IPsec VPN Troubleshooting in FortiGate firewall
Follow the steps below to troubleshoot this kind of issue:
1. VPN Tunnel Issues:
- Frequent Tunnel Downtime:
- Use diagnose vpn tunnel list to check tunnel status.
- Ensure the pre-shared key matches on both ends to avoid PSK mismatch errors.
- Clear existing VPN tunnels with diagnose vpn ike restart and diagnose vpn ike gateway clear.
2. SA Proposal Mismatch:
- Check and match the SA proposals on both ends of the VPN connection.
- Commands:
diag vpn ike log filter name <phase1-name>
diag debug app ike -1
diag debug enable
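Reading the IKE debug output from the commands above and comparing the proposals on both ends can be scripted. The following Python is an added example, not code from the original post or from Fortinet: the sample debug lines are constructed to approximate `diagnose debug app ike -1` output, and since message wording differs between FortiOS versions, the regular expressions and the algorithm-name mappings are assumptions to adjust against a real capture.

```python
"""Read FortiGate IKE debug output and compare phase 1 proposals.

Added example, not code from the original post or from Fortinet.
SAMPLE_IKE_DEBUG is constructed to approximate `diagnose debug app ike -1`
output; exact message wording varies by FortiOS version, so the regexes
below are assumptions to adjust against a real capture.
"""
import re
from collections import defaultdict

# Constructed sample: two gateways, one failing phase 1 on proposals,
# the other on the pre-shared key.
SAMPLE_IKE_DEBUG = """\
ike 0:to-branch:5: responder: main mode get 1st message...
ike 0:to-branch:5: incoming proposal:
ike 0:to-branch:5: proposal id = 1:
ike 0:to-branch:5:   protocol id = ISAKMP:
ike 0:to-branch:5:      trans_id = KEY_IKE.
ike 0:to-branch:5:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:to-branch:5:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:to-branch:5:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:to-branch:5:         type=OAKLEY_GROUP, val=MODP1024.
ike 0:to-branch:5: negotiation failure
ike 0:to-branch:5: no SA proposal chosen
ike 0:to-hq:7: responder: main mode get 3rd message...
ike 0:to-hq:7: probable pre-shared secret mismatch
"""

# Line shape assumed: "ike <vdom>:<phase1-name>:<seq>: <message>"
LINE_RE = re.compile(r"^ike \d+:(?P<gw>[^:]+):\d+:\s*(?P<msg>.*)$")

FAILURE_PATTERNS = {
    "psk_mismatch": re.compile(r"pre-shared (?:secret|key) mismatch", re.I),
    "proposal_mismatch": re.compile(r"no (?:SA )?proposal chosen", re.I),
    "no_gateway": re.compile(r"no matching gateway", re.I),
}

# IKE debug names -> FortiGate CLI names (assumed mapping, extend as needed).
HASH_NAMES = {"SHA": "sha1", "SHA2_256": "sha256", "MD5": "md5"}
DH_NAMES = {"MODP768": "1", "MODP1024": "2", "MODP1536": "5", "MODP2048": "14"}


def classify_ike_debug(text):
    """Map each phase 1 name to the set of failure kinds seen in its lines."""
    findings = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for kind, pat in FAILURE_PATTERNS.items():
            if pat.search(m.group("msg")):
                findings[m.group("gw")].add(kind)
    return dict(findings)


def peer_offer(text, gateway):
    """Extract the (encryption, hash, dh-group) the peer offered in phase 1."""
    enc = hsh = dh = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("gw") != gateway:
            continue
        msg = m.group("msg")
        e = re.search(r"OAKLEY_ENCRYPT_ALG, val=(\w+)(?:, key-len=(\d+))?", msg)
        if e:
            if e.group(1) == "AES_CBC" and e.group(2):
                enc = f"aes{e.group(2)}"
            else:
                enc = e.group(1).lower()
        h = re.search(r"OAKLEY_HASH_ALG, val=(\w+)", msg)
        if h:
            hsh = HASH_NAMES.get(h.group(1), h.group(1).lower())
        g = re.search(r"OAKLEY_GROUP, val=(\w+)", msg)
        if g:
            dh = DH_NAMES.get(g.group(1), g.group(1))
    return enc, hsh, dh


def parse_proposals(spec):
    """'aes256-sha256 aes128-sha1' -> {('aes256', 'sha256'), ('aes128', 'sha1')}."""
    return {tuple(p.split("-", 1)) for p in spec.split()}


def common_proposals(local_spec, remote_spec, local_dh, remote_dh):
    """Return (shared proposals, shared DH groups); either empty means mismatch."""
    props = parse_proposals(local_spec) & parse_proposals(remote_spec)
    groups = set(local_dh.split()) & set(remote_dh.split())
    return sorted(props), sorted(groups, key=int)


def offer_accepted(local_spec, local_dh, offer):
    """True if the peer's (enc, hash, dh) offer is in the local phase 1 config."""
    enc, hsh, dh = offer
    return (enc, hsh) in parse_proposals(local_spec) and dh in local_dh.split()


if __name__ == "__main__":
    print(classify_ike_debug(SAMPLE_IKE_DEBUG))
    offer = peer_offer(SAMPLE_IKE_DEBUG, "to-branch")
    print("to-branch offered:", offer,
          "accepted locally:", offer_accepted("aes256-sha256", "14", offer))
    print(common_proposals("aes256-sha256 aes128-sha1",
                           "aes128-sha1 3des-md5", "14 5", "5 2"))
```

Feed it the text captured after `diag debug enable`; when `classify_ike_debug` reports `proposal_mismatch`, `peer_offer` shows what the remote end actually sent so you can compare it against the local phase 1 proposal and DH group list instead of guessing which side to change.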
3. Phase 1 and Phase 2 Negotiation:
- Phase 1 Troubleshooting:
- Verify correct settings: first clear any earlier debug session with diagnose debug disable and diagnose vpn ike log-filter clear, then use diagnose debug app ike 255 to check the negotiation process.
- Phase 2 Troubleshooting:
- Ensure both ends have matching settings and proposals.
- Check routing and enable/disable IPsec ASIC-offloading if necessary.
4. General VPN Troubleshooting Tips:
- Hardware Offloading:
- Enable or disable IPsec ASIC-offloading with:
config sys global
    set ipsec-asic-offload [enable|disable]
end
- XAuth Configuration:
- Try enabling XAuth for additional authentication if necessary.
5. NAT Devices:
- Adjust settings if there are NAT devices in the network path.
- Verify that NAT traversal is enabled and functioning correctly.
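Steps 1 and 5 both come down to reading `diagnose vpn tunnel list`: whether each phase 2 selector has an SA, whether traffic is flowing, and what NAT traversal mode the tunnel is using. The Python below is an added example, not code from the original post or from Fortinet; the sample output is constructed to approximate the command's format (field names such as `name=`, `proxyid=`, `sa=`, `natt: mode=` and `stat: rxp/txp` follow what the command prints), and every value and address in it is made up.

```python
"""Parse `diagnose vpn tunnel list` output and report phase 2 SA and NAT-T state.

Added example, not code from the original post or from Fortinet.
SAMPLE_TUNNEL_LIST is constructed to approximate the command's output; the
field names follow what the command prints, but every value is made up.
"""
import re

SAMPLE_TUNNEL_LIST = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=to-hq ver=2 serial=1 203.0.113.10:500->198.51.100.20:500 dst_mtu=1500
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 run_state=0 accept_traffic=1
proxyid_num=2 child_num=0 refcnt=14 ilast=2 olast=2 ad=/0
stat: rxp=4120 txp=3987 rxb=512000 txb=498000
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=11
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=hq-lan proto=0 sa=1 ref=2 serial=1
  src: 0:10.1.0.0/16:0
  dst: 0:10.2.0.0/16:0
  SA:  ref=3 options=10226 type=00 soft=0 mtu=1438 expire=42614/0B replaywin=2048
proxyid=hq-dmz proto=0 sa=0 ref=1 serial=2
  src: 0:10.1.0.0/16:0
  dst: 0:10.3.0.0/24:0
------------------------------------------------------
name=to-branch ver=2 serial=2 203.0.113.10:4500->192.0.2.77:4500 dst_mtu=1500
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 run_state=0 accept_traffic=1
proxyid_num=1 child_num=0 refcnt=9 ilast=5 olast=5 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=keepalive draft=32 interval=10 remote_port=4500
proxyid=branch-lan proto=0 sa=0 ref=1 serial=1
  src: 0:10.1.0.0/16:0
  dst: 0:10.9.0.0/24:0
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
ENDPOINTS_RE = re.compile(r"(\S+)->(\S+)")


def _kv(s):
    """'a=1 b=x' -> {'a': '1', 'b': 'x'} (tokens without '=' are ignored)."""
    return dict(KV_RE.findall(s))


def parse_tunnel_list(text):
    """Return one dict per tunnel: name, local/peer endpoints, stats, natt, proxyids."""
    tunnels, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("name="):
            cur = {"proxyids": [], "natt": {}, "stat": {}, "local": None, "peer": None}
            cur.update(_kv(line))
            ep = ENDPOINTS_RE.search(line)
            if ep:
                cur["local"], cur["peer"] = ep.group(1), ep.group(2)
            tunnels.append(cur)
        elif cur is None:
            continue  # header lines before the first tunnel block
        elif line.startswith("stat:"):
            cur["stat"] = {k: int(v) for k, v in _kv(line[5:]).items()}
        elif line.startswith("natt:"):
            cur["natt"] = _kv(line[5:])
        elif line.startswith("proxyid="):
            cur["proxyids"].append(_kv(line))
    return tunnels


def report(tunnels):
    """Per tunnel: phase 2 selectors with no SA (sa=0), NAT-T mode, and whether it is idle."""
    out = []
    for t in tunnels:
        down = [p["proxyid"] for p in t["proxyids"] if p.get("sa") == "0"]
        stat = t["stat"]
        out.append({
            "name": t["name"],
            "peer": t["peer"],
            "natt": t["natt"].get("mode", "unknown"),
            "down_proxyids": down,
            "all_up": not down,
            # no packets in either direction: the tunnel is carrying no traffic
            "idle": stat.get("rxp", 0) == 0 and stat.get("txp", 0) == 0,
        })
    return out


if __name__ == "__main__":
    for r in report(parse_tunnel_list(SAMPLE_TUNNEL_LIST)):
        state = "all phase 2 SAs up" if r["all_up"] else f"no SA for {r['down_proxyids']}"
        print(f"{r['name']} -> {r['peer']}: {state}; natt={r['natt']}; idle={r['idle']}")
```

A `proxyid=` entry with `sa=0` is a phase 2 selector that never negotiated an SA, so that is where to compare phase 2 settings and proposals. For a peer that sits behind a NAT device, the check from step 5 is that the `natt:` line shows a mode other than `none` and the endpoints are on port 4500; a tunnel that reports `mode=none` with such a peer is the case where NAT traversal is not in effect.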
Example CLI Commands
1. PSK Mismatch Error:
2. SA Proposal Mismatch:
3. Clear Existing Tunnels:
4. Disable Debugging: