Troubleshoot VPN, Help me, Please

Mr.JinSin
Level 1

I have a site-to-site VPN between HCM and Singapore:

  • HCM: Fortigate 80C
  • Singapore: Cisco 2900

Before, there were no problems.

Today, I can't ping from the private IP range of Singapore (192.168.4.0/24) to the private IP range of HCM (192.168.1.0/25). ->>> 0/5

But if I ping from HCM -> Singapore, after that the ping from Singapore to HCM succeeds.

I have the config files of the Cisco and the Fortigate.
Can you help me :(

Thanks a lot

Accepted Solution

Hello,

 

This behavior seems to be that the SA (Security Association) is not being created: when you try to bring the SA up, you are bringing it up from the responder side, whereas from the other side (HCM) it comes up because that is the initiator side.

 

Explanation:

A LAN-to-LAN VPN connects networks in different geographic locations. In IPsec LAN-to-LAN connections, the security appliance can function as initiator or responder. In IPsec client-to-LAN connections, the security appliance functions only as responder. Initiators propose SAs; responders accept, reject, or make counter-proposals—all in accordance with configured SA parameters. To establish a connection, both entities must agree on the SAs.

 

Now just to clarify this a little bit more,

* When you ping from the HCM side, does Singapore work?

* If not, please go ahead and clear the SAs:

     - clear crypto sa peer <118.69.108.120>

     - clear crypto isakmp <ID number>

* After that, send traffic from your side; is that working?

* Those debugs you sent are the process of the ASA building the SA.

* You can see this link:

    https://supportforums.cisco.com/document/72491/understanding-ios-ipsec-and-ike-debugs-ikev1-main-mode

 

Please don't forget to rate and mark the helpful post as correct!

 

David Castro

Regards,      

 

Replies

Hi David Castro,

I have solved this problem!!!

PFS was not enabled on the Cisco router.

Thanks a lot.

Mr.JinSin

Hi Mr. JinSin,

 

That is great. Basically it was an issue with Phase 2; just a little explanation on that, which you might already know:

Perfect Forward Secrecy (PFS) generates and uses a unique session key for each encrypted exchange.

The unique session key protects the exchange from subsequent decryption, even if the entire exchange was recorded and the attacker has obtained the preshared and/or private keys used by the endpoint devices.

Select the required Diffie-Hellman key derivation algorithm from the Modulus Group list box.

Security Manager supports Diffie-Hellman group 1, group 2, group 5, and group 7 key derivation algorithms. Each group has a different size modulus:

* Group 1 (the default): 768-bit modulus.

* Group 2: 1024-bit modulus.

* Group 5: 1536-bit modulus.

* Group 7: Use when the elliptical curve field size is 163 characters.

 

Please don't forget to rate and mark the helpful post as correct!

 

If you have another issue let me know!

David Castro

Regards,
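The one-directional symptom in this thread (tunnel comes up only when HCM initiates, fixed by enabling PFS on the Cisco) can be reproduced with a small model of the Phase 2 proposal check. This is an added Python example, not code from the thread or from Cisco/Fortinet; the peer names, cipher choices and settings are constructed, the rule that an IOS responder without PFS configured still accepts a PFS offer comes from the IOS `set pfs` documentation, and the assumption that the FortiGate side rejects a proposal without PFS once PFS is enabled is mine.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Phase2:
    """Phase 2 (IPsec SA) settings of one peer. Constructed values, not the thread's configs."""
    name: str
    encryption: str
    integrity: str
    pfs_group: Optional[int]   # DH group used for PFS; None = PFS not configured
    accept_pfs_offer: bool     # as responder, accept a PFS offer even if PFS is not configured


def negotiate(initiator: Phase2, responder: Phase2) -> Tuple[bool, str]:
    """Return (agreed, reason) for a Phase 2 negotiation started by `initiator`."""
    if initiator.encryption != responder.encryption:
        return False, f"encryption mismatch: {initiator.encryption} vs {responder.encryption}"
    if initiator.integrity != responder.integrity:
        return False, f"integrity mismatch: {initiator.integrity} vs {responder.integrity}"
    if initiator.pfs_group is None:
        if responder.pfs_group is not None:
            return False, (f"{responder.name} requires PFS group {responder.pfs_group} "
                           f"but {initiator.name} offered no PFS")
        return True, "agreed without PFS"
    # The initiator offers PFS (it sends a KE payload in quick mode).
    if responder.pfs_group is None:
        if responder.accept_pfs_offer:
            return True, f"agreed with PFS group {initiator.pfs_group} ({responder.name} accepted the offer)"
        return False, f"{responder.name} has no PFS and rejected the offer"
    if responder.pfs_group != initiator.pfs_group:
        return False, f"PFS group mismatch: {initiator.pfs_group} vs {responder.pfs_group}"
    return True, f"agreed with PFS group {initiator.pfs_group}"


# Constructed peers modelling the thread. IOS rule (from the `set pfs` docs): if PFS is not
# configured locally, any PFS offer from the peer is accepted. That the FortiGate insists on
# PFS once it is enabled is an assumption made for this illustration.
HCM_FORTIGATE = Phase2("HCM-Fortigate", "aes-128", "sha1", pfs_group=2, accept_pfs_offer=False)
SGP_CISCO_BEFORE = Phase2("SGP-Cisco", "aes-128", "sha1", pfs_group=None, accept_pfs_offer=True)
SGP_CISCO_FIXED = Phase2("SGP-Cisco", "aes-128", "sha1", pfs_group=2, accept_pfs_offer=True)


def symptom_table(cisco: Phase2) -> dict:
    """Try the tunnel from both sides, as the original poster did with his pings."""
    return {
        "Singapore -> HCM": negotiate(cisco, HCM_FORTIGATE)[0],
        "HCM -> Singapore": negotiate(HCM_FORTIGATE, cisco)[0],
    }


if __name__ == "__main__":
    for label, peer in (("before fix", SGP_CISCO_BEFORE), ("after set pfs group2", SGP_CISCO_FIXED)):
        print(label, symptom_table(peer))
```

On IOS the matching setting is `set pfs group2` under the crypto map entry; on the FortiGate the equivalent is `set pfs enable` with `set dhgrp 2` in the Phase 2 configuration.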