Contributor
April 19, 2008
Question

Fortigate licensing + VPN Ipsec

  • April 19, 2008
  • 2 replies
  • 3476 views
Hi,

Does somebody know if, when your antiX license is expired, we are still able to configure IPsec VPN?

I'm trying to configure an IPsec VPN with a Cisco 2811. I tested it in the lab with a FortiGate 60B that has a license and it worked! But now I'm configuring it on a FortiGate 60B whose license is expired, and no IPsec communication (port 500) is getting out of the Forti. Same Forti, same Cisco.

Thanks!
Shera


    abelio
    SuperUser
    April 19, 2008
    Hello,

    There are no licenses involved for complete VPN functionality. Re-check your new config (and disable protection profiles in the firewall policies involved in your VPN, because profiles are affected by due licenses -AV/AS/IPS/WF-).

    Regards,
    Contributor
    April 20, 2008
    Hello,

    Here are my two policies involved in my VPN:

    next
    edit 3
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "SRV_01"
        set dstaddr "SRV_02_out"
        set action ipsec
        set status enable
        set schedule "always"
        set service "ANY"
        set profile-status disable
        set logtraffic disable
        set trafficshaping disable
        set ntlm disable
        set fsae disable
        set disclaimer disable
        set fsae-guest-profile ''
        set natip 0.0.0.0 0.0.0.0
        set diffserv-forward disable
        set diffserv-reverse disable
        set tcp-mss-sender 0
        set tcp-mss-receiver 0
        set comments ''
        set label ''
        set auth-cert ''
        set inbound enable
        set outbound enable
        set natinbound disable
        set natoutbound disable
        set vpntunnel "phase01VPN"
    next
    edit 4
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "SRV_01"
        set dstaddr "nat outside"
        set action ipsec
        set status enable
        set schedule "always"
        set service "ANY"
        set profile-status disable
        set logtraffic disable
        set trafficshaping disable
        set ntlm disable
        set fsae disable
        set disclaimer disable
        set fsae-guest-profile ''
        set natip 0.0.0.0 0.0.0.0
        set diffserv-forward disable
        set diffserv-reverse disable
        set tcp-mss-sender 0
        set tcp-mss-receiver 0
        set comments ''
        set label ''
        set auth-cert ''
        set inbound enable
        set outbound enable
        set natinbound disable
        set natoutbound disable
        set vpntunnel "phase01VPN"

    The profile status is set to disable. Is that what you were talking about? Because I did not enable any anti-X profile. I'm a rookie with Fortinet ... :)

    Regards
    abelio
    SuperUser
    April 20, 2008
    Hello,

    OK, nothing to say about this then. If you have a working conf, re-check it once again and, to avoid strange things, ensure that you're running the same firmware version on both Fortis. If the issue persists, try to post more details here about the conf, the error messages, and everything you consider useful for us to get a picture.

    The FortiGate equivalents to Cisco's "debug crypto isakmp, debug crypto ipsec" commands are:

        diagnose debug enable
        diagnose debug console timestamp enable
        diagnose debug application ike -1

    Regards,
    Contributor
    April 20, 2008
    Hello,

    I've tried those debug commands and nothing was coming out .. weird, because in the lab I was receiving all the logs for the 2 phases.

    The difference between them: OK .. different version and different device ... (I was assuming they were the same, but they are not .. shooottt ..)

        config-version=FGT-60-3.00-FW-build568-071018
        config-version=FGT60B-3.00-FW-build565-070905

    OK then! Monday I will change the Forti with the one I tested in my lab. Thanks a lot for the information.

    Shera
    forti-rookie
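
Added example, not part of the original thread and not Fortinet tooling: a small Python check for the two things the thread ends up comparing, the `config-version` headers of the two units and whether any IPsec policy still has a protection profile enabled. The function names, the reading of the last header field as a build date, and policy 9 in the sample are assumptions made for illustration.

```python
import re
import shlex

# Header layout as quoted in the thread: <model>-<version>-FW-build<NNN>-<YYMMDD>
# (the last field is assumed to be a build date).
HEADER = re.compile(r"^config-version=(?P<model>.+?)-(?P<version>\d+\.\d+)"
                    r"-FW-build(?P<build>\d+)-(?P<date>\d{6})$")

def parse_header(line):
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised config-version line: {line!r}")
    return m.groupdict()

def header_diff(a, b):
    """Return the header fields that differ between two units."""
    pa, pb = parse_header(a), parse_header(b)
    return {k: (pa[k], pb[k]) for k in pa if pa[k] != pb[k]}

def parse_policies(text):
    """Parse 'edit <id> / set <key> <value...> / next' blocks into dicts."""
    policies, current = {}, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if len(tokens) == 2 and tokens[0] == "edit":
            current = policies.setdefault(tokens[1], {})
        elif len(tokens) >= 3 and tokens[0] == "set" and current is not None:
            current[tokens[1]] = " ".join(tokens[2:])
        elif tokens[:1] == ["next"]:
            current = None
    return policies

def ipsec_policies_with_profiles(policies):
    """IDs of IPsec policies that still have a protection profile enabled."""
    return sorted(pid for pid, p in policies.items()
                  if p.get("action") == "ipsec"
                  and p.get("profile-status") == "enable")

# The two headers quoted in the thread.
HEADER_A = "config-version=FGT-60-3.00-FW-build568-071018"
HEADER_B = "config-version=FGT60B-3.00-FW-build565-070905"

# Constructed sample: policy 3 is abbreviated from the thread; policy 9 is
# invented here to show what a positive finding looks like.
SAMPLE = ('edit 3\n set action ipsec\n set profile-status disable\n'
          ' set vpntunnel "phase01VPN"\nnext\n'
          'edit 9\n set action ipsec\n set profile-status enable\nnext\n')
```

Running `header_diff(HEADER_A, HEADER_B)` on the thread's two headers reports a different model and build while the version field matches, which is the mismatch the original poster found by eye.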