FortiGate VPN Troubleshooting

Captions
Hello, and thank you for visiting my channel. Today I just want to go over how to troubleshoot a VPN on the FortiGate firewall. As you can see on the screen, the setup is very simple: two firewalls peering and trying to establish the VPN so PC A can communicate with PC B. So we have both firewalls here side by side. There's nothing to the configuration; everything is pretty much default besides, obviously, the IP and the VPN that was configured using the IPsec wizard that FortiGate provides. So as you can see, both VPNs on both sides are down; there's no activity at the moment. If we try to send traffic from PC A to PC B, this should bring the VPN up. And there we go, the ping is working and successful; that means the VPN is up. Under Monitor, IPsec Monitor, we see the VPN is actually up, and now there is some traffic over it. If we refresh the page for firewall B, we will see that the VPN is now up there as well.

So now let's just break stuff. I'm going to first change the pre-shared key on firewall B. Currently the pre-shared key is something very simple: it's "FortiGate". I'm going to change the capital G for a lowercase g. We're going to accept those changes and see what happens now. So the best way to troubleshoot your VPN is directly on the CLI; we have a couple of debugs. So what I like to do is start with a "diagnose vpn ike log filter clear"; that way I can clear any filters that I have from previous troubleshooting, which is especially important in a production environment. And now I'm going to limit that to the peer IP of the firewall I'm interested in, which in this case is 4583 206. And now we are going to start with a "diagnose debug application ike -1". So if we retry that previous ping, it's now not working, and we see some activity on the firewall. So let me stop this with "diagnose debug reset". And we were very lucky: the message that we were looking for is right here in our face. There's a parse error, and the firewall is already showing us there is a potential pre-shared key mismatch. So now we just need to figure out which side is wrong, or we retype them, and that should fix the problem.

So let me fix that, and now we're going to break something else. Now, for the phase 1 proposal, we're going to change the encryption and authentication algorithm. Right now for authentication it is using MD5; we are going to just change that to SHA-256. So now that's changed, let's start the debug again, and oh, there we go, that was easy. So let me stop the debug again with a reset, and let's see what happened. So again, look, yes, we see the error right there: there was a negotiation error, but now we need to determine the why. So if we scroll up a little bit, we see there was an incoming proposal from firewall B with the following settings. Right now what we care about is that for encryption it is using DES and for authentication it is using SHA-256. So firewall A has to match those settings that it's receiving with any of the proposals configured on this thing. So right here firewall A says "my proposals", and it's going to list all the proposals you have available to see if it finds a match. Remember that we are looking for DES and SHA-256. So the first proposal is there and, nope, that doesn't work. Then we have DES and SHA; that doesn't work. We are kind of sure, because we're looking for DES and SHA-256. The last one is DES and SHA again, but the group it is using is different, so that doesn't work either, and that's why we're getting the negotiation error, the negotiation failure, and that's why the VPN is not getting established.

So let's fix that, and I can break something else now. I'm going to do the same type of change, but instead of the phase 1 proposal I'm going to do that change for the phase 2 proposal. And this one is interesting, because the debug will look different if firewall B is the one trying to initiate this or if it is firewall A the one trying to start the VPN, so I'll show both cases. So we are going to do exactly the same thing: we're going to change the authentication from MD5 to SHA-256. So let's start the debug again, let's go to firewall B and try to establish the VPN. So we're going to try to bring it up, and remember, this time phase 2 has a proposal mismatch. So let's go to this and let's see what happened. So as you can see, it's very, very similar; that's what we're looking for: the firewall is going to try to match its proposal with the incoming proposal, and now again we are getting a negotiation failure as before. Now there's one important thing that in this case is actually different: this one says "IPsec SA error", and that is indicating it's phase 2. And also, if we scroll up a little bit, when the proposals are being listed, it is looking for a match for phase 2. So that way we can identify that these proposals are failing on phase 2, versus on phase 1, where it says "ISAKMP SA error", which is different from the IPsec SA error that we are getting right now, right here. That's one of the differences that we can identify, so we can tell if it is failing on phase 1 or phase 2.

Now let's see what happens if firewall A is the one trying to establish the VPN. So I'm going to generate traffic from that side; there's going to be activity. If you see the activity, we are not seeing all the proposals being listed in this case, and that is because we are just sending the negotiation to firewall B. Reset; perfect. Let me stop the ping as well. So in this case we are not seeing the proposals being listed because we are not the one trying to match them; it is the remote side. But we can see that we got a message received; that means firewall B is notifying us that there was a "no proposal chosen". This means that firewall B did not find a match for the proposal on phase 2, and again that will indicate what the problem was there. So now, if we fix that again, we save that and let's reattempt the ping, and this time it should work. So the values are fixed again; there we go. It took a little bit; that was probably the key being negotiated, but now everything is working again. So I hope that this video helped you guys to determine where the VPN may be failing, and once we identify it, it is easier to address the problem. So thanks for watching.
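The walkthrough above describes two things a practitioner does by eye: matching the peer's incoming proposal against the local proposal list (encryption, authentication and DH group all have to agree), and reading the debug output to tell a pre-shared key problem from a phase 1 or phase 2 proposal mismatch. The following Python is an added example that is not code from the video, from 5 Minute IT or from Fortinet: the `Proposal` class, the `match_proposal`, `explain_mismatch` and `triage_ike_debug` functions and the `CONSTRUCTED_DEBUG` lines are all assumptions made here; the debug lines are constructed to carry only the indicators the video points at (parse error, pre-shared key mismatch, ISAKMP SA error, IPsec SA error, no proposal chosen) and are not real `diagnose debug application ike` output.

```python
"""Proposal matching and IKE debug triage, modelled on the video's walkthrough.

Added example (not the video's or Fortinet's code). Debug lines are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proposal:
    enc: str      # encryption algorithm, e.g. "des" or "aes128"
    auth: str     # authentication/integrity algorithm, e.g. "md5" or "sha256"
    dhgrp: int    # Diffie-Hellman group


def match_proposal(incoming: Proposal, configured: list[Proposal]) -> Optional[int]:
    """Walk the local proposal list the way the debug lists "my proposals".

    The peer's proposal must agree on encryption, authentication AND DH group
    with one entry. Returns the index of the first match, or None, which is
    the situation the debug reports as a negotiation failure.
    """
    for idx, mine in enumerate(configured):
        if mine == incoming:
            return idx
    return None


def explain_mismatch(incoming: Proposal, configured: list[Proposal]) -> list[str]:
    """One note per configured proposal naming the attribute(s) that rejected it."""
    notes = []
    for idx, mine in enumerate(configured):
        bad = [name for name in ("enc", "auth", "dhgrp")
               if getattr(mine, name) != getattr(incoming, name)]
        notes.append(f"proposal {idx}: " + ("match" if not bad else "differs in " + ", ".join(bad)))
    return notes


def triage_ike_debug(lines: list[str]) -> str:
    """Classify debug output using the same indicators the video reads off the screen.

    Order matters: a parse error / PSK hint is checked before proposal messages,
    because a wrong pre-shared key never gets as far as proposal matching.
    A received "no proposal chosen" means the remote side rejected our proposal
    (the case where this firewall is the initiator and lists no proposals itself).
    """
    text = "\n".join(lines).lower()
    if "parse error" in text or "pre-shared key" in text:
        return "phase1-psk-mismatch"
    if "no proposal chosen" in text:
        return "phase2-rejected-by-peer"
    if "ipsec sa" in text and "negotiation failure" in text:
        return "phase2-proposal-mismatch"
    if "isakmp sa" in text and "negotiation failure" in text:
        return "phase1-proposal-mismatch"
    return "unknown"


# Constructed sample debug output (assumed format; not real FortiOS output).
CONSTRUCTED_DEBUG = {
    "psk": [
        "ike 0:tunnelA: received message from peer",
        "ike 0:tunnelA: parse error",
        "ike 0:tunnelA: probable pre-shared key mismatch",
    ],
    "phase1": [
        "ike 0:tunnelA: incoming proposal: enc=des auth=sha256 dhgrp=5",
        "ike 0:tunnelA: my proposal: enc=des auth=md5 dhgrp=5",
        "ike 0:tunnelA: negotiation failure",
        "ike 0:tunnelA: ISAKMP SA error",
    ],
    "phase2": [
        "ike 0:tunnelA: incoming phase 2 proposal: enc=des auth=sha256",
        "ike 0:tunnelA: my proposal: enc=des auth=md5",
        "ike 0:tunnelA: negotiation failure",
        "ike 0:tunnelA: IPsec SA error",
    ],
    "remote_reject": [
        "ike 0:tunnelA: sent phase 2 proposal to peer",
        "ike 0:tunnelA: received notify: no proposal chosen",
    ],
}

# The phase 1 case from the video: peer offers DES/SHA-256 (group 5 assumed),
# local side has three proposals, the last differing only in DH group.
INCOMING = Proposal("des", "sha256", 5)
LOCAL = [Proposal("des", "md5", 5), Proposal("des", "sha1", 5), Proposal("des", "sha256", 14)]

if __name__ == "__main__":
    print("match index:", match_proposal(INCOMING, LOCAL))
    for note in explain_mismatch(INCOMING, LOCAL):
        print(note)
    for name, lines in CONSTRUCTED_DEBUG.items():
        print(name, "->", triage_ike_debug(lines))
```

`explain_mismatch` is the part worth keeping around in a runbook: when the debug shows a negotiation failure, it says which attribute of each local proposal disagrees with the peer, which is exactly the comparison the video does line by line and is what tells you whether to fix the algorithm or the DH group.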
Info
Channel: 5 Minute IT
Views: 5,985
Keywords: fortigate, fortinet, nse4
Id: 02OrOjLatV0
Length: 9min 27sec (567 seconds)
Published: Thu Jun 04 2020