Troubleshooting GRE over IPsec
This section describes some checks and tools you can use to resolve issues with the GRE-over-IPsec VPN.
Here is a list of common problems and what to verify.
|Problem||What to check|
|No communication with remote
Use the FortiGate VPN Monitor page to see whether the IPsec tunnel is up or can be brought up.
|IPsec tunnel does not come up.||Check the logs to determine whether the failure is in Phase 1 or Phase 2.
Check that the encryption and authentication settings match those on the Cisco device.
Check the encapsulation setting: tunnel-mode or transport-mode. Both devices must use the same mode.
|Tunnel connects, but there is no
|Check the security policies. See Troubleshooting GRE over IPsec.
Check routing. See Troubleshooting GRE over IPsec.
Setting up logging
Configuring FortiGate logging for IPsec
- Go to Log & Report > Log Settings.
- Select the Event Logging.
- Select VPN activity event.
- Select Apply.
Viewing FortiGate logs
- Go to Log & Report > VPN Events.
- Select the log storage type.
- Select Refresh to view any logged events.
GRE tunnel keepalives
In the event that each GRE tunnel endpoint has keepalive enabled, firewall policies allowing GRE are required in both directions. The policy should be configured as follows (where the IP addresses and interface names are for example purposes only):
config firewall policy
edit < id >
set srcintf "gre"
set dstintf "port1"
set srcaddr "126.96.36.199"
set dstaddr "188.8.131.52"
set action accept
set schedule "always"
set service "GRE"
Cisco compatible keep-alive support for GRE
The FortiGate can send a GRE keepalive response to a Cisco device to detect a GRE tunnel. If it fails, it will remove any routes over the GRE interface.
Configuring keepalive query - CLI:
config system gre-tunnel
set keepalive-interval <value: 0-32767>
set keepalive-failtimes <value: 1-255>
GRE tunnel with multicast traffic
If you want multicast traffic to traverse the GRE tunnel, you need to configure a multicast policy as well as enable multicast forwarding.
- To configure a multicast policy, use the
config firewall multicast-policycommand.
- To enable multicast forwarding, use the following commands:
config system settings
set multicast-forward enable
Using diagnostic commands
There are some diagnostic commands that can provide useful information. When using diagnostic commands, it is best practice that you connect to the CLI using a terminal program, such as puTTY, that allows you to save output to a file. This will allow you to review the data later on at your own speed without worry about missed data as the diag output scrolls by.
Using the packet sniffer - CLI:
- Enter the following CLI command:
diag sniff packet any icmp 4
- Ping an address on the network behind the FortiGate unit from the network behind the Cisco router.
The output will show packets coming in from the GRE interface going out of the interface that connects to the protected network (LAN) and vice versa. For example:
114.124303 gre1 in 10.0.1.2 -> 10.11.101.10: icmp: echo request
114.124367 port2 out 10.0.1.2 -> 10.11.101.10: icmp: echo request
114.124466 port2 in 10.11.101.10 -> 10.0.1.2: icmp: echo reply
114.124476 gre1 out 10.11.101.10 -> 10.0.1.2: icmp: echo reply
CTRL-Cto stop the sniffer.
Viewing debug output for IKE - CLI:
- Enter the following CLI commands
diagnose debug application ike -1
diagnose debug enable
- Attempt to use the VPN or set up the VPN tunnel and note the debug output.
- Enter CTRL-C to stop the debug output.
- Enter the following command to reset debug settings to default:
diagnose debug reset