I am attempting to establish an IPSec tunnel between two sites, let's call them A and B. A is behind NAT, and is the initiator. B is the responder. I have used the wizard at both ends to create the tunnel configuration.
I can see packets being sent from A on 500/udp to B, but B is not responding. So, I have done a debug flow on B, and I'm having a bit of trouble understanding the result.
1 2023/09/04 13:04:51 vd-root:0 received a packet(proto=17, A-IP-ADDRESS:46575->B-IP-ADDRESS:500) tun_id=0.0.0.0 from wan2.
2 2023/09/04 13:04:51 allocate a new session-24b1a8ef, tun_id=0.0.0.0
3 2023/09/04 13:04:51 in-[wan2], out-[]
4 2023/09/04 13:04:51 len=0
5 2023/09/04 13:04:51 result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000
6 2023/09/04 13:04:51 find a route: flag=84000000 gw-B-IP-ADDRESS via root
7 2023/09/04 13:04:51 in-[wan2], out-[], skb_flags-02000000, vid-0
8 2023/09/04 13:04:51 gnum-100017, check-ffffffbffc02b5d4
9 2023/09/04 13:04:51 after check: ret-no-match, act-accept, flag-00000000, flag2-00000000
10 2023/09/04 13:04:51 in-[wan2], out-[], skb_flags-02000000, vid-0
11 2023/09/04 13:04:51 gnum-100011, check-ffffffbffc02c540
12 2023/09/04 13:04:51 after check: ret-no-match, act-drop, flag-00000000, flag2-00000000
13 2023/09/04 13:04:51 gnum-100001, check-ffffffbffc02b5d4
14 2023/09/04 13:04:51 checked gnum-100001 policy-1, ret-no-match, act-accept
15 2023/09/04 13:04:51 checked gnum-100001 policy-2, ret-no-match, act-accept
16 2023/09/04 13:04:51 checked gnum-100001 policy-3, ret-no-match, act-accept
17 2023/09/04 13:04:51 checked gnum-100001 policy-4, ret-matched, act-accept
18 2023/09/04 13:04:51 ret-matched
19 2023/09/04 13:04:51 policy-4 is matched, act-drop
20 2023/09/04 13:04:51 gnum-100001 check result: ret-matched, act-drop, flag-08010001, flag2-00000000
21 2023/09/04 13:04:51 after check: ret-matched, act-drop, flag-08010001, flag2-00000000
22 2023/09/04 13:04:51 iprope_in_check() check failed on policy 4, drop
Lines 14 through 18 are understandable: the FortiGate has chosen policy-4 for this traffic. Line 17 shows that the policy is ret-matched and act-accept, so the traffic should be ACCEPTed, right?
But then line 19 doesn't make sense. It says that policy-4 has matched, but that the traffic should be DROPped.
How can this be? Have I just misunderstood the output here?
I am expecting the IPSec traffic to be matched to a policy.
So, I had expected that the policies referred to were Firewall Policy objects; I didn't think to check the Local In Policies.
It just so happens that Firewall Policy 4 is my general "allow internet" policy, which was confusing me. But Local In Policy 4 was some sort of old remnant from an earlier IPSec tunnel, I believe. I deleted it and the tunnel sprang up immediately.
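A small parser for the debug-flow excerpt in the question, added here as an example and not part of the original post or of any Fortinet tool. It assumes only the line formats shown above, and its label for gnum-100001 is taken from what the thread found (the matched policy-4 was a Local In Policy), not from documentation.

```python
import re

# Constructed sample: the policy-check part of the debug flow in the question,
# with the leading line numbers removed so each line starts at the timestamp.
SAMPLE_FLOW = """\
2023/09/04 13:04:51 gnum-100017, check-ffffffbffc02b5d4
2023/09/04 13:04:51 after check: ret-no-match, act-accept, flag-00000000, flag2-00000000
2023/09/04 13:04:51 gnum-100011, check-ffffffbffc02c540
2023/09/04 13:04:51 after check: ret-no-match, act-drop, flag-00000000, flag2-00000000
2023/09/04 13:04:51 gnum-100001, check-ffffffbffc02b5d4
2023/09/04 13:04:51 checked gnum-100001 policy-3, ret-no-match, act-accept
2023/09/04 13:04:51 checked gnum-100001 policy-4, ret-matched, act-accept
2023/09/04 13:04:51 policy-4 is matched, act-drop
2023/09/04 13:04:51 gnum-100001 check result: ret-matched, act-drop, flag-08010001, flag2-00000000
2023/09/04 13:04:51 iprope_in_check() check failed on policy 4, drop
"""

# Assumed label, taken only from what the thread established: the policy-4 that
# dropped this packet in gnum-100001 turned out to be a Local In Policy.
GNUM_LABELS = {"100001": "local-in policy (per the thread)"}

GROUP_RE = re.compile(r"gnum-(\d+), check-[0-9a-f]+")
CHECKED_RE = re.compile(r"checked gnum-(\d+) policy-(\d+), ret-(\S+), act-(\S+)")
MATCHED_RE = re.compile(r"policy-(\d+) is matched, act-(\S+)")
RESULT_RE = re.compile(r"gnum-(\d+) check result: ret-(\S+), act-(\S+)")
FINAL_RE = re.compile(r"iprope_in_check\(\) check failed on policy (\d+), (\S+)")


def parse_verdict(flow: str) -> dict:
    """Reduce a debug-flow excerpt to the policy group (gnum) and policy id that
    produced the final action, keeping the per-policy 'checked ... act-accept'
    value apart from the verdict so the two are not confused."""
    v = {"groups_checked": [], "group": None, "policy": None,
         "candidate_action": None, "action": None}
    for line in flow.splitlines():
        if m := GROUP_RE.search(line):            # entering a new policy group
            v["groups_checked"].append(m.group(1))
        elif (m := CHECKED_RE.search(line)) and m.group(3) == "matched":
            v["group"], v["policy"], v["candidate_action"] = m.group(1), m.group(2), m.group(4)
        elif m := MATCHED_RE.search(line):        # the policy's configured action
            v["policy"], v["action"] = m.group(1), m.group(2)
        elif m := RESULT_RE.search(line):         # group-level result
            v["group"], v["action"] = m.group(1), m.group(3)
        elif m := FINAL_RE.search(line):          # final disposition
            v["policy"], v["action"] = m.group(1), m.group(2)
    v["group_label"] = GNUM_LABELS.get(v["group"], "unknown group")
    return v
```

Running `parse_verdict(SAMPLE_FLOW)` shows the three groups walked in order and that the drop came from policy 4 of gnum-100001, while the act-accept on the "checked" line is only the candidate value, not the verdict.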