Troubleshooting Fortigate IPsec Phase 2 Issues

Alright, guys, let's dive into the nitty-gritty of troubleshooting IPsec Phase 2 issues on Fortigate firewalls. If you're dealing with VPN connectivity problems, especially after the initial Phase 1 negotiation, you're likely facing a Phase 2 configuration hiccup. This guide will walk you through the common diagnostic commands and steps to get your VPN tunnel back on track. Understanding and resolving these issues is crucial for maintaining secure and reliable network connections. Let's get started!

Understanding IPsec Phase 2

Before we jump into the diagnostics, let's briefly cover what IPsec Phase 2 is all about. Phase 1 establishes the secure channel for further communication, while Phase 2 (also known as Quick Mode) handles the negotiation of the specific security parameters for data transfer. This includes the proposal (encryption and authentication algorithms), Perfect Forward Secrecy (PFS), and the actual security associations (SAs) that protect the data flowing through the tunnel. Mismatches or misconfigurations in Phase 2 are common culprits for VPN connectivity failures.

Why is Phase 2 Important?

Phase 2 is where the real data protection happens. It ensures that the data exchanged between the two endpoints is encrypted and authenticated, preventing eavesdropping and tampering. Without a correctly configured Phase 2, your VPN tunnel might establish, but you won't be able to pass any meaningful traffic through it. A successful Phase 2 negotiation results in the creation of Security Associations (SAs) in both directions, defining how data is secured.

Common Phase 2 Issues

Several issues can lead to Phase 2 failures:

1. Mismatched Proposals: The encryption and authentication algorithms on both sides of the tunnel must match exactly. Even a slight difference will cause the negotiation to fail.
2. Incorrect Subnets: The local and remote subnets defined in the Phase 2 configuration must accurately reflect the networks you want to connect. Overlapping or incorrect subnets can prevent traffic from flowing.
3. PFS Mismatch: If Perfect Forward Secrecy (PFS) is enabled, both sides must use the same Diffie-Hellman group. A mismatch here will cause the Phase 2 negotiation to fail.
4. Firewall Policies: Ensure that your firewall policies allow traffic to flow between the local and remote subnets using the VPN tunnel as the outgoing interface. Missing or incorrect policies are a common oversight.
5. Dead Peer Detection (DPD): While DPD primarily affects tunnel stability, incorrect DPD settings can sometimes interfere with Phase 2 re-negotiation. Make sure DPD is configured appropriately on both sides.

Essential Fortigate Diagnostic Commands for Phase 2

Okay, let's get our hands dirty with some diagnostic commands. These commands are your best friends when troubleshooting IPsec Phase 2 issues on Fortigate. Remember to execute these commands from the Fortigate CLI.

1. diagnose vpn ike log filter

This command is invaluable for filtering the IKE (Internet Key Exchange) debug logs. IKE is the protocol used for both Phase 1 and Phase 2 negotiations. By filtering the logs, you can focus on the relevant information and quickly identify the cause of the problem.

How to Use It

First, enable IKE debug logging:

diagnose debug enable
diagnose debug application ike -1

Then, use the diagnose vpn ike log filter command to specify what you want to see in the logs. Here are some useful filters:

• diagnose vpn ike log filter name <vpn_name>: Filters logs for a specific VPN tunnel.
• diagnose vpn ike log filter address <peer_ip>: Filters logs for a specific peer IP address.
• diagnose vpn ike log filter status error: Shows only error messages.

Example:

diagnose vpn ike log filter name my_vpn
diagnose debug enable
diagnose debug application ike -1

This will display only the IKE debug logs related to the VPN tunnel named "my_vpn". Analyze the logs for error messages or mismatches in the Phase 2 negotiation.

Interpreting the Logs

The IKE debug logs can be a bit cryptic, but here are some common things to look for:

• No proposal chosen: Indicates a mismatch in the encryption or authentication algorithms.
• Invalid ID: Suggests an issue with the local or remote subnets.
• DH group mismatch: Indicates a problem with the Perfect Forward Secrecy (PFS) configuration.
• Received notify payload: INVALID-ID-INFORMATION: Also suggests an issue with the local or remote subnets.

2. diagnose vpn tunnel list

This command provides a summary of all IPsec tunnels on the Fortigate, including their status, Phase 1 and Phase 2 SAs, and other relevant information. It's a quick way to check if Phase 2 is established and to see the configured parameters.

How to Use It

Simply type the command in the CLI:

diagnose vpn tunnel list

The output will show a list of VPN tunnels with details like the tunnel name, state (up or down), encryption and authentication algorithms, and the number of active SAs.

Interpreting the Output

• status: up for both Phase 1 and Phase 2 indicates a healthy tunnel.
• If Phase 1 is up but Phase 2 is down, it points to a Phase 2 configuration issue.
• Check the encryption and authentication algorithms to ensure they match on both sides.
• Verify the local and remote subnets are correctly configured.

3. diagnose vpn ike gateway list

This command displays detailed information about the IKE gateway, including the Phase 1 settings, peer IP address, and other configuration parameters. While it primarily focuses on Phase 1, it can be helpful in identifying any underlying issues that might be affecting Phase 2.

How to Use It

diagnose vpn ike gateway list

The output will show the configuration of each IKE gateway, including the authentication method, encryption algorithms, and other settings.

Interpreting the Output

• Verify that the Phase 1 settings are correct and match the peer device.
• Check the peer IP address to ensure it's reachable.
• Look for any error messages or warnings in the output.

4. diagnose firewall iprope check

This command is extremely useful for verifying if the firewall policies are correctly configured to allow traffic through the VPN tunnel. It simulates the traffic flow and checks if the firewall is allowing or denying it based on the configured policies.

How to Use It

The syntax for this command is:

diagnose firewall iprope check <interface> <source_ip> <destination_ip> <protocol> <source_port> <destination_port>

Replace the placeholders with the appropriate values:

• <interface>: The outgoing interface (usually the VPN tunnel interface).
• <source_ip>: The IP address of the source device.
• <destination_ip>: The IP address of the destination device.
• <protocol>: The protocol being used (e.g., TCP, UDP, ICMP).
• <source_port>: The source port (if applicable).
• <destination_port>: The destination port (if applicable).

Example:

diagnose firewall iprope check vpn_tunnel 192.168.1.10 10.0.0.10 tcp 2000 80

This command will check if traffic from 192.168.1.10 to 10.0.0.10 using TCP port 80 is allowed through the "vpn_tunnel" interface.

Interpreting the Output

• If the output shows "Accept", the firewall policy is allowing the traffic.
• If the output shows "Deny", the firewall policy is blocking the traffic. You'll need to adjust your firewall policies to allow the traffic.
• The output will also show which firewall policy is being matched, which can help you identify the specific rule that needs to be modified.

Troubleshooting Steps

Now that you're armed with the diagnostic commands, let's walk through a systematic approach to troubleshooting Phase 2 issues.

1. Verify Phase 1: Ensure that Phase 1 is up and stable. If Phase 1 is down, you'll need to troubleshoot that first.
2. Check Proposals: Use the diagnose vpn ike log filter command to check for proposal mismatches. Make sure the encryption and authentication algorithms are identical on both sides.
3. Verify Subnets: Confirm that the local and remote subnets are correctly configured in the Phase 2 settings. Overlapping or incorrect subnets are a common cause of Phase 2 failures.
4. Check PFS: If Perfect Forward Secrecy (PFS) is enabled, ensure that both sides are using the same Diffie-Hellman group.
5. Examine Firewall Policies: Use the diagnose firewall iprope check command to verify that your firewall policies are allowing traffic to flow through the VPN tunnel. Pay close attention to the source and destination IPs, ports, and protocols.
6. Review DPD Settings: While less common, incorrect Dead Peer Detection (DPD) settings can sometimes interfere with Phase 2 re-negotiation. Make sure DPD is configured appropriately on both sides.
7. Restart the Tunnel: Sometimes, simply restarting the VPN tunnel can resolve transient issues. You can do this from the Fortigate GUI or CLI.

Example Scenario

Let's say you have a VPN tunnel named "SiteA_to_SiteB" that's not passing traffic. You've already confirmed that Phase 1 is up.

1. Check the IKE logs:

diagnose vpn ike log filter name SiteA_to_SiteB
diagnose debug enable
diagnose debug application ike -1

You see the following error message: No proposal chosen. This indicates a mismatch in the encryption or authentication algorithms.

2. Review the Phase 2 settings:

You compare the Phase 2 settings on both Fortigate devices and find that Site A is using AES256-SHA256, while Site B is using AES128-SHA1. This is the cause of the problem.

3. Correct the mismatch:

You change the Phase 2 settings on Site B to match Site A (AES256-SHA256).

4. Restart the tunnel:

After making the changes, you restart the VPN tunnel. Traffic now flows correctly.

Conclusion

Troubleshooting IPsec Phase 2 issues on Fortigate firewalls requires a systematic approach and a good understanding of the diagnostic commands. By using the diagnose vpn ike log filter, diagnose vpn tunnel list, diagnose vpn ike gateway list, and diagnose firewall iprope check commands, you can quickly identify and resolve common configuration errors. Remember to always verify your proposals, subnets, PFS settings, and firewall policies. With a little practice, you'll become a pro at keeping your VPN tunnels up and running smoothly. Good luck, and happy troubleshooting!