FG61F - IPSEC VPN Logs, Where Are They?

I am feeling a bit foolish right now, but I cannot for the life of me find where IPSEC Tunnel logs would be going to on my new Fortigate 61F. I have created an IPSEC Tunnel with matching settings to a peer and it is not coming up. I want to view the IPSEC VPN Logs to determine what the error is.

  • Fortigate 61F
  • 6.4.8 build 1914
  • Log Setting - Log All is enabled
  • I have looked in Log & Report → Events → VPN Events but there is only one log entry for a random inbound VPN request, nothing from my attempts to establish outbound

Can anyone help me figure out where these logs should be?

I appreciate any advice you can provide.

Cheers!

***EDIT***

It was a config issue on the remote side, which I did not have access to. The tunnels are up now. /u/DasToastbrot may have been on to something though as I may not have had the correct policies in place to get the phase1 tunnels to establish initially. The tunnels are up now though, I appreciate all of the comments and suggestions!

Did you add the proper interface in the IPsec VPN configuration?

diagnose sniffer packet any "port 500"

diagnose sniffer packet any "port 4500"

diagnose sniffer packet any "host PEER-IP"

Note that the sniffer runs against the CPU, not the NPU processor.

diag debug en

diag debug application ike -1

You can also do:

diag debug app ike -1
diag vpn ike log-filter src-addr4 <IP>
diag debug enable

If you have a policy, is "log all events" enabled? Otherwise diag debug sniffer is your friend.

  • VPN settings including key life and DH groups (or disable PFS). Also the PSK.
  • The source and destination selectors in P2 flip depending on which end of the tunnel you are on.
  • Routes to the remote network pointing at the remote tunnel.
  • Policy inbound and outbound on both sides.
  • Check address objects or use any source/destination.
  • If all else fails, try NAT-T on both sides.

I probably messed it up, to be honest :) I rebuilt my tunnel using the Wizard and then converted to a custom tunnel type and have made some progress. Phase 1 logs are showing up now as successful. Absolutely nothing for the Phase 2 negotiation though. /sigh. I need to get with the remote side and coordinate a bit to see what is going on and make sure they see Phase 1 coming up too.

The interesting thing here is that the debug is showing nothing and I also ran a packet capture to attempt to capture packets and no packets are captured when trying to bring up the IPSEC VPN Tunnel.

Ouch, the VPN wizard, not my cup of tea. With the custom VPN settings you are in control of encryption and naming.
Debug for phase 2 is like this:

diagnose vpn tunnel list name PEER-IP

Indeed, first check with the remote site that the phase 2 selectors are the same. Check that you have policies in place.

Looking forward. :+1:

If you're not seeing anything, check your routing tables. Make sure you have static routes pointing to the destination subnets using the VPN interface.

Yeah, my Fortigate refuses to make outbound connection attempts for the custom IPsec tunnel types, only the wizard's (after which I can convert to a custom tunnel). I am going to open a ticket with Fortinet on this as it is odd for sure.

Don't forget to create firewall policies that contain the IPsec tunnel as either source or destination interface.

Otherwise the tunnel will NEVER even try to connect!

I bet the wizard creates the policies for you but with custom tunnels you need to do that manually.
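As an added illustration (not code from this thread or from Fortinet), the following Python script turns the checklist posted earlier (matching PSK, proposals, DH groups and PFS; phase 2 selectors mirrored between the ends; routes to the remote subnets via the tunnel interface; inbound and outbound policies) and the last post's point that a FortiGate will not even initiate without a policy referencing the tunnel interface into a pre-flight comparison of the two ends. The `Side`/`Phase1`/`Phase2` classes, their field names and the two sample site definitions are constructed assumptions for the example and do not correspond to FortiOS's own configuration format.

```python
# Added example: pre-flight consistency check for both ends of a site-to-site
# IPsec tunnel. All classes, field names and sample data are constructed
# assumptions, not FortiOS configuration syntax.
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase1:
    local_ip: str          # this end's IKE gateway address
    peer_ip: str           # remote gateway address configured on this end
    psk: str
    proposals: frozenset   # e.g. {"aes256-sha256"}
    dh_groups: frozenset   # e.g. {14}
    key_life: int          # seconds
    nat_t: bool


@dataclass(frozen=True)
class Phase2:
    local_subnets: frozenset   # "source" selectors as seen from this end
    remote_subnets: frozenset  # "destination" selectors as seen from this end
    pfs: bool
    dh_groups: frozenset
    key_life: int


@dataclass
class Side:
    name: str
    tunnel_intf: str   # name of the IPsec interface on this end
    phase1: Phase1
    phase2: Phase2
    routes: dict       # destination subnet -> outgoing interface
    policies: list     # (src_intf, dst_intf) pairs


def compare_sides(a: Side, b: Side) -> list:
    """Return mismatches between the two ends that break phase 1 or phase 2."""
    problems = []
    p1a, p1b = a.phase1, b.phase1
    if p1a.peer_ip != p1b.local_ip or p1b.peer_ip != p1a.local_ip:
        problems.append("phase1: gateway addresses do not point at each other")
    if p1a.psk != p1b.psk:
        problems.append("phase1: pre-shared keys differ")
    if not (p1a.proposals & p1b.proposals):
        problems.append("phase1: no common encryption/authentication proposal")
    if not (p1a.dh_groups & p1b.dh_groups):
        problems.append("phase1: no common DH group")
    if p1a.key_life != p1b.key_life:
        problems.append("phase1: key lifetimes differ")
    if p1a.nat_t != p1b.nat_t:
        problems.append("phase1: NAT-T enabled on only one end")
    p2a, p2b = a.phase2, b.phase2
    # Phase 2 selectors flip: A's local subnets must be B's remote subnets and vice versa.
    if p2a.local_subnets != p2b.remote_subnets or p2a.remote_subnets != p2b.local_subnets:
        problems.append("phase2: selectors are not mirror images of each other")
    if p2a.pfs != p2b.pfs:
        problems.append("phase2: PFS enabled on only one end")
    elif p2a.pfs and not (p2a.dh_groups & p2b.dh_groups):
        problems.append("phase2: PFS on but no common DH group")
    if p2a.key_life != p2b.key_life:
        problems.append("phase2: key lifetimes differ")
    return problems


def check_local_plumbing(side: Side) -> list:
    """Routes and policies one end needs before it will try to bring the tunnel up."""
    problems = []
    for subnet in sorted(side.phase2.remote_subnets):
        if side.routes.get(subnet) != side.tunnel_intf:
            problems.append(f"{side.name}: no route to {subnet} via {side.tunnel_intf}")
    if not any(dst == side.tunnel_intf for _, dst in side.policies):
        problems.append(f"{side.name}: no outbound policy to {side.tunnel_intf}")
    if not any(src == side.tunnel_intf for src, _ in side.policies):
        problems.append(f"{side.name}: no inbound policy from {side.tunnel_intf}")
    return problems


# Constructed sample: site A forgot the inbound policy; site B uses a different
# phase 1 lifetime. Everything else is consistent, selectors correctly flipped.
SITE_A = Side(
    "Site A", "to_site_b",
    Phase1("203.0.113.10", "198.51.100.20", "constructed-psk",
           frozenset({"aes256-sha256"}), frozenset({14}), 86400, False),
    Phase2(frozenset({"10.1.0.0/24"}), frozenset({"10.2.0.0/24"}), True, frozenset({14}), 3600),
    {"10.2.0.0/24": "to_site_b"},
    [("internal", "to_site_b")],
)
SITE_B = Side(
    "Site B", "to_site_a",
    Phase1("198.51.100.20", "203.0.113.10", "constructed-psk",
           frozenset({"aes256-sha256", "aes128-sha1"}), frozenset({5, 14}), 28800, False),
    Phase2(frozenset({"10.2.0.0/24"}), frozenset({"10.1.0.0/24"}), True, frozenset({14}), 3600),
    {"10.1.0.0/24": "to_site_a"},
    [("lan", "to_site_a"), ("to_site_a", "lan")],
)

if __name__ == "__main__":
    for line in compare_sides(SITE_A, SITE_B) + check_local_plumbing(SITE_A) + check_local_plumbing(SITE_B):
        print(line)
```

Run against the constructed sites it reports the phase 1 lifetime mismatch and the missing inbound policy on Site A, which is the kind of gap that leaves the FortiGate sitting idle with nothing in the IKE debug or the sniffer, as described in the thread. Proposals and DH groups are compared as set intersections because only one common entry is needed for IKE to agree, whereas the selectors are compared as exact mirrored sets.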