Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPSEC Diagnostics and logging

    Scheduled Pinned Locked Moved
    TNSR
    2
    4
    375
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • E
      eece_ret
      last edited by

      Good Afternoon all;

      Got the home lab up. Zero to NAT was very straightforward. IPSEC however is presenting some woes.
      This is a VM (KVM linux on a Sandy Bridge i7 socket 2011). MY NICs are Pro-1000T (E1000. I have a i350-t4 inbound for igb driver base but for now, e1000.
      The remote site is a Fortinet 3601E running 6.0.9 System Software.

      I have poured over teh configs till my brain fell out, and I cannot find anything that would preclude the tunnel coming up but its stuck at connecting.

      IPsec Tunnel: 0
      IKE SA: ipip0 ID: 222 Version: IKEv2
      Local: LOCAIP[500] Remote: REMOTEIP[500]
      Status: CONNECTING
      Local ID: 0x0.07ffc4131465p-1022ny Remote ID: 0x0.07ffc4131466p-1022ny
      Cipher:
      PRF:
      SPI Init: 741094755088191030 Resp: 0
      Initiator: true
      tnsr-home tnsr#

      The remote site sees this connection attempt and shows succesful P1 negotiation.

      date=2020-09-12 time=11:31:34 t subtype=vpn level=notice action=negotiate msg=progress IPsec phase 1 logdesc=Progress IPsec phase 1 user=N/A status=success remip=XXXXXXX locip=XXXXXXXXXX remport=500 locport=500 outintf=FW1-WAN_2034 cookies=7b4ddc05e227cb2a/27c7486c0102e3be group=N/A xauthuser=N/A xauthgroup=N/A vpntunnel=TNSR-TEST-1-1 dir=outbound init=remote exch=SA_INIT version=IKEv2 role=responder result=OK eventtime=1599935494 devid=FG36E1XXXXXXXX dtime=2020-09-12 11:31:34 itime_t=1599935495

      It appears to be failing at P2 but all the P2 settings appear to aling. Is there a way to get better diagnostic logging on the IPSEC tunnel formation that I may use to look for more/better clues as to whats up.

      <ipsec-config xmlns="urn:netgate:xml:yang:netgate-ipsec">
      <tunnel>
      <instance>0</instance>
      <local-addr>XXXXXXXXXX</local-addr>
      <remote-addr>XXXXXXXXXXXX</remote-addr>
      <remote-type>gateway</remote-type>
      <tunnel-type>interface</tunnel-type>
      <crypto>
      <config-type>ike</config-type>
      <ike>
      <version>2</version>
      <role>both</role>
      <lifetime>3600</lifetime>
      <udp-encapsulation>false</udp-encapsulation>
      <proposals>
      <name>1</name>
      <encryption-algorithm>aes128</encryption-algorithm>
      <integrity-algorithm>sha1</integrity-algorithm>
      <dh-group>modp1024</dh-group>
      </proposals>
      <identity>
      <peer>local</peer>
      <type>address</type>
      <value>XXXXXXXXXXX</value>
      </identity>
      <identity>
      <peer>remote</peer>
      <type>address</type>
      <value>XXXXXXXXXX</value>
      </identity>
      <authentication>
      <peer>local</peer>
      <round>
      <number>1</number>
      <type>psk</type>
      <psk>XXXXXXXX</psk>
      </round>
      </authentication>
      <authentication>
      <peer>remote</peer>
      <round>
      <number>1</number>
      <type>psk</type>
      <psk>XXXXXXX</psk>
      </round>
      </authentication>
      <child-sa>
      <name>1</name>
      <lifetime>3600</lifetime>
      <mode>tunnel</mode>
      <proposal>
      <name>1</name>
      <encryption-algorithm>aes128</encryption-algorithm>
      <integrity-algorithm>sha1</integrity-algorithm>
      <dh-group>modp1024</dh-group>
      </proposal>
      <protocol>esp</protocol>
      </child-sa>
      </ike>
      </crypto>
      </tunnel>
      </ipsec-config>

      Interface:
      <interface>
      <name>ipip0</name>
      <enabled>true</enabled>
      <ipv4>
      <address>
      <ip>10.254.254.1/30</ip>
      </address>
      </ipv4>
      </interface>
      </interfaces-config>

      Static Route:
      <route>
      <destination-prefix>172.25.193.240/28</destination-prefix>
      <next-hop>
      <hop>
      <hop-id>0</hop-id>
      <ipv4-address>10.254.254.2</ipv4-address>
      </hop>
      </next-hop>
      </route>

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        /var/log/messages

        tnsr uses strongswan just like pfSense does so the logging and fault-finding are similar.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        E 1 Reply Last reply Reply Quote 1
        • E
          eece_ret @Derelict
          last edited by

          @Derelict Thank you very much!

          I got the tunnel up. Unfortunately I changed 3 things on the last config push....

          1: Disabled Replay Protection.
          2: P1 P2 Keytimes were the same 3600/3600. Chnged to 7200/3600
          3: Fortigate has a separate area for remote PSK. It looked to be taken from Local PSK, but I hard set anyways.

          I have to do this all over on a different 3601. Ill post up a Fortigate Config and further findings.

          However. Thus far. Looks like TNSR on "wrong" hardware (old sandy bridge, and e1000 nics) is too much for me 1G uplink. Cause my initial easy quick dirty test... ie no parallel flows, single TCP flow. 902mbits. LOL. Looks like Illhave to lab this up in my works vmWare environment and see what can be done with 10g and 25g links....

          1 Reply Last reply Reply Quote 0
          • DerelictD
            Derelict LAYER 8 Netgate
            last edited by

            You can set asymmetric PSKs in tnsr too.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            1 Reply Last reply Reply Quote 0
            • First post
              Last post