Solved: Issues with route based VPN connection to Fortigate

sidp · ‎08-23-2024

Hello,
I am trying to establish a site-to-site IPsec VPN from a Cisco 1121 (IOS XE) to a Fortigate, but I keep getting a mismatch.
To use a separate zone for the VPN tunnel in the zone-based firewall on the Cisco router, I am using route-based VPN. (The VPN works with policy-based VPN, but I couldn’t find a way to create a separate zone for the VPN, so I would have to set the rules in the Outside-to-Self zone, which I want to avoid).

I'm not sure, but I suspect an issue with the source and destination networks in Phase 2, as the Cisco has 0.0.0.0/0 there, which doesn’t work well with the Forti. Is there no way to define the networks in Phase 2 as with policy-based VPN?

Cisco Router Config:

crypto keyring KEYRING
pre-shared-key address 1.2.3.4 key ******
!
crypto isakmp policy 10
encryption aes 256
hash sha
authentication pre-share
group 14
lifetime 28800
crypto isakmp keepalive 60 3 periodic
crypto isakmp profile PROFILE_ISAKMP
keyring KEYRING
match identity address 1.2.3.4 255.255.255.255
!
crypto ipsec transform-set AES256-SHA1 esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile PROFILE_IPSEC
set transform-set AES256-SHA1
set pfs group14
set isakmp-profile PROFILE_ISAKMP
!
interface Tunnel0
description *** VPN
no ip address
ip tcp adjust-mss 1360
load-interval 30
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination 1.2.3.4
tunnel protection ipsec profile PROFILE_IPSEC
!
interface GigabitEthernet0/0/0
description *** WAN
ip address dhcp
no ip redirects
no ip unreachables
ip nat outside
zone-member security OUTSIDE
negotiation auto
no cdp enable
end
!
interface Vlan100
description *** LAN
ip address 172.28.8.49 255.255.255.248
no ip redirects
ip directed-broadcast
ip nat inside
zone-member security INSIDE
ip tcp adjust-mss 1200
hold-queue 100 out
end
!
ip route 172.19.0.0 255.255.0.0 Tunnel0

Cisco "show crypto isakmp sa" shows Tunnel Active.

ro01#sh crypto ipsec sa

interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 10.0.5.192

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 1.2.3.4 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.0.5.192, remote crypto endpt.: 1.2.3.4
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

Fortigate Config:

Perhaps I should also mention that we use the VPN "dyn-vpn" on the Fortigate for all our routers that do not have a fixed public IP, and there is a separate Phase 2 for each router. This has always worked without any problems, even with policy-based VPN.

config vpn ipsec phase1-interface
edit "dyn-vpn"
set type dynamic
set interface "port1"
set keylife 28800
set peertype any
set net-device disable
set proposal aes256-sha1
set localid "1.2.3.4"
set localid-type address
set dpd on-idle
set dhgrp 14
set psksecret ******
set keepalive 20
set dpd-retryinterval 60
next
end
config vpn ipsec phase2-interface
edit "ro01"
set phase1name "dyn-vpn"
set proposal aes256-sha1
set dhgrp 14
set keylifeseconds 3600
set src-subnet 172.18.0.0 255.255.0.0
set dst-subnet 172.28.8.48 255.255.255.248
next
end

Forti Debug:

diagnose vpn ike log-filter dst-addr4 1.2.3.4
diagnose debug application ike -1
diagnose debug enable

ike 0:dyn-vpn_19:8353418:376402091: no matching phase2 found
ike 0:dyn-vpn_19:8353418:376402091: failed to get responder proposal
ike 0:dyn-vpn_19:8353418: error processing quick-mode message from 1.2.3.4 as responder
ike 0: comes 1.2.3.4:28984->1.2.3.4:4500,ifindex=6....
ike 0: IKEv1 exchange=Quick id=a460592ab41a803b/0ade980200093ab3:f8678caa len=444
ike 0: in A460592AB41A803B0ADE980200093AB308102001F8678CAA000001BC1F64BBC9FA313A814516F6562C7DCC012243A78E5A3D48C4686A27EF4AF4DD813DC5C45F3211B090FBBE45346BAB223570423AA1CCEB6A8B601419DA343BE0AF3C44010EBA9BB995D835298F6BB9975BC848300C71853A70C72AFC3BBCBC664366D7AF547B6A87CCBA784680A1058A63697F9FF66F40332A1DD0BA496C0F70665BC10BBCC5DEB6EDD95870725C74E34F35EC71E31DB340C1AB4D05E70876ACBEBE3FC133B03AD48BB3298BB514533A2087A8172928981AE06BA435BBAB61F8059C9B596F1ED26E477F32B77C1E9821BDD0B60B59A88B0E0C4DE7F2FFCC7EC668E402E7A64A4FE7896C5C8E84298DB9B3317941683188C2F93478926FEFA693389585A7A9026316FB70FE434242E165E85372F068AACFB7CDD713F65CBF331D1B03ADDFE07C799A595CFC956B4EB00F36FDD3945F0956AD2C3BB119AA9CFDD16EE4DE26A51616F3BD2A394F75FAC6D6C9CCECD3AC35BC51F3A05B335BF243DD78EA327717F9C9955A71C4951BB7470F5126C1D52FAB0FB564A0FDBFAF1898D1907D8FFED8BFE03E269BB3D67958721A6BBFCCF4DE6F49DD2A7FFD55DFA6957621
ike 0:dyn-vpn_19: HA state master(2)
ike 0:dyn-vpn_19:8353418:376402114: responder received first quick-mode message
ike 0:dyn-vpn_19:8353418: dec A460592AB41A803B0ADE980200093AB308102001F8678CAA000001BC01000018C3DE4A5D9299D277CDAFE9B8F059A7C9BF80A1C50A000044000000010000000100000038010304012513952F0000002C010C0000800400038001000180020E1080010002000200040046500080050002800601008003000E040000180C2B73F9E5D8CEE9F837E70A392515BDB6D3B523050001048A3B49D87DBA6C4875806C61B27E8BDE99F2C487E34C00B7D5E2BC32BB3C753997CA57C4EFE01F261DF79E952DAF54A16BF0B0945410EEE0D44213380B3E9734176603E70071166AE2C097918A5838746BF3C95B2FF69F7BED26CB6019A92EBCC933EF53B5D1145707E9D38DED7B155C3D84F35C57AEA5B50C026A6A11A6C75C7753E0BABCD85B8C27E122E383BDBBDA3D1E0A5FEF29A775AC78F72B20BC45EB13DA56E019306A77024948EB65F6AF14A53DDAB5D277C2E93E6D3563CDDC547530AD4B63955AC11FB77616FD4AE1164A5980D538320F4D7B9EDB40D3AC66309B7AD17BCFE8FDDB4076F801C27EC3537FB214ABA2366C725823DA98418F033A8405000010040000000000000000000000000000100400000000000000000000000000000000000000
ike 0:dyn-vpn_19:8353418:376402114: peer proposal is: peer:0:0.0.0.0-255.255.255.255:0, me:0:0.0.0.0-255.255.255.255:0

Rob Ingram · ‎08-23-2024

@sidp I see no reason why the Fortinet could not be configured to support a standard route based VPN, with the traffic selectors as 0.0.0.0/0.0.0.0.

You can configure a Multi SA VPN on the Cisco IOS-XE router, where the route based VPN acts like a policy based VPN. You'd create a crypto ACL on the Cisco router to mirror the Fortinet's configuration to define the interesting traffic. https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/214728-configure-multi-sa-virtual-tunnel-interf.html

The fact you have debug output implies your ZBFW configuration is working as the devices are attempting to establish the VPN, but we cannot tell from the output above if it's configured correctly and not subsequently causing an issue.

View solution in original post

MHM Cisco World · ‎08-23-2024

MHM

Rob Ingram · ‎08-23-2024

@sidp I see no reason why the Fortinet could not be configured to support a standard route based VPN, with the traffic selectors as 0.0.0.0/0.0.0.0.

You can configure a Multi SA VPN on the Cisco IOS-XE router, where the route based VPN acts like a policy based VPN. You'd create a crypto ACL on the Cisco router to mirror the Fortinet's configuration to define the interesting traffic. https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/214728-configure-multi-sa-virtual-tunnel-interf.html

The fact you have debug output implies your ZBFW configuration is working as the devices are attempting to establish the VPN, but we cannot tell from the output above if it's configured correctly and not subsequently causing an issue.

sidp · ‎08-23-2024

Thanks to both of you. The crypto map was a copy & paste mistake from an older config.

These two command in Tunnel0 did the trick.

ip unnumbered GigabitEthernet0/0/0
tunnel protection ipsec policy ipv4 CACL