10-14-2019 11:42 AM
Dear ,
I am facing an issue with IPsec VPN connectivity to a FortiGate. See the "sh run" output below:
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key xxxx address xxxxx
!
!
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
mode tunnel
!
!
!
crypto map MYMAP 10 ipsec-isakmp
set peer xxxxxxxxx
set transform-set MYSET
match address VPN-TRAFFIC
!
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
ip address public ip 255.255.xxx.xxx
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map MYMAP
!
interface Vlan1
ip address 192.168.2.1 255.255.255.0
ip helper-address 192.168.2.1
ip nat inside
ip virtual-reassembly in
!
interface Vlan2
no ip address
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 public ip
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
access-list 1 permit 192.168.2.0 0.0.0.255
!
control-plane
10-15-2019 04:51 AM
Hello,
It looks like there is a mismatch in the DH group: your FortiGate uses group 14, while the Cisco uses 2. Change the Cisco to:
crypto isakmp policy 10
hash md5
authentication pre-share
--> group 14
crypto isakmp key xxxx address xxxxx
!
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
mode tunnel
!
crypto map MYMAP 10 ipsec-isakmp
set peer xxxxxxxxx
set transform-set MYSET
--> set pfs group14
match address VPN-TRAFFIC
10-15-2019 05:12 AM
Hi,
Only able to ping the firewall IP 192.168.1.215, which is behind NAT; unable to ping other IPs on the network. Might be an ACL issue here.
crypto isakmp policy 10
hash md5
authentication pre-share
group 14
crypto isakmp key xxxxx address 94.97.xxx
!
!
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
mode tunnel
!
!
!
crypto map MYMAP 10 ipsec-isakmp
set peer 94.97.xxx
set transform-set MYSET
set pfs group14
match address VPN-TRAFFIC
ip nat inside source list 101 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 37.224xxx
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
10-15-2019 05:28 AM
Hello,
You have several VPN configs on your FortiGate; which one is the one connecting to the Cisco? One has PFS disabled and no group, but the correct source and destination network. The other has PFS enabled and group 14 configured, but no source and destination network...
    edit "ipsec_vpn"
        set phase1name "ipsec_vpn"
        set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
        set pfs enable
        set dhgrp 14 5
        set replay enable
        set keepalive disable
        set add-route phase1
        set auto-discovery-sender phase1
        set auto-discovery-forwarder phase1
        set keylife-type seconds
        set single-source disable
        set route-overlap use-new
        set encapsulation tunnel-mode
        set comments "VPN: ipsec_vpn (Created by VPN wizard)"
        set protocol 0
        set src-addr-type subnet
        set src-port 0
        set dst-addr-type subnet
        set dst-port 0
        set keylifeseconds 43200
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
    edit "IPSEC2CISCO-p2"
        set phase1name "IPSEC2CISCO"
        set proposal des-md5
        set pfs disable
        set replay enable
        set keepalive disable
        set auto-negotiate disable
        set auto-discovery-sender phase1
        set auto-discovery-forwarder phase1
        set keylife-type seconds
        set encapsulation tunnel-mode
        set comments ''
        set protocol 0
        set src-addr-type subnet
        set src-port 0
        set dst-addr-type subnet
        set dst-port 0
        set keylifeseconds 3600
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end
config vpn ipsec manualkey-interface
end
config vpn pptp
    set status disable
end
config vpn l2tp
    set eip 0.0.0.0
    set sip 0.0.0.0
    set status disable
    set enforce-ipsec disable
end
config vpn ipsec forticlient
end
config dnsfilter domain-filter
end
config dnsfilter profile
    edit "default"
        set comment "Default dns filtering."
        config domain-filter
            unset domain-filter-table
        end
10-15-2019 06:02 AM
Hi George,
Yes, we are using other VPNs as well.
Kindly see the config specific to the Cisco-to-FortiGate VPN:
    edit "IPSEC2CISCO"
        set vdom "root"
        set distance 5
        set dhcp-relay-service disable
        set ip 0.0.0.0 0.0.0.0
        unset allowaccess
        set arpforward enable
        set broadcast-forward disable
        set bfd global
        set icmp-redirect enable
        set ips-sniffer-mode disable
        set ident-accept disable
        set ipmac disable
        set status up
        set netbios-forward disable
        set wins-ip 0.0.0.0
        set type tunnel
        set netflow-sampler disable
        set sflow-sampler disable
        set scan-botnet-connections disable
        set src-check enable
        set sample-rate 2000
        set polling-interval 20
        set sample-direction both
        set tcp-mss 0
        set inbandwidth 0
        set outbandwidth 0
        set spillover-threshold 0
        set ingress-spillover-threshold 0
        set weight 0
        set external disable
        set remote-ip 0.0.0.0 0.0.0.0
        set description ''
        set alias ''
        set l2tp-client disable
        set security-mode none
        set fortiheartbeat disable
        set estimated-upstream-bandwidth 0
        set estimated-downstream-bandwidth 0
        set role undefined
        set snmp-index 12
        set preserve-session-route disable
        set auto-auth-extension-device disable
        set ap-discover enable
        config ipv6
            set ip6-mode static
            set nd-mode basic
            set ip6-address ::/0
            unset ip6-allowaccess
            set ip6-reachable-time 0
            set ip6-retrans-time 0
            set ip6-hop-limit 0
            set dhcp6-prefix-delegation disable
            set dhcp6-information-request disable
            set ip6-send-adv disable
            set autoconf disable
            set dhcp6-relay-service disable
        end
    edit "IPSEC2CISCO"
        set type static
        set interface "wan1"
        set ip-version 4
        set ike-version 1
        set local-gw 0.0.0.0
        set keylife 86400
        set authmethod psk
        set mode main
        set peertype any
        set passive-mode disable
        set exchange-interface-ip disable
        set mode-cfg disable
        set proposal des-md5
        set localid ''
        set localid-type auto
        set auto-negotiate enable
        set negotiate-timeout 30
        set fragmentation enable
        set dpd on-demand
        set forticlient-enforcement disable
        set comments ''
        set npu-offload enable
        set dhgrp 2
        set suite-b disable
        set wizard-type custom
        set xauthtype disable
        set mesh-selector-type disable
        set idle-timeout disable
        set ha-sync-esp-seqno enable
        set auto-discovery-sender disable
        set auto-discovery-receiver disable
        set auto-discovery-forwarder disable
        set encapsulation none
        set nattraversal disable
        set rekey enable
        set remote-gw 37.224.xxx
        set monitor ''
        set add-gw-route disable
        set psksecret ENC B3eEjBX8n3/g2Ja6rW1ITWYUnsyVCW0bZzlK3XZ98mYpWlTiysSMFXFNSkKzqOlpJ2cj6BiN4Y0h1o6/A22msyIaBGiANzPkL+758fJiXYfzIzsEG9eseBQoi+HkT4eii6aBZUYu9mO0edAkBSYapyQTAEj1+dqDiPfpjI4RVG3uVT+YoinHSK9Nr0mvDr4gQIE8AA==
        set dpd-retrycount 3
        set dpd-retryinterval 20
    next
end
    edit "IPSEC2CISCO-p2"
        set phase1name "IPSEC2CISCO"
        set proposal des-md5
        set pfs disable
        set replay enable
        set keepalive disable
        set auto-negotiate disable
        set auto-discovery-sender phase1
        set auto-discovery-forwarder phase1
        set keylife-type seconds
        set encapsulation tunnel-mode
        set comments ''
        set protocol 0
        set src-addr-type subnet
        set src-port 0
        set dst-addr-type subnet
        set dst-port 0
        set keylifeseconds 3600
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
        set name "LAN2IPSEC"
        set uuid 90f8bc80-e5e5-51e9-e99e-1228784777f9
        set srcintf "internal3"
        set dstintf "IPSEC2CISCO"
        set srcaddr "all"
        set dstaddr "all"
        set internet-service disable
        set rtp-nat disable
        set learning-mode disable
        set action accept
        set status enable
        set schedule "always"
        set schedule-timeout disable
        set service "ALL"
        set dscp-match disable
        set utm-status disable
        set logtraffic utm
        set logtraffic-start disable
        set auto-asic-offload enable
        set np-accelation enable
        set session-ttl 0
        set vlan-cos-fwd 255
        set vlan-cos-rev 255
        set wccp disable
        set disclaimer disable
        set natip 0.0.0.0 0.0.0.0
        set diffserv-forward disable
        set diffserv-reverse disable
        set tcp-mss-sender 0
        set tcp-mss-receiver 0
        set comments ''
        set block-notification disable
        set replacemsg-override-group ''
        set srcaddr-negate disable
        set dstaddr-negate disable
        set service-negate disable
        set timeout-send-rst disable
        set captive-portal-exempt disable
        set ssl-mirror disable
        set scan-botnet-connections disable
        set dsri disable
        set radius-mac-auth-bypass disable
        set delay-tcp-npu-session disable
        set traffic-shaper ''
        set traffic-shaper-reverse ''
        set per-ip-shaper ''
        set nat disable
        set match-vip disable
    next
    edit 9
        set name "IPSEC2LAN"
        set uuid e5135730-e5e5-51e9-dada-a73548e003d5
        set srcintf "IPSEC2CISCO"
        set dstintf "internal3"
        set srcaddr "all"
        set dstaddr "all"
        set internet-service disable
        set rtp-nat disable
        set learning-mode disable
        set action accept
        set status enable
        set schedule "always"
        set schedule-timeout disable
        set service "ALL"
        set dscp-match disable
        set utm-status disable
        set logtraffic utm
        set logtraffic-start disable
        set auto-asic-offload enable
        set np-accelation enable
        set session-ttl 0
        set vlan-cos-fwd 255
        set vlan-cos-rev 255
        set wccp disable
        set disclaimer disable
        set natip 0.0.0.0 0.0.0.0
        set diffserv-forward disable
        set diffserv-reverse disable
        set tcp-mss-sender 0
        set tcp-mss-receiver 0
        set comments ''
        set block-notification disable
        set replacemsg-override-group ''
        set srcaddr-negate disable
        set dstaddr-negate disable
        set service-negate disable
        set timeout-send-rst disable
        set captive-portal-exempt disable
        set ssl-mirror disable
        set scan-botnet-connections disable
        set dsri disable
        set radius-mac-auth-bypass disable
        set delay-tcp-npu-session disable
        set traffic-shaper ''
        set traffic-shaper-reverse ''
        set per-ip-shaper ''
        set nat disable
        set match-vip disable
    next
end
10-15-2019 06:56 AM
Hello,
I cannot follow what you are posting anymore (there seem to be three different configs).
Either way, make sure that on the FortiGate side the proposal, the PFS group, and the source and destination networks match.