IPsec tunnel: no traffic received on the reverse policy

For topics about the use of filtering policies on FortiGate products.
anatoli
Posts: 2
Joined: 01 Jun 2023, 13:05


Post by anatoli »

Hello,

First of all, congratulations on this great forum. I am new here; I have been reading quite a lot and it is one of the forums I like the most.

I have a problem with an IPsec tunnel between two FortiGates: I am not receiving return traffic. I have looked into it in depth and I think the problem lies in Forti 2.
Right now they are connected through a WiMAX connection that acts as the link between them. When I bring up the tunnel and disable the static route towards that WiMAX connection on both FortiGates, the tunnel comes up, but on both ends I have outbound traffic and no return traffic.
On Forti 1:
If I do a policy lookup towards the destination IP, I see that it is sent through the correct policy.
On Forti 2 it is not sent through the normal internet exit; what is more, I have a static route that I can see in the GUI but not in the CLI or in the routing table.
No matter how many times I disable the route on Forti 2, it keeps showing up and traffic goes out that way: S 194.1.0.0/24 [5/0] via 10.10.10.1, lan3

I attach some data.
FW1



[attachment: data.png]

ike shrank heap by 159744 bytes
ike 0:Ruff_Icma: link is idle 31 80.28.205.28->80.28.205.24:0 dpd=2 seqno=51b rr=0
ike 0:Ruff_Icma:175: send IKEv1 DPD probe, seqno 1307
ike 0:Ruff_Icma:175: enc 1227D3972AAFA5F638A052DDE03F5C7208100501EF192AA5000000540B0000186E998DF05ADF38354CA3DCD0104FC54946153A55000000200000000101108D281227D3972AAFA5F638A052DDE03F5C720000051B
ike 0:Ruff_Icma:175: out 1227D3972AAFA5F638A052DDE03F5C7208100501EF192AA50000005C16CA2247AF06E531F697E947961F46F90C802B556A9F9F1B79F6F3A17A930211D390AC28FDCBB7AE1E0F19DD0F06DAD0CD7948663BAE8D261BC80A69505401DF
ike 0:Ruff_Icma:175: sent IKE msg (R-U-THERE): 80.28.205.28:500->80.28.205.24:500, len=92, vrf=0, id=1227d3972aafa5f6/38a052dde03f5c72:ef192aa5
ike 0: comes 80.28.205.24:500->80.28.205.28:500,ifindex=31,vrf=0....
ike 0: IKEv1 exchange=Informational id=1227d3972aafa5f6/38a052dde03f5c72:d8fd0f19 len=92 vrf=0
ike 0: in 1227D3972AAFA5F638A052DDE03F5C7208100501D8FD0F190000005C6D32AEC02F51CC4BE5428B48D6053A3388D0383A81BD200E751EEBDA5DD1B9C8F1460574AA4F7AFCAC5AC18B18388BBB7F4652F3CA65EB4F62F204A1B658FB9E
ike 0:Ruff_Icma:175: dec 1227D3972AAFA5F638A052DDE03F5C7208100501D8FD0F190000005C0B000018B841F8AF7693ABBFCD8D55D69727D1A27E192776000000200000000101108D291227D3972AAFA5F638A052DDE03F5C720000051BE9363AEA8E22DA07
ike 0:Ruff_Icma:175: notify msg received: R-U-THERE-ACK
ike 0:Ruff_Icma: link is idle 31 80.28.205.28->80.28.205.24:0 dpd=2 seqno=51c rr=0
ike 0:Ruff_Icma:175: send IKEv1 DPD probe, seqno 1308
ike 0:Ruff_Icma:175: enc 1227D3972AAFA5F638A052DDE03F5C720810050110875F96000000540B0000188B303B959F41609C9C8273482873DBCB8E6BC631000000200000000101108D281227D3972AAFA5F638A052DDE03F5C720000051C
ike 0:Ruff_Icma:175: out 1227D3972AAFA5F638A052DDE03F5C720810050110875F960000005C4A69FCDFB81D2DD78F0E5B3B28A66014343AECA83512304B5C5A2501F2FF0C54FE42F3BBFB643E28EF638FA51ADF9E0088639BCDD100D0E2FA727195BF8C544D
ike 0:Ruff_Icma:175: sent IKE msg (R-U-THERE): 80.28.205.28:500->80.28.205.24:500, len=92, vrf=0, id=1227d3972aafa5f6/38a052dde03f5c72:10875f96
ike 0: comes 80.28.205.24:500->80.28.205.28:500,ifindex=31,vrf=0....
ike 0: IKEv1 exchange=Informational id=1227d3972aafa5f6/38a052dde03f5c72:f41e029c len=92 vrf=0
ike 0: in 1227D3972AAFA5F638A052DDE03F5C7208100501F41E029C0000005C8267FBB14AD42A13A6BE91C0579636768B299D96B077C0E8032996FEF14B1FACDA465E90A423EFBBE68A735E599CDF84CBEB99D6A98F1541F30598432AC32FE1
ike 0:Ruff_Icma:175: dec 1227D3972AAFA5F638A052DDE03F5C7208100501F41E029C0000005C0B00001894C12E072E34A6003B08C4101A7B0362ED884164000000200000000101108D291227D3972AAFA5F638A052DDE03F5C720000051C857849FE5F8C9607
ike 0:Ruff_Icma:175: notify msg received: R-U-THERE-ACK
ike 0:Ruff_Icma: link is idle 31 80.28.205.28->80.28.205.24:0 dpd=2 seqno=51d rr=0
ike 0:Ruff_Icma:175: send IKEv1 DPD probe, seqno 1309
ike 0:Ruff_Icma:175: enc 1227D3972AAFA5F638A052DDE03F5C72081005013216E62F000000540B0000182740F9A6466A843BA347B3D63E1A0E362883A871000000200000000101108D281227D3972AAFA5F638A052DDE03F5C720000051D
ike 0:Ruff_Icma:175: out 1227D3972AAFA5F638A052DDE03F5C72081005013216E62F0000005C0C9BAD97BB3C0D91C6EFD4857C27A2776F27CFDE614DE1959FC6473151CB09B4AAC4ECFC8F77D1F841DE197665D9643FDCEFE62C86683BC28319BB357A8F6F6E
ike 0:Ruff_Icma:175: sent IKE msg (R-U-THERE): 80.28.205.28:500->80.28.205.24:500, len=92, vrf=0, id=1227d3972aafa5f6/38a052dde03f5c72:3216e62f
ike 0: comes 80.28.205.24:500->80.28.205.28:500,ifindex=31,vrf=0....
ike 0: IKEv1 exchange=Informational id=1227d3972aafa5f6/38a052dde03f5c72:9f1ce254 len=92 vrf=0
ike 0: in 1227D3972AAFA5F638A052DDE03F5C72081005019F1CE2540000005C67419F1DF889BD5214380DE4A121A04661375699C4C27D68BF27518EA297B33C87641C2037ACC7AF147FF36372B88EB62716AB93A51AB2AD543D5F9131EA47DD
ike 0:Ruff_Icma:175: dec 1227D3972AAFA5F638A052DDE03F5C72081005019F1CE2540000005C0B0000185D656766BA2161DB0A682E704308B6D5F2461105000000200000000101108D291227D3972AAFA5F638A052DDE03F5C720000051DFF74F647A9F08607
ike 0:Ruff_Icma:175: notify msg received: R-U-THERE-ACK

FGT_Ruffini # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [5/0] via 192.168.144.1, ppp2, [1/0]
S 10.0.0.0/8 [1/0] via Ruff_Alum tunnel 80.35.249.204, [1/0]
C 10.10.10.0/25 is directly connected, internal4
C 80.28.205.28/32 is directly connected, ppp2
C 192.168.1.0/24 is directly connected, internal3
S 192.168.10.0/24 [10/0] via Ruff_Icma tunnel 80.28.205.24, [1/0]
C 192.168.144.1/32 is directly connected, ppp2
C 194.1.0.0/24 is directly connected, internal





FW 2



[__cmdb_bg_fork:670] fork( ) failed: 12(Cannot allocate memory)
[__cmdb_bg_fork:670] fork( ) failed: 12(Cannot allocate memory)
[__cmdb_bg_fork:670] fork( ) failed: 12(Cannot allocate memory)
ike 0: comes 80.28.205.28:500->80.28.205.24:500,ifindex=21....
ike 0: IKEv1 exchange=Informational id=1227d3972aafa5f6/38a052dde03f5c72:c792434b len=92
ike 0: in 1227D3972AAFA5F638A052DDE03F5C7208100501C792434B0000005CDA5BD17F02E70A31DAAE547438DAA8DE55A081953E1FAA580358CF9BD8CF10531D7DB4114E93ED1F0366DA8F45CF1F05083B09AB0F216D8F4B8EFC03EA40B29C
ike 0:ICMA_RUFF:1086: dec 1227D3972AAFA5F638A052DDE03F5C7208100501C792434B0000005C0B00001808403B7DCAE7B0EC9CEE30E072F5A9115247846B000000200000000101108D281227D3972AAFA5F638A052DDE03F5C72000004F986B3A6E06414C807
ike 0:ICMA_RUFF:1086: notify msg received: R-U-THERE
ike 0:ICMA_RUFF:1086: enc 1227D3972AAFA5F638A052DDE03F5C7208100501C27F78E0000000540B000018F2D81765D33C99650EA250597FC3CD604D80AF10000000200000000101108D291227D3972AAFA5F638A052DDE03F5C72000004F9
ike 0:ICMA_RUFF:1086: out 1227D3972AAFA5F638A052DDE03F5C7208100501C27F78E00000005C848F3501DA3A4223C2F96FB7B63B644B9187BB3DA9874889BD7E760EA36FC83C93AFFC6F9A98183293FF63C042B1A9D8B68EE6DC9FF3051D2CA1F0E697602A54
ike 0:ICMA_RUFF:1086: sent IKE msg (R-U-THERE-ACK): 80.28.205.24:500->80.28.205.28:500, len=92, id=1227d3972aafa5f6/38a052dde03f5c72:c27f78e0

O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

S* 0.0.0.0/0 [10/0] via 192.168.144.1, ppp1
C 10.10.10.0/25 is directly connected, lan3
C 80.28.205.24/32 is directly connected, ppp1
C 192.168.10.0/24 is directly connected, lan
is directly connected, lan
C 192.168.144.1/32 is directly connected, ppp1
S 194.1.0.0/24 [5/0] via 10.10.10.1, lan3
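As an added example (editor's code, not part of anatoli's post and not a FortiGate tool): a small Python route lookup over the two routing tables pasted above. It parses the FortiOS `get router info routing-table all` lines, does longest-prefix matching with administrative distance as tie-breaker, the way the unit itself selects a route, and then resolves both directions of a flow between a host behind FW1 (in 194.1.0.0/24) and a host behind FW2 (in 192.168.10.0/24). The host addresses 194.1.0.7 and 192.168.10.5 are made up for the illustration, and both tables are assumed to be complete as posted. It also simulates removing the lan3 static route on FW2 to show where the return traffic would land without it.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Routing tables copied from the two "get router info routing-table all" outputs in the post.
FW1_TABLE = """
S* 0.0.0.0/0 [5/0] via 192.168.144.1, ppp2, [1/0]
S 10.0.0.0/8 [1/0] via Ruff_Alum tunnel 80.35.249.204, [1/0]
C 10.10.10.0/25 is directly connected, internal4
C 80.28.205.28/32 is directly connected, ppp2
C 192.168.1.0/24 is directly connected, internal3
S 192.168.10.0/24 [10/0] via Ruff_Icma tunnel 80.28.205.24, [1/0]
C 192.168.144.1/32 is directly connected, ppp2
C 194.1.0.0/24 is directly connected, internal
"""

FW2_TABLE = """
S* 0.0.0.0/0 [10/0] via 192.168.144.1, ppp1
C 10.10.10.0/25 is directly connected, lan3
C 80.28.205.24/32 is directly connected, ppp1
C 192.168.10.0/24 is directly connected, lan
C 192.168.144.1/32 is directly connected, ppp1
S 194.1.0.0/24 [5/0] via 10.10.10.1, lan3
"""

# One FortiOS route line: code, prefix, optional [distance/metric], then one of three next-hop forms.
ROUTE_RE = re.compile(r"""
    ^(?P<code>[A-Z]\*?)\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+
    (?:\[(?P<dist>\d+)/(?P<metric>\d+)\]\s+)?
    (?:
        via\s+(?P<tun>[^,\s]+)\s+tunnel\s+(?P<peer>[^,\s]+)   # IPsec tunnel interface + peer
      | via\s+(?P<gw>[^,\s]+),\s+(?P<gw_if>[^,\s]+)           # next-hop IP + egress interface
      | is\ directly\ connected,\s+(?P<c_if>[^,\s]+)          # connected route
    )
""", re.VERBOSE)


@dataclass
class Route:
    network: ipaddress.IPv4Network
    code: str
    distance: int
    iface: str
    gateway: Optional[str]   # next-hop IP or tunnel peer; None for connected routes
    is_tunnel: bool


def parse_table(text: str) -> List[Route]:
    """Parse route lines; legend lines and fragments that do not match are skipped."""
    routes = []
    for line in text.strip().splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        net = ipaddress.ip_network(m["prefix"], strict=False)
        dist = int(m["dist"]) if m["dist"] else 0   # connected routes print no [dist/metric]
        if m["tun"]:
            routes.append(Route(net, m["code"], dist, m["tun"], m["peer"], True))
        elif m["gw"]:
            routes.append(Route(net, m["code"], dist, m["gw_if"], m["gw"], False))
        else:
            routes.append(Route(net, m["code"], dist, m["c_if"], None, False))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; among equal prefixes the lowest administrative distance wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.distance))


def exit_interface(table_text: str, dst: str) -> Tuple[str, str]:
    """Return (matched prefix, egress interface) for a destination on one firewall."""
    r = lookup(parse_table(table_text), dst)
    return (str(r.network), r.iface)


def check_return_path(fw1_text: str, fw2_text: str,
                      host_behind_fw1: str, host_behind_fw2: str) -> Tuple[str, str, bool]:
    """Egress on FW1 for the forward packet, egress on FW2 for the reply, and whether both use a tunnel."""
    fwd = lookup(parse_table(fw1_text), host_behind_fw2)
    rev = lookup(parse_table(fw2_text), host_behind_fw1)
    return fwd.iface, rev.iface, fwd.is_tunnel and rev.is_tunnel


def without_route(table_text: str, prefix: str) -> str:
    """Simulate disabling a static route by dropping the lines carrying that prefix."""
    return "\n".join(l for l in table_text.splitlines() if f" {prefix} " not in l)


if __name__ == "__main__":
    # Hypothetical hosts: 194.1.0.7 behind FW1, 192.168.10.5 behind FW2.
    print("forward/return:", check_return_path(FW1_TABLE, FW2_TABLE, "194.1.0.7", "192.168.10.5"))
    print("FW2 reply without lan3 route:",
          exit_interface(without_route(FW2_TABLE, "194.1.0.0/24"), "194.1.0.7"))
```

Running it shows FW1 sending to 192.168.10.x through the Ruff_Icma tunnel while FW2 sends the reply to 194.1.0.x through lan3, and, with the lan3 static route removed, through the default route on ppp1. The return path only becomes symmetric once FW2 holds a route for 194.1.0.0/24 that points at its own tunnel interface, which is the check worth making on FW2 before looking further at the policies.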