
Handbook

Troubleshooting GRE over IPsec

6.0.0

Troubleshooting GRE over IPsec

This section describes some checks and tools you can use to resolve issues with the GRE-over-IPsec VPN.

Quick checks

Here is a list of common problems and what to verify.

Problem: No communication with remote network.
What to check:
  • Use the execute ping command to ping the Cisco device public interface.
  • Use the FortiGate VPN Monitor page to see whether the IPsec tunnel is up or can be brought up.

Problem: IPsec tunnel does not come up.
What to check:
  • Check the logs to determine whether the failure is in Phase 1 or Phase 2.
  • Check that the encryption and authentication settings match those on the Cisco device.
  • Check the encapsulation setting: tunnel-mode or transport-mode. Both devices must use the same mode.

Problem: Tunnel connects, but there is no communication.
What to check:
  • Check the security policies. See Troubleshooting GRE over IPsec.
  • Check routing. See Troubleshooting GRE over IPsec.

Setting up logging

Configuring FortiGate logging for IPsec
  1. Go to Log & Report > Log Settings.
  2. Select Event Logging.
  3. Select VPN activity event.
  4. Select Apply.

Viewing FortiGate logs
  1. Go to Log & Report > VPN Events.
  2. Select the log storage type.
  3. Select Refresh to view any logged events.

GRE tunnel keepalives

If keepalive is enabled on each GRE tunnel endpoint, firewall policies allowing GRE are required in both directions. The policy should be configured as follows (the IP addresses and interface names are for example purposes only):

    config firewall policy
        edit <id>
            set srcintf "gre"
            set dstintf "port1"
            set srcaddr "1.1.1.1"
            set dstaddr "2.2.2.2"
            set action accept
            set schedule "always"
            set service "GRE"
        next
    end

Cisco compatible keep-alive support for GRE

The FortiGate can send a GRE keepalive response to a Cisco device to detect whether the GRE tunnel is alive. If the keepalive fails, the FortiGate removes any routes over the GRE interface.

Configuring keepalive query - CLI:

    config system gre-tunnel
        edit <id>
            set keepalive-interval <value: 0-32767>
            set keepalive-failtimes <value: 1-255>
        next
    end

GRE tunnel with multicast traffic

If you want multicast traffic to traverse the GRE tunnel, you need to configure a multicast policy as well as enable multicast forwarding.

  • To configure a multicast policy, use the config firewall multicast-policy command.
  • To enable multicast forwarding, use the following commands:

    config system settings
        set multicast-forward enable
    end

Using diagnostic commands

Some diagnostic commands can provide useful information. When using them, it is best practice to connect to the CLI with a terminal program, such as PuTTY, that can save output to a file. This lets you review the data later at your own pace, without missing anything as the diag output scrolls by.

Using the packet sniffer - CLI:
  1. Enter the following CLI command:

         diag sniff packet any icmp 4

  2. Ping an address on the network behind the FortiGate unit from the network behind the Cisco router.

     The output will show packets coming in from the GRE interface going out of the interface that connects to the protected network (LAN) and vice versa. For example:

         114.124303 gre1 in 10.0.1.2 -> 10.11.101.10: icmp: echo request
         114.124367 port2 out 10.0.1.2 -> 10.11.101.10: icmp: echo request
         114.124466 port2 in 10.11.101.10 -> 10.0.1.2: icmp: echo reply
         114.124476 gre1 out 10.11.101.10 -> 10.0.1.2: icmp: echo reply

  3. Enter CTRL-C to stop the sniffer.
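Saved sniffer output is easier to read when each ping is checked against the four hops the page describes (request in on the tunnel, out on the LAN, reply in on the LAN, out on the tunnel). The following Python script is an added example, not part of the Fortinet handbook; the interface names gre1 and port2 are taken from the page's output, and the sample text is constructed, with a second ping added whose reply never leaves on the tunnel.

```python
import re
from collections import defaultdict

# One "diag sniff packet" line at verbosity 4, in the format shown on the page:
#   <timestamp> <interface> <in|out> <src> -> <dst>: icmp: echo <request|reply>
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):\s+icmp:\s+echo\s+(?P<kind>request|reply)"
)

# Constructed sample: the page's four lines plus a second ping (10.0.1.3) whose
# reply enters on port2 but is never sent out on gre1.
SAMPLE = """\
114.124303 gre1 in 10.0.1.2 -> 10.11.101.10: icmp: echo request
114.124367 port2 out 10.0.1.2 -> 10.11.101.10: icmp: echo request
114.124466 port2 in 10.11.101.10 -> 10.0.1.2: icmp: echo reply
114.124476 gre1 out 10.11.101.10 -> 10.0.1.2: icmp: echo reply
120.000100 gre1 in 10.0.1.3 -> 10.11.101.10: icmp: echo request
120.000150 port2 out 10.0.1.3 -> 10.11.101.10: icmp: echo request
120.000250 port2 in 10.11.101.10 -> 10.0.1.3: icmp: echo reply
"""

def parse(text):
    """Yield the parsed fields of every sniffer line that matches LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def check_path(text, tunnel_intf="gre1", lan_intf="port2"):
    """Group packets per (pinging host, pinged host) and report which of the
    four expected hops on the FortiGate are missing for each pair.
    Returns {pair: [missing hop descriptions]}; an empty list means a clean path."""
    expected = [(tunnel_intf, "in", "request"), (lan_intf, "out", "request"),
                (lan_intf, "in", "reply"), (tunnel_intf, "out", "reply")]
    seen = defaultdict(set)
    for p in parse(text):
        # Normalise so the key is always (initiator, target), whatever the direction.
        pair = (p["src"], p["dst"]) if p["kind"] == "request" else (p["dst"], p["src"])
        seen[pair].add((p["intf"], p["dir"], p["kind"]))
    return {pair: [f"{kind} {d} {intf}" for intf, d, kind in expected
                   if (intf, d, kind) not in hops]
            for pair, hops in seen.items()}

if __name__ == "__main__":
    for pair, missing in check_path(SAMPLE).items():
        print(pair, "OK" if not missing else "missing: " + ", ".join(missing))
```

A missing "request out" or "reply out" hop points at the security policy or routing checks listed under Quick checks, while a missing "reply in" on the LAN interface means the protected host never answered.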
Viewing debug output for IKE - CLI:
  1. Enter the following CLI commands:

         diagnose debug application ike -1
         diagnose debug enable

  2. Attempt to use the VPN or set up the VPN tunnel and note the debug output.
  3. Enter CTRL-C to stop the debug output.
  4. Enter the following command to reset debug settings to default:

         diagnose debug reset
