FortiGate IPSec VPN User Guide - FirewallShop.com
FortiGate IPSec VPN User Guide - FirewallShop.com
FortiGate IPSec VPN User Guide - FirewallShop.com
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Monitoring and testing <strong>VPN</strong>s<br />
<strong>VPN</strong> troubleshooting tips<br />
2005-03-31 15:38:29 log_id=0101023004 type=event subtype=ipsec pri=notice vd=root<br />
loc_ip=172.16.62.10 loc_port=500 rem_ip=172.16.62.11 rem_port=500 out_if=port2<br />
vpn_tunnel=asdf cookies=151c3a5c6dd93c54/5ed26a81fb7a2d0c action=negotiate init=local<br />
mode=quick stage=1 dir=outbound status=success msg="Initiator: sent 172.16.62.11 quick<br />
mode message #1 (OK)"<br />
2005-03-31 15:38:29 log_id=0101023006 type=event subtype=ipsec pri=notice vd=root<br />
loc_ip=172.16.62.10 loc_port=500 rem_ip=172.16.62.11 rem_port=500 out_if=port2<br />
vpn_tunnel=asdf cookies=151c3a5c6dd93c54/5ed26a81fb7a2d0c action=install_sa<br />
in_spi=66867f2b out_spi=e22de275 msg="Initiator: tunnel 172.16.62.10/172.16.62.11<br />
install ipsec sa"<br />
2005-03-31 15:38:29 log_id=0101023004 type=event subtype=ipsec pri=notice vd=root<br />
loc_ip=172.16.62.10 loc_port=500 rem_ip=172.16.62.11 rem_port=500 out_if=port2<br />
vpn_tunnel=asdf cookies=151c3a5c6dd93c54/5ed26a81fb7a2d0c action=negotiate init=local<br />
mode=quick stage=2 dir=outbound status=success msg="Initiator: sent 172.16.62.11 quick<br />
mode message #2 (DONE)"<br />
2005-03-31 15:38:29 log_id=0101023002 type=event subtype=ipsec pri=notice vd=root<br />
loc_ip=172.16.62.10 loc_port=500 rem_ip=172.16.62.11 rem_port=500 out_if=port2<br />
vpn_tunnel=asdf cookies=151c3a5c6dd93c54/5ed26a81fb7a2d0c action=negotiate<br />
status=success msg="Initiator: tunnel 172.16.62.11, transform=ESP_3DES, HMAC_SHA1"<br />
Entries similar to the following indicate that phase 1 negotiations broke down<br />
because the preshared keys belonging to the <strong>VPN</strong> peers were not identical. A<br />
tunnel was not established.<br />
2005-03-31 16:06:39 log_id=0101023003 type=event subtype=ipsec pri=error vd=root<br />
loc_ip=192.168.70.2 loc_port=500 rem_ip=192.168.80.2 rem_port=500 out_if=port2<br />
vpn_tunnel=s cookies=3896343ae575f210/0a7ba199149e31e9 action=negotiate<br />
status=negotiate_error msg="Negotiate SA Error: probable pre-shared secret mismatch"<br />
For more information about how to interpret error log messages, see the <strong>FortiGate</strong><br />
Log Message Reference.<br />
<strong>VPN</strong> troubleshooting tips<br />
Most connection failures are due to a configuration mismatch between the<br />
<strong>FortiGate</strong> unit and the remote peer. In general, begin troubleshooting an <strong>IPSec</strong><br />
<strong>VPN</strong> connection failure as follows:<br />
1 Ping the remote network or client to verify whether the connection is up. See<br />
“Testing <strong>VPN</strong> connections” on page 157.<br />
2 Verify the configuration of the <strong>FortiGate</strong> unit and the remote peer. Check the<br />
following <strong>IPSec</strong> parameters:<br />
• The mode setting for ID protection (main or aggressive) on both <strong>VPN</strong> peers<br />
must be identical.<br />
• The authentication method (preshared keys or certificates) used by the client<br />
must be supported on the <strong>FortiGate</strong> unit and configured properly.<br />
• If preshared keys are being used for authentication purposes, both <strong>VPN</strong> peers<br />
must have identical preshared keys.<br />
• The remote client must have at least one set of phase 1 encryption,<br />
authentication, and Diffie-Hellman settings that match corresponding settings<br />
on the <strong>FortiGate</strong> unit.<br />
• Both <strong>VPN</strong> peers must have the same NAT traversal setting (enabled or<br />
disabled).<br />
• The remote client must have at least one set of phase 2 encryption and<br />
authentication algorithm settings that match the corresponding settings on the<br />
<strong>FortiGate</strong> unit.<br />
• If you are using manual keys to establish a tunnel, the Remote SPI setting on<br />
the <strong>FortiGate</strong> unit must be identical to the Local SPI setting on the remote<br />
peer, and vise versa.<br />
<strong>FortiGate</strong> <strong>IPSec</strong> <strong>VPN</strong> Version 3.0 <strong>User</strong> <strong>Guide</strong><br />
01-30005-0065-20070716 159