AhmedT
New Member
September 14, 2020
Question

Fortigate VPN with Stormshield VTI Virtual Tunneling Interface

  • September 14, 2020
  • 5 replies
  • 17143 views

Hello,

I'm trying to create a VTI VPN Tunnel between Stormshield and Fortigate.

My VPN is up but I can send other traffic than my traffic selectors.

I have attached a schema which explains the architecture and a network traffic capture on the Forti's port1 and the IPsec VPN tunnel.

I see echo request and echo reply in the tunnel but the echo reply doesn't appear in the outgoing ESP traffic.

Thank you for your help!

AhmedT

5 replies

AhmedT (Author)
New Member
September 14, 2020

VPN Capture

AhmedT (Author)
New Member
September 14, 2020

Port 1

Toshi_Esumi
SuperUser
September 14, 2020

If you run packet capture on a FGT specifying a tunnel interface, I think it captures packets before ESP encryption/after ESP decryption. If you want to capture ESP encrypted packets, you need to insert a switch with port mirroring and hook up a laptop to it to see packets between two FWs.

Based on the diagram, I think the problem is the unwanted destinations are reachable without the tunnel. Since this seems to be a test/lab environment, just make sure the unwanted destinations' routes don't exist including the default route to the other side. Then set routes only for the desired destinations INTO the tunnel on both ends.

AhmedT (Author)
New Member
September 15, 2020

Hi Toshi,

Thank you for your help!

I created a static route; I have attached a screenshot.

AhmedT

ago_icaar
New Member
January 31, 2023

Hello @AhmedT,

I'm trying to create an IPsec VPN tunnel on routing policy by using VTI between Fortigate and Stormshield.
Network side Stormshield is 172.28.100.0/24
And Fortigate side is 172.19.0.0/16 and 172.20.0.0/16
SNS vti is 192.168.155.3
FG vti is 192.168.155.1
On Stormshield in phase 2, I put the VTI IP addresses as local network and remote network.

Tunnel is up when the phase 2 selector on the Fortigate side is:
proxyid=HQ-wan1 proto=0 sa=1 ref=3 serial=1 ads
src: 0:192.168.155.1-192.168.155.1:0
dst: 0:192.168.155.3-192.168.155.3:0

Fortigate drops packets because "No matching IPsec selector, drop".
I have implemented BGP routing and it works.

How did you set up your tunnels on Fortigate and Stormshield?

Thank you for your help
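For readers comparing their own setup: the FortiGate side of a route-based VTI, written as an added illustration rather than anyone's posted configuration. It puts the narrow selectors shown in the diagnose output above next to the wide selectors a route-based phase2-interface normally uses, and adds the static route into the tunnel that Toshi_Esumi's reply describes. The tunnel name "HQ-wan1" (from the output above), "port1" and the policy name are assumptions.

```fortios
# FortiOS CLI, added illustration (not from any post); tunnel name "HQ-wan1" and port1 are assumptions.
# Selectors as in the diagnose output above: only the two VTI /32s match,
# so LAN-to-LAN traffic routed into the tunnel gets "No matching IPsec selector, drop".
config vpn ipsec phase2-interface
    edit "HQ-wan1"
        set phase1name "HQ-wan1"
        set src-subnet 192.168.155.1 255.255.255.255
        set dst-subnet 192.168.155.3 255.255.255.255
    next
end
# Route-based form: 0.0.0.0/0 selectors (FortiGate's default for a phase2-interface),
# so the routing table decides what enters the tunnel. The Stormshield peer must
# negotiate the same wide selectors; that compatibility is the open question here.
config vpn ipsec phase2-interface
    edit "HQ-wan1"
        set phase1name "HQ-wan1"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
# VTI addresses from the thread on the tunnel interface.
config system interface
    edit "HQ-wan1"
        set ip 192.168.155.1 255.255.255.255
        set remote-ip 192.168.155.3 255.255.255.255
    next
end
# Route only the desired remote network into the tunnel (Toshi_Esumi's point):
# no default route or other path to 172.28.100.0/24 may exist elsewhere.
config router static
    edit 0
        set dst 172.28.100.0 255.255.255.0
        set device "HQ-wan1"
    next
end
# Firewall policies are still needed in both directions; one direction shown.
config firewall policy
    edit 0
        set name "LAN-to-Stormshield"
        set srcintf "port1"
        set dstintf "HQ-wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

After applying it, `diagnose vpn tunnel list name HQ-wan1` should show selectors of 0:0.0.0.0-255.255.255.255:0 instead of the /32 pair quoted above.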

SylvainCASA
New Member
January 30, 2024

Hello,

I'm in the same case. Do you have screen configurations of your Fortigate and Stormshield and the BGP configuration? I asked Stormshield support and they told me "Sorry, currently VTI tunnels are only supported when both equipment in the tunnel are Stormshield." and I think they just don't know how to do it...

Thank you.

Maxime-B
Visitor III
October 14, 2024

Hello,

Did anyone succeed? I am trying to configure this VPN too but only one way seems to be good...

Regards.

SylvainCASA
New Member
October 14, 2024

I asked them and it's because there is no compatibility of VTI interfaces with other products.

I replaced all my remote Stormshield firewalls with maintenance near expiry with Fortigate 40F. More efficient and works like a charm. Sorry for them, but they are taking too much time to solve this kind of problem. Also, new models like the SNS 220/320 have the problem too; it's a software problem and slow development.

Maxime-B
Visitor III
October 15, 2024

Ok; thanks!