Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8184
Views
5
Helpful
3
Replies

VPN connectivity to site with multiple subnets

newcityit
Level 1
Level 1

‎01-23-2014 02:50 PM

I am having a VPN issue between a ASA and a Fortigate.

I believe that the issue is on the Fortigate side, but some things on the ASA give me pause.

In my configuration traffic from the ASA (172.30.8.x) bound for 192.168.1.x or 192.168.2.x goes to the Fortigate via a ipsec VPN.

The inside network for the Fortigate is 192.168.1.x. It has a route to 192.168.2.x.

VPN traffic works as expected when communicating from 172.30.8.x to 192.168.1.x. No problems there. Traffic going to 192.168.2.x is dropped somewhere. I think this is a Fortigate issue, but I have a doubt because when I do a packet-trace the ASA reports a DROP via ACL, but I have no idea what ACL that is, perhaps implicit. I am including as much information as I have. Any help or suggestions are greatly appreciated.

Here is the relevant config.  I have a remote access VPN to this network, that also works fine, I included that information, just in case it has some effect.

*********Config****************

name 192.168.1.0 remote-indiana-int

name 192.168.2.0 remote-ohio-int

name 19.51.34.99 remote-indiana-ext

name 172.30.8.0 remote-colo-int

interface GigabitEthernet0/1

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/1.1

vlan 88

nameif vlan88

security-level 60

ip address 172.30.8.1 255.255.255.0

object-group network remote-internal

network-object remote-indiana-int 255.255.255.0

network-object remote-ohio-int 255.255.255.0

access-list outside_vlan88_cryptomap extended permit ip remote-colo-int 255.255.255.0 object-group remote-internal

access-list vlan88_nat0_outbound extended permit ip remote-colo-int 255.255.255.0 object-group remote-internal

access-list vlan88_nat0_outbound extended permit ip object-group remote-internal remote-colo-int 255.255.255.0

access-list vlan88_nat0_outbound extended permit ip remote-colo-int 255.255.255.0 172.30.8.96 255.255.255.248

access-list vlan88_tunnel_splitTunnelAcl standard permit remote-colo-int 255.255.255.0

ip local pool vlan88_pool 172.30.8.97-172.30.8.102 mask 255.255.255.248

nat (vlan88) 0 access-list vlan88_nat0_outbound

nat (vlan88) 1 remote-colo-int 255.255.255.0

crypto ipsec transform-set fortinet esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES

-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_vlan88_cryptomap

crypto map outside_map 1 set peer remote-indiana-ext

crypto map outside_map 1 set transform-set fortinet

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

group-policy vlan88_tunnel internal

group-policy vlan88_tunnel attributes

dns-server value 198.153.192.40 198.153.194.40

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value vlan88_tunnel_splitTunnelAcl

default-domain value eimagesolutions.com

tunnel-group 19.51.34.99 type ipsec-l2l

tunnel-group 19.51.34.99 ipsec-attributes

pre-shared-key *****

**********Packet Trace**********************

5520-01# packet-tracer input vlan88 icmp 172.30.8.55 8 0 192.168.2.2

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT-EXEMPT

Subtype:

Result: ALLOW

Config:

  match ip vlan88 remote-colo-int 255.255.255.0 outside remote-ohio-int 255.255.255.0

    NAT exempt

    translate_hits = 1, untranslate_hits = 0

Additional Information:

Phase: 7

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (vlan88) 1 remote-colo-int 255.255.255.0

  match ip vlan88 remote-colo-int 255.255.255.0 outside any

    dynamic translation to pool 1 (200.200.200.200 [Interface PAT])

    translate_hits = 3, untranslate_hits = 0

Additional Information:

Phase: 8

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (vlan88) 1 remote-colo-int 255.255.255.0

  match ip vlan88 remote-colo-int 255.255.255.0 outside any

    dynamic translation to pool 1 (200.200.200.200 [Interface PAT])

    translate_hits = 3, untranslate_hits = 0

Additional Information:

Phase: 9

Type: VPN

Subtype: encrypt

Result: DROP

Config:

Additional Information:

Result:

input-interface: vlan88

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

**********Log****************

5|Jan 23 2014|14:35:26|713119|||||Group = 19.51.34.99, IP = 19.51.34.99, PHASE 1 COMPLETED

6|Jan 23 2014|14:35:26|113009|||||AAA retrieved default group policy (DfltGrpPolicy) for user = 19.51.34.99

6|Jan 23 2014|14:35:26|713172|||||Group = 19.51.34.99, IP = 19.51.34.99, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device

4|Jan 23 2014|14:35:26|113019|||||Group = 19.51.34.99, Username = 19.51.34.99, IP = remote-indiana-ext, Session disconnected. Session Type: IKE, Duration: 0h:10m:33s, Bytes xmt: 0, Bytes rcv: 0, Reason: Lost Service

5|Jan 23 2014|14:35:26|713259|||||Group = 19.51.34.99, IP = 19.51.34.99, Session is being torn down. Reason: Lost Service

3|Jan 23 2014|14:35:26|713902|||||Group = 19.51.34.99, IP = 19.51.34.99, Removing peer from correlator table failed, no match!

3|Jan 23 2014|14:35:26|713902|||||Group = 19.51.34.99, IP = 19.51.34.99, QM FSM error (P2 struct &0x6c372558, mess id 0x242c6faa)!

6|Jan 23 2014|14:34:54|302015|200.200.200.200|500|remote-indiana-ext|500|Built outbound UDP connection 71 for outside:remote-indiana-ext/500 (remote-indiana-ext/500) to identity:200.200.200.200/500 (200.200.200.200/500)

5|Jan 23 2014|14:34:54|713041|||||Group = 19.51.34.99, IP = 19.51.34.99, IKE Initiator: New Phase 2, Intf vlan75, IKE Peer 19.51.34.99  local Proxy Address 172.30.8.0, remote Proxy Address 192.168.2.0,  Crypto map (outside_map)

*************FORTIGATE************************

config vpn ipsec phase1

  edit "GW-FG-ASA"

    set interface wan1

    set dpd disable

    set dhgrp 2

    set proposal 3des-sha1

    set keylife 86400

    set remote-gw 200.200.200.200

    set psksecret ENC ********

  end

config vpn ipsec phase2

  edit Tunnel-FG-ASA

    set dhgrp 5

    set keepalive enable

    set phase1name GW-FG-ASA

    set proposal 3des-sha1

    set pfs disable

    set replay disable

    set keylife-type seconds

    set keylifeseconds 86400

    set src-addr-type subnet

    set src-subnet 192.168.1.0 255.255.255.0

    set dst-addr-type subnet

    set dst-subnet 172.30.8.0 255.255.255.0

  end

config firewall address

  edit "LocalLAN"

    set subnet 192.168.1.0 255.255.255.0

  next

  edit "colo_net"

    set subnet 172.30.8.0 255.255.255.0

  end

edit "ohio"

    set subnet 192.168.2.0 255.255.255.0

  end

config firewall policy

  edit 1

    set srcintf internal

    set dstintf wan1

    set srcaddr "LocalLAN ohio"

    set dstaddr colo_net

    set action ipsec

    set inbound enable

    set outbound enable

    set natinbound disable

    set natoutbound disable

    set schedule always

    set service ANY

    set vpntunnel GW-FG-ASA

  end

1 person had this problem
Labels:
0 Helpful
3 Replies 3

tanuj.diwan
Level 1
Level 1

‎09-06-2016 08:47 PM

HI Guys,

I have faced a similar issue in the past and was able to find a solution for it.

I had an issue where i had 2 source subnets on the fortigate end and one on the ASA end.

I created multiple phase 2 on the fortigate side for a single Phase 1. In the quick mode selector in Phase 2 configuration i chose one source subnet(Fortigate side) and destination subnet(ASA side). And another phase 2 for 2nd source subnet and same destination.

On the ASA i created 2 different policies Access-list 10 one source(ASA) and destination 1(Foritgate)

and 2nd policy Access-list 20 one source(ASA) and destination 2 (Fortigate).

Then i added these 2 polices on a single Crypto map and called that on the interface and VPN worked successfully.

SInce then i have deployed this in many other sites and it works perfectly.

So instead of using a single Phase 2 use multiple. And same goes for the Security policies on ASA. Try it and let me know if it doesn't work.

Regards

Tanuj

Then i added these 2 polcies 

3SS
Level 1
Level 1
In response to tanuj.diwan

‎04-22-2019 03:42 PM

I know this is old, but it helped me big time. 

 

I had a VPN from an ASA 9.x to Fortigate 6.x

The ASA had a single subnet, and the Fortigate had 8 subnets. 

I could connect to any subnet behind the fortigate fine, but the moment I tried to connect to a second one the first one stopped working.

 

Turns out all I needed to do was separate each subnet into a separate Phase 2 entry on the Fortigate. I did not need to make any ASA changes. All subnets work at the same time now. 

0 Helpful

Pawan Raut
Level 4
Level 4

‎09-06-2016 10:29 PM

As per packet tracer encrypt drops because of Phase 2 VPN is not up and as per below log remote end GW (here in this case fortigate) not have NAT-T enable and ASA has this by default so need to enable NAT-T on fortigate to resolve issue.

6|Jan 23 2014|14:35:26|713172|||||Group = 19.51.34.99, IP = 19.51.34.99, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device

0 Helpful
Customers Also Viewed These Support Documents