Yngve0
New Member
June 14, 2019
Question

VPN / ipsec Fortigate 60D - Palo Alto

Hi, I am fighting with setting up a VPN between a Palo Alto 220 and a FGT 60D.

Some details:

FGT 60D: Dynamic IP (FQDN) and located behind a NAT'ed device. FortiOS 6.0.3

PA220: Dynamic IP (FQDN) and no NAT. OS 9.0.2

It seems like Phase1 is up, but Phase2 fails.

Palo Alto debug log

2019-06-14 17:04:56.345 +0200 [PNTF]: { 1: }: ====> PHASE-1 NEGOTIATION SUCCEEDED AS RESPONDER, AGGRESSIVE MODE <====
                                                      ====> Established SA: x.x.x.x[4500]-y.y.y.y[4500] cookie:605ac2b9dd819298:8be07827467e31f3 lifetime 28800 Sec <====
2019-06-14 17:04:56.346 +0200 [PNTF]: { 1: }: ====> PHASE-2 NEGOTIATION STARTED AS RESPONDER, (QUICK MODE) <====
                                                      ====> Initiated SA: x.x.x.x[4500]-y.y.y.y[4500] message id:0x80E39611 <====
2019-06-14 17:04:56.346 +0200 [INFO]: { 1: }: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
2019-06-14 17:04:56.347 +0200 [ERR ]: my_sa_ipaddr or peers_sa_ipaddr is unsupported address type (type FQDN)
2019-06-14 17:04:56.347 +0200 [ERR ]: { 1: 1}: pfkey getspi failed for responder
2019-06-14 17:04:56.347 +0200 [PERR]: { : 1}: failed to process packet.
2019-06-14 17:04:58.344 +0200 [PNTF]: { 1: }: ====> PHASE-2 NEGOTIATION STARTED AS RESPONDER, (QUICK MODE) <====
                                                      ====> Initiated SA: x.x.x.x[4500]-y.y.y.y[4500] message id:0x80E39611 <====
2019-06-14 17:04:58.345 +0200 [INFO]: { 1: }: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
2019-06-14 17:04:58.345 +0200 [ERR ]: my_sa_ipaddr or peers_sa_ipaddr is unsupported address type (type FQDN)
2019-06-14 17:04:58.345 +0200 [ERR ]: { 1: 1}: pfkey getspi failed for responder
2019-06-14 17:04:58.345 +0200 [PERR]: { : 1}: failed to process packet.

FGT60D debug

ike 1:vpn_pp36pa220:vpn_custTunnel: IPsec SA connect 5 192.168.11.251->x.x.x.x:4500
ike 1:vpn_custTunnel:vpn_custTunnel: using existing connection
ike 1:vpn_custTunnel:vpn_custTunnel: config found
ike 1:vpn_custTunnel: request is on the queue
ike 1:vpn_custTunnel:vpn_custTunnel: IPsec SA connect 5 192.168.11.251->x.x.x.x:4500
ike 1:vpn_custTunnel:vpn_custTunnel: using existing connection
ike 1:vpn_custTunnel:vpn_custTunnel: config found
ike 1:vpn_custTunnel: request is on the queue
ike 1:vpn_custTunnel: NAT keep-alive 5 192.168.11.251->x.x.x.x:4500.
ike 1:vpn_custTunnel:483: out FF
ike 1:vpn_custTunnel:483: sent IKE msg (keepalive): 192.168.11.251:4500->x.x.x.x:4500, len=1, id=ff00000000000000/0000000091000000:e873a604
ike shrank heap by 155648 bytes
ike 1:vpn_custTunnel:vpn_custTunnel: IPsec SA connect 5 192.168.11.251->x.x.x.x:4500
ike 1:vpn_custTunnel:vpn_custTunnel: using existing connection
ike 1:vpn_custTunnel: config found
ike 1:vpn_custTunnel: request is on the queue

    emnoc
    New Member
    June 14, 2019

    It would be better to see the cfgs, but I believe dynamic to dynamic with FQDN phase1. Did you check the PANOS logs? Or show vpn ike | ipsec? The same with diag vpn ike and diag vpn tunnel commands on the FortiOS side?

    FWIW, I'm doing the exact same cfg but with a FortiOS and Forcepoint firewall. I even mix and match phase1-id types email and fqdn.

    Ken Felix

    Yngve0 (Author)
    New Member
    June 14, 2019

    Here is the config:

    Fortigate 60D:

    config vpn ipsec phase1-interface
        edit "vpn_pp36pa220"
            set type ddns
            set interface "wan1"
            set keylife 28800
            set mode aggressive
            set peertype one
            set proposal aes256-sha512
            set localid "fgt60d@mydomain.eu"
            set dhgrp 14
            set remotegw-ddns "pa220.mydomain.eu"
            set peerid "pa220@mydomain.eu"
            set psksecret ENC secret
        next
    end
    config vpn ipsec phase2-interface
        edit "vpn_pp36pa220"
            set phase1name "vpn_pp36pa220"
            set proposal aes256-sha512
            set dhgrp 14
            set auto-negotiate enable
            set keylifeseconds 3600
        next
    end

    Palo Alto:

            <ike>
              <crypto-profiles>
                <ike-crypto-profiles>
                  <entry name="default">
                    <encryption>
                      <member>aes-128-cbc</member>
                      <member>3des</member>
                    </encryption>
                    <hash>
                      <member>sha1</member>
                    </hash>
                    <dh-group>
                      <member>group2</member>
                    </dh-group>
                    <lifetime>
                      <hours>8</hours>
                    </lifetime>
                  </entry>
                  <entry name="dh14-sha256-aes256-8h">
                    <hash>
                      <member>sha512</member>
                    </hash>
                    <dh-group>
                      <member>group14</member>
                    </dh-group>
                    <encryption>
                      <member>aes-256-cbc</member>
                    </encryption>
                    <lifetime>
                      <hours>8</hours>
                    </lifetime>
                  </entry>
                </ike-crypto-profiles>
                <ipsec-crypto-profiles>
                  <entry name="default">
                    <esp>
                      <encryption>
                        <member>aes-128-cbc</member>
                        <member>3des</member>
                      </encryption>
                      <authentication>
                        <member>sha1</member>
                      </authentication>
                    </esp>
                    <dh-group>group2</dh-group>
                    <lifetime>
                      <hours>1</hours>
                    </lifetime>
                  </entry>
                  <entry name="esp-aes256-sha256-dh14-1h">
                    <esp>
                      <authentication>
                        <member>sha512</member>
                      </authentication>
                      <encryption>
                        <member>aes-256-cbc</member>
                        <member>aes-256-gcm</member>
                      </encryption>
                    </esp>
                    <lifetime>
                      <hours>1</hours>
                    </lifetime>
                    <dh-group>group14</dh-group>
                  </entry>
                </ipsec-crypto-profiles>
                <global-protect-app-crypto-profiles>
                  <entry name="default">
                    <encryption>
                      <member>aes-128-cbc</member>
                    </encryption>
                    <authentication>
                      <member>sha1</member>
                    </authentication>
                  </entry>
                </global-protect-app-crypto-profiles>
              </crypto-profiles>
              <gateway>
                <entry name="gw_fgt60d">
                  <authentication>
                    <pre-shared-key>
                      <key>xyz</key>
                    </pre-shared-key>
                  </authentication>
                  <protocol>
                    <ikev1>
                      <dpd>
                        <enable>yes</enable>
                      </dpd>
                      <ike-crypto-profile>dh14-sha256-aes256-8h</ike-crypto-profile>
                      <exchange-mode>aggressive</exchange-mode>
                    </ikev1>
                    <ikev2>
                      <dpd>
                        <enable>yes</enable>
                      </dpd>
                      <ike-crypto-profile>dh14-sha256-aes256-8h</ike-crypto-profile>
                    </ikev2>
                    <version>ikev1</version>
                  </protocol>
                  <protocol-common>
                    <nat-traversal>
                      <enable>yes</enable>
                    </nat-traversal>
                    <passive-mode>no</passive-mode>
                  </protocol-common>
                  <local-address>
                    <interface>ethernet1/1</interface>
                  </local-address>
                  <peer-address>
                    <fqdn>fgt60d.mydomain.eu</fqdn>
                  </peer-address>
                  <peer-id>
                    <id>fgt60d@mydomain.eu</id>
                    <type>ufqdn</type>
                  </peer-id>
                  <local-id>
                    <id>pa220@mydomain.eu</id>
                    <type>ufqdn</type>
                  </local-id>
                </entry>
              </gateway>
            </ike>
            <tunnel>
              <ipsec>
                <entry name="vpn_fgt60d">
                  <auto-key>
                    <ike-gateway>
                      <entry name="gw_fgt60d"/>
                    </ike-gateway>
                    <ipsec-crypto-profile>esp-aes256-sha256-dh14-1h</ipsec-crypto-profile>
                  </auto-key>
                  <tunnel-monitor>
                    <enable>no</enable>
                  </tunnel-monitor>
                  <tunnel-interface>tunnel.36</tunnel-interface>
                  <anti-replay>yes</anti-replay>
                </entry>
              </ipsec>
            </tunnel>
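    An added cross-check, written for this thread and not taken from the post or from either vendor's tooling: it parses the FortiOS phase1/phase2 settings and the two Palo Alto crypto profiles that the gateway and tunnel above reference, then reports per phase whether the two sides share an encryption/hash suite, a DH group and a lifetime. The inline configs are trimmed copies of the ones posted (constructed for the example); only FortiOS CBC suite names are mapped to PAN-OS names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed from the FortiGate CLI in the post, trimmed to the crypto-relevant lines.
FGT_CFG = """config vpn ipsec phase1-interface
    set keylife 28800
    set proposal aes256-sha512
    set dhgrp 14
end
config vpn ipsec phase2-interface
    set proposal aes256-sha512
    set dhgrp 14
    set keylifeseconds 3600
end"""

# Constructed from the Palo Alto XML in the post: only the two profiles the gateway and tunnel reference.
PA_XML = """<crypto-profiles>
<ike-crypto-profiles><entry name="dh14-sha256-aes256-8h"><hash><member>sha512</member></hash>
<dh-group><member>group14</member></dh-group><encryption><member>aes-256-cbc</member></encryption>
<lifetime><hours>8</hours></lifetime></entry></ike-crypto-profiles>
<ipsec-crypto-profiles><entry name="esp-aes256-sha256-dh14-1h"><esp><authentication><member>sha512</member>
</authentication><encryption><member>aes-256-cbc</member><member>aes-256-gcm</member></encryption></esp>
<lifetime><hours>1</hours></lifetime><dh-group>group14</dh-group></entry></ipsec-crypto-profiles>
</crypto-profiles>"""

def fgt_crypto(cfg, section):
    """FortiOS 'set proposal'/'set dhgrp'/lifetime of one section -> ({(enc, hash)} in PAN-OS names, dh, seconds)."""
    body = cfg.split(f"config vpn ipsec {section}")[1].split("\nend")[0]
    kv = dict(re.findall(r"set (\S+) (.+)", body))
    props = set()
    for enc, h in (p.split("-") for p in kv["proposal"].split()):  # only two-part CBC suites are mapped
        props.add((f"aes-{enc[3:]}-cbc" if enc.startswith("aes") else enc, h))
    return props, "group" + kv["dhgrp"], int(kv.get("keylife") or kv["keylifeseconds"])

def pa_crypto(pa_xml, kind):
    """First <kind>-crypto-profiles entry ('ike' or 'ipsec') -> the same tuple shape as fgt_crypto."""
    e = ET.fromstring(pa_xml).find(f"./{kind}-crypto-profiles/entry")
    base, hname = (e.find("esp"), "authentication") if kind == "ipsec" else (e, "hash")
    props = {(c.text, h.text) for c in base.find("encryption") for h in base.find(hname)}
    dh = e.find("dh-group")  # <member> child under IKE profiles, bare text under IPsec profiles
    dh = dh.text if dh.find("member") is None else dh.find("member").text
    return props, dh, int(e.find("lifetime/hours").text) * 3600

def compare(fgt_cfg=FGT_CFG, pa_xml=PA_XML):
    """Per phase: the shared (enc, hash) suites, whether DH groups match and whether lifetimes match."""
    out = {}
    for section, kind in (("phase1-interface", "ike"), ("phase2-interface", "ipsec")):
        (fp, fdh, fl), (pp, pdh, pl) = fgt_crypto(fgt_cfg, section), pa_crypto(pa_xml, kind)
        out[kind] = {"common": sorted(fp & pp), "dh_match": fdh == pdh, "lifetime_match": fl == pl}
    return out
```

    For the posted configs both phases share aes-256-cbc/sha512 with group14 and equal lifetimes (8 h and 1 h), so the Phase-2 failure is not a proposal mismatch; the PAN-OS log instead names the reason as the FQDN address type during getspi.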