FortiGate 60D IPsec to ASA 5516
Good morning. I've been doing some searching and have been unable to find any threads that have resulted in a resolution for my particular issue. I am essentially setting up an IPsec tunnel between my FortiGate 60D (6.0.9) and our ASA 5516 (9.12) for work. I've gone through the process of setting up our tunnel using the FortiGate tunnel wizard. Through my troubleshooting, I've successfully gotten the tunnel to come up, but am only able to do so as long as I specify only one object or subnet in the phase 2 destination. If I add another remote object or subnet to a particular address group, I get varied results.
For example, the tunnel comes up with a remote address of 10.1.1.0/24, and I am able to hit that subnet. If I add an additional subnet to that address group, one of two things happens. Either the entire tunnel drops, or the new subnet becomes reachable and the original subnet becomes unreachable. In both instances, I show a phase 2 negotiation error in the VPN Events log. I did attempt to create a new phase 2 selector for each new destination subnet, but that yielded the same results. It appears I am only able to get one subnet functioning over the tunnel at a time. To note, I do have IPv4 policies (ACLs) in place to allow the named objects to talk back and forth over the tunnel, as well as static routes pointing the remote subnets over the tunnel interface. I'm unsure of what else to try at this point, or what I could be missing. Thanks in advance for any help! Below is a portion of the CLI output with certain pieces negated.
config vpn ipsec phase1-interface
    edit "IPSec"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha1
        set dhgrp 5
        set nattraversal disable
        set remote-gw x.x.x.x
        set psksecret ENC ########
    next
end

config vpn ipsec phase2-interface
    edit "IPSec"
        set phase1name "IPSec"
        set proposal aes256-sha256
        set dhgrp 5
        set replay disable
        set auto-negotiate enable
        set src-addr-type name
        set dst-addr-type name
        set keylifeseconds 86400
        set src-name "Work-Laptop-Wired"
        set dst-name "CNS-ASR9K-Network"
    next
    edit "ROADM"
        set phase1name "CNS-IPSec"
        set proposal aes256-sha256
        set dhgrp 5
        set auto-negotiate enable
        set src-addr-type name
        set dst-addr-type name
        set keylifeseconds 86400
        set src-name "Work-Laptop-Wired"
        set dst-name "CNS-ROADM-Network"
    next
end

config router static
    edit 1
        set device "CNS-IPSec"
        set dstaddr "CNS-IPSec_remote_subnet_1"
    next
    edit 3
        set device "CNS-IPSec"
        set dstaddr "CNS-ASR920-Network"
    next
    edit 4
        set device "CNS-IPSec"
        set dstaddr "CNS-ROADM-Network"
    next
    edit 5
        set device "CNS-IPSec"
        set dstaddr "CNS-ASR9K-Network"
    next
end
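Added example, not part of the post above and not Fortinet or Cisco code: a small Python lint that parses a FortiOS CLI fragment of the shape posted and flags references that do not resolve. Before reading IKE debug output, the first thing to settle is whether every phase2 selector and every static route actually points at the phase1 interface that is up. Run against the posted fragment, the checks report that the phase2 entry "ROADM" and all four static routes reference a phase1 named "CNS-IPSec", while the only phase1 shown is "IPSec"; whether that is a redaction artifact of the post or the live configuration is for the poster to confirm. The sample is a transcription of the posted fragment trimmed to the keys the checks read, with the unterminated blocks closed; "x.x.x.x" is the poster's redaction, and the parser, the check functions and their names are this example's own.

```python
import shlex

# Constructed sample: the FortiOS fragment from the post, trimmed to the keys
# the checks below read. "x.x.x.x" is the poster's redaction, not a real peer.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "IPSec"
        set interface "wan1"
        set ike-version 2
        set remote-gw x.x.x.x
    next
end
config vpn ipsec phase2-interface
    edit "IPSec"
        set phase1name "IPSec"
        set src-addr-type name
        set dst-addr-type name
        set src-name "Work-Laptop-Wired"
        set dst-name "CNS-ASR9K-Network"
    next
    edit "ROADM"
        set phase1name "CNS-IPSec"
        set src-addr-type name
        set dst-addr-type name
        set src-name "Work-Laptop-Wired"
        set dst-name "CNS-ROADM-Network"
    next
end
config router static
    edit 1
        set device "CNS-IPSec"
        set dstaddr "CNS-IPSec_remote_subnet_1"
    next
    edit 3
        set device "CNS-IPSec"
        set dstaddr "CNS-ASR920-Network"
    next
    edit 4
        set device "CNS-IPSec"
        set dstaddr "CNS-ROADM-Network"
    next
    edit 5
        set device "CNS-IPSec"
        set dstaddr "CNS-ASR9K-Network"
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS 'config / edit / set / next / end' lines into nested dicts.

    Keys are the 'config' path (e.g. "vpn ipsec phase1-interface") and the
    'edit' names; each 'set' value is stored as a single joined string.
    """
    root, stack, cur = {}, [], None
    cur = root
    for raw in text.splitlines():
        toks = shlex.split(raw, comments=False)  # keep '#' literal (redactions)
        if not toks:
            continue
        cmd, args = toks[0], toks[1:]
        if cmd in ("config", "edit"):
            stack.append(cur)
            cur = cur.setdefault(" ".join(args), {})
        elif cmd == "set":
            cur[args[0]] = " ".join(args[1:])
        elif cmd in ("next", "end"):
            cur = stack.pop()
    return root


def lint_ipsec(cfg):
    """Referential checks: every phase2 must name a defined phase1-interface,
    and every static route must use a defined phase1-interface as its device."""
    p1 = cfg.get("vpn ipsec phase1-interface", {})
    findings = []
    for name, sel in cfg.get("vpn ipsec phase2-interface", {}).items():
        if sel.get("phase1name") not in p1:
            findings.append(f"phase2 {name!r}: phase1name {sel.get('phase1name')!r} "
                            "is not a defined phase1-interface")
    for seq, rt in cfg.get("router static", {}).items():
        if rt.get("device") not in p1:
            findings.append(f"static route {seq}: device {rt.get('device')!r} "
                            "is not a defined phase1-interface")
    return findings


def selectors_by_phase1(cfg):
    """Map each referenced phase1 name to its (phase2 name, src, dst) selector
    pairs, so you can see at a glance which subnets ride which tunnel."""
    out = {}
    for name, sel in cfg.get("vpn ipsec phase2-interface", {}).items():
        src = sel.get("src-name") or sel.get("src-subnet")
        dst = sel.get("dst-name") or sel.get("dst-subnet")
        out.setdefault(sel.get("phase1name"), []).append((name, src, dst))
    return out


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for line in lint_ipsec(cfg):
        print("FINDING:", line)
    for p1, sels in selectors_by_phase1(cfg).items():
        print(p1, "->", sels)
```

Paste the output of `show vpn ipsec phase1-interface`, `show vpn ipsec phase2-interface` and `show router static` into SAMPLE_CONFIG in place of the transcription to run the same checks on a live box; a route whose device name does not match the phase1 interface will never send traffic into the tunnel, whatever phase 2 negotiates.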
