Skip to main content
Lsousa
Lsousa
New Member
October 29, 2018
Question

Fortinet 1000D IPSEC With ASA 5512

  • October 29, 2018
  • 2 replies
  • 11921 views

I have a configuration done to a VPN ip sec between a cisco asa 10.0.100.110 anda a fortinet 10.0.100.114 in a network 10.0.100.109/29

 

the information i receive is:

 

Encryption Scheme IKE v1 Authentication Method Pre-shared key: A enviar out-of-band (telefone, SMS, IM) Diffie-Hellman Group Group 2 Encryption Algorithm AES-256 Hashing Algorithm SHA-1 Main or Aggressive Mode Main Mode IKE Lifetime (for renegotiation) 1440 minutes (86400 seconds) NAT Traversal Enabled Keepalive Interval: 10 seconds / Retry interval: 2 seconds Encapsulation Mode tunnel Encryption Algorithm ESP AES-256 Authentication Algorithm SHA-1 Perfect Forward Secrecy Group 2 IPSEC Lifetime (for renegotiation) 480 minutes (28800 seconds) Lifesize in KB (for renegotiation) Unlimited

 

I already done that configutarion and a i can not reach a public ip linked to the private ip of them the services i need to reach by the public ip 197.500.86.15 is Tcp:80 and 4001

 

can someone say-me how can i by the fortigate permite this configuration is something missing in this information?

2 replies

Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
October 29, 2018

I assume Phase2 selctors are 0/0<->0/0 on both sides and the tunnel is up. Then make sure you have a route into the tunnel for the public IP you need to reach to at the FGT. From there you need to sniff packets if they're going into the tunnel. If they do, the problem is on the ASA side.

Lsousa
LsousaAuthor
New Member
October 29, 2018

how can i see if the route is ok, and how can i sniff the packets?

Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
October 29, 2018

"get router info routing-t details 197.500.86.15" would show you the route it follows.

"diag sniffer packet VPN_INTERFACE 'host 197.500.86.15'" would show you the packets. But you have to disable ASIC offloading at the policies to see them in sniffing ("set auto-asic-offload disable").

Lsousa
LsousaAuthor
New Member
October 30, 2018

yes i can ping the public ip 

 

i would like to get first the best way to create the IPSEC VPN

 

MY SCENARIO IS i have a tunnel network range with 3 ips eg: 10.1.100.152/29 with 10.1.100.153 my network, 10.1.100.158 the asa network.

 

I want to get a service: http, https, 5400,5401 of the public ip of the 194.234.117.147.

 

i create a ipsec tunnel and my remote gateway is  10.1.100.158 i do the phase 2 with a local address ip 10.1.100.153 and the remote ip 194.234.117.147. 

 

then i create a policy to get in to the public ip with the port:80

 

i have a static route with the gateway 10.1.100.158 and a destination is 194.234.117.147.

 

i can not get the service http .

 

so my question is whact is the correct way to do this job?

 

i can not bring up the vpn.

Lsousa
LsousaAuthor
New Member
October 30, 2018

I already done This but i can not bring up the tunnel he still down

Lsousa
LsousaAuthor
New Member
October 30, 2018

i try it, but it persist to show too many vpn i have 8. 

 

you have a command that i can see only the debug of one vpn?

Terms & ConditionsAccessibility statement