861 Views, 0 Helpful, 4 Replies

Cisco to Fortigate ipsec VPN problem

ciscoreg2
Level 1

Hi,

After I configured the settings below, it seems the tunnel passes no data between the two devices. Can anyone help to check the problem?

Cisco:

crypto isakmp policy 10
encr aes
authentication pre-share
group 14
lifetime 28800
crypto isakmp key foritgate address 111.111.111.111
crypto isakmp keepalive 10 5
!
!
crypto ipsec transform-set aes256-sha esp-aes 256 esp-sha-hmac
mode tunnel
!
!
!
crypto map side-sz 10 ipsec-isakmp
set peer 111.111.111.111
set transform-set aes256-sha
set pfs group14
match address 101
!
!
!

interface Dialer1
mtu 1492
ip address negotiated
ip mtu 1460
ip nat outside
ip virtual-reassembly in max-reassemblies 1024
encapsulation ppp
ip tcp adjust-mss 1420
dialer pool 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxx
ppp chap password 0 xxxx
crypto map side-sz
!
ip nat inside source list DSL_ACCESSLIST interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1

ip access-list extended DSL_ACCESSLIST
permit ip 192.168.188.0 0.0.0.255 any
permit ip 192.168.186.0 0.0.0.255 any
permit ip 10.13.0.0 0.0.0.255 any

access-list 101 permit ip 192.168.0.0 0.0.255.255 any

Fortigate:

config vpn ipsec phase1-interface
edit "vpn01-sdwan"
set type dynamic
set interface "port1"
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set add-route disable
set dpd on-idle
set auto-discovery-receiver enable
set psksecret ENC 123etrds
set dpd-retryinterval 60
next
end

config vpn ipsec phase2-interface
edit "vpn01-sdwan"
set phase1name "vpn01-sdwan"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
next
end
show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status

IPv6 Crypto ISAKMP SA

show crypto ipsec sa

interface: Dialer1
Crypto map tag: side-sz, local addr 11.11.11.2

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 22.22.22.22 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 11.11.11.2, remote crypto endpt.: 22.22.22.22
plaintext mtu 1460, path mtu 1460, ip mtu 1460, ip mtu idb Dialer1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:
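The output above (no ISAKMP SA at all, 0 packets encapsulated) is consistent with IKE never being triggered rather than failing to negotiate. The following is an added example, not code from the thread: it replays the Cisco IOS inside-to-outside order of operations, in which the inside source NAT list translates a packet before the crypto map ACL is evaluated, using the NAT list and ACL 101 exactly as posted. The remote LAN 172.16.0.0/16 behind the FortiGate and the `deny` line in the corrected NAT list are assumptions, since the Cisco side only shows `any`.

```python
"""Model why the posted configuration never brings the tunnel up.

Added example, not code from the thread. In IOS, for traffic going from an
'ip nat inside' interface to an 'ip nat outside' interface, NAT runs BEFORE
the crypto map ACL is checked. A packet that is PAT'd to the Dialer1 address
therefore no longer matches a crypto ACL written for the private source range,
and IKE is never started for it.
"""
import ipaddress

# ACL text copied from the thread (NAT list DSL_ACCESSLIST and crypto ACL 101).
NAT_ACL_POSTED = """
permit ip 192.168.188.0 0.0.0.255 any
permit ip 192.168.186.0 0.0.0.255 any
permit ip 10.13.0.0 0.0.0.255 any
"""
CRYPTO_ACL_101 = "permit ip 192.168.0.0 0.0.255.255 any"

# Assumption: the subnet behind the FortiGate is 172.16.0.0/16 (the thread only
# shows "any"). The deny line exempts VPN-bound traffic from NAT so it reaches
# the crypto map with its real source address.
NAT_ACL_FIXED = """
deny   ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
permit ip 192.168.188.0 0.0.0.255 any
permit ip 192.168.186.0 0.0.0.255 any
permit ip 10.13.0.0 0.0.0.255 any
"""

DIALER1_IP = "11.11.11.2"  # local crypto endpoint shown in 'show crypto ipsec sa'


def _parse_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # Wildcard bits set to 1 are "don't care"; their count gives the host part length.
    wild_bits = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    net = ipaddress.ip_network(f"{addr}/{32 - wild_bits}", strict=False)
    return net, tokens[2:]


def parse_acl(text):
    """Parse 'permit|deny ip SRC DST' lines into (action, src_net, dst_net) tuples."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        action, proto = parts[0], parts[1]
        if proto != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {line!r}")
        src, rest = _parse_addr(parts[2:])
        dst, _ = _parse_addr(rest)
        entries.append((action, src, dst))
    return entries


def acl_permits(entries, src, dst):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    for action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def outbound_path(nat_acl_text, crypto_acl_text, src, dst, outside_ip=DIALER1_IP):
    """Return what the crypto map sees for one inside->outside packet.

    NAT overload is applied first; the crypto ACL is then checked against the
    (possibly translated) source address.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    natted = acl_permits(parse_acl(nat_acl_text), src_ip, dst_ip)
    seen_src = ipaddress.ip_address(outside_ip) if natted else src_ip
    return {
        "natted": natted,
        "source_seen_by_crypto_map": str(seen_src),
        "triggers_ike": acl_permits(parse_acl(crypto_acl_text), seen_src, dst_ip),
    }


if __name__ == "__main__":
    for label, nat_acl in (("posted", NAT_ACL_POSTED), ("fixed", NAT_ACL_FIXED)):
        print(label, outbound_path(nat_acl, CRYPTO_ACL_101, "192.168.188.10", "172.16.1.10"))
```

With the posted NAT list, a host in 192.168.188.0/24 sending to the remote LAN is translated to 11.11.11.2 before the crypto map looks at it, so ACL 101 never matches and no IKE session is attempted; with the `deny` line in place the packet keeps its private source, matches ACL 101 and starts IKE, while internet-bound traffic is still translated as before. The model also shows a side effect of the `any` destination in ACL 101: a 192.168.x host that is not covered by the NAT list would be treated as VPN-interesting even when sending to the internet, which is why the crypto ACL destination is normally limited to the remote LAN.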

4 Replies

Sorry, if all traffic goes through the dialer interface, why did you configure NAT?

ciscoreg2
Level 1

NAT was for all local devices to access the internet.

Sorry, it's an old post, but did you find a solution?

ciscoreg2
Level 1

I re-configured all settings, and now it is working.