fortigate-ipsec-40-mr3
Testing Gateway-to-gateway configurations

9 If all fields are set to any, there are no filters set and all VPN IKE packets will be displayed in the debug output. If your system has only a few VPNs, skip setting the filter. If your system has many VPN connections, this will result in very verbose output and make it very difficult to locate the correct connection attempt.

10 Set the VPN filter to display only information from the destination IP address, for example 10.10.10.10:

diag vpn ike log-filter dst-addr4 10.10.10.10

To add more filter options, enter them one per line as above. Other filter options are displayed in Table 4.
Table 4: Filter options for diag vpn ike filter

  Option      Description
  clear       erase the current filter
  dst-addr6   the IPv6 destination address range to filter by
  dst-port    the destination port range to filter by
  interface   interface that the IKE connection is negotiated over
  list        display the current filter
  name        the phase1 name to filter by
  negate      negate the specified filter parameter
  src-addr4   the IPv4 source address range to filter by
  src-addr6   the IPv6 source address range to filter by
  src-port    the source port range to filter by
  vd          index of virtual domain; 0 matches all
11 Start debugging:

diag debug app ike 255
diag debug enable

12 Have the remote end attempt a VPN connection.

If the remote end attempts the connection, they become the initiator. This makes it easier to debug VPN tunnels because you then have the remote information as well as all of your local information. If you initiate the connection, you will not see the other end's information.

13 If possible, go to the web-based manager on your FortiGate unit, go to the VPN monitor and try to bring the tunnel up.

14 Stop the debug output:

diag debug disable

15 Go back through the output to determine what proposal information the initiator is using, and how it differs from your VPN P1 proposal settings.
Things to look for in the debug output of attempted VPN connections are shown below.

Table 5: Important terms to look for in VPN debug output

  Term        Meaning
  initiator   Starts the VPN attempt; in the above procedure that is the remote end
  responder   Answers the initiator's request
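As an added example that is not part of the Fortinet documentation, the following Python script shows the comparison step 15 describes: it reads IKE debug text, determines which role the local unit took, pulls out each proposal the initiator offered and reports where it differs from the local phase 1 proposals. The debug lines and the local settings are constructed for illustration in a simplified key=value layout and are not the actual FortiOS debug output format.

```python
import re
from typing import Dict, List

# Constructed sample of a phase 1 exchange. This is NOT the real output of
# "diag debug app ike 255"; it stands in for it so the logic can be shown.
SAMPLE_DEBUG = """\
ike 0: comes 203.0.113.5:500->198.51.100.1:500 role=responder
ike 0:peer-a: incoming proposal: enc=aes128 hash=sha1 dh=5 auth=psk
ike 0:peer-a: incoming proposal: enc=3des hash=md5 dh=2 auth=psk
ike 0:peer-a: no matching proposal
"""

# Local phase 1 proposals as configured on the responder (constructed values).
LOCAL_P1_PROPOSALS = [
    {"enc": "aes256", "hash": "sha256", "dh": "14", "auth": "psk"},
    {"enc": "aes128", "hash": "sha256", "dh": "5", "auth": "psk"},
]

PROPOSAL_RE = re.compile(r"incoming proposal: (.*)$")


def role(debug_text: str) -> str:
    """Local role; the remote end is the initiator when we log role=responder."""
    m = re.search(r"role=(initiator|responder)", debug_text)
    return m.group(1) if m else "unknown"


def parse_proposals(debug_text: str) -> List[Dict[str, str]]:
    """Return each proposal the initiator offered as a dict of its fields."""
    proposals = []
    for line in debug_text.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            proposals.append(dict(kv.split("=", 1) for kv in m.group(1).split()))
    return proposals


def mismatches(remote: List[Dict[str, str]], local: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """For each remote proposal with no exact local match, report the fields that
    differ from the closest local proposal (the one with the fewest differences)."""
    report = []
    for rp in remote:
        if rp in local:
            continue  # this proposal would have been accepted
        closest = min(local, key=lambda lp: sum(lp[k] != rp.get(k) for k in lp))
        report.append({k: f"remote={rp.get(k)} local={closest[k]}"
                       for k in closest if closest[k] != rp.get(k)})
    return report


if __name__ == "__main__":
    print("local role:", role(SAMPLE_DEBUG))
    for diff in mismatches(parse_proposals(SAMPLE_DEBUG), LOCAL_P1_PROPOSALS):
        print("mismatch:", diff)
```

An empty report means at least one offered proposal matched the local settings exactly; otherwise each entry names the parameters to reconcile on one side or the other.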
IPsec VPNs for FortiOS 4.0 MR3
82 01-434-112804-20120111
http://docs.fortinet.com/