Chapter 10 IPsec VPN: Monitoring and troubleshooting: Testing VPN connections
Troubleshooting VPN connections
If you have determined through “Testing VPN connections” that your VPN connection is not working properly, the next step is to verify that you have a Phase 2 connection.
If traffic is not passing through the FortiGate unit as you expect, ensure the traffic does not contain IPcomp packets (IP protocol 108, RFC 3173). FortiGate units do not allow IPcomp packets because they compress the packet payload, which prevents it from being scanned.
Testing Phase 1 and 2 connections is a bit more difficult than testing the working VPN. This is because they require diagnose CLI commands. These commands are typically used by Fortinet customer support to discover more information about your FortiGate unit and its current configuration.
Before you begin troubleshooting, you must:
Configure FortiGate units on both ends for interface VPN
Record the information in your VPN Phase 1 and Phase 2 configurations. For the example here, the remote IP address is 10.11.101.10 and the phases are named Phase 1 and Phase 2.
Install a telnet or SSH client, such as PuTTY, that allows logging of output.
Ensure that the admin interface supports your chosen connection protocol so you can connect to your FortiGate unit admin interface.
For this example, default values were used unless stated otherwise.
To get diagnose information for the VPN connection - CLI
1. Log into the CLI as admin with the output being logged to a file.
2. Stop any diagnose debug sessions that are currently running with the CLI command
diagnose debug disable
3. Clear any existing log-filters by running
diagnose vpn ike log-filter clear
4. Set the log-filter to the IP address of the remote computer (10.11.101.10). This filters out all VPN connections except ones to the IP address we are concerned with. The command is
diagnose vpn ike log-filter dst-addr4 10.11.101.10
5. Set up the commands to output the VPN handshaking. The commands are:
diagnose debug app ike 255
diagnose debug enable
6. Have the remote FortiGate initiate the VPN connection in the web-based manager by going to VPN > Monitor and selecting Bring up.
This makes the remote FortiGate the initiator and the local FortiGate becomes the responder. Establishing the connection in this manner means the local FortiGate will have its configuration information as well as the information the remote computer sends. Having both sets of information locally makes it easier to troubleshoot your VPN connection.
7. Watch the screen for output, and after roughly 15 seconds enter the following CLI command to stop the output.
diagnose debug disable
8. If needed, save the log file of this output to a file on your local computer. Saving the output to a file can make it easier to search for a particular phrase, and is useful for comparisons.
To troubleshoot a phase1 VPN connection
Using the output from “To get diagnose information for the VPN connection - CLI”, search for the word proposal in the output. It may occur once, indicating a successful connection, or it will occur two or more times for an unsuccessful connection — there will be one proposal listed for each end of the tunnel and for each possible combination of their settings. For example, if 10.11.101.10 selected both Diffie-Hellman Groups 1 and 5, at least two proposals would be listed.
A successful negotiation proposal will look similar to
IPsec SA connect 26 10.12.101.10->10.11.101.10:500
config found
created connection: 0x2f55860 26 10.12.101.10->10.11.101.10:500
IPsec SA connect 26 10.12.101.10->10.11.101.10:500 negotiating
no suitable ISAKMP SA, queuing quick-mode request and initiating ISAKMP SA negotiation
initiator: main mode is sending 1st message...
cookie 3db6afe559e3df0f/0000000000000000
out [encyrption]
sent IKE msg (ident-i1send): 10.12.101.10:500->10.11.101.10:500, len=264, id=3db6afe559e3df0f/0000000000000000
diaike 0: comes 10.12.101.1:500->10.11.101.1:500,ifindex=26....
Note the phrase “initiator: main mode is sending 1st message...”, which shows that the handshake between the ends of the tunnel is in progress. “Initiator” shows that the remote unit is sending the first message.
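Once the debug output has been saved to a file (step 8), the proposal count and the initiator line can be checked with a short script on the local computer. The following is an added example, not code from the Fortinet handbook or from FortiOS; it assumes the saved file contains lines in the format quoted above, and the two "proposal" lines in the sample are constructed for illustration rather than copied from real output.

```python
import re

# Constructed sample of a saved "diagnose debug app ike 255" log: the first nine lines
# mirror the excerpt quoted above; the two "proposal" lines are constructed, not real output.
SAMPLE_LOG = """\
IPsec SA connect 26 10.12.101.10->10.11.101.10:500
config found
created connection: 0x2f55860 26 10.12.101.10->10.11.101.10:500
IPsec SA connect 26 10.12.101.10->10.11.101.10:500 negotiating
no suitable ISAKMP SA, queuing quick-mode request and initiating ISAKMP SA negotiation
initiator: main mode is sending 1st message...
cookie 3db6afe559e3df0f/0000000000000000
out [encyrption]
sent IKE msg (ident-i1send): 10.12.101.10:500->10.11.101.10:500, len=264, id=3db6afe559e3df0f/0000000000000000
proposal id = 1: (constructed line)
proposal id = 2: (constructed line)
"""

ADDR = re.compile(r"\d+\.\d+\.\d+\.\d+")
SENT_MSG = re.compile(r"sent IKE msg \((?P<kind>[^)]+)\): (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+")
COOKIE = re.compile(r"^cookie (?P<cookie>[0-9a-f]+/[0-9a-f]+)")


def summarize_ike_debug(log_text, peer):
    """Apply the section's checks (proposal count, initiator line) to saved output for one peer."""
    result = {"proposal_lines": 0, "initiator_seen": False, "cookie": None, "sent": []}
    for line in log_text.splitlines():
        addrs = ADDR.findall(line)
        if addrs and peer not in addrs:
            continue  # another tunnel; mirrors the dst-addr4 log-filter set before capture
        if "proposal" in line:
            result["proposal_lines"] += 1
        if line.startswith("initiator:"):
            result["initiator_seen"] = True  # handshake in progress, remote end initiated
        m = COOKIE.match(line)
        if m:
            result["cookie"] = m.group("cookie")  # initiator/responder cookie pair
        m = SENT_MSG.search(line)
        if m:
            result["sent"].append(m.group("kind"))  # e.g. ident-i1send for main mode msg 1
    # Heuristic stated in the text: one proposal suggests success; two or more means
    # each end offered several setting combinations and Phase 1 did not agree.
    n = result["proposal_lines"]
    if n == 0:
        result["verdict"] = "no proposal seen: Phase 1 did not start, or the log-filter excluded it"
    elif n == 1:
        result["verdict"] = "single proposal: Phase 1 likely negotiated"
    else:
        result["verdict"] = f"{n} proposals: a settings mismatch between the two ends is likely"
    return result
```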