Set Up IPSec Site to Site VPN Between Fortigate 60D (3) - Concentrator and Troubleshooting - NETSEC

Wednesday, April 15, 2015

Set Up IPSec Site to Site VPN Between Fortigate 60D (3) - Concentrator and Troubleshooting

IPSec Site to Site VPN Configuration Series:
  1. Set Up IPSec Site to Site VPN Between Fortigate 60D (1) - Route-Based VPNs
  2. Set Up IPSec Site to Site VPN Between Fortigate 60D (2) - Policy-Based VPNs
  3. Set Up IPSec Site to Site VPN Between Fortigate 60D (3) - Concentrator and Troubleshooting
  4. Set Up IPSec Site to Site VPN Between Fortigate 60D (4) - SSL VPN
After testing policy-based and route-based IPSec VPNs in the first two posts, this post does a quick test of the FortiGate concentrator feature.

The VPN concentrator collects hub-and-spoke tunnels into a group. The concentrator allows VPN traffic to pass from one tunnel to the other through the FortiGate unit. The FortiGate unit functions as a concentrator, or hub, in a hub-and-spoke network.

If the VPN peer is a FortiGate unit functioning as the hub, or concentrator, it requires a VPN configuration connecting it to each spoke (AutoIKE phase 1 and 2 settings or manual key settings, plus encrypt policies). It also requires a concentrator configuration that groups the hub-and-spoke tunnels together. The concentrator configuration defines the FortiGate unit as the hub in a hub-and-spoke network. If the VPN peer is one of the spokes, it requires a tunnel connecting it to the hub (but not to the other spokes). It also requires policies that control its encrypted connections to the other spokes and its non-encrypted connections to other networks, such as the Internet.


F3 (FW3) is added to the topology used in the route-based and policy-based VPN labs. F3 acts as another spoke, like F1; F2 is the hub, or concentrator.



1. @F3: Since a VPN tunnel between F1 and F2 was already built in the previous lab, the first step is to build another VPN tunnel between F2 and F3.

Create all local address objects and remote address objects. The remote objects include the networks protected by F1 and F2.

Create a new rule allowing the local network to reach the remote networks through a new IPSec VPN tunnel.
Promote the new rule to the top of the list:

2. @F2: Create new policy rules with a new VPN tunnel between F2 and F3.

Create a new remote network object for F3.
Create a couple of new rules allowing the local networks to access F3's remote network through the new VPN tunnel F2-F3.
Since there are three local networks behind F2, three new rules are created.
Note: There is no need to create rules allowing spoke traffic to pass between the spokes.

The F2-F3 VPN tunnel profile now appears under VPN - IPSec - Auto Key (IKE).

At this point the tunnel between F2 and F3 is configured and should show as up in the IPSec monitoring tab.

3. Configure F1 for the traffic between the two spokes, F1 and F3.

Add F3's protected network into Firewall Objects - Address - Addresses:

Add the new address object into firewall policy rule:

4. Configure the concentrator on the F2 hub

Create a new concentrator from VPN - IPSec - Concentrator.
Give it the name F1-F2-F3 and select both hub-spoke VPN tunnels as the members:
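The same hub-side configuration entered from the FortiOS CLI, as an added example that is not from the original post or from Fortinet's documentation. It follows the policy-based style of the earlier labs; the interface names, the F3 peer address, the address object names and the pre-shared key are placeholders for the lab's values, and the src-check option is assumed to be available on this firmware.

```fortios
# Added example (not from the original post): F2 configured as the hub.
# wan1, internal, 203.0.113.3, F2-LAN/F3-LAN and the PSK are placeholders;
# the address objects are assumed to exist already (created in steps 1 and 2).

# Phase 1 to the new spoke F3 (the f1-f2 tunnel already exists from the previous lab)
config vpn ipsec phase1
    edit "f2-f3"
        set interface "wan1"
        set remote-gw 203.0.113.3
        set proposal aes256-sha256
        set dhgrp 14
        set dpd enable
        set psksecret <long-random-psk>
    next
end

# Phase 2 for the same tunnel; PFS keeps each IPsec SA independent of the IKE secret
config vpn ipsec phase2
    edit "f2-f3"
        set phase1name "f2-f3"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
    next
end

# Step 2: policy-based rule from one F2 local network to F3 through the tunnel.
# Repeat once per local network behind F2 (three in this lab).
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "F2-LAN"
        set dstaddr "F3-LAN"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "f2-f3"
    next
end

# Step 4: group both hub-spoke tunnels so F1 <-> F3 traffic can cross the hub.
# src-check (assumed available) drops packets whose source is not a member tunnel.
config vpn ipsec concentrator
    edit "F1-F2-F3"
        set member "f1-f2" "f2-f3"
        set src-check enable
    next
end
```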

5. Ping Test:

This is the test from a host on F1's local network. Before the concentrator was configured at F2, the ping timed out.

As soon as Step 4's concentrator configuration was done, the ping was answered immediately.

Tracert result:
C:\Documents and Settings\test>tracert
Tracing route to over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms
  2     1 ms    <1 ms    <1 ms
  3     1 ms     1 ms     1 ms
Trace complete.

Troubleshooting Commands:

FGT60D # diagnose vpn tunnel stat
dev=0 tunnel=1 proxyid=1 sa=1 conc=0 up=1

FGT60D # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
name=f1-f2 ver=1 serial=3> lgwy=static tun=tunnel mode=auto bound_if=5
proxyid_num=1 child_num=0 refcnt=8 ilast=3 olast=3
stat: rxp=8 txp=12 rxb=600 txb=720
dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=16517
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_f1-f2_tun_ proto=0 sa=1 ref=2 auto_negotiate=1 serial=1
  src: 0:
  dst: 0:
  SA: ref=6 options=0000002f type=00 soft=0 mtu=1412 expire=399 replaywin=1024 seqno=3
  life: type=01 bytes=0/0 timeout=1777/1800
  dec: spi=1935da05 esp=aes key=32 aa7f520b5457bc16f97c5cfc43483eb1c9b54f853def08213ca068506f9cb103
       ah=sha1 key=20 b69c401862a7b6320d92e36b0d400f95320852a9
  enc: spi=7b5dfde9 esp=aes key=32 0dbcde0df85b6d31dfdceded16314ff1a4ef9977e8fdbbed655ee9ddd0ccc80c
       ah=sha1 key=20 f6543bd37cfcbd5ccf881340f4b651940b34684d
  dec:pkts/bytes=1/60, enc:pkts/bytes=2/240
  npu_flag=03 npu_rgwy= npu_lgwy= npu_selid=3

FGT60D # diag debug application ike 255

FGT60D # diag debug enable

FGT60D # dia
ike 0: comes>,ifindex=5....
ike 0: IKEv1 exchange=Informational id=da8b0eb3b674cd8e/c0b55e04f98318f5:ca3cf881 len=92
ike 0: in DA8B0EB3B674CD8EC0B55E04F98318F508100501CA3CF8810000005C85114C19CFD9A0E3ECE0331A8A6134E1424AD7F8D516523A8D3421F260A17EFFAC75CD4FE3A283CD02832C07B5636B832E8E976E26A2376FA50F77D94B3D7620
ike 0:f2-f1:104: dec DA8B0EB3B674CD8EC0B55E04F98318F508100501CA3CF8810000005C0B000018A23349616A88AF99FFEB71BDB181733E48597075000000200000000101108D28DA8B0EB3B674CD8EC0B55E04F98318F5000040B28799820191C3D307
ike 0:f2-f1:104: notify msg received: R-U-THERE
ike 0:f2-f1:104: enc DA8B0EB3B674CD8EC0B55E04F98318F5081005013FB65E04000000540B000018A3902503765FF73A4AEB0F8D8DBCCC04A0E1BD63000000200000000101108D29DA8B0EB3B674CD8EC0B55E04F98318F5000040B2
ike 0:f2-f1:104: out DA8B0EB3B674CD8EC0B55E04F98318F5081005013FB65E040000005C7E154F5BEE4DEB627A700A84B0CB3C0098B5962BFA6CED080EAC0B5BF0E406D2ED7C4EC054B05F97A204A1B812D946597958233BBBA2D5CB7A2ABA6EFB70B6CE
ike 0:f2-f1:104: sent IKE msg (R-U-THERE-ACK):>, len=92, id=da8b0eb3b674cd8e/c0b55e04f98318f5:3fb65e04
ike 0:f2-f1: link is idle 5> dpd=1 seqno=40ac
ike 0: comes>,ifindex=5....
ike 0: IKEv1 exchange=Informational id=da8b0eb3b674cd8e/c0b55e04f98318f5:60b967f2 len=92
ike 0: in DA8B0EB3B674CD8EC0B55E04F98318F50810050160B967F20000005CB93CFF645F24AAD1702B89F758E4691C3A67210427BB251023BD3137C605D21D55585C435F25627A09A6242A5C4280EFA4B40E37AEF95224E33308D50465F0F9
ike 0:f2-f1:104: dec DA8B0EB3B674CD8EC0B55E04F98318F50810050160B967F20000005C0B000018F7DB4421DE4D8FE837A092498CC9FC19144E120D000000200000000101108D28DA8B0EB3B674CD8EC0B55E04F98318F5000040B30821732F98702307
ike 0:f2-f1:104: notify msg received: R-U-THERE
ike 0:f2-f1:104: enc DA8B0EB3B674CD8EC0B55E04F98318F508100501C910E3AF000000540B0000189A4BC0E8ACAAD4C3336B442280051149189B1574000000200000000101108D29DA8B0EB3B674CD8EC0B55E04F98318F5000040B3
ike 0:f2-f1:104: out DA8B0EB3B674CD8EC0B55E04F98318F508100501C910E3AF0000005CEC41A52E04D7316299F3DBCE4005D26AE26AFE40F3ADA9ADBF24652041B6836EB942D004846F1B61F528980E9E3B9811CB6AC66B6C6DE439DF98CBC247BA4206
ike 0:f2-f1:104: sent IKE msg (R-U-THERE-ACK):>, len=92, id=da8b0eb3b674cd8e/c0b55e04f98318f5:c910e3af
ike 0:f2-f1: link is idle 5> dpd=1 seqno=40ad
ike shrank heap by 122880 bytes
ike 0: comes>,ifindex=5....
ike 0: IKEv1 exchange=Informational id=da8b0eb3b674cd8e/c0b55e04f98318f5:60199215 len=92
ike 0: in DA8B0EB3B674CD8EC0B55E04F98318F508100501601992150000005C202E2B7EC4FD78A9A47A7BAADC85BBBA1240E38168A3E1FF37450B96DA085B38096EFC3352AF7D457DF3D66674BA6848093BFD670234A7E9AC32297AF7A35F73
ike 0:f2-f1:104: dec DA8B0EB3B674CD8EC0B55E04F98318F508100501601992150000005C0B0000188389BC2895680F8618F031B82FB9DA3FEB9C6769000000200000000101108D28DA8B0EB3B674CD8EC0B55E04F98318F5000040B4B478A703A2351A07
ike 0:f2-f1:104: notify msg received: R-U-THERE
ike 0:f2-f1:104: enc DA8B0EB3B674CD8EC0B55E04F98318F5081005013AB0F2D6000000540B0000182AAE9F0D1D6178FF2826ABD38FCE35A17107CD42000000200000000101108D29DA8B0EB3B674CD8EC0B55E04F98318F5000040B4
ike 0:f2-f1:104: out DA8B0EB3B674CD8EC0B55E04F98318F5081005013AB0F2D60000005C84CD92EF75CD2D72941E654D9C1F27D43038A5D56287736BABF6232A5744E413A2A4AC5FFEEA28AA1A51FAD159536748874E6D7F692750CC060C9619E727DD25
ike 0:f2-f1:104: sent IKE msg (R-U-THERE-ACK):>, len=92, id=da8b0eb3b674cd8e/c0b55e04f98318f5:3ab0f2d6
ike 0:f2-f1: link is idle 5> dpd=1 seqno=40ae

FGT60D # diag debug reset

FGT60D # diag debug disable

