whanson
New Member
February 21, 2012
Question

VPN encryption domain on VIP

Had this setup with a PIX515 fairly easily, just can't seem to get it to translate to my Fortigate 60C. Here is the VPN setup from our customer. (IPs have been randomized, sort of)

    Parameter                            Customer          Us
    VPN Gateway                          135.4.4.51        107.2.2.125
    Encryption Domain                    19.0.0.0/8        107.2.2.117
    Support key exchange for subnets     ON                ON
    Encryption                           IKE:AES256:SHA    IKE:AES256:SHA
    IKE phase 1 timeout                  1440 min          1440 min
    IPSEC (phase 2) timeout              3600 sec          3600 sec
    DH group for P1                      2                 2
    PFS                                  Disabled          Disabled
    Keepalive                            Disabled          Disabled

I've tried both policy VPN and interface VPN setups, they just won't seem to connect. What extra info can I post to help figure this mess out? I'm about to set up the PIX just to get this tunnel working again.

    config vpn ipsec phase1
        edit "vpnCUSTpol"
            set interface "wan1"
            set nattraversal disable
            set dhgrp 2
            set keylife 86400
            set proposal aes256-sha1
            set dpd disable
            set remote-gw 135.4.4.51
            set psksecret ENC 7nV0BleK7zZepNi8NLPE6wMIGlpFOGIAbcYNTuiLyq+mTwhJvob8yjughpyZmcJcpILwAu8r5Hx8z0Xa3Jl6v8XVrhAiEX8qqvQLs4VolQkhJBiH
            set auto-negotiate disable
        next
    end

    config vpn ipsec phase2
        edit "p2CUSTpol"
            set dst-addr-type name
            set pfs disable
            set phase1name "vpnCUSTpol"
            set proposal des-md5
            set replay disable
            set src-addr-type ip
            set dst-name "VPN-Cust"
            set keylifeseconds 3600
            set src-start-ip 107.2.2.117
        next
    end

    6 replies

    emnoc
    New Member
    February 21, 2012
    Are you 100% sure that your clients are being NAT'd behind the VIP address 107.2.2.117? Can you show us the associated fwpolicies?
    rwpatterson
    New Member
    February 21, 2012
        config vpn ipsec phase2
            edit "p2CUSTpol"
                set dst-addr-type name
                set pfs disable
                set phase1name "vpnCUSTpol"
                set proposal des-md5
                set replay disable
                set src-addr-type ip
                set dst-name "VPN-Cust"
                set keylifeseconds 3600
                set src-start-ip 107.2.2.117
            next
        end
    In the past, the 'set dst-addr-type name' didn't always work between FGTs and other vendors. Try using the IP address instead.
    whanson (Author)
    New Member
    February 21, 2012
    Are you 100% sure that your clients are being NAT'd behind the VIP address 107.2.2.117?
    No, I'm not... And it should only be one client, the rest of the network is NAT'd out the WAN1 interface.
    Try using the IP address instead.
    Did that, VPN still won't come up. NO-PROPOSAL-CHOSEN is what the log says. I'm mostly interested in getting the VPN up, then working on traffic flow. That should be possible, shouldn't it?
    rwpatterson
    New Member
    February 21, 2012
    If your policy is in place, check to make sure the quick mode selectors match what the Cisco has, and check that both have the same PFS settings in phase 2.
    whanson (Author)
    New Member
    February 21, 2012
    Just got the tunnel to come up. It should have been AES256-SHA in P1 and P2. I saw somewhere else here that interface mode with a NAT pool for a single address would be the way to go. Will give that a try next. Can't set Destination Address in P2 in interface mode. ??
    whanson (Author)
    New Member
    February 22, 2012
    What I really need to do is outlined in the first 3 posts here. But I seem to be unable to get the tunnel to come up in interface mode. I assume this is because I cannot set the Destination Address in the Phase 2 configuration when in interface mode. Which seems to be killing me, since I'm trying to connect to a Cisco ASA.
    asbeck
    New Member
    February 22, 2012
    Whanson, to resolve your problem, try the information below:

    Phase 2: add the command
        set use-natip disable

    In the Firewall Policy: add the command
        set natip 107.2.2.117 255.255.255.255

    Your Firewall Policy configuration should look like this:

        config firewall policy
            edit XX
                set srcintf "port1"
                set dstintf "wan1"
                set srcaddr "192.168.100.73"
                set dstaddr "VPN-Cust"
                set action ipsec
                set schedule "always"
                set service "ANY"
                set logtraffic enable
                set logtraffic-app disable
                set natip 107.2.2.117 255.255.255.255
                set inbound enable
                set outbound enable
                set natinbound enable
                set natoutbound enable
                set vpntunnel "vpnCUSTpol"
            next
        end
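    For reference, here is the complete policy-mode configuration as it ends up after the two fixes in this thread (matching AES256/SHA proposals in both phases, and NATing the single client to 107.2.2.117 before it enters the tunnel). This is an added consolidated example, not whanson's or asbeck's posted config and not Fortinet documentation. Assumptions: the customer's /8 is expressed as an address object named "VPN-Cust" and as a subnet-type Phase 2 selector, the policy is created with `edit 0` (next free ID), and the pre-shared key is a placeholder.

```fortios
# Phase 1: parameters must match the customer's IKE settings
# (AES256/SHA, DH group 2, 1440 min = 86400 s lifetime, no PFS, no keepalive)
config vpn ipsec phase1
    edit "vpnCUSTpol"
        set interface "wan1"
        set nattraversal disable
        set dhgrp 2
        set keylife 86400
        set proposal aes256-sha1
        set dpd disable
        set remote-gw 135.4.4.51
        set psksecret <PRE-SHARED-KEY-PLACEHOLDER>
        set auto-negotiate disable
    next
end

# Customer encryption domain as a firewall address object (assumed definition)
config firewall address
    edit "VPN-Cust"
        set subnet 19.0.0.0 255.0.0.0
    next
end

# Phase 2: quick mode selectors must mirror the ASA's crypto ACL:
# our side is the single public address 107.2.2.117, their side is 19.0.0.0/8.
# The proposal is AES256/SHA here as well (des-md5 produced NO-PROPOSAL-CHOSEN).
# use-natip disable keeps the source selector configured here instead of
# deriving it from the firewall policy's natip (asbeck's fix).
config vpn ipsec phase2
    edit "p2CUSTpol"
        set phase1name "vpnCUSTpol"
        set proposal aes256-sha1
        set pfs disable
        set replay disable
        set keylifeseconds 3600
        set use-natip disable
        set src-addr-type ip
        set src-start-ip 107.2.2.117
        set dst-addr-type subnet
        set dst-subnet 19.0.0.0 255.0.0.0
    next
end

# Policy-mode IPsec policy: only the one internal host is allowed into the
# tunnel, and it is NATed to 107.2.2.117 so that traffic matches the selectors.
config firewall policy
    edit 0
        set srcintf "port1"
        set dstintf "wan1"
        set srcaddr "192.168.100.73"
        set dstaddr "VPN-Cust"
        set action ipsec
        set schedule "always"
        set service "ANY"
        set logtraffic enable
        set natip 107.2.2.117 255.255.255.255
        set inbound enable
        set outbound enable
        set natinbound enable
        set natoutbound enable
        set vpntunnel "vpnCUSTpol"
    next
end
```

    The point of the layout is that the three places where 107.2.2.117 appears (Phase 2 source selector, policy natip, and the customer's view of our encryption domain) all have to agree; if any one of them drifts, Phase 1 can still come up while Phase 2 fails or traffic is dropped by the peer.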
    whanson (Author)
    New Member
    February 22, 2012
    That got it in Policy mode! Thank you!