dillee1
New Member
September 1, 2015
Question

fortigate ipsec cisco

  • September 1, 2015
  • 4 replies
  • 4085 views

Hi all.

I need to connect a FortiGate 200A (2.80, build456, 050704) to a 2nd-party Cisco router.

The goal is something like this:

my_server(private IP mapped to a VIP) <->fortigate<->cisco<->target_server(public IP)

 

The 2nd party insists on a public IP for the IPsec setup, and my_server has a public virtual IP mapped to it.

I managed to get the tunnel to come up when I ping/traceroute my_server -> target_server, but no replies are ever received.

The 2nd party insisted that they have the intervening firewall(s) opened.

 

Below are the only settings I have found so far that bring up the tunnel on demand successfully:

 

FortiGate IPsec phase 2 settings:

Quick Mode Identities: Specify a selector
Source address: my_server public IP
Source port: 0
Dest address: target_server IP
Dest port: 0
Protocol: 0

 

Firewall policy (interfaces, ID, source, destination, schedule, service, action):

internal -> wan1     88     my_server     target_server     always     ANY     ENCRYPT

 

Please help.

    4 replies

    vjoshi_FTNT
    Staff
    September 1, 2015

    Hello,

     

    Please use the commands below to get the actual cause of the issue, or at least to see whether the request is leaving the FortiGate:

     

    diag debug reset
    diag debug disable
    diag debug enable
    diag debug flow filter daddr x.x.x.x
    diag debug flow show console enable
    diag debug console timestamp enable
    diag debug flow trace start 20

     

     

    NOTE:

    - x.x.x.x is the IP address to which you are initiating the traffic (the target server)

    - Once you have captured the output, you can disable the debug with the command: diag debug disable

     

    Please post the output here so we can understand the traffic.

     

     

     

    ede_pfau
    SuperUser
    September 1, 2015

    Possible duplicate of this recent post.

     

    Cisco demands the public WAN IP address as the source IP address of the traffic within the tunnel. My best guess is that they want to avoid address overlap this way which may occur easily if you allow private addresses on the tunnel.

     

    FGTs can source-NAT traffic entering the tunnel. See link above.

    dillee1
    Author
    New Member
    September 2, 2015

    @vjoshi_FTNT

    This command is not available on my firmware version:

    diag debug flow filter daddr x.x.x.x

     

    Is there any equivalent command on older FortiOS?

     

    @ede_pfau

    my_server has a virtual IP forwarding all ports to it. It should be using its public VIP as the SNAT address, thus having its own dedicated SNAT pool? I am not sure whether the FortiGate SNATs my_server before encryption or after; obviously the latter wouldn't work....

    vjoshi_FTNT
    Staff
    September 2, 2015

    Hello,

    x.x.x.x should be replaced by the destination IP to which you are pinging.

     

    dillee1 wrote:

    @vjoshi_FTNT

    This command is not available on my firmware version:

    diag debug flow filter daddr x.x.x.x

     

    Is there any equivalent command on older FortiOS?

     

     

    ede_pfau
    SuperUser
    September 2, 2015

    Source NAT takes place before encryption as you have correctly reasoned. In FortiOS, SNAT is applied through "IP pools" in the policy 'internal' -> 'tunnel'.
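
To make the chain concrete, below is an added example of the policy-based IPsec configuration that implements what ede_pfau describes: the policy matches my_server by its private address, translates the source to the public VIP before encryption, and the phase 2 selector is written for the public VIP so the Cisco side sees the address it insists on. This is not configuration from the original thread or from Fortinet. It is written in FortiOS 4.x-era CLI syntax (the 2.80 firmware in the question names some of these settings differently, so treat the keywords as an assumption to be checked against that version's CLI reference), and every address (192.168.1.10 for my_server, 203.0.113.10 for its public VIP, 198.51.100.20 for target_server, 198.51.100.1 for the Cisco peer), the pre-shared key and every object name are placeholders chosen for illustration.

```text
# --- Added example, not from the original post. All addresses, names
# --- and the PSK are assumed placeholders; keyword names are 4.x-era.

# Address objects: the policy matches the server by its PRIVATE address,
# because that is the source the packet carries when it hits the policy.
config firewall address
    edit "my_server_priv"
        set subnet 192.168.1.10 255.255.255.255
    next
    edit "target_server"
        set subnet 198.51.100.20 255.255.255.255
    next
end

# Phase 1: peer is the Cisco router's public address.
config vpn ipsec phase1
    edit "to_cisco"
        set interface "wan1"
        set remote-gw 198.51.100.1
        set proposal 3des-sha1
        set psksecret "replace-with-real-psk"
    next
end

# Phase 2 selector: source is the PUBLIC VIP, not the private address,
# so it matches the crypto ACL the 2nd party built around the public IP.
config vpn ipsec phase2
    edit "to_cisco_p2"
        set phase1name "to_cisco"
        set proposal 3des-sha1
        set src-addr-type ip
        set src-start-ip 203.0.113.10
        set dst-addr-type ip
        set dst-start-ip 198.51.100.20
    next
end

# Policy: SNAT to the VIP happens here, before the packet is encrypted,
# so the encrypted payload carries 203.0.113.10 as its source and lands
# inside the phase 2 selector above. Replies to 203.0.113.10 arriving in
# the tunnel are mapped back to 192.168.1.10 by the session table.
config firewall policy
    edit 88
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "my_server_priv"
        set dstaddr "target_server"
        set schedule "always"
        set service "ANY"
        set action ipsec
        set vpntunnel "to_cisco"
        set inbound enable
        set outbound enable
        set natoutbound enable
        set natip 203.0.113.10 255.255.255.255
    next
end
```

The check that matters after applying something like this is that the phase 2 selector and the post-NAT source agree: if the policy NATs to 203.0.113.10 but the selector still names the private address (or the reverse), the FortiGate will either refuse to encrypt the packet or negotiate a phase 2 the Cisco crypto ACL does not match, which is exactly the "tunnel up, no replies" symptom in the question. The debug flow trace suggested earlier in the thread is the place to confirm which source address the packet carries when it enters the tunnel.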