mrmadgig
New Member
March 25, 2021
Question

Site To Site VPN between Cisco 4421 and Fortigate 100F

  • March 25, 2021
  • 2 replies
  • 17864 views

Hello Everyone new here

New to FortiGate also.

 

I am having a major issue getting a site-to-site VPN up, but first I would like you to tell me:

 

how do you ping the other gateway from the Forti CLI? I see the ping option but I don't get it.

 

execute ping-options source 10.10.111.254 10.222.221.16

command parse error before '10.222.221.16' Command fail. Return code -61

How do you write this syntax out completely to make it work?

Do you need to open ports in the firewall like Cisco (e.g. ESP, IKE etc.) before running the VPN wizard or custom config?

 

I cannot get phase 1 to come up.

 

Thanks

    2 replies

    Toshi_Esumi
    SuperUser
    March 25, 2021

    Just like Cisco, use '?' for the options in any command line, then you would see something like below:

    fg50e-utm (root) # exe ping-o source 10.10.111.254 ?
    <Enter>

    So no further options are taken after the source IP, because this command sets a specific IP for any pinging as its source. It takes only <Enter> after the source IP. Then you can run the actual ping command. My ping can't get any response because your source IP doesn't exist on my FG50E. Also, even if it existed, it's not allowed by any policies.

    fg50e-utm (root) # exe ping 4.2.2.2
    PING 4.2.2.2 (4.2.2.2): 56 data bytes
    ^C
    --- 4.2.2.2 ping statistics ---
    5 packets transmitted, 0 packets received, 100% packet loss

    For IPsec VPN debugging, you eventually need to learn how to run "ike debugging", explained in this KB:

    https://kb.fortinet.com/k....do?externalID=FD46611

    It's the same as Cisco's "debug crypto xxx". So you can see what's failing during negotiations.

    mrmadgig
    Author
    New Member
    March 25, 2021

    Thank you. Yes, I did use the

    But I didn't understand that you had to hit Enter and then execute another ping. Nowhere does it say that.

    Thank you for the link. I will use this. 

    Toshi_Esumi
    SuperUser
    March 25, 2021

    I have to admit FTNT's documentation is not perfect for many users. But once you start using them, you can understand why they built those commands in those particular ways. It's just different from Cisco IOS, or others.

    In the CLI document for "ping-option", it says "Use this command to configure behavior of ping." Most people would understand that it doesn't execute "ping" with this command.

    https://docs.fortinet.com/document/fortimail/6.4.0/cli-reference/936917/ping-option

     

    mrmadgig
    Author
    New Member
    March 25, 2021

    I see what you mean, but this is vague.

    I knew that also, but it doesn't say you need to run another complete command to get the ping to work.

    e.g. cisco#ping 10.10.10.111.254 source 10.10.111.222.254 repeat etc...

    OK, now FGT execute (why even say this???) ping-option source <ip>, now Enter? It goes blank to another command line that is NOT intuitive. It feels as if you accomplished nothing. WTF

     

    FGT# execute ping-option source x.x.x.x enter 

    now right back at the beginning with flashing cursor

    FGT#_   

     

    What the hell happened? OK, I see?? I gotta guess that it needs another 400 characters to ping something.

    No, I disagree that most new people would know.

     

    Anyhow, thanks, I appreciate it.

     

    Can you please tell me, on the FortiGate side, what the equivalent of these is in the tunnel custom config?

     

    crypto ipsec transform-set TestSet esp-3des esp-md5-hmac mode tunnel

     

    Is it just 3DES and MD5?

     

    Thank you
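As an added worked example, not posted by anyone in this thread: the two-step FortiOS ping flow Toshi_Esumi describes, followed by a route-based (phase1-interface) tunnel whose proposals match the Cisco transform-set "esp-3des esp-md5-hmac mode tunnel" quoted above, and the ike debug commands the KB link refers to. The tunnel name "ToCisco", the WAN interface "wan1", the LAN interface "internal", the /24 masks and the remote subnet 192.0.2.0/24 are assumptions and placeholders; only 10.10.111.254 and 10.222.221.16 come from the thread. The pre-shared key is a placeholder that must be replaced.

```text
# --- 1. Ping with a chosen source address (two separate commands) ---
# ping-options only records the source; it prints nothing and returns
# to the prompt. The second command sends the actual probes.
FGT # execute ping-options source 10.10.111.254
FGT # execute ping 10.222.221.16

# --- 2. Phase 1: IKEv1, 3DES/MD5, DH group 2 (matches the Cisco crypto
#        isakmp policy that would go with the quoted transform-set) ---
# No firewall policy is needed for IKE (UDP 500/4500) or ESP to reach the
# FortiGate itself: binding a phase1 to wan1 makes it accept them there.
config vpn ipsec phase1-interface
    edit "ToCisco"                      # assumed tunnel name
        set interface "wan1"            # assumed WAN interface
        set ike-version 1
        set remote-gw 10.222.221.16     # Cisco 4421 public address (from the thread)
        set proposal 3des-md5           # = esp-3des / md5 on the Cisco side
        set dhgrp 2
        set psksecret REPLACE_WITH_PSK  # placeholder
    next
end

# --- 3. Phase 2: the actual transform-set equivalent ---
# "esp-3des esp-md5-hmac" -> proposal 3des-md5
# "mode tunnel"           -> encapsulation tunnel-mode (the default)
config vpn ipsec phase2-interface
    edit "ToCisco-p2"
        set phase1name "ToCisco"
        set proposal 3des-md5
        set encapsulation tunnel-mode
        set pfs disable                 # enable (with a matching group) if the Cisco side uses PFS
        set src-subnet 10.10.111.0 255.255.255.0   # assumed local LAN
        set dst-subnet 192.0.2.0 255.255.255.0     # placeholder remote LAN
    next
end

# --- 4. Route and policies so traffic can use the tunnel ---
config router static
    edit 0
        set dst 192.0.2.0 255.255.255.0            # placeholder remote LAN
        set device "ToCisco"
    next
end
config firewall policy
    edit 0
        set name "LAN-to-Cisco"
        set srcintf "internal"          # assumed LAN interface
        set dstintf "ToCisco"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "Cisco-to-LAN"
        set srcintf "ToCisco"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# --- 5. When phase 1 will not come up: watch the IKE negotiation ---
FGT # diagnose debug application ike -1
FGT # diagnose debug enable
# ... reproduce the failure, then:
FGT # diagnose debug disable
FGT # diagnose vpn ike gateway list
```

Both gateways must agree on every parameter (encryption, hash, DH group, lifetimes, PFS, and the proxy-ID subnets), so a "no proposal chosen" line in the ike debug output almost always means one of the values above differs from the Cisco side. 3DES and MD5 only appear here because that is what the quoted transform-set uses; they are legacy algorithms, and a new tunnel should use AES and SHA-2 (for example proposal aes256-sha256 with dhgrp 14) on both ends.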