Dear George,

Thanks for response..

See below sh run after change configuration

ip nat inside source list 101 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 public ip
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
!

still it not works

Hello,

access-list 101 is not correct. You need to DENY the VPN traffic. It needs to look like this:

access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any

Hi,

See below sh run

ip nat inside source list 101 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 public ip
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
!
control-plane

Not works..

1) What output you get when you run the following commands after sending interesting traffic:  show crypto isakmp sa,  sh crypto ipsec sa?

Run as follows:

ping 192.168.1.1 !(Intersting traffic)

show crypto isakmp sa

show crypto ipsec sa

2) Is the other side configured correctly, for both Phase 1 and Phase 2 as well as interesting traffic (192.168.1.0/24 -> 192.168.2.0/24)?

HTH,

Meheretab

Dear Mehertab,

see below sh crypto ipsec sa

interface: FastEthernet4
Crypto map tag: MYMAP, local addr 37.22xxxx

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 94.97.xxxxx port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4708, #pkts encrypt: 4708, #pkts digest: 4708
#pkts decaps: 3622, #pkts decrypt: 3622, #pkts verify: 3622
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 37.22x.xxxx, remote crypto endpt.: 94.97.xxxxx
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0xED619D9D(3982597533)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x18E29847(417503303)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 19, flow_id: Onboard VPN:19, sibling_flags 80004040, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4318169/2677)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xED619D9D(3982597533)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 20, flow_id: Onboard VPN:20, sibling_flags 80004040, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4319651/2677)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

Second the other side configuration in firewall..

In phase 1 & phase 2 configuration interesting traffic defined well..

Hello,

in the crypto map, try and set the pfs group:

crypto map MYMAP 10 ipsec-isakmp
set peer xxxxxxxxx
set transform-set MYSET

set pfs group2
match address VPN-TRAFFIC

Hi George,

Your provided solution works a bit e.g If ping 192.168.1.215 which is connected interface to firewall behind public ip.

But other network ip in same subnet i cant ping..

Hello,

I guess at this point we need to see the configuration of the Fortigate, can you post this ?

Yes george see the attach images for fortigate config

Also, check if the local policy on the Fortigate allows ICMP to the local subnet...

YEs its allowed for all 

Post the cli output of:

show full configuration

See below output of vpn from fortigate cli:

 --More-- config vpn ipsec phase1
--More-- end
--More-- config vpn ipsec phase2
--More-- end
--More-- config vpn ipsec manualkey
--More-- end
--More-- config vpn ipsec concentrator
--More-- end
--More-- config vpn ipsec phase1-interface
--More-- edit "ipsec_vpn"
--More-- set type dynamic
--More-- set interface "wan1"
--More-- set ip-version 4
--More-- set ike-version 1
--More-- set local-gw 0.0.0.0
--More-- set keylife 86400
--More-- set authmethod psk
--More-- set mode aggressive
--More-- set peertype any
--More-- set exchange-interface-ip disable
--More-- set mode-cfg enable
--More-- set ipv4-wins-server1 0.0.0.0
--More-- set ipv4-wins-server2 0.0.0.0
--More-- set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
--More-- set add-route enable
--More-- set localid ''
--More-- set localid-type auto
--More-- set negotiate-timeout 30
--More-- set fragmentation enable
--More-- set dpd on-demand
--More-- set forticlient-enforcement disable
--More-- set comments "VPN: ipsec_vpn (Created by VPN wizard)"
--More-- set npu-offload enable
--More-- set dhgrp 14 5
--More-- set suite-b disable
--More-- set wizard-type dialup-forticlient
--More-- set xauthtype auto
--More-- set reauth disable
--More-- set authusrgrp "VPN_User"
--More-- set idle-timeout disable
--More-- set ha-sync-esp-seqno enable
--More-- set auto-discovery-sender disable
--More-- set auto-discovery-receiver disable
--More-- set auto-discovery-forwarder disable
--More-- set nattraversal enable
--More-- set rekey enable
--More-- set enforce-unique-id disable
--More-- set default-gw 0.0.0.0
--More-- set default-gw-priority 0
--More-- set net-device disable
--More-- set tunnel-search selectors
--More-- set assign-ip enable
--More-- set assign-ip-from range
--More-- set ipv4-start-ip 10.10.100.1
--More-- set ipv4-end-ip 10.10.100.254
--More-- set ipv4-netmask 255.255.255.255
--More-- set dns-mode auto
--More-- set ipv4-split-include ''
--More-- set split-include-service ''
--More-- set ipv6-start-ip ::
--More-- set ipv6-end-ip ::
--More-- set ipv6-prefix 128
--More-- set ipv6-split-include ''
--More-- set unity-support enable
--More-- set domain ''
--More-- set banner ''
--More-- set include-local-lan disable
--More-- set save-password enable
--More-- set client-auto-negotiate disable
--More-- set client-keep-alive disable
--More-- set psksecret ENC 1VMgR9aR+tQfOUx8ryw7nSQpQFTuZ1dyJf0VgUflZWT8GL6eUnj8U5kw/MKImjAxipBP4XEl/OXKSVbxqDON5jICDe7DEXnarpjeOCCLCbuXgBOAwh6NOXA3UgDAMlGye9EOhqDZEL/S/zEFMSGL3E3sdL3J8yUf++ieeukqCC/kFn7zI04m4lCvsFS3AZKpA0AiLQ==
--More-- set keepalive 10
--More-- set distance 15
--More-- set priority 0
--More-- set dpd-retrycount 3
--More-- set dpd-retryinterval 20
--More-- next
--More-- edit "IPSEC2CISCO"
--More-- set type static
--More-- set interface "wan1"
--More-- set ip-version 4
--More-- set ike-version 1
--More-- set local-gw 0.0.0.0
--More-- set keylife 86400
--More-- set authmethod psk
--More-- set mode main
--More-- set peertype any
--More-- set passive-mode disable
--More-- set exchange-interface-ip disable
--More-- set mode-cfg disable
--More-- set proposal des-md5
--More-- set localid ''
--More-- set localid-type auto
--More-- set auto-negotiate enable
--More-- set negotiate-timeout 30
--More-- set fragmentation enable
--More-- set dpd on-demand
--More-- set forticlient-enforcement disable
--More-- set comments ''
--More-- set npu-offload enable
--More-- set dhgrp 2
--More-- set suite-b disable
--More-- set wizard-type custom
--More-- set xauthtype disable
--More-- set mesh-selector-type disable
--More-- set idle-timeout disable
--More-- set ha-sync-esp-seqno enable
--More-- set auto-discovery-sender disable
--More-- set auto-discovery-receiver disable
--More-- set auto-discovery-forwarder disable
--More-- set encapsulation none
--More-- set nattraversal disable
--More-- set rekey enable
--More-- set remote-gw 37.224.XXXXXX
--More-- set monitor ''
--More-- set add-gw-route disable
--More-- set psksecret ENC kxfkgIBJNEHF1eAB4udUT9hF5aswKITS8mYw1/7KXUagM84PrStZwEh13CbAXsUKi5Sm7IIaT/qS2zgQIFOD+dJdZuNoekIR1OwFRsLTsl7ZfJAgZxMelhU7eA8LvD7QTYIoFDhClQorqRKIa9tjq3s46pD1hi52YsB2igi1gZqkB18CtX9J13HC+ZYKSGnjuoWLsw==
--More-- set dpd-retrycount 3
--More-- set dpd-retryinterval 20
--More-- next
--More-- end
--More-- config vpn ipsec phase2-interface
--More-- edit "ipsec_vpn"
--More-- set phase1name "ipsec_vpn"
--More-- set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
--More-- set pfs enable
--More-- set dhgrp 14 5
--More-- set replay enable
--More-- set keepalive disable
--More-- set add-route phase1
--More-- set auto-discovery-sender phase1
--More-- set auto-discovery-forwarder phase1
--More-- set keylife-type seconds
--More-- set single-source disable
--More-- set route-overlap use-new
--More-- set encapsulation tunnel-mode
--More-- set comments "VPN: ipsec_vpn (Created by VPN wizard)"
--More-- set protocol 0
--More-- set src-addr-type subnet
--More-- set src-port 0
--More-- set dst-addr-type subnet
--More-- set dst-port 0
--More-- set keylifeseconds 43200
--More-- set src-subnet 0.0.0.0 0.0.0.0
--More-- set dst-subnet 0.0.0.0 0.0.0.0
--More-- next
--More-- edit "IPSEC2CISCO-p2"
--More-- set phase1name "IPSEC2CISCO"
--More-- set proposal des-md5
--More-- set pfs disable
--More-- set replay enable
--More-- set keepalive disable
--More-- set auto-negotiate disable
--More-- set auto-discovery-sender phase1
--More-- set auto-discovery-forwarder phase1
--More-- set keylife-type seconds
--More-- set encapsulation tunnel-mode
--More-- set comments ''
--More-- set protocol 0
--More-- set src-addr-type subnet
--More-- set src-port 0
--More-- set dst-addr-type subnet
--More-- set dst-port 0
--More-- set keylifeseconds 3600
--More-- set src-subnet 192.168.1.0 255.255.255.0
--More-- set dst-subnet 192.168.2.0 255.255.255.0
--More-- next
--More-- end
--More-- config vpn ipsec manualkey-interface
--More-- end
--More-- config vpn pptp
--More-- set status disable
--More-- end
--More-- config vpn l2tp
--More-- set eip 0.0.0.0
--More-- set sip 0.0.0.0
--More-- set status disable
--More-- set enforce-ipsec disable
--More-- end
--More-- config vpn ipsec forticlient
--More-- end
--More-- config dnsfilter domain-filter
--More-- end
--More-- config dnsfilter profile
--More-- edit "default"
--More-- set comment "Default dns filtering."
--More-- config domain-filter
--More-- unset domain-filter-table
--More-- end