Cybersecurity Forum


njward
New Contributor

Azure Site to site VPN Fortinet 5.2.4

Hello,

I have been trying to set up a VPN to Azure but not having any luck at all. I have tried following the article published by Fortinet, which was for an earlier version, and this did not work. Has anybody got this working? At the moment it's failing on phase 1; the log shows "peer SA proposal not match local policy". I enabled debug to see more detail and found this, but unfortunately I don't really understand what it is telling me. Can anybody offer any advice?

ike 0: comes x.x.x.x:500->95.x.x.x.x:500,ifindex=3....
ike 0: IKEv2 exchange=SA_INIT id=720d4027749f450a/0000000000000000 len=616
ike 0: in
ike 0:720d4027749f450a/0000000000000000:295285: responder received SA_INIT msg
ike 0:720d4027749f450a/0000000000000000:295285: received notify type NAT_DETECTION_SOURCE_IP
ike 0:720d4027749f450a/0000000000000000:295285: received notify type NAT_DETECTION_DESTINATION_IP
ike 0:720d4027749f450a/0000000000000000:295285: incoming proposal:
ike 0:720d4027749f450a/0000000000000000:295285: proposal id = 1:
ike 0:720d4027749f450a/0000000000000000:295285:   protocol = IKEv2:
ike 0:720d4027749f450a/0000000000000000:295285:      encapsulation = IKEv2/none
ike 0:720d4027749f450a/0000000000000000:295285:         type=ENCR, val=3DES_CBC
ike 0:720d4027749f450a/0000000000000000:295285:         type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:720d4027749f450a/0000000000000000:295285:         type=PRF, val=PRF_HMAC_SHA
ike 0:720d4027749f450a/0000000000000000:295285:         type=DH_GROUP, val=MODP1024.

DiegCirc
New Contributor

This is our config (GUI also works, but it was easier to copy&paste the config rather than taking screenshots):

config vpn ipsec phase1-interface
    edit "Phase 1 Name"
        set interface "My external interface name"
        set ike-version 2
        set keylife 28800
        set proposal aes256-sha256 aes256-sha1 aes128-sha256 aes128-sha1
        set dpd on-idle
        set dhgrp 2
        set nattraversal disable
        set remote-gw
        set psksecret xxxxxx
        set dpd-retryinterval 5
    next
end
config vpn ipsec phase2-interface
    edit "Phase 2 Name"
        set phase1name "Phase 1 Name"
        set proposal aes256-sha256 aes256-sha1 aes128-sha256 aes128-sha1
        set dhgrp 1
        set auto-negotiate enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set dst-subnet
    next
end
config router static
    edit 1
        set dst
        set device "Phase 2 Name"
    next
end
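The debug output in the original post shows exactly which transforms the peer offered in its SA_INIT (3DES_CBC, AUTH_HMAC_SHA_96, MODP1024), and the config above shows what a FortiOS phase1 `set proposal` / `set dhgrp` line accepts. As an added example, not from anyone in the thread, the script below parses those debug lines and reports which transform type does not match the local proposal; the names 3DES_CBC, AUTH_HMAC_SHA_96 and MODP1024 are taken from the page, while the AES, SHA-256 and other DH group names in the mapping are assumptions based on the IKEv2 transform names.

```python
import re
from typing import Dict, List

# Constructed sample: the "incoming proposal" lines from the debug output in the thread.
DEBUG_LINES = """
ike 0:720d4027749f450a/0000000000000000:295285: incoming proposal:
ike 0:720d4027749f450a/0000000000000000:295285: proposal id = 1:
ike 0:720d4027749f450a/0000000000000000:295285:   protocol = IKEv2:
ike 0:720d4027749f450a/0000000000000000:295285:         type=ENCR, val=3DES_CBC
ike 0:720d4027749f450a/0000000000000000:295285:         type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:720d4027749f450a/0000000000000000:295285:         type=PRF, val=PRF_HMAC_SHA
ike 0:720d4027749f450a/0000000000000000:295285:         type=DH_GROUP, val=MODP1024.
""".strip().splitlines()

# FortiOS "set proposal" / "set dhgrp" tokens -> names seen in the IKE debug output.
# 3DES_CBC, AUTH_HMAC_SHA_96 and MODP1024 come from the page; the rest are assumed
# from the IKEv2 transform names (RFC 7296) and may differ in real FortiOS output.
ENCR = {"3des": "3DES_CBC", "aes128": "AES_CBC_128", "aes256": "AES_CBC_256"}
INTEGR = {"sha1": "AUTH_HMAC_SHA_96", "sha256": "AUTH_HMAC_SHA2_256_128"}
DHGRP = {"1": "MODP768", "2": "MODP1024", "5": "MODP1536", "14": "MODP2048"}

TRANSFORM_RE = re.compile(r"type=(\w+),\s*val=(\w+)")


def parse_peer_proposal(lines: List[str]) -> Dict[str, str]:
    """Return {transform type: value} from the peer's 'incoming proposal' lines."""
    found: Dict[str, str] = {}
    for line in lines:
        m = TRANSFORM_RE.search(line)
        if m:
            found[m.group(1)] = m.group(2)  # trailing '.' on MODP1024 is not part of \w+
    return found


def local_transforms(proposal: str, dhgrp: str) -> Dict[str, set]:
    """Expand 'aes256-sha256 aes128-sha1' plus a dhgrp list into accepted transform sets."""
    encr, integr = set(), set()
    for pair in proposal.split():
        enc, auth = pair.split("-", 1)
        encr.add(ENCR[enc])
        integr.add(INTEGR[auth])
    return {"ENCR": encr, "INTEGR": integr, "DH_GROUP": {DHGRP[g] for g in dhgrp.split()}}


def find_mismatches(peer: Dict[str, str], local: Dict[str, set]) -> List[str]:
    """Transform types the peer offered that the local phase1 does not accept."""
    return [t for t, accepted in local.items() if peer.get(t) not in accepted]


if __name__ == "__main__":
    peer = parse_peer_proposal(DEBUG_LINES)
    local = local_transforms("aes256-sha256 aes256-sha1 aes128-sha256 aes128-sha1", "2")
    for t in find_mismatches(peer, local):
        print(f"{t}: peer offered {peer[t]}, local accepts {sorted(local[t])}")
```

With the proposal from the config above, only ENCR is reported: the peer offers 3DES while the local list contains only AES, which is one way a "peer SA proposal not match local policy" error can arise.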

justinpowell_FTNT

I have only done one of these so far and we had to enable NAT-T in order to make it work. Also make sure there is a policy referencing the VPN or it will not come up.

njward

Hello, thanks for the response. I set our config the same as yours apart from IP addresses, but no joy. The only difference is that you mention "Phase 2 name" in the router static section; it will only allow the phase 1 name.

When I look on the event log I just see ipsec phase 1 errors.  This is my config.  Really struggling so would really appreciate any suggestions.


config vpn ipsec phase1-interface
    edit "Azure_P1"
        set interface "wan2"
        set ike-version 2
        set keylife 28800
        set proposal aes256-sha256 aes256-sha1 aes128-sha256 aes128-sha1
        set dhgrp 2
        set remote-gw xxx.xxx.xxx.xxx
        set psksecret ENC xxxxxx
    next
end

config vpn ipsec phase2-interface
    edit "Azure_P2"
        set phase1name "Azure_P1"
        set proposal aes256-sha256 aes256-sha1 aes128-sha256 aes128-sha1
        set dhgrp 1
        set auto-negotiate enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set src-subnet xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
        set dst-subnet xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
    next
end

config router static
    edit 1
        set dst
        set device "Azure_P1"
    next
end

njward
New Contributor

Sorry, I was being stupid.  VPN is now up and running, I made a mistake on my FW policies.  Apologies for wasting your time.

Nick
