03-19-2023 06:05 AM
Hi,
After I configured the settings below, it seems the tunnel carries no data between the two devices. Can anyone help check the problem?
Cisco:
crypto isakmp policy 10
encr aes
authentication pre-share
group 14
lifetime 28800
crypto isakmp key foritgate address 111.111.111.111
crypto isakmp keepalive 10 5
!
!
crypto ipsec transform-set aes256-sha esp-aes 256 esp-sha-hmac
mode tunnel
!
!
!
crypto map side-sz 10 ipsec-isakmp
set peer 111.111.111.111
set transform-set aes256-sha
set pfs group14
match address 101
!
!
!
interface Dialer1
mtu 1492
ip address negotiated
ip mtu 1460
ip nat outside
ip virtual-reassembly in max-reassemblies 1024
encapsulation ppp
ip tcp adjust-mss 1420
dialer pool 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxx
ppp chap password 0 xxxx
crypto map side-sz
!
ip nat inside source list DSL_ACCESSLIST interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip access-list extended DSL_ACCESSLIST
permit ip 192.168.188.0 0.0.0.255 any
permit ip 192.168.186.0 0.0.0.255 any
permit ip 10.13.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
Fortigate:
config vpn ipsec phase1-interface
edit "vpn01-sdwan"
set type dynamic
set interface "port1"
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set add-route disable
set dpd on-idle
set auto-discovery-receiver enable
set psksecret ENC 123etrds
set dpd-retryinterval 60
next
end
config vpn ipsec phase2-interface
edit "vpn01-sdwan"
set phase1name "vpn01-sdwan"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
next
end
show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
show crypto ipsec sa
interface: Dialer1
Crypto map tag: side-sz, local addr 11.11.11.2
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 22.22.22.22 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 11.11.11.2, remote crypto endpt.: 22.22.22.22
plaintext mtu 1460, path mtu 1460, ip mtu 1460, ip mtu idb Dialer1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
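An added example, not code from the original poster: a small Python triage script that parses the two access lists and the `show crypto ipsec sa` output above. It assumes (Cisco IOS order of operations, which the thread does not state) that inside-to-outside NAT is applied before the crypto map is consulted, so it reports sources that both lists match and builds the `deny` entries that would exempt them from translation; it also flags the all-zero SA counters shown in the post.

```python
import ipaddress
import re

# Sample input constructed from the access lists and show output in the post.
NAT_ACL = """
permit ip 192.168.188.0 0.0.0.255 any
permit ip 192.168.186.0 0.0.0.255 any
permit ip 10.13.0.0 0.0.0.255 any
"""
CRYPTO_ACL = "permit ip 192.168.0.0 0.0.255.255 any"
SHOW_IPSEC_SA = """
current outbound spi: 0x0(0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
ACE = re.compile(r"permit ip (\S+) (\S+) (.+)")

def wildcard_to_network(addr, wildcard):
    """Cisco address/wildcard pair -> IPv4Network (wildcard bits are the inverted netmask)."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)

def parse_aces(acl_text):
    """[(source_network, destination_text)] for each 'permit ip' entry."""
    return [(wildcard_to_network(a, w), d.strip()) for a, w, d in ACE.findall(acl_text)]

def nat_crypto_overlaps(nat_acl, crypto_acl):
    """Sources permitted by both the NAT list and the crypto ACL.
    Assumption (not stated in the post): IOS translates inside-to-outside traffic before
    consulting the crypto map, so an overlapping source is NATed to the Dialer address,
    never matches the crypto ACL, and never triggers IKE."""
    return [(n, c, dst) for n, _ in parse_aces(nat_acl)
            for c, dst in parse_aces(crypto_acl) if n.overlaps(c)]

def suggested_nat_exclusions(nat_acl, crypto_acl):
    """'deny' entries to place before the permits in the NAT list, one per overlap."""
    return [f"deny ip {n.network_address} {n.hostmask} {dst}"
            for n, _, dst in nat_crypto_overlaps(nat_acl, crypto_acl)]

def sa_counters(show_output):
    """Pull the encaps/decaps counters and outbound SPI out of 'show crypto ipsec sa'."""
    grab = lambda pat: re.search(pat, show_output).group(1)
    return {"encaps": int(grab(r"#pkts encaps: (\d+)")),
            "decaps": int(grab(r"#pkts decaps: (\d+)")),
            "spi": grab(r"current outbound spi: (\S+)")}

def tunnel_is_idle(show_output):
    """True when no outbound SA exists (SPI 0x0) and nothing was encrypted or decrypted."""
    c = sa_counters(show_output)
    return c["spi"].startswith("0x0(") and c["encaps"] == 0 and c["decaps"] == 0
```

Because the crypto ACL here uses `any` as its destination, the generated deny lines would stop translating those two subnets entirely, which also makes visible how broad that crypto ACL is.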
03-19-2023 06:44 AM
Sorry, if all traffic goes through the dialer interface, why do you configure NATing?
04-15-2023 06:37 AM
NAT was for all local devices to connect to the internet.
04-15-2023 06:51 AM
Sorry, it's an old post, so did you find a solution?
04-15-2023 07:07 AM
I re-configured all settings; now it is working.