86400/86124

DPD sent/recv: 00000000/00000000

  1. Run the diagnose vpn tunnel list command on HQ1. The system should return the following:

list all ipsec tunnel in vd 0 name=to_HQ2 ver=1 serial=1 172.16.200.1:0->172.16.202.1:0

bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_ dev frag-rfcaccept_traffic=1 proxyid_num=1 child_num=0 refcnt=11 ilast=7 olast=87 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0 dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=to_HQ2 proto=0 sa=1 ref=2 serial=1 auto-negotiate src: 0:0.0.0.0/0.0.0.0:0

dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=42927/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 life: type=01 bytes=0/0 timeout=42930/43200 dec: spi=ef9ca700 esp=aes key=16 a2c6584bf654d4f956497b3436f1cfc7 ah=sha1 key=20 82c5e734bce81e6f18418328e2a11aeb7baa021b enc: spi=791e898e esp=aes key=16 0dbb4588ba2665c6962491e85a4a8d5a ah=sha1 key=20 2054b318d2568a8b12119120f20ecac97ab730b3 dec:pkts/bytes=0/0, enc:pkts/bytes=0/0