FortiOS 5.4.1 IPSec Phase 2 for AutoConf-enabled Phase1 Issue - NETSEC


Tuesday, October 25, 2016

FortiOS 5.4.1 IPSec Phase 2 for AutoConf-enabled Phase1 Issue

The Fortigate 60D and 100D have been used to build an IPSec tunnel between two sites since last year. The firmware version is 5.2.4 build 668. I was planning to upgrade the Fortigate 100D to 5.4.1. The upgrade process was smooth, but the IPSec tunnel broke after the upgrade.

Fortigate 60D IPSec Tunnel Configuration:

Fortigate 100D IPSec Tunnel Configuration:





Unfortunately, the tunnel between the 60D and the 100D failed to come up after the upgrade process rebooted the 100D. Based on the following troubleshooting commands on the 100D, we found that the 100D ignored the IKE request from the 60D because of a missing Phase 2 proposal configuration.

diag debug reset
diag vpn ike log-filter clear
diag vpn ike log-filter dst-addr4 10.94.32.8
diag debug console timestamp enable
diag debug application ike -1
diag debug enable 



I tried to configure phase 2 on the 60D firewall. It showed that a phase 2 had already been auto-configured from phase 1.


FW-60D(p2) # get
name                : p2 
phase1name          : 
use-natip           : enable 
selector-match      : auto 
proposal            : aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256 
pfs                 : enable 
dhgrp               : 14 5 
replay              : enable 
keepalive           : disable 
auto-negotiate      : disable 
keylife-type        : seconds 
encapsulation       : tunnel-mode 
comments            : 
keylifeseconds      : 43200
 
FW-60D (p2) # set phase1name 
<string>    please input string value
f1-f2 phase1
 
FW-60D (p2) # set phase1name f1-f2 
 
FW-60D (p2) # set selector-match 
exact     Match selectors exactly.
subset    Match selectors by subset.
auto      Use subset or exact match depending on selector address type.
 
FW-60D (p2) # end
For autoconf-enabled phase1, a phase2 is already generated internally.
object set operator error, -5 discard the setting
Command fail. Return code -5



It seems the 60D with firmware version 5.2.5 is still using the auto-configured IPSec Phase 2, but the 100D no longer had that configuration after the upgrade to 5.4.1. I quickly put the phase 2 configuration into the 100D manually, and the tunnel came up right away.




It seems that with the newer firmware version, FortiOS changed its default behaviour for IPSec Phase 2: a phase 2 is no longer generated automatically from phase 1. You will have to put the phase 2 configuration into the VPN manually.
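The manual phase 2 entry the post describes, written out as an added example (this is not the configuration from the original post). It assumes a policy-based tunnel (`config vpn ipsec phase2`, which matches the `use-natip` and `selector-match` keys in the 60D output above; an interface-mode tunnel uses `config vpn ipsec phase2-interface` with the same keys), takes the phase 1 name `f1-f2` from the 60D session, copies the proposal, PFS, DH group and key lifetime values from the 60D's auto-generated phase 2 so both peers agree, and uses constructed placeholder subnets 192.0.2.0/24 (local) and 198.51.100.0/24 (remote). Lines starting with `#` are annotations, not CLI input.

```text
# On the upgraded FortiOS 5.4.1 unit (the 100D in the post), which no longer
# auto-generates a phase 2 from the autoconf-enabled phase 1.
config vpn ipsec phase2
    edit "p2"
        # Bind to the existing phase 1 (name taken from the 60D session above)
        set phase1name "f1-f2"
        # Same proposal list the 60D's auto-generated phase 2 advertises,
        # so at least one transform is common to both peers
        set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
        set pfs enable
        set dhgrp 14 5
        set replay enable
        set keepalive disable
        set keylife-type seconds
        set keylifeseconds 43200
        # Placeholder selectors (constructed): local and remote protected subnets
        set src-subnet 192.0.2.0 255.255.255.0
        set dst-subnet 198.51.100.0 255.255.255.0
    next
end
```

After `end`, re-run the `diag vpn ike` / `diag debug application ike -1` commands from the post on the 100D: the quick-mode request from the 60D should now be answered instead of being discarded for lack of a phase 2 proposal. Because the auto-generated phase 2 disappears on upgrade, it is worth running `get` on the phase 2 object of every autoconf-enabled tunnel before upgrading and keeping that output, so the proposal, DH group and lifetime values can be reproduced exactly on the new firmware.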




