How to debug an IPsec VPN on a Fortigate CLI

This is a quick reference guide on how to debug an IPsec VPN on a Fortigate.

1. Check IPsec traffic

Run a packet sniffer to make sure that traffic is hitting the Fortigate. There are various combinations you can run depending on how many VPNs you have configured (IKE uses UDP port 500; UDP port 4500 carries NAT-T traffic when a NAT device sits between the peers).

diagnose sniffer packet any "port 500"
interfaces=[any]
filters=[port 500]

diagnose sniffer packet any "port 4500"
interfaces=[any]
filters=[port 4500]

diagnose sniffer packet any "port 4500 and host 92.203.x.x"
interfaces=[any]
filters=[port 4500 and host 92.203.x.x]

diagnose sniffer packet any "port 500 and host 92.203.x.x"
interfaces=[any]
filters=[port 500 and host 92.203.x.x]

diagnose sniffer packet any "host 92.203.x.x"
interfaces=[any]
filters=[host 92.203.x.x]

2. Debug the VPN using diagnose debug application ike -1

Replace <Remote_Peer_IP-Address> with the public IP address of the remote device.

diagnose debug reset
diagnose vpn ike log-filter dst-addr4 <Remote_Peer_IP-Address>
diagnose debug application ike -1
diagnose debug enable

Sample output

ike 0:VPN: connection expiring due to phase1 down
ike 0:VPN: deleting
ike 0:VPN: deleted
ike 0:: schedule auto-negotiate
ike 0:VPN:718429: initiator: main mode is sending 1st message...
ike 0:VPN:718429: cookie c7daf8252121d228/0000000000000000
ike 0:VPN:718429: out
ike 0:VPN:718429: sent IKE msg (ident_i1send): 91.159.x.1x:500->193.x.x.x:500, len=288, id=c7daf8252121d228/0000000000000000
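When the debug output runs to thousands of lines it helps to summarise it per tunnel before reading it by hand. The following script is an added example, not part of the original post or of any Fortinet tooling: it parses the `ike` debug line format shown in the sample above (`ike <vdom>:<phase1 name>:<negotiation id>: <message>`), counts phase1-down events, records the role, mode and cookie pair of each negotiation, and flags negotiations where the responder half of the cookie is still all zeros after outbound messages, which means no reply from the peer was seen (the case where the step 1 sniffer on port 500/4500 is the next thing to check). The sample input is the post's own output, embedded as a constructed string with the hex dump after "out" omitted; the `triage` wording and the all-zero responder cookie heuristic are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: the lines the post shows for
# `diagnose debug application ike -1` (hex dump after "out" omitted).
SAMPLE_IKE_DEBUG = """\
ike 0:VPN: connection expiring due to phase1 down
ike 0:VPN: deleting
ike 0:VPN: deleted
ike 0:: schedule auto-negotiate
ike 0:VPN:718429: initiator: main mode is sending 1st message...
ike 0:VPN:718429: cookie c7daf8252121d228/0000000000000000
ike 0:VPN:718429: out
ike 0:VPN:718429: sent IKE msg (ident_i1send): 91.159.x.1x:500->193.x.x.x:500, len=288, id=c7daf8252121d228/0000000000000000
"""

# "ike <vdom index>:<phase1 name>[:<negotiation id>]: <message>"
LINE_RE = re.compile(r"^ike (\d+):([^:]*)(?::(\d+))?: (.*)$")
ROLE_RE = re.compile(r"^(initiator|responder): (main|aggressive) mode")
COOKIE_RE = re.compile(r"cookie ([0-9a-f]+/[0-9a-f]+)")
SENT_RE = re.compile(
    r"sent IKE msg \((\w+)\): (\S+)->(\S+), len=(\d+), id=([0-9a-f]+/[0-9a-f]+)"
)
ZERO_COOKIE = "0" * 16  # responder SPI is zero until the peer answers (IKEv1)


def parse_ike_debug(text):
    """Group ike debug lines by phase1 name and negotiation id."""
    tunnels = defaultdict(lambda: {"phase1_down": 0, "negotiations": {}, "sent": []})
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an ike debug line (e.g. CLI echo)
        _vdom, name, neg_id, msg = m.groups()
        if not name:
            continue  # "ike 0::" daemon-level lines such as "schedule auto-negotiate"
        t = tunnels[name]
        if "phase1 down" in msg:
            t["phase1_down"] += 1
        if not neg_id:
            continue  # tunnel-level line without a negotiation id
        neg = t["negotiations"].setdefault(
            neg_id, {"role": None, "mode": None, "cookie": None}
        )
        r = ROLE_RE.match(msg)
        if r:
            neg["role"], neg["mode"] = r.group(1), r.group(2)
        c = COOKIE_RE.search(msg)
        if c:
            neg["cookie"] = c.group(1)
        s = SENT_RE.search(msg)
        if s:
            t["sent"].append(
                {"neg": neg_id, "kind": s.group(1), "src": s.group(2),
                 "dst": s.group(3), "len": int(s.group(4)), "id": s.group(5)}
            )
    return dict(tunnels)


def triage(tunnels):
    """Turn the parsed structure into short findings (assumed heuristics)."""
    findings = []
    for name, t in tunnels.items():
        if t["phase1_down"]:
            findings.append(
                f"{name}: phase1 reported down {t['phase1_down']} time(s); "
                "the tunnel was torn down and renegotiated"
            )
        for neg_id, neg in t["negotiations"].items():
            outbound = [s for s in t["sent"] if s["neg"] == neg_id]
            cookie = neg["cookie"] or ""
            if neg["role"] == "initiator" and outbound and cookie.endswith("/" + ZERO_COOKIE):
                peers = ", ".join(sorted({s["dst"] for s in outbound}))
                findings.append(
                    f"{name} negotiation {neg_id}: {len(outbound)} outbound IKE message(s) "
                    f"to {peers}, no responder cookie yet: nothing came back from the "
                    "peer in this capture, so confirm with the port 500/4500 sniffer"
                )
    return findings


if __name__ == "__main__":
    parsed = parse_ike_debug(SAMPLE_IKE_DEBUG)
    for line in triage(parsed):
        print(line)
```

Feed it a saved copy of the debug session (for example `python ike_summary.py < ike.log` after replacing `SAMPLE_IKE_DEBUG` with `sys.stdin.read()`); a tunnel that repeatedly appears with a zero responder cookie is one the remote side is not answering, while one whose cookie fills in but still reports phase1 down points at a proposal or authentication mismatch later in the exchange.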


Thank you for reading and please feel free to leave any feedback.
