VPN IPsec traffic works intermittently

Hi,

I have a VPN IPsec tunnel that was working for a few months.

server1 - Vyatta <-> Forti FW - server2

Recently, traffic stopped.

The tunnel shows as up on both the Forti FW and the Vyatta.
When I try to ping from server1 (which is connected to the Vyatta) to server2, I see only the requests, without any replies.
Using traceroute, I can see that the last hop is the Vyatta server.
Keep in mind that this tunnel was working for a few months; no one touched the configuration.

In order to make it work again (only for a few hours), I connect to the Forti CLI and run 'execute ping <vyatta server>'. There is no reply from the Vyatta server, but traffic seems to work again:
server1's pings to server2 get ICMP replies successfully.
Once again, this holds only for 1-4 hours.

Part of the configuration (I changed all the IPs):

interfaces {
    ethernet eth0 {
        address 192.168.147.1/24
        description Internal(LAN)
        duplex auto
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address 10.10.10.1/24
        description External(WAN)
        duplex auto
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
    vti vti1 {
        address 10.11.3.9/30
        description va1-p-fw-tunnel-01
        mtu 1436
    }
}

vpn {
    ipsec {
        esp-group ctcolo {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group ctcolo {
            dead-peer-detection {
                action restart
                interval 15
                timeout 30
            }
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 5
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth1
        }
        site-to-site {
            peer 192.167.141.133 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                description va1-p-fw-tunnel-01
                ike-group ctcolo
                ikev2-reauth inherit
                local-address 10.10.10.3
                vti {
                    bind vti1
                    esp-group ctcolo
                }
            }
        }
    }
}