10-24-2014 11:07 AM
Gents,
I have one main Cisco router 2921 and many Fortinet routers that need to connect via VPN (please see below).
I have programmed it as much as I can, but the tunnels do not seem to come up. I've used the following resources:
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/936-cisco-router-vpn-dynamic-endpoint.html (This for the Cisco router)
http://ciscofortigatevpn.blogspot.ca/2013/04/fortigate-two-phases-cisco-router.html (This for the Fortinet)
But no luck. Where am I going wrong?
=====================================
MAIN ROUTER CONFIG
=====================================
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable password **********
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization network vpn_group_ml_1 local
!
!
aaa session-id common
!
!
clock timezone gmt 0
!
no ipv6 cef
ip source-route
ip cef
!
!
ip dhcp excluded-address 192.168.100.1 192.168.100.49
!
ip dhcp pool TechNet
 network 192.168.100.0 255.255.255.0
 default-router 192.168.100.1
 dns-server 192.168.100.1
 domain-name ********
 option 150 ip 192.168.100.1
!
!
multilink bundle-name authenticated
!
!
username ********* privilege 15 secret 5 **********
!
redundancy
!
!
crypto isakmp policy 1 <------ shared by both VPN types (mobile users and Fortinets)
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ********* address 0.0.0.0 0.0.0.0 <----- for remote Fortinets
!
crypto isakmp client configuration group ******** <------ this is for the mobile laptop users who VPN in (working correctly)
 key ************
 dns 192.168.100.1
 pool VPN-Pool
 acl 120
 max-users 10
crypto isakmp profile vpn-ike-profile-1 <------ this is for the mobile laptop users who VPN in (working correctly)
 description This VPN connection is for Tech User Laptops
 match identity group **********
 client authentication list vpn_xauth_ml_1
 isakmp authorization list vpn_group_ml_1
 client configuration address respond
 virtual-template 2
!
!
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac <------ shared by both VPN types (mobile users and Fortinets)
!
crypto ipsec profile VPN-Profile-1 <------ this is for the mobile laptop users who VPN in (working correctly)
 description This is for Tech User Laptops
 set transform-set encrypt-method-1
!
!
crypto dynamic-map hq-vpn 10 <----- for remote Fortinet #1
 description This is for remote Fortinet 1 router
 set security-association lifetime seconds 86400
 set transform-set encrypt-method-1
 match address VPN1-Fortinet
crypto dynamic-map hq-vpn 11 <----- for remote Fortinet #2
 description This is for remote Fortinet 2 router
 set security-association lifetime seconds 86400
 set transform-set encrypt-method-1
 match address VPN2-Fortinet
!
!
crypto map VPN-FORTINET 1 ipsec-isakmp dynamic hq-vpn <----- for remote Fortinets
!
!
interface GigabitEthernet0/0
 description DSL Interface to ISP
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
!
interface GigabitEthernet0/1
 description Inside Interface
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
!
interface Virtual-Template2 type tunnel <------ this is for the mobile laptop users who VPN in (working correctly)
 description This is for Tech User Laptops
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-Profile-1
!
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 ppp pap sent-username ****** password 0 *******
 crypto map VPN-FORTINET <----- for remote Fortinets
!
!
ip local pool VPN-Pool 192.168.110.20 192.168.110.50 <------ this is for the mobile laptop users who VPN in (working correctly)
ip forward-protocol nd
!
ip nat inside source list 10 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended VPN1-Fortinet <----- for remote Fortinet #1
 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended VPN2-Fortinet <----- for remote Fortinet #2
 permit ip 192.168.100.0 0.0.0.255 192.168.2.0 0.0.0.255
!
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 110 permit ip any any
access-list 120 permit ip 192.168.100.0 0.0.0.255 192.168.110.0 0.0.0.255 <------ this is for the mobile laptop users who VPN in (working correctly)
access-list 120 permit ip 192.168.110.0 0.0.0.255 192.168.100.0 0.0.0.255 <------ this is for the mobile laptop users who VPN in (working correctly)
!
!
control-plane
!
!
end
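An added check, not part of the original post and not the poster's or Cisco's code, that a practitioner would run against a config like the one above before debugging phase 1: on IOS, inside-to-outside traffic is translated by `ip nat inside source` before the egress interface's crypto map is evaluated, so a NAT ACL that permits the LAN-to-remote-LAN flow sends it out with the Dialer0 address as source and it never matches the dynamic map's `match address` ACL. The script parses the NAT and crypto-ACL lines of an IOS config (a constructed excerpt of the posted config is embedded), reports whether each crypto-ACL selector is exempt from translation, and prints the `deny` lines that would exempt it. The `FIXED_CONFIG` variant and the ACL name `NAT-EXEMPT` are assumptions for illustration; a standard ACL such as `access-list 10` matches source addresses only, so the exemption needs an extended ACL.

```python
"""Flag NAT/crypto-ACL overlap (missing NAT exemption) in a Cisco IOS config.

Example code, not from the original post. IOS translates inside-to-outside
traffic before consulting the crypto map on the egress interface, so every
site-to-site selector must be denied in the NAT ACL ahead of its permit.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[str, Net, Net]                 # (action, source, destination)
Finding = Tuple[str, Net, Net, str]          # (crypto ACL, src, dst, verdict)
ANY = ipaddress.IPv4Network("0.0.0.0/0")
PROTOCOLS = {"ip", "tcp", "udp", "icmp", "gre", "esp", "ahp"}

# Constructed excerpt mirroring the posted config: standard ACL 10 drives NAT,
# two extended ACLs are the dynamic crypto map's selectors.
SAMPLE_CONFIG = """\
crypto dynamic-map hq-vpn 10
 match address VPN1-Fortinet
crypto dynamic-map hq-vpn 11
 match address VPN2-Fortinet
ip nat inside source list 10 interface Dialer0 overload
ip access-list extended VPN1-Fortinet
 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended VPN2-Fortinet
 permit ip 192.168.100.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 10 permit 192.168.0.0 0.0.255.255
"""

# Assumed corrected variant: NAT driven by an extended ACL (name NAT-EXEMPT is
# made up) that denies both VPN pairs before the catch-all permit.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "ip nat inside source list 10 interface Dialer0 overload",
    "ip nat inside source list NAT-EXEMPT interface Dialer0 overload",
).replace(
    "access-list 10 permit 192.168.0.0 0.0.255.255",
    "ip access-list extended NAT-EXEMPT\n"
    " deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255\n"
    " deny ip 192.168.100.0 0.0.0.255 192.168.2.0 0.0.0.255\n"
    " permit ip 192.168.0.0 0.0.255.255 any",
)


def parse_wildcard(addr: str, wildcard: str) -> Net:
    """IOS address/wildcard pair -> network (wildcard 1-bits are don't-care)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:                          # legal in IOS, but not a prefix
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.IPv4Network((addr, 32 - w.bit_length()), strict=False)


def take_addr(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Consume one address spec (any | host A | A WILDCARD | A) at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    if i + 1 < len(tokens) and re.fullmatch(r"\d+(\.\d+){3}", tokens[i + 1]):
        return parse_wildcard(tokens[i], tokens[i + 1]), i + 2
    return ipaddress.IPv4Network(tokens[i] + "/32"), i + 1   # bare host (standard ACL)


def parse_entry(tokens: List[str]) -> Optional[Entry]:
    """Parse 'permit|deny [proto] SRC [DST]'; entries with port qualifiers are skipped."""
    if tokens and tokens[0].isdigit():       # optional sequence number
        tokens = tokens[1:]
    if not tokens or tokens[0] not in ("permit", "deny"):
        return None
    try:
        i = 2 if tokens[1] in PROTOCOLS else 1
        src, i = take_addr(tokens, i)
        dst = take_addr(tokens, i)[0] if i < len(tokens) else ANY
    except (ValueError, IndexError):
        return None
    return tokens[0], src, dst


def parse_acls(config: str) -> Dict[str, List[Entry]]:
    """Collect numbered and named ACL entries, keyed by ACL name or number."""
    acls: Dict[str, List[Entry]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            continue
        if tokens[:2] == ["ip", "access-list"] and len(tokens) >= 4:
            current = tokens[3]
            acls.setdefault(current, [])
        elif tokens[0] == "access-list" and len(tokens) >= 3:
            entry = parse_entry(tokens[2:])
            if entry:
                acls.setdefault(tokens[1], []).append(entry)
        elif current and raw.startswith(" "):    # indented body of the named ACL
            entry = parse_entry(tokens)
            if entry:
                acls[current].append(entry)
        else:
            current = None                        # any other top-level command ends it
    return acls


def nat_acl_names(config: str) -> List[str]:
    return re.findall(r"^ip nat inside source list (\S+)", config, re.M)


def crypto_acl_names(config: str) -> List[str]:
    return sorted(set(re.findall(r"^\s+match address (\S+)", config, re.M)))


def check_nat_exemption(config: str) -> List[Finding]:
    """For each crypto-ACL permit, the verdict of the first NAT ACL entry it hits:
    'translated' (the bug), 'exempt', 'partially exempt' or 'unmatched'."""
    acls = parse_acls(config)
    findings: List[Finding] = []
    for nat_name in nat_acl_names(config):
        for cname in crypto_acl_names(config):
            for action, src, dst in acls.get(cname, []):
                if action != "permit":
                    continue
                verdict = "unmatched"
                for nat_action, nsrc, ndst in acls.get(nat_name, []):
                    if not (src.overlaps(nsrc) and dst.overlaps(ndst)):
                        continue
                    if nat_action == "permit":
                        verdict = "translated"
                    elif src.subnet_of(nsrc) and dst.subnet_of(ndst):
                        verdict = "exempt"
                    else:
                        verdict = "partially exempt"
                    break                         # first match wins, as on the router
                findings.append((cname, src, dst, verdict))
    return findings


def wildcard(net: Net) -> str:
    """Render a network in IOS address/wildcard form."""
    return f"{net.network_address} {net.hostmask}"


def exemption_lines(config: str) -> List[str]:
    """Extended-ACL deny lines that would exempt every translated selector."""
    return [f" deny ip {wildcard(s)} {wildcard(d)}"
            for _, s, d, v in check_nat_exemption(config) if v == "translated"]


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        for cname, src, dst, verdict in check_nat_exemption(cfg):
            print(f"{label:6} {cname:14} {src} -> {dst}: {verdict}")
    print("\n".join(exemption_lines(SAMPLE_CONFIG)))
```

Against the posted excerpt both selectors come back `translated`, because `access-list 10 permit 192.168.0.0 0.0.255.255` covers 192.168.100.0/24 to anywhere; the corrected variant reports `exempt` for both. The parser handles `any`, `host`, address/wildcard pairs, sequence numbers and remarks, and deliberately skips entries with port qualifiers, since only `ip` entries are relevant to NAT and crypto selectors.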