12-30-2012 09:09 PM - edited 02-21-2020 06:35 PM
Hi,
We have done the site-to-site VPN between Fortinet and Cisco SA540. Everything is configured at both ends but the tunnel is not established. Can you help me out to resolve the issue?
Regards,
Satish.
01-02-2013 06:11 AM
Good morning
Thanks for using our forum
Hi Ven, my name is Johnnatan and I am part of the Small business Support community.
Ensure you have the same policies configured in both sites, and ensure you have the correct addresses or domains configured. You can check some help in page 7.
Ven, if you have all these correct, let's proceed with some troubleshooting steps:
1. Configure the VPN manually again, but this time using different values in your VPN policies (DH, authentication and encryption algorithm).
2. Disable the “Dead Peer Detection” in IKE policies,
3. Disable “PFS Key Group” in VPN policies PFS
4. Ensure IPsec traffic is allowed in both sites: Go to VPN > IPSec > Passthrough and ensure IPsec is enabled.
I hope you find this answer useful; if it was satisfactory for you, please mark the question as Answered. Please rate posts you consider useful.
By the way, you have a small business device, you could post in Small Business Security so you can have more feedback on your case, more users will see it there. You can move your post using the actions panel on the right.
Have a nice day!!!!
Johnnatan Rodriguez Miranda.
Cisco network support engineer.
01-02-2013 08:40 PM
Hi Johnnatan,
Thanks for your response.
I did the same configuration on both ends. But the tunnel is not getting up. I didn't find where the issue is coming from.
Regards,
Satish.
01-03-2013 11:29 AM
Hi Venkatasatish, I have seen cases (Cisco ASA and Fortinet 50B, SMB firewall and Fortinet 50B) where they could configure the VPN. However, your Fortinet 50B is not a Cisco product and I don't have the appropriate knowledge to configure your Fortinet 50B; however, you can open a case with our engineers in order to resolve your problem.
https://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
Greetings
Johnnatan Rodriguez Miranda.
01-03-2013 06:34 PM
Hello Venkatasatish,
I'm going to send you an example of a VPN between Cisco ASA version 8.2 and Fortigate MR4.
In my example I'm going to use the following environments:
Cisco ASA "Zones"
Inside: 192.168.1.0/24 "Asa inside interface Ip address 192.168.1.1"
Outside: 200.200.200.0/29 "Asa outside interface Ip address 200.200.200.1"
Fortigate "Zones"
inside: 172.16.1.0/24 "Fortigate inside interface IP address 172.16.1.1"
outside: 201.201.201.0/29 "Fortigate outside interface IP address 201.201.201.1"
=================================> VPN Script of ASA <=================================
access-list inside_access_in remark Firewall rule from ASA to Fortigate
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0 log notifications
access-group inside_access_in in interface inside
!
access-list VPN_NONAT remark Nonat to VPN traffic over VPN
access-list VPN_NONAT extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
!
access-list CryptoMap_ASA_to_Fortigate remark VPN Site-to-Site to Fortigate Site
access-list CryptoMap_ASA_to_Fortigate extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
!
nat (inside) 0 access-list VPN_NONAT
!
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map OUTSIDE_map 1 match address CryptoMap_ASA_to_Fortigate
crypto map OUTSIDE_map 1 set peer 201.201.201.1
crypto map OUTSIDE_map 1 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_map 1 set security-association lifetime seconds 3600
crypto map OUTSIDE_map interface outside
!
group-policy GP_TO_FORTIGATE internal
group-policy GP_TO_FORTIGATE attributes
vpn-idle-timeout none
vpn-tunnel-protocol IPSec
!
tunnel-group 201.201.201.1 type ipsec-l2l
tunnel-group 201.201.201.1 general-attributes
default-group-policy GP_TO_FORTIGATE
tunnel-group 201.201.201.1 ipsec-attributes
pre-shared-key cisco123
=================================> VPN Script for Fortigate <=================================
Phase 1:
FORTIGATE# config vpn ipsec phase1-interface "enter"
FORTIGATE (phase1-interface) # edit 200.200.200.1 "enter"
set interface "outside"
set keylife 86400
set mode main
set dhgrp 2
set proposal 3des-sha1
set remote-gw 200.200.200.1
set psksecret cisco123
next "to apply the configuration"
Phase 2
FORTIGATE# config vpn ipsec phase2-interface
edit 200.200.200.1
set keepalive enable
set pfs disable
set phase1name "200.200.200.1"
set proposal 3des-sha1
set dst-subnet 192.168.1.0 255.255.255.0
set keylifeseconds 3600
set src-subnet 172.16.1.0 255.255.255.0
next "to apply the configuration"
Config route to VPN: I am using entry 100, you need to take a look at your firewall.
FORTIGATE# config router static "enter"
FORTIGATE (static) # edit 100 "enter"
FORTIGATE (100) # set device "200.200.200.1"
set distance 1
set dst 192.168.1.0 255.255.255.0
next "to apply the configuration"
end
Create a rule: in my example I'm using any to any over the VPN, but you can filter based on your network environments.
FORTIGATE # config firewall policy "enter"
FORTIGATE (policy) # edit 100 "enter"
set srcintf "200.200.200.1"
set dstintf "inside"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set logtraffic enable
set comments "Access from VPN ASA site"
next "to apply the configuration"
FORTIGATE (policy) # edit 101 "enter"
set srcintf "inside"
set dstintf "200.200.200.1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set logtraffic enable
set comments "Access to VPN ASA Site"
next "to apply the configuration"
end
After that, please start traffic between the private networks, 192.168.1.0 and 172.16.1.0/24.
Please let me know about it!
Good luck.
Fabio Jorge Amorim
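Both Johnnatan's first troubleshooting step (make sure the policies match on both sides) and Fabio's paired ASA/FortiGate example come down to the same check: the IKE phase 1 and IPsec phase 2 parameters each peer proposes have to agree, or the tunnel never comes up. The script below is an added example, not code from the thread or from Cisco or Fortinet: it parses trimmed, constructed copies of the two configs above, normalizes the different vendor spellings (esp-3des vs 3des, esp-sha-hmac vs sha1) into one form, and lists every parameter that differs. It only understands the handful of keywords shown, takes the first proposal in a FortiGate `set proposal` line, and treats a missing `set pfs` on the ASA crypto map as PFS off.

```python
"""Compare the IKE/IPsec parameters two peers propose and report mismatches.

Added example (not from the thread). The two config snippets are
constructed samples trimmed from the ASA 8.2 / FortiGate configs posted
above; only the keywords handled below are parsed, the rest is ignored.
"""
import re

# Constructed sample: the ASA side of the tunnel.
ASA_CONFIG = """
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE_map 1 set peer 201.201.201.1
crypto map OUTSIDE_map 1 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_map 1 set security-association lifetime seconds 3600
"""

# Constructed sample: the FortiGate side of the same tunnel.
FORTI_CONFIG = """
config vpn ipsec phase1-interface
    edit "200.200.200.1"
        set keylife 86400
        set dhgrp 2
        set proposal 3des-sha1
        set remote-gw 200.200.200.1
    next
end
config vpn ipsec phase2-interface
    edit "200.200.200.1"
        set pfs disable
        set proposal 3des-sha1
        set keylifeseconds 3600
    next
end
"""

# Vendor spellings -> one canonical algorithm name.
ALG = {
    "esp-3des": "3des", "esp-aes": "aes128", "esp-aes-256": "aes256",
    "esp-sha-hmac": "sha1", "esp-md5-hmac": "md5",
    "3des": "3des", "aes": "aes128", "aes-256": "aes256",
    "aes128": "aes128", "aes256": "aes256",
    "sha": "sha1", "sha1": "sha1", "md5": "md5",
}


def norm(token):
    return ALG.get(token.lower(), token.lower())


def parse_asa(text):
    """Extract phase 1 / phase 2 parameters from an ASA-style config."""
    p = {"p2_pfs": "off"}  # no `set pfs` on the crypto map means PFS off
    tsets = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"^encryption (\S+)$", line):
            p["p1_enc"] = norm(m[1])
        elif m := re.match(r"^hash (\S+)$", line):
            p["p1_hash"] = norm(m[1])
        elif m := re.match(r"^group (\d+)$", line):
            p["p1_group"] = m[1]
        elif m := re.match(r"^lifetime (\d+)$", line):
            p["p1_lifetime"] = int(m[1])
        elif m := re.match(r"^crypto ipsec transform-set (\S+) (\S+) (\S+)$", line):
            tsets[m[1]] = (norm(m[2]), norm(m[3]))
        elif m := re.match(r"^crypto map \S+ \d+ set transform-set (\S+)$", line):
            p["_tset"] = m[1]
        elif m := re.match(r"^crypto map \S+ \d+ set security-association lifetime seconds (\d+)$", line):
            p["p2_lifetime"] = int(m[1])
        elif m := re.match(r"^crypto map \S+ \d+ set pfs(?: group(\d+))?$", line):
            p["p2_pfs"] = m[1] or "2"  # ASA uses group 2 when no group is named
    name = p.pop("_tset", None)
    if name in tsets:  # resolve the transform-set reference at the end
        p["p2_enc"], p["p2_hash"] = tsets[name]
    return p


def parse_fortigate(text):
    """Extract phase 1 / phase 2 parameters from a FortiGate CLI config."""
    p, phase = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config vpn ipsec phase1"):
            phase = "p1"
        elif line.startswith("config vpn ipsec phase2"):
            phase = "p2"
        elif line == "end":
            phase = None
        elif phase and (m := re.match(r"^set (\S+) (.+)$", line)):
            key, val = m[1], m[2].strip('"')
            if key == "proposal":  # first proposal only, e.g. 3des-sha1
                enc, mac = val.split()[0].split("-", 1)
                p[f"{phase}_enc"], p[f"{phase}_hash"] = norm(enc), norm(mac)
            elif key == "dhgrp":
                p["p1_group" if phase == "p1" else "_p2_dhgrp"] = val
            elif key == "keylife":
                p["p1_lifetime"] = int(val)
            elif key == "keylifeseconds":
                p["p2_lifetime"] = int(val)
            elif key == "pfs":
                p["p2_pfs"] = "off" if val == "disable" else "on"
    grp = p.pop("_p2_dhgrp", None)
    if p.get("p2_pfs") == "on":  # report the PFS group when PFS is enabled
        p["p2_pfs"] = grp or "on"
    return p


def compare(a, b):
    """Return [(parameter, side_a, side_b)] for every value that differs."""
    keys = sorted(set(a) | set(b))
    return [(k, a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)]


if __name__ == "__main__":
    diffs = compare(parse_asa(ASA_CONFIG), parse_fortigate(FORTI_CONFIG))
    print("peers agree" if not diffs else "mismatches:")
    for key, asa, forti in diffs:
        print(f"  {key}: ASA={asa} FortiGate={forti}")
```

Run it as-is and the two sides agree, which is what Fabio's pairing is meant to show; flip `set pfs disable` to `set pfs enable` on the FortiGate side and the report names `p2_pfs` as the only difference, the same kind of mismatch Johnnatan's step 3 is aimed at.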