IPsec to Fortinet stops working after some time



  • I think I see the same behaviour, but ONLY when the other site is a Fortigate device, and I have three of these on the other site. Other brands seem to work fine.

    Tunnel is up and works for some hours/days and then all of a sudden the data stops flowing over the tunnel.
    Status is still up on both sites, child SAs seem normal except that the number of bytes in and out doesn't change anymore.
    A reconnect from my site or the other site solves the issue for some time again. Logs don't give a real hint in these cases.

    The Fortigate users also claim to only have problems with pfsense, not with other VPN endpoints.

    Maybe someone knows something about pfSense<->Fortigate?



  • Split this to its own thread since it's almost certainly not the same issue as the other thread given it's Fortinet-specific and there are nearly limitless possibilities for rekey issues that end up with the same symptoms.

    What do you have in the IPsec logs at the time it's not working?



  • I think this is the corresponding log fragment when one of the subnets (b.b.b.b) becomes inoperative after working fine for hours:

    Dec  4 13:29:50 pfSense2 charon: 02[NET] <con5|508> received packet: from x.x.x.x[500] to y.y.y.y[500] (672 bytes)
    Dec  4 13:29:50 pfSense2 charon: 02[ENC] <con5|508> parsed CREATE_CHILD_SA request 45 [ SA No KE TSi TSr ]
    Dec  4 13:29:50 pfSense2 charon: 02[IKE] <con5|508> traffic selectors a.a.a.a/24|/0 === b.b.b.b/24|/0  inacceptable
    Dec  4 13:29:50 pfSense2 charon: 02[IKE] <con5|508> failed to establish CHILD_SA, keeping IKE_SA
    Dec  4 13:29:50 pfSense2 charon: 02[ENC] <con5|508> generating CREATE_CHILD_SA response 45 [ N(TS_UNACCEPT) ]
    Dec  4 13:29:50 pfSense2 charon: 02[NET] <con5|508> sending packet: from y.y.y.y[500] to x.x.x.x[500] (80 bytes)

    This repeats for a while until someone notices the specific subnet is not working and the tunnel is disconnected and reconnected by either the remote or our site.
    After that it's working again for a couple of hours or sometimes even days.



  • Sounds like you have a support case open on the same issue? Best to continue there, the last thing I told the guys there was to get logs from the Fortinet as to why it's rejecting your traffic selectors. Without seeing logs from the Fortinet side that show why it's rejecting the TS, there's no telling. My gut feel is it's probably a Fortinet rekeying issue, though it could be something else. When you stop the connection, it sends a delete across, which can work around a problem like that on the remote side.



  • Maybe I'm wrong, but as x.x.x.x is the Fortinet and y.y.y.y is pfSense, it seems to me that charon is rejecting the TS from the Fortinet, isn't it?
    As I don't control nor own the Fortinet, I can't open a support case and I doubt the customer will do so. I will try to convince him to do so and/or try to get my hands on a used Fortinet myself.
    Maybe setting the phase2 lifetime longer (same as phase1) can help? Or switching to IKEv1?
    Has anybody here used a Fortinet with pfSense successfully and without problems?



  • I've got myself a used Fortinet, but now I'm having a hard time changing the serial over to my Fortinet account, which is required for downloading firmware updates, as it is still registered to the old owner.
    After that I can do some tests. I'll share the results here.
    @cmb:

    the last thing I told the guys there was to get logs from the Fortinet as to why it's rejecting your traffic selectors. Without seeing logs from the Fortinet side that show why it's rejecting the TS, there's no telling.

    Cmb, do I understand right that you have been in contact with Fortinet about a similar issue?



  • @wickeren:

    Cmb, do I understand right that you have been in contact with Fortinet about a similar issue?

    No, we don't have any ability to get in contact with Fortinet support. I was referencing a support case one of our customers had open, but now that I look closer at this, it doesn't seem to match what I was thinking of (though is similar, this is the opposite side).

    @wickeren:

    Maybe I'm wrong, but as x.x.x.x is the Fortinet and y.y.y.y is pfSense, it seems to me that charon is rejecting the TS from the Fortinet, isn't it?

    Correct in this case, yes. This part:
    generating CREATE_CHILD_SA response 45 [ N(TS_UNACCEPT) ]

    is strongswan replying with the TS_UNACCEPT. Do the a.a.a.a/24 and b.b.b.b/24 match what you would expect? It should only generate that response if those subnets don't match the config.

    @wickeren:

    Has anybody here used a Fortinet with pfSense successfully and without problems?

    Lots of people do. Most of those I've come across use IKEv1 though I know there are many using IKEv2 as well.
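As an added example (not from this thread, pfSense or strongSwan), a small Python checker that parses charon lines of the shape quoted above and separates the two cases discussed here: a proposed TS that really falls outside the configured phase2 subnets, and a TS that matches the config yet still gets a TS_UNACCEPT reply (which points away from the subnet config). It assumes the log layout quoted in the thread; the addresses are constructed placeholders, the connection name con5 and IKE_SA id 508 are taken from the quoted log.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the layout quoted in this thread (placeholder addresses, not real traffic).
SAMPLE_LOG = """\
Dec  4 13:29:50 pfSense2 charon: 02[NET] <con5|508> received packet: from 198.51.100.1[500] to 203.0.113.1[500] (672 bytes)
Dec  4 13:29:50 pfSense2 charon: 02[ENC] <con5|508> parsed CREATE_CHILD_SA request 45 [ SA No KE TSi TSr ]
Dec  4 13:29:50 pfSense2 charon: 02[IKE] <con5|508> traffic selectors 10.1.0.0/24|/0 === 10.2.0.0/24|/0  inacceptable
Dec  4 13:29:50 pfSense2 charon: 02[IKE] <con5|508> failed to establish CHILD_SA, keeping IKE_SA
Dec  4 13:29:50 pfSense2 charon: 02[ENC] <con5|508> generating CREATE_CHILD_SA response 45 [ N(TS_UNACCEPT) ]
Dec  4 13:29:51 pfSense2 charon: 02[IKE] <con5|508> traffic selectors 10.1.0.0/24|/0 === 10.9.0.0/24|/0  inacceptable
"""

# "<conn|ike_sa_id> traffic selectors LOCAL|/PROTO === REMOTE|/PROTO  inacceptable"
TS_RE = re.compile(r"<(?P<conn>[^|>]+)\|(?P<ike>\d+)> traffic selectors "
                   r"(?P<local>\S+?)\|/\d+ === (?P<remote>\S+?)\|/\d+\s+inacceptable")
# The TS_UNACCEPT notify strongSwan sends back for the failed CREATE_CHILD_SA
TSU_RE = re.compile(r"<(?P<conn>[^|>]+)\|(?P<ike>\d+)> generating CREATE_CHILD_SA "
                    r"response \d+ \[ N\(TS_UNACCEPT\) \]")


def ts_within_config(proposed, configured):
    """A proposed selector is acceptable when it fits inside a configured subnet
    (strongSwan may narrow a wider request, but never widen a configured one)."""
    p = ipaddress.ip_network(proposed, strict=False)
    return any(p.subnet_of(ipaddress.ip_network(c, strict=False)) for c in configured)


def analyze(log_text, local_subnets, remote_subnets):
    """Classify every 'traffic selectors ... inacceptable' line as a config mismatch
    or a rejection despite a matching TS, and count TS_UNACCEPT replies per IKE_SA."""
    mismatch, despite_match = [], []
    unaccept = Counter()
    for line in log_text.splitlines():
        m = TS_RE.search(line)
        if m:
            key = (m["conn"], int(m["ike"]))
            fits = (ts_within_config(m["local"], local_subnets)
                    and ts_within_config(m["remote"], remote_subnets))
            (despite_match if fits else mismatch).append(key + (m["local"], m["remote"]))
        m = TSU_RE.search(line)
        if m:
            unaccept[(m["conn"], int(m["ike"]))] += 1
    return mismatch, despite_match, dict(unaccept)


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG, ["10.1.0.0/24"], ["10.2.0.0/24"]))
```

Entries in the "despite match" list are the ones worth alerting on, since the tunnel status stays up while that CHILD_SA silently fails to rekey.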



  • @cmb:

    Do the a.a.a.a/24 and b.b.b.b/24 match what you would expect? It should only generate that response if those subnets don't match the config.

    It matches perfectly, also in the log fragment where it actually fails.
    I just can't understand why it works fine for hours with multiple phase2 rekeyings gone well and then all of a sudden it should not match anymore?
    Can both sites initiate a phase2 rekey? From what I have seen now it's always strongswan rejecting the Fortinet TS after a while, but initially the connection works fine initiated from both sites.

    For one connection I ended up with a phase1 lifetime of 28800 and a phase2 lifetime of 86400. In that case a rekey of phase2 should never happen. So far it seems stable, but only one day has passed so far.

