KWigle
New Member
September 1, 2015
Question

Fgt to ASA IPSec Tunnel Failing


Hello Group!


I am trying to get an ipsec tunnel up between an 80CM and an ASA.

We are using certificates.

We are using 5.2.4


Certificates were loaded manually through the cli as the gui doesn't like them.

However once entered in the cli they show up nicely to be viewed in the gui.


On the ASA side no errors are seen but we do see a connection being made but then torn down almost immediately.


On the Fgt side we enabled: diagnose debug application ike -255

The results below repeat continuously;


ike 0:Network:326101: auth verify done
ike 0:Network:326102: peer certificate not received
ike 0:Network:326102: certificate validation failed
ike 0:Network:326102: auth verify done
ike 0:Network:326103: peer certificate not received
ike 0:Network:326103: certificate validation failed
ike 0:Network:326103: auth verify done


As a small background, the ASA (main gate) serves hundreds of other ASAs and probably 30 IAS boxes using certs.

This is the first time we have tried using certs on a Fgt.

Not quite sure what "peer certificate not received" alludes to.


Besides the gui issue we have also bumped into a problem with the Remote ID field.

Apparently it will only take 63 chars and below. Our Remote ID of the gate, even if spaces are stripped, is 79 chars.

So we're using "Any peer ID" for now (but our security people will probably complain). Can this be entered in the cli and will it be saved? If we open that tunnel to edit, will the gui then complain about the long string?


So not going as smoothly as hoped.  Any suggestions gladly received!


Kevin
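As an added example (not part of this post, and not a Fortinet or Cisco tool), a small parser for the `diagnose debug application ike -255` output quoted above, so the repeating lines can be grouped per negotiation and the certificate failures counted. It assumes each line has the layout `ike <vdom>:<phase1 name>:<negotiation id>: <message>` and runs on a constructed sample modelled on the quoted lines.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the debug lines quoted in the post above
# (one message per line; the forum rendering ran them together).
SAMPLE_DEBUG = """\
ike 0:Network:326101: auth verify done
ike 0:Network:326102: peer certificate not received
ike 0:Network:326102: certificate validation failed
ike 0:Network:326102: auth verify done
ike 0:Network:326103: peer certificate not received
ike 0:Network:326103: certificate validation failed
ike 0:Network:326103: auth verify done
"""

# Assumed line layout: "ike <vdom>:<phase1 name>:<negotiation id>: <message>"
LINE_RE = re.compile(r"^ike (\d+):([^:]+):(\d+): (.+)$")

# Messages in the quoted output that mark a failed certificate authentication
CERT_FAILURE_MSGS = frozenset({"peer certificate not received", "certificate validation failed"})

def parse_ike_debug(text):
    """Yield (phase1_name, negotiation_id, message); lines not matching LINE_RE are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _vdom, phase1, neg_id, msg = m.groups()
            yield phase1, int(neg_id), msg

def negotiations(text):
    """Group messages by (phase1_name, negotiation_id) in first-seen order."""
    groups = defaultdict(list)
    for phase1, neg_id, msg in parse_ike_debug(text):
        groups[(phase1, neg_id)].append(msg)
    return dict(groups)

def cert_failures(text):
    """{(phase1_name, negotiation_id): [failure messages]} for negotiations whose
    certificate authentication failed; negotiations with no such message are omitted."""
    return {key: [m for m in msgs if m in CERT_FAILURE_MSGS]
            for key, msgs in negotiations(text).items()
            if any(m in CERT_FAILURE_MSGS for m in msgs)}

def summary(text):
    """(failed, total) negotiation counts, the figure to watch while the tunnel keeps retrying."""
    return len(cert_failures(text)), len(negotiations(text))

if __name__ == "__main__":
    print("failed/total negotiations: %d/%d" % summary(SAMPLE_DEBUG))
```

Feeding it a longer capture shows whether every negotiation fails the same way (a configuration or certificate-delivery problem) or only some do (more likely a transport issue such as fragmentation).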


    emnoc
    New Member
    September 1, 2015

    So it seems like you didn't receive a peer-cert. Did they do any diagnostics on the Cisco ASA? And validate peer certification in the cfg?

    e.g.

    debug crypto isakmp


    Abdessamad
    New Member
    November 14, 2015

    Hi,


    I have exactly the same issue.

    The problem probably comes from IKE fragmentation.


    BR

    emnoc
    New Member
    November 14, 2015

    I didn't think you could run site2site VPNs using a certificate from an ASA or the enrollment server. How did they (Cisco) 1> craft a certificate for you, 2> how did they download it?


    Sure the FortiGate can't use SCEP like what's expected and only supported in the Cisco ASA, unless I'm mistaken and something has changed in the last few years.


    Abdessamad
    New Member
    November 14, 2015

    Hi,

    Before migrating to IKEv2, we had a VPN IPsec site-to-site IKEv1 (FGT 100D <--> Cisco ASA 5585) with certificates functioning correctly.

    The certificates were issued from an MS CA server.

    BR

    emnoc
    New Member
    November 14, 2015

    How did you export the cert for the FortiGate from the MS CA? The Cisco ASA only works with SCEP; I heard you can manually execute some things, but it's not as easy as 1 2 3.


    So in the OP post, he needs to make sure the "proper" cert is enabled for the IKE authentication and only the certificate, with no peer-id (unless the Cisco ASA is requiring a peer-id).