ā10-14-2019 11:42 AM
Dear ,
I am facing an issue with connectivity for ipsec vpn with fortigate
see below sh run
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key xxxx address xxxxx
!
!
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
mode tunnel
!
!
!
crypto map MYMAP 10 ipsec-isakmp
set peer xxxxxxxxx
set transform-set MYSET
match address VPN-TRAFFIC
!
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
ip address public ip 255.255.xxx.xxx
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map MYMAP
!
interface Vlan1
ip address 192.168.2.1 255.255.255.0
ip helper-address 192.168.2.1
ip nat inside
ip virtual-reassembly in
!
interface Vlan2
no ip address
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 public ip
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
access-list 1 permit 192.168.2.0 0.0.0.255
!
control-plane
ā10-14-2019 12:37 PM
Hello,
you need to exclude the VPN traffic from being translated. Make the changes marked in bold:
ip nat inside source list 101 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 public ip
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
access-list 101 permit deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
ā10-14-2019 01:12 PM
Dear George,
Thanks for response..
See below sh run after change configuration
ip nat inside source list 101 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 public ip
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
!
still it not works
ā10-14-2019 01:31 PM
Hello,
access-list 101 is not correct. You need to DENY the VPN traffic. It needs to look like this:
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
ā10-14-2019 02:07 PM
Hi,
See below sh run
ip nat inside source list 101 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 public ip
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
!
control-plane
Not works..
ā10-14-2019 03:34 PM
1) What output you get when you run the following commands after sending interesting traffic: show crypto isakmp sa, sh crypto ipsec sa?
Run as follows:
ping 192.168.1.1 !(Intersting traffic)
show crypto isakmp sa
show crypto ipsec sa
2) Is the other side configured correctly, for both Phase 1 and Phase 2 as well as interesting traffic (192.168.1.0/24 -> 192.168.2.0/24)?
HTH,
Meheretab
ā10-15-2019 01:26 AM
Dear Mehertab,
see below sh crypto ipsec sa
interface: FastEthernet4
Crypto map tag: MYMAP, local addr 37.22xxxx
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 94.97.xxxxx port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4708, #pkts encrypt: 4708, #pkts digest: 4708
#pkts decaps: 3622, #pkts decrypt: 3622, #pkts verify: 3622
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 37.22x.xxxx, remote crypto endpt.: 94.97.xxxxx
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0xED619D9D(3982597533)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x18E29847(417503303)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 19, flow_id: Onboard VPN:19, sibling_flags 80004040, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4318169/2677)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xED619D9D(3982597533)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 20, flow_id: Onboard VPN:20, sibling_flags 80004040, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4319651/2677)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
Second the other side configuration in firewall..
In phase 1 & phase 2 configuration interesting traffic defined well..
ā10-15-2019 01:30 AM
Hello,
in the crypto map, try and set the pfs group:
crypto map MYMAP 10 ipsec-isakmp
set peer xxxxxxxxx
set transform-set MYSET
set pfs group2
match address VPN-TRAFFIC
ā10-15-2019 01:38 AM
Hi George,
Your provided solution works a bit e.g If ping 192.168.1.215 which is connected interface to firewall behind public ip.
But other network ip in same subnet i cant ping..
ā10-15-2019 02:23 AM
Hello,
I guess at this point we need to see the configuration of the Fortigate, can you post this ?
ā10-15-2019 02:50 AM
ā10-15-2019 03:08 AM
Also, check if the local policy on the Fortigate allows ICMP to the local subnet...
ā10-15-2019 03:23 AM
ā10-15-2019 03:32 AM
Post the cli output of:
show full configuration
ā10-15-2019 04:00 AM
See below output of vpn from fortigate cli:
--More-- config vpn ipsec phase1
--More-- end
--More-- config vpn ipsec phase2
--More-- end
--More-- config vpn ipsec manualkey
--More-- end
--More-- config vpn ipsec concentrator
--More-- end
--More-- config vpn ipsec phase1-interface
--More-- edit "ipsec_vpn"
--More-- set type dynamic
--More-- set interface "wan1"
--More-- set ip-version 4
--More-- set ike-version 1
--More-- set local-gw 0.0.0.0
--More-- set keylife 86400
--More-- set authmethod psk
--More-- set mode aggressive
--More-- set peertype any
--More-- set exchange-interface-ip disable
--More-- set mode-cfg enable
--More-- set ipv4-wins-server1 0.0.0.0
--More-- set ipv4-wins-server2 0.0.0.0
--More-- set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
--More-- set add-route enable
--More-- set localid ''
--More-- set localid-type auto
--More-- set negotiate-timeout 30
--More-- set fragmentation enable
--More-- set dpd on-demand
--More-- set forticlient-enforcement disable
--More-- set comments "VPN: ipsec_vpn (Created by VPN wizard)"
--More-- set npu-offload enable
--More-- set dhgrp 14 5
--More-- set suite-b disable
--More-- set wizard-type dialup-forticlient
--More-- set xauthtype auto
--More-- set reauth disable
--More-- set authusrgrp "VPN_User"
--More-- set idle-timeout disable
--More-- set ha-sync-esp-seqno enable
--More-- set auto-discovery-sender disable
--More-- set auto-discovery-receiver disable
--More-- set auto-discovery-forwarder disable
--More-- set nattraversal enable
--More-- set rekey enable
--More-- set enforce-unique-id disable
--More-- set default-gw 0.0.0.0
--More-- set default-gw-priority 0
--More-- set net-device disable
--More-- set tunnel-search selectors
--More-- set assign-ip enable
--More-- set assign-ip-from range
--More-- set ipv4-start-ip 10.10.100.1
--More-- set ipv4-end-ip 10.10.100.254
--More-- set ipv4-netmask 255.255.255.255
--More-- set dns-mode auto
--More-- set ipv4-split-include ''
--More-- set split-include-service ''
--More-- set ipv6-start-ip ::
--More-- set ipv6-end-ip ::
--More-- set ipv6-prefix 128
--More-- set ipv6-split-include ''
--More-- set unity-support enable
--More-- set domain ''
--More-- set banner ''
--More-- set include-local-lan disable
--More-- set save-password enable
--More-- set client-auto-negotiate disable
--More-- set client-keep-alive disable
--More-- set psksecret ENC 1VMgR9aR+tQfOUx8ryw7nSQpQFTuZ1dyJf0VgUflZWT8GL6eUnj8U5kw/MKImjAxipBP4XEl/OXKSVbxqDON5jICDe7DEXnarpjeOCCLCbuXgBOAwh6NOXA3UgDAMlGye9EOhqDZEL/S/zEFMSGL3E3sdL3J8yUf++ieeukqCC/kFn7zI04m4lCvsFS3AZKpA0AiLQ==
--More-- set keepalive 10
--More-- set distance 15
--More-- set priority 0
--More-- set dpd-retrycount 3
--More-- set dpd-retryinterval 20
--More-- next
--More-- edit "IPSEC2CISCO"
--More-- set type static
--More-- set interface "wan1"
--More-- set ip-version 4
--More-- set ike-version 1
--More-- set local-gw 0.0.0.0
--More-- set keylife 86400
--More-- set authmethod psk
--More-- set mode main
--More-- set peertype any
--More-- set passive-mode disable
--More-- set exchange-interface-ip disable
--More-- set mode-cfg disable
--More-- set proposal des-md5
--More-- set localid ''
--More-- set localid-type auto
--More-- set auto-negotiate enable
--More-- set negotiate-timeout 30
--More-- set fragmentation enable
--More-- set dpd on-demand
--More-- set forticlient-enforcement disable
--More-- set comments ''
--More-- set npu-offload enable
--More-- set dhgrp 2
--More-- set suite-b disable
--More-- set wizard-type custom
--More-- set xauthtype disable
--More-- set mesh-selector-type disable
--More-- set idle-timeout disable
--More-- set ha-sync-esp-seqno enable
--More-- set auto-discovery-sender disable
--More-- set auto-discovery-receiver disable
--More-- set auto-discovery-forwarder disable
--More-- set encapsulation none
--More-- set nattraversal disable
--More-- set rekey enable
--More-- set remote-gw 37.224.XXXXXX
--More-- set monitor ''
--More-- set add-gw-route disable
--More-- set psksecret ENC kxfkgIBJNEHF1eAB4udUT9hF5aswKITS8mYw1/7KXUagM84PrStZwEh13CbAXsUKi5Sm7IIaT/qS2zgQIFOD+dJdZuNoekIR1OwFRsLTsl7ZfJAgZxMelhU7eA8LvD7QTYIoFDhClQorqRKIa9tjq3s46pD1hi52YsB2igi1gZqkB18CtX9J13HC+ZYKSGnjuoWLsw==
--More-- set dpd-retrycount 3
--More-- set dpd-retryinterval 20
--More-- next
--More-- end
--More-- config vpn ipsec phase2-interface
--More-- edit "ipsec_vpn"
--More-- set phase1name "ipsec_vpn"
--More-- set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
--More-- set pfs enable
--More-- set dhgrp 14 5
--More-- set replay enable
--More-- set keepalive disable
--More-- set add-route phase1
--More-- set auto-discovery-sender phase1
--More-- set auto-discovery-forwarder phase1
--More-- set keylife-type seconds
--More-- set single-source disable
--More-- set route-overlap use-new
--More-- set encapsulation tunnel-mode
--More-- set comments "VPN: ipsec_vpn (Created by VPN wizard)"
--More-- set protocol 0
--More-- set src-addr-type subnet
--More-- set src-port 0
--More-- set dst-addr-type subnet
--More-- set dst-port 0
--More-- set keylifeseconds 43200
--More-- set src-subnet 0.0.0.0 0.0.0.0
--More-- set dst-subnet 0.0.0.0 0.0.0.0
--More-- next
--More-- edit "IPSEC2CISCO-p2"
--More-- set phase1name "IPSEC2CISCO"
--More-- set proposal des-md5
--More-- set pfs disable
--More-- set replay enable
--More-- set keepalive disable
--More-- set auto-negotiate disable
--More-- set auto-discovery-sender phase1
--More-- set auto-discovery-forwarder phase1
--More-- set keylife-type seconds
--More-- set encapsulation tunnel-mode
--More-- set comments ''
--More-- set protocol 0
--More-- set src-addr-type subnet
--More-- set src-port 0
--More-- set dst-addr-type subnet
--More-- set dst-port 0
--More-- set keylifeseconds 3600
--More-- set src-subnet 192.168.1.0 255.255.255.0
--More-- set dst-subnet 192.168.2.0 255.255.255.0
--More-- next
--More-- end
--More-- config vpn ipsec manualkey-interface
--More-- end
--More-- config vpn pptp
--More-- set status disable
--More-- end
--More-- config vpn l2tp
--More-- set eip 0.0.0.0
--More-- set sip 0.0.0.0
--More-- set status disable
--More-- set enforce-ipsec disable
--More-- end
--More-- config vpn ipsec forticlient
--More-- end
--More-- config dnsfilter domain-filter
--More-- end
--More-- config dnsfilter profile
--More-- edit "default"
--More-- set comment "Default dns filtering."
--More-- config domain-filter
--More-- unset domain-filter-table
--More-- end
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide