For When You Can't Have The Real Thing
[ start | index | login ]
start > FortiOS > 5.6 > IPsec Not Passing Packets

IPsec Not Passing Packets

Created by dave. Last edited by dave, 85 days ago. Viewed 167 times. #1
[edit] [rdf]
labels
attachments
(2019-09-12)

Problem

IPsec tunnel to another device (in this case, a Watchguard). Tunnel shows as being up on all phase2 definitions, but no packets pass.

Diagnostics

Some exchanges appear to work, for example the IKE/IPsec negotiations and DPD communications.

Packet traces on the Fortigate show packets coming in on the tunnel, and the replies from the local target coming back to the firewall and then being encrypted and sent out. However the remote end acts like that packet never gets there.

Connections initiated from the local side show outbound packets getting encrypted and transmitted; however, again, the remote end acts like that packet never gets there. (Tracing on the Watchguard appears inferior to the abilities on the Fortigate.)

Highly Specific Local Solution

ISP at the local end provided an Arris modem of some kind that had an IPsec Application Layer Gateway (ALG) enabled on it. Even though the modem was not in NAT mode, it was still molesting outbound packets on the way out, (SPECULATION:) presumably in such a way that they would look corrupted when they arrived at the far end; because the Watchguard wasn't configured to let us know such a thing, they were silently discarded (/SPECULATION).

Anyways, turn that ALG shit off and it worked immediately.

no comments | post comment
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.

Useful:


snipsnap.org | Copyright 2000-2002 Matthias L. Jugel and Stephan J. Schmidt