Problem with IPSec VPN tunnel to remote site

Hi experts,

We need to set up an IPSec VPN tunnel to a remote site. The remote site's hardware is unknown, but we do know the IPSec settings. Phase 1 and Phase 2 have been configured and firewall policies are defined.

In our Fortigate logs we get this during a setup of the tunnel:

error    dpd                IPsec connection failure on the tunnel to <remote ip>:500                    dpd_failure
notice   negotiate          Initiator: tunnel <remote ip>, transform=ESP_AES, HMAC_SHA1                  success
notice   negotiate          Initiator: sent <remote ip> quick mode message #2 (DONE)                     success
notice   install_sa         Initiator: tunnel <local ip>/<remote ip> install ipsec sa
notice   negotiate          Initiator: sent <remote ip> quick mode message #1 (OK)                       success
notice   negotiate          Initiator: parsed <remote ip> main mode message #3 (DONE)                    success
notice   negotiate          Initiator: sent <remote ip> main mode message #3 (OK)                        success
notice   negotiate          Initiator: sent <remote ip> main mode message #2 (OK)                        success
notice   negotiate          Initiator: sent <remote ip> main mode message #1 (OK)                        success
notice   delete_phase1_sa   Deleted an Isakmp SA on the tunnel to <remote ip>:500


The dpd_failure message has ID 23011. According to Fortigate this means:
1.11. Message ID: 23011
Message:       loc_ip=<local_ipaddress> loc_port=<local_port> rem_ip=<> rem_port=<> out_if=<> vpn_tunnel=<ip_address> cookies=<> action=dpd status=dpd_failure msg="IPSec connection failure"
Meaning:       IPSec connection failure.

(see url http://kc.forticare.com/print.asp?id=3271&Lang=1&SID=)

The problem here is that we need a deeper analysis of what exactly is going wrong.
dpd_failure = dead peer detected failure, but since the peer is replying in the first phases, the Fortigate can reach the other site.

Does anyone have a suggestion?

thanks,
Pieter
techneitsolutions Asked:
dpk_wal Commented:
Although I am not too familiar with Fortigate, I think the remote end is behind a NAT device or is not responding with HELLO or ACK to your device; as a result, your device thinks that the remote end is dead and reinitiates the SA.

Looking at the logs, Phase I and Phase II complete; after this, there is no transmission of traffic over the VPN tunnel and your device checks to see if the remote peer is alive (dpd); it sends packets, does not get any HELLO or ACK, and thinks that the remote peer is actually dead, bringing down the negotiated SA.

I would suggest you get some details about the remote device. Also, if possible, deactivate dpd on the Fortigate; you might re-enable dpd later.

Thank you.
0

techneitsolutions (Author) Commented:
It must be something between the Fortigate and the remote device, since I've tried setting up a second tunnel for testing purposes, with the same settings, between two Fortigate devices. This worked from the moment I activated the tunnel.

So I'll try your advice and disable the dpd check.

I know the remote device is not a Fortigate, but I'll see if I can get some more information soon.
0
techneitsolutions (Author) Commented:
Okay, this did solve the problem.

I also found someone with the same problem between a Fortigate and a Cisco. He also had to disable dpd on the Fortigate so that the VPN tunnel would become operational.

0
dpk_wal Commented:
Thank you for the info, it would help everyone! :)
0
ntype Commented:
I am going for a wild guess, but did you define a firewall rule (with rule ENCRYPT) to allow some or all protocols, depending on your needs, for the traffic flowing from site A to site B once the connection has been established?

Clearly the dead peer detection could be a cause of lost syncs; however, if you don't set up a firewall rule, the connection isn't going to be maintained just after phase I and II.
0