IKE 500

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

IKE 500

L4 Transporter

Here is some traffic being sent from my DMZ to the internet and I am trying to determine whats happening. How would the community read this information

Session          192980

        c2s flow:
                source:      172.17.1.5 [DR-DMZ]
                dst:         199.169.208.244
                proto:       17
                sport:       500             dport:      500
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown
                pbf rule:    Fedline 12

        s2c flow:
                source:      199.169.208.244 [Outside]
                dst:         66.94.196.101
                proto:       17
                sport:       500             dport:      500
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown

        start time                    : Tue Jun 17 14:25:00 2014
        timeout                       : 600 sec
        time to live                  : 600 sec
        total byte count(c2s)         : 7012782
        total byte count(s2c)         : 0
        layer7 packet count(c2s)      : 23853
        layer7 packet count(s2c)      : 0
        vsys                          : vsys1
        application                   : ike
        rule                          : Rule 6
        session to be logged at end   : True
        session in session ager       : True
        session synced from HA peer   : False
        address/port translation      : source + destination
        nat-rule                      : Fedline_DR(vsys1)
        layer7 processing             : completed
        URL filtering enabled         : True
        URL category                  : any
        session via syn-cookies       : False
        session terminated on host    : False
        session traverses tunnel      : False
        captive portal session        : False
        ingress interface             : vlan.999
        egress interface              : ethernet1/3
        session QoS rule              : N/A (class 4)
        session tracker stage l7proc  : ctd err sw

32 REPLIES 32

Hello Infotech,

It seems the IKE packet is getting NAT'd. So, the remote-identity on the peer device should have the NAT'd IP, not the actual IP address-172.17.1.5.

Could you please confirm this. Also, could you please brief about the PBF rule.

Thanks

My pbf is this

Source

source zone is DR-DMZ

Source address is 172.17.1.5

Source user - any

Destination/Application/Service

Destination address is - any

Application - any

Service is - any

Forwarding

Action - forward

Egress interface - ethernet1/3

Next hop is 66.94.196.107

Nat policy rule

Original packet

Source zone

DR-DMZ

Outside

Destination Zone

outside

Destination interface

any

Service

any

Source address

172.17.1.5

Translated packet

static IP

translated address 66.94.196.101

Bi-directional

Hello Infotech,

Would it be possible to do a small test:

- Set the PAN as VPN initiator.

-Create a new NAT policy ( on the top of the policy table) to interface IP ( ethernet-1/3) only from source 172.17.1.5

-Initiate the VPN with CLI command >test vpn ike-sa gateway GTW-NAME

--Then check system logs for VPN.

Thanks

Sure I can give that a try and will let you know the result when I have completed this test

Where do you set the PA as intiator?

If you apply >test vpn ike-sa gateway GTW-NAME, it will be acting as an initiator. Just double check "passive-mode" check-box is not checked.

Thanks

Okay since it is a fortinet device that is suppose to create the vpn tunnel I am not sure I have a gateway to do the test vpn ike-sa

OK, If Fortinet FW is is the VPN initiator, then look at the "system" , "ike-mgr" logs to ensure PAN is receiving the IKE packets and responding back.

Thanks

L4 Transporter

Is there a way to prove that the traffice is making it past the firewall and into the internet?

I'd do a packet capture using the transmit stage.  Also enter a drop stage capture too and check both resultant files.

I have done packet captures it transmits and there are no drops. So that means it is reaching the internet?

How can

I tell from the ike-mgr and system logs that the pan is receiving ike responses? My understanding is the fortinet behind tha PAN is the initiator

Hello Infotech,

System logs should show the received IKE messages with responder cookies as 00000000.

Thanks

So do I look under monitor->system and then filter by ike?

Yes, you are correct. (You may also check ike-mgr logs for more detail info.)

Thanks

  • 11804 Views
  • 32 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!