Hub-spoke with inter-overlay source NAT troubleshooting
Primary-Hub # diagnose vpn ocvpn status
Current State : Registered
Topology : Dual-Hub-Spoke
Role : Primary-Hub
Server Status : Up
Registration time : Sat Mar 2 11:31:54 2019
Update time : Sat Mar 2 13:57:05 2019
Poll time : Sat Mar 2 14:03:31 2019

Spoke1 # diagnose vpn ocvpn status
Current State : Registered
Topology : Dual-Hub-Spoke
Role : Spoke
Server Status : Up
Registration time : Sat Mar 2 13:58:01 2019
Poll time : Sat Mar 2 14:04:22 2019

Primary-Hub # diagnose vpn ocvpn show-members
Member: { "sn": "FG900D3915800083", "ip_v4": "172.16.200.4", "port": 500, "slot": 0, "overlay": [ { "id": 0, "name": "QA", "subnets": [ "172.16.101.0\/255.255.255.0" ], "ip_range": "172.16.101.100-172.16.101.200" }, { "id": 1, "name": "PM", "subnets": [ "172.16.102.0\/255.255.255.0" ], "ip_range": "172.16.102.100-172.16.102.200" } ], "name": "Primary-Hub", "topology_role": "primary_hub", "eap": "disable", "auto_discovery": "enable" }
Member: { "sn": "FG100D3G15828488", "ip_v4": "172.16.200.2", "port": 500, "slot": 1, "overlay": [ { "id": 0, "name": "QA", "subnets": [ "172.16.101.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" }, { "id": 1, "name": "PM", "subnets": [ "172.16.102.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" } ], "name": "Secondary-Hub", "topology_role": "secondary_hub", "eap": "disable", "auto_discovery": "enable" }
Member: { "sn": "FGT51E3U16001314", "ip_v4": "172.16.200.3", "port": 500, "slot": 1001, "overlay": [ { "id": 0, "name": "QA", "subnets": [ "192.168.4.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" }, { "id": 1, "name": "PM", "subnets": [ "192.168.5.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" } ], "name": "Spoke2", "topology_role": "spoke" }
Member: { "sn": "FG100D3G15801621", "ip_v4": "172.16.200.1", "port": 500, "slot": 1000, "overlay": [ { "id": 0, "name": "QA", "subnets": [ "10.1.100.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" }, { "id": 1, "name": "PM", "subnets": [ "10.2.100.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" } ], "name": "Spoke1", "topology_role": "spoke" }

Primary-Hub # diagnose vpn ocvpn show-meta
Topology :: auto
License :: full
Members :: 4
Max-free :: 3

Primary-Hub # diagnose vpn ocvpn show-overlays
QA
PM

Spoke1 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------
name=_OCVPN2-0.0 ver=2 serial=c 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
proxyid_num=3 child_num=0 refcnt=13 ilast=17 olast=17 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=29 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=_OCVPN2-0.0 proto=0 sa=1 ref=2 serial=1 auto-negotiate
src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=42299/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42899/43200
dec: spi=0484795d esp=aes key=16 10eeb76fadd49f00c333350d83509095 ah=sha1 key=20 971bde5dcfca7e52fd1573cb3489e9c855f6154e
enc: spi=dfcffaaa esp=aes key=16 d07a4dd683ee093af2dca9485aa436eb ah=sha1 key=20 65369be35d5ecad8cae63557318419cd6005c230
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
proxyid=_OCVPN2-0.0_nat proto=0 sa=1 ref=2 serial=3 auto-negotiate
src: 0:172.16.101.101-172.16.101.101:0 dst: 0:0.0.0.0-255.255.255.255:0
SA: ref=3 options=18627 type=00 soft=0 mtu=1438 expire=42303/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42898/43200
dec: spi=04847961 esp=aes key=16 ea181036b02e8bc8711fb520b3e98a60 ah=sha1 key=20 b3c449d96d5d3f090975087a62447f6918ce7930
enc: spi=dfcffaac esp=aes key=16 f7ea5e42e9443698e6b8b32161ace40e ah=sha1 key=20 a7e36dd1ec0bdb6eff0aa66e442707427400c700
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
proxyid=_OCVPN2-0.0_nat proto=0 sa=0 ref=2 serial=2 auto-negotiate
src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0
------------------------------------------------
name=_OCVPN2-1.0 ver=2 serial=e 172.16.200.1:0->172.16.200.2:0 dst_mtu=0 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
proxyid_num=2 child_num=0 refcnt=10 ilast=599 olast=599 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=0 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=_OCVPN2-1.0 proto=0 sa=0 ref=2 serial=1 auto-negotiate
src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0
proxyid=_OCVPN2-1.0_nat proto=0 sa=0 ref=2 serial=2 auto-negotiate
src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0
------------------------------------------------
name=_OCVPN2-0.1 ver=2 serial=b 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
proxyid_num=3 child_num=0 refcnt=13 ilast=17 olast=17 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=29 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=_OCVPN2-0.1 proto=0 sa=1 ref=2 serial=1 auto-negotiate
src: 0:10.2.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=42297/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42897/43200
dec: spi=0484795e esp=aes key=16 106eaa95a2be64b566e7d1ca0aa88f6a ah=sha1 key=20 5dddfba7070b03d5a31931d41db06ff96e7bc542
enc: spi=dfcffaab esp=aes key=16 29c774dbd7e54464ee298c381e71a94e ah=sha1 key=20 c3da7372789c0a53b3752e69baaba1a42d798820
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
proxyid=_OCVPN2-0.1_nat proto=0 sa=1 ref=2 serial=3 auto-negotiate
src: 0:172.16.102.101-172.16.102.101:0 dst: 0:0.0.0.0-255.255.255.255:0
SA: ref=3 options=18627 type=00 soft=0 mtu=1438 expire=42307/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42902/43200
dec: spi=04847962 esp=aes key=16 b7daa5807cfa86906592a012a9d2478f ah=sha1 key=20 39c8bb4c9e3f1e9e451f22c58a172ff01155055d
enc: spi=dfcffaad esp=aes key=16 2ecc644def4cebe6b0c4b7729da43d8e ah=sha1 key=20 469c6f319e83bd73468f55d430566afcd6215138
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
proxyid=_OCVPN2-0.1_nat proto=0 sa=0 ref=2 serial=2 auto-negotiate
src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0
------------------------------------------------
name=_OCVPN2-1.1 ver=2 serial=d 172.16.200.1:0->172.16.200.2:0 dst_mtu=0 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
proxyid_num=2 child_num=0 refcnt=10 ilast=599 olast=599 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=0 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=_OCVPN2-1.1 proto=0 sa=0 ref=2 serial=1 auto-negotiate
src: 0:10.2.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0
proxyid=_OCVPN2-1.1_nat proto=0 sa=0 ref=2 serial=2 auto-negotiate
src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0
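When the `_nat` proxyid of a tunnel is what you are chasing, the two outputs worth reading together are `show-members` (the `ip_range` each hub advertises per overlay) and `diagnose vpn tunnel list` (the single-host source selector and `sa=` state of each `_nat` proxyid). The Python script below is an added example, not code from the original page or from FortiOS: it parses constructed copies of both outputs, in exactly the line format shown above (three `Member:` lines for Primary-Hub, Secondary-Hub and Spoke1, and the two QA-overlay tunnels from Spoke1 with the SA key material left out), and reports per tunnel which overlay the plain proxyid belongs to (matched on the spoke's own overlay subnet), the NAT source address, whether that proxyid has an SA, and whether the address lies inside the hub's `ip_range` for that overlay. The hub is identified by the remote gateway on the `name=` line, so nothing is assumed about the `_OCVPN2-x.y` naming scheme.

```python
"""Cross-check OCVPN inter-overlay source NAT state from FortiGate CLI output.
Added example, not FortiOS code: parses `diagnose vpn ocvpn show-members` and
`diagnose vpn tunnel list` text in the line format shown on this page."""
import ipaddress
import json
import re

# Constructed sample in the shape of `show-members` (each Member: line is JSON).
SHOW_MEMBERS = r'''
Member: { "sn": "FG900D3915800083", "ip_v4": "172.16.200.4", "port": 500, "slot": 0, "overlay": [ { "id": 0, "name": "QA", "subnets": [ "172.16.101.0\/255.255.255.0" ], "ip_range": "172.16.101.100-172.16.101.200" }, { "id": 1, "name": "PM", "subnets": [ "172.16.102.0\/255.255.255.0" ], "ip_range": "172.16.102.100-172.16.102.200" } ], "name": "Primary-Hub", "topology_role": "primary_hub", "eap": "disable", "auto_discovery": "enable" }
Member: { "sn": "FG100D3G15828488", "ip_v4": "172.16.200.2", "port": 500, "slot": 1, "overlay": [ { "id": 0, "name": "QA", "subnets": [ "172.16.101.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" }, { "id": 1, "name": "PM", "subnets": [ "172.16.102.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" } ], "name": "Secondary-Hub", "topology_role": "secondary_hub", "eap": "disable", "auto_discovery": "enable" }
Member: { "sn": "FG100D3G15801621", "ip_v4": "172.16.200.1", "port": 500, "slot": 1000, "overlay": [ { "id": 0, "name": "QA", "subnets": [ "10.1.100.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" }, { "id": 1, "name": "PM", "subnets": [ "10.2.100.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" } ], "name": "Spoke1", "topology_role": "spoke" }
'''

# Constructed sample: Spoke1's two QA-overlay tunnels, SA key lines omitted.
TUNNEL_LIST = '''\
name=_OCVPN2-0.0 ver=2 serial=c 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=29 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=_OCVPN2-0.0 proto=0 sa=1 ref=2 serial=1 auto-negotiate
src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0
proxyid=_OCVPN2-0.0_nat proto=0 sa=1 ref=2 serial=3 auto-negotiate
src: 0:172.16.101.101-172.16.101.101:0 dst: 0:0.0.0.0-255.255.255.255:0
proxyid=_OCVPN2-0.0_nat proto=0 sa=0 ref=2 serial=2 auto-negotiate
src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0
------------------------------------------------
name=_OCVPN2-1.0 ver=2 serial=e 172.16.200.1:0->172.16.200.2:0 dst_mtu=0 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
dpd: mode=on-idle on=0 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=_OCVPN2-1.0 proto=0 sa=0 ref=2 serial=1 auto-negotiate
src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0
proxyid=_OCVPN2-1.0_nat proto=0 sa=0 ref=2 serial=2 auto-negotiate
src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0
'''

NAME_RE = re.compile(r"^name=(\S+) .*?(\d+\.\d+\.\d+\.\d+):\d+->(\d+\.\d+\.\d+\.\d+):\d+")
PROXY_RE = re.compile(r"proxyid=(\S+) proto=\d+ sa=(\d+)")   # "proxyid_num=" does not match
SEL_RE = re.compile(r"^src: 0:(\S+):0 dst: 0:(\S+):0")


def parse_members(text):
    """show-members output -> {gateway ip_v4: member dict}."""
    return {m["ip_v4"]: m for m in (json.loads(l[len("Member:"):])
                                    for l in text.splitlines() if l.startswith("Member:"))}


def parse_tunnels(text):
    """tunnel list output -> [{name, local, remote, proxies: [{id, sa, src, dst}]}]."""
    tunnels, proxy = [], None
    for line in text.splitlines():
        if m := NAME_RE.match(line):
            tunnels.append({"name": m[1], "local": m[2], "remote": m[3], "proxies": []})
        elif m := PROXY_RE.search(line):          # may sit at the end of the dpd/natt line
            proxy = {"id": m[1], "sa": int(m[2]), "src": None, "dst": None}
            tunnels[-1]["proxies"].append(proxy)
        elif (m := SEL_RE.match(line)) and proxy is not None:
            proxy["src"], proxy["dst"] = m[1], m[2]
    return tunnels


def selector_bounds(sel):
    """'addr/mask' or 'first-last' selector -> (first, last) IPv4Address."""
    if "-" in sel:
        first, last = sel.split("-")
        return ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    net = ipaddress.IPv4Network(sel, strict=False)
    return net.network_address, net.broadcast_address


def check_inter_overlay_nat(members_text, tunnels_text):
    """One finding per tunnel: overlay, NAT source, SA state, and whether the NAT
    source sits inside the ip_range the remote hub advertises for that overlay."""
    members, findings = parse_members(members_text), []
    for t in parse_tunnels(tunnels_text):
        local, hub = members.get(t["local"]), members.get(t["remote"])
        if not (local and hub):
            findings.append({"tunnel": t["name"], "error": "gateway not in show-members"})
            continue
        # The plain proxyid's source selector is the spoke's own subnet in one overlay.
        overlay = None
        for p in t["proxies"]:
            if not p["id"].endswith("_nat") and p["src"]:
                overlay = next((o for o in local["overlay"] if any(
                    selector_bounds(s) == selector_bounds(p["src"]) for s in o["subnets"])), overlay)
        hub_ov = next((o for o in hub["overlay"] if overlay and o["id"] == overlay["id"]), None)
        # The _nat proxyid with a single-host source selector carries the assigned NAT address.
        nat_addr, nat_sa = None, 0
        for p in t["proxies"]:
            if p["id"].endswith("_nat") and p["src"]:
                first, last = selector_bounds(p["src"])
                if first == last:
                    nat_addr, nat_sa = first, p["sa"]
        in_range = False
        if nat_addr is not None and hub_ov:
            lo, hi = (ipaddress.IPv4Address(x) for x in hub_ov["ip_range"].split("-"))
            in_range = lo <= nat_addr <= hi
        findings.append({"tunnel": t["name"], "hub": hub["name"],
                         "overlay": overlay["name"] if overlay else None,
                         "nat_src": str(nat_addr) if nat_addr is not None else None,
                         "nat_sa_up": nat_sa == 1, "in_hub_range": in_range})
    return findings


if __name__ == "__main__":
    for finding in check_inter_overlay_nat(SHOW_MEMBERS, TUNNEL_LIST):
        print(finding)
```

On the sample, the tunnel to the primary hub reports overlay QA, NAT source 172.16.101.101 with an SA up and inside the hub's 172.16.101.100-172.16.101.200 range; the tunnel to the secondary hub reports no NAT address, no SA, and a hub range of 0.0.0.0-0.0.0.0, which is the expected idle state for the standby hub in the output above. A NAT address outside the hub's range, or a `_nat` proxyid with `sa=0` on the active hub, is the condition to dig into.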

Spoke1 # get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
S* 0.0.0.0/0 [10/0] via 172.16.200.254, port1
C 10.1.100.0/24 is directly connected, dmz
C 10.2.100.0/24 is directly connected, loop
C 11.101.1.0/24 is directly connected, wan1
C 11.102.1.0/24 is directly connected, wan2
S 172.16.101.0/24 [20/0] is directly connected, _OCVPN2-0.1
C 172.16.101.101/32 is directly connected, _OCVPN2-0.1
C 172.16.200.0/24 is directly connected, port1
S 172.16.102.0/24 [20/0] is directly connected, _OCVPN2-0.0
C 172.16.102.101/32 is directly connected, _OCVPN2-0.0
S 192.168.4.0/24 [20/0] is directly connected, _OCVPN2-0.0
S 192.168.5.0/24 [20/0] is directly connected, _OCVPN2-0.1

Spoke1 # show firewall policy
    ...
    edit 9
        set name "_OCVPN2-1.1_nat"
        set uuid 3f7a84b8-3d36-51e9-ee97-8f418c91e666
        set srcintf "any"
        set dstintf "_OCVPN2-1.1"
        set srcaddr "all"
        set dstaddr "_OCVPN2-1.1_remote_networks"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "Generated by OCVPN Cloud Service."
        set nat enable
    next
    edit 12
        set name "_OCVPN2-1.0_nat"
        set uuid 3fafec98-3d36-51e9-80c0-5d99325bad83
        set srcintf "any"
        set dstintf "_OCVPN2-1.0"
        set srcaddr "all"
        set dstaddr "_OCVPN2-1.0_remote_networks"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "Generated by OCVPN Cloud Service."
        set nat enable
    next
    ...