ChristianH
New Member
December 2, 2018
Question

VPN phase2 doesn't come up because local subnet is wrong

  • December 2, 2018
  • 1 reply
  • 5303 views

Hi,

I have the following issue I am trying to solve: setting up a static site-to-site VPN tunnel between a Fortigate 100E (local) and a Cisco ASA (remote). The phase1 and phase2 parameters have been checked and are OK, but the tunnel doesn't come up due to a local subnet issue.


Fortigate 100E, v5.6.6 with physical interfaces as follows:

Lan (Switch): P1-P13, P1 connected, subnet 192.168.0.x/22

P16: 172.16.10.0/24

The VPN tunnel comes up correctly if my peer configures the local (100E) subnet as 192.168.0.x. But I would like to use the tunnel from port16 with the 172.16.10.0 subnet. If my peer changes the configuration to 172.16.10.0, phase 1 comes up but phase 2 never starts. So it is an issue with the correct interface/subnet configuration on my (local) side.


How do I configure the 100E to use port16 / subnet 172.16.10.0 as the local IP? Trying to set the tunnel interface address doesn't allow me to use a 172.16.10.0 IP address ("conflicts with port 16 subnet"). So where do you specify which interface/subnet a VPN tunnel should use as the local side?


thx,

  Christian

    ChristianH
    New Member
    December 2, 2018

    add: already tried to set src-subnet and dst-subnet (dst-start-ip) in the phase2 definition. Didn't change anything.

    edit "vpn-JZ"
        set phase1name "vpn-JZ"
        set proposal aes256-sha1 aes128-sha1
        set dhgrp 5
        set dst-addr-type ip
        set keylifeseconds 28800
        set src-subnet 172.16.10.0 255.255.255.0
        set dst-start-ip 10.65.11.10
    next

    emnoc
    New Member
    December 3, 2018

    In the Cisco ASA crypto map, what did they define in the ACL? Your src/dst has to match the remote dst/src subnets.


    ken Felix
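    Added example (not part of emnoc's reply or any post in this thread): a small Python check of the mirroring rule stated above. It parses a constructed FortiGate phase2 block shaped like the one Christian posted and an assumed ASA crypto ACE (the remote admin's real ACL was never shared), and reports which selector pair fails to mirror; it also handles the dst-subnet form, which the thread does not use.

```python
import ipaddress
import re

# Constructed FortiGate phase2 block, shaped like the one posted in this thread (selector lines only).
FORTIGATE_PHASE2 = """
edit "vpn-JZ"
    set src-subnet 172.16.10.0 255.255.255.0
    set dst-addr-type ip
    set dst-start-ip 10.65.11.10
next
"""
# Assumed ASA crypto ACE (constructed): the remote admin's real ACL was not shared in the thread.
ASA_ACE = "access-list VPN-JZ extended permit ip host 10.65.11.10 192.168.0.0 255.255.252.0"

def _net(addr, mask="32"):
    # ip_network accepts both dotted masks ("255.255.252.0") and prefix lengths ("32").
    return ipaddress.ip_network(f"{addr}/{mask}")

def fortigate_selectors(cfg):
    """Return (local, remote) traffic selectors from a FortiGate phase2 block."""
    src = re.search(r"set src-subnet (\S+) (\S+)", cfg)
    local = _net(src.group(1), src.group(2))
    if re.search(r"set dst-addr-type ip\b", cfg):
        # dst-addr-type ip: dst-start-ip names a single remote host; the default type (subnet) uses dst-subnet.
        remote = _net(re.search(r"set dst-start-ip (\S+)", cfg).group(1))
    else:
        dst = re.search(r"set dst-subnet (\S+) (\S+)", cfg)
        remote = _net(dst.group(1), dst.group(2))
    return local, remote

def asa_selectors(ace):
    """Return (local, remote) from an ASA 'permit ip' crypto ACE, in host or address/mask form."""
    m = re.search(r"permit ip (host \S+|\S+ \S+) (host \S+|\S+ \S+)", ace)
    nets = []
    for tok in (m.group(1), m.group(2)):
        parts = tok.split()
        nets.append(_net(parts[1]) if parts[0] == "host" else _net(parts[0], parts[1]))
    return nets[0], nets[1]

def mirror_mismatches(fgt_cfg, asa_ace):
    """List selector pairs that do not mirror: FortiGate src must equal ASA dst, FortiGate dst must equal ASA src."""
    fgt_local, fgt_remote = fortigate_selectors(fgt_cfg)
    asa_local, asa_remote = asa_selectors(asa_ace)
    problems = []
    if fgt_local != asa_remote:
        problems.append(f"FortiGate src {fgt_local} != ASA dst {asa_remote}")
    if fgt_remote != asa_local:
        problems.append(f"FortiGate dst {fgt_remote} != ASA src {asa_local}")
    return problems
```

    With the constructed ACE still pointing at 192.168.0.0/22, the check reports exactly the mismatch the thread describes; once the ASA side is changed to 172.16.10.0/24 the list is empty.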

    ChristianH
    New Member
    December 3, 2018

    src/dst on my side (Fortinet) matches dst/src on the remote side (ASA). I have been talking to the remote side admin to debug the issue. As soon as he changed the subnet on his side to match 192.168.0.0/22 (which is the default subnet on the Fortigate side), phase2 comes up. src (ASA) / dst (Fortinet) was unchanged (single host 10.65.11.10); only dst (ASA) / src (Fortinet) was modified.


    So the issue has to be somewhat related to Fortinet config - which is my side :(