Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

PiEich
New Contributor

VPN between 2 Fortigates not establishing

Hi everyone!
A simple IPSec site-to-site VPN which I was betting should be up after 5 minutes of configuration, is giving me headaches for 1 week now.

On one side 500E v6.0.9
On the other side 110C v5.2.9

500E config
500E # show vpn ipsec phase1-interface S2S
config vpn ipsec phase1-interface
edit "S2S"
set interface "port4"
set keylife 28800
set peertype any
set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
set remote-gw x.x.x.x
set psksecret ENC tAl7DoFRHysjGiH+Mb6ijjllKtjH42TkHJk80CnLDHVTqTw48xYMGbjTODRkr9lzWJJo6CXd3QupSglXQSA+5Gc4n/rvTu6AYeL81EH1yL2y/EtGNFvay4kGVs2yUnvsVY7mhWoIbqdLP0K0sp1Wkf3hxryCzarHM26GUZosZbt/ktewEOPPDprszWAqZePkUmPyXg==
next
end

500E # show vpn ipsec phase2-interface S2S
config vpn ipsec phase2-interface
edit "S2S"
set phase1name "S2S"
set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
set src-addr-type name
set dst-addr-type name
set keylifeseconds 3600
set src-name "N-a.a.a.a"
set dst-name "N-b.b.b.b"
next
end


110C config
110C # show vpn ipsec phase1-interface S2S
config vpn ipsec phase1-interface
edit "S2S"
set interface "wan2"
set keylife 28800
set remote-gw y.y.y.y
set psksecret ENC Nv3PWpoe+wi21HgsMXnanygYP9VEknt5egXy4qI2yxGpB26q9+nRjxNMxqmhY2I2IdLAoO6Zt/ttnO51pvgFyOoXXcKne47cr5EYM+juRW7cj8IZ3uCKYN29K0LB5k8JOVuCQH6q69dTndxLRElTsfBrFWcRiEtF3lcSZgwWIEd3AjSkowE/E/ZCLV84zinhOIfN/g==
next
end

110C # show vpn ipsec phase2-interface S2S
config vpn ipsec phase2-interface
edit "S2S"
set phase1name "S2S"
set src-addr-type name
set dst-addr-type name
set keylifeseconds 3600
set src-name "N-b.b.b.b"
set dst-name "N-a.a.a.a"
next
end

The 110C does not show the proposals in the CLI I don't know why, but I have not only compared them in the GUI, but typed on the CLI exactly as the one in the 500E, and still not showing.

When I try to bring up the tunnel, I get the "progress IPsec phase 2 failure" message and I don't know what else to do...
And even though I assume the Phase 1 is UP, I don't see the tunnel UP nor the messages for Phase 1 in the log.

All help, welcome. Thanks!

UploadedImages_dnfkMZ8ZSh2u0EasK609_VPN.png
8 REPLIES 8
FernPatz
New Contributor II

Hi I saw that you didn´t put the criptography proposal on phase1 and phase2 of 110C IPSec config.
[FirstName]
[FirstName]
PiEich

Hi Fernando,
I put this below the config:

The 110C does not show the proposals in the CLI I don't know why, but I have not only compared them in the GUI, but typed on the CLI exactly as the one in the 500E, and still not showing.

If you or anyone has an idea why that can happen... Welcome
FernPatz
New Contributor II

Try this in both fortigates. With this you will see all config of IPSec vpns and you will can verify all parameters.

# conf vpn ipsec phase1-interface
# edit S2S
# show full-configuration
# end
# conf vpn ipsec phase2-interface
# edit S2S
# show full-configuration

​​​​​​
[FirstName]
[FirstName]
PiEich

Excellent, now I have this:

500E
500E (S2S) # show full-configuration
config vpn ipsec phase1-interface
edit "S2S"
set type static
set interface "port4"
set ip-version 4
set ike-version 1
set local-gw 0.0.0.0
set keylife 28800
set authmethod psk
set mode main
set peertype any
set passive-mode disable
set exchange-interface-ip disable
set mode-cfg disable
set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
set localid ''
set localid-type auto
set auto-negotiate enable
set negotiate-timeout 30
set fragmentation enable
set dpd on-demand
set forticlient-enforcement disable
set npu-offload enable
set dhgrp 14 5
set suite-b disable
set wizard-type custom
set xauthtype disable
set mesh-selector-type disable
set idle-timeout disable
set ha-sync-esp-seqno enable
set auto-discovery-sender disable
set auto-discovery-receiver disable
set auto-discovery-forwarder disable
set encapsulation none
set nattraversal enable
set rekey enable
set remote-gw x.x.x.x
set monitor ''
set add-gw-route disable
set psksecret ENC 4LPDyWV2wq+20mOa01RPNusJvqkfHIbkXcaHHybOQZrJlFGlwdIJc9uGvZ6/xGTe+gJGUbC+7bB+otonYGZ2jfdwIvyHNWeyhSSMOdlDQMtPfV/v5xMj3WcovVZRTzOYHhf7gtdKO8LPfBPqcjMmtdAJiIVkyA85XJWi5SEtNDf8PbOUBsjIK73TzEnHb9jH5vvSiw==
set keepalive 10
set dpd-retrycount 3
set dpd-retryinterval 20
next
end


500E (S2S) # show full-configuration
config vpn ipsec phase2-interface
edit "S2S"
set phase1name "S2S"
set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
set pfs enable
set dhgrp 14 5
set replay enable
set keepalive disable
set auto-negotiate disable
set auto-discovery-sender phase1
set auto-discovery-forwarder phase1
set keylife-type seconds
set encapsulation tunnel-mode
set protocol 0
set src-addr-type name
set src-port 0
set dst-addr-type name
set dst-port 0
set keylifeseconds 3600
set src-name "N-a.a.a.a"
set dst-name "N-b.b.b.b"
next
end

110C
110C (S2S) # show full-configuration
config vpn ipsec phase1-interface
edit "S2S"
set type static
set interface "wan2"
set ip-version 4
set ike-version 1
set local-gw 0.0.0.0
set nattraversal enable
set keylife 28800
set authmethod psk
set mode main
set peertype any
set mode-cfg disable
set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
set localid ''
set localid-type auto
set negotiate-timeout 30
set fragmentation enable
set dpd enable
set forticlient-enforcement disable
set npu-offload enable
set dhgrp 14 5
set wizard-type custom
set xauthtype disable
set mesh-selector-type disable
set remote-gw y.y.y.y
set monitor ''
set add-gw-route disable
set psksecret ENC Nv3PWpoe+wi21HgsMXnanygYP9VEknt5egXy4qI2yxGpB26q9+nRjxNMxqmhY2I2IdLAoO6Zt/ttnO51pvgFyOoXXcKne47cr5EYM+juRW7cj8IZ3uCKYN29K0LB5k8JOVuCQH6q69dTndxLRElTsfBrFWcRiEtF3lcSZgwWIEd3AjSkowE/E/ZCLV84zinhOIfN/g==
set keepalive 10
set auto-negotiate enable
set dpd-retrycount 3
set dpd-retryinterval 5
next
end


110C (S2S) # show full-configuration
config vpn ipsec phase2-interface
edit "S2S"
set phase1name "S2S"
set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
set pfs enable
set dhgrp 14 5
set replay enable
set keepalive disable
set auto-negotiate disable
set keylife-type seconds
set encapsulation tunnel-mode
set protocol 0
set src-addr-type name
set src-port 0
set dst-addr-type name
set dst-port 0
set keylifeseconds 3600
set src-name "N-b.b.b.b"
set dst-name "N-a.a.a.a"
next
end
FernPatz
New Contributor II

Considering that:
- psk secret is the same in both fortigates;
- the interfaces that you are establishing the ipsec vpn it´s correct;
- the src-addr and dst-address was correct (remember that you need to invert in one of fortigates);

Now you need to enable a syslog and send the information to syslog to see whats wrong.
You can use this commando to verify 
diagnose vpn tunnel list name <Phase 1 name>

- diagnose debug application ike -1
- diagnose debug enable

to disable
- diagnose debug enable
- - -
Fernando Patzlaff
patzlaff@gmail.com


------Original Message------

Excellent, now I have this:

500E
500E (S2S) # show full-configuration
config vpn ipsec phase1-interface
edit "S2S"
set type static
set interface "port4"
set ip-version 4
set ike-version 1
set local-gw 0.0.0.0
set keylife 28800
set authmethod psk
set mode main
set peertype any
set passive-mode disable
set exchange-interface-ip disable
set mode-cfg disable
set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
set localid ''
set localid-type auto
set auto-negotiate enable
set negotiate-timeout 30
set fragmentation enable
set dpd on-demand
set forticlient-enforcement disable
set npu-offload enable
set dhgrp 14 5
set suite-b disable
set wizard-type custom
set xauthtype disable
set mesh-selector-type disable
set idle-timeout disable
set ha-sync-esp-seqno enable
set auto-discovery-sender disable
set auto-discovery-receiver disable
set auto-discovery-forwarder disable
set encapsulation none
set nattraversal enable
set rekey enable
set remote-gw x.x.x.x
set monitor ''
set add-gw-route disable
set psksecret ENC 4LPDyWV2wq+20mOa01RPNusJvqkfHIbkXcaHHybOQZrJlFGlwdIJc9uGvZ6/xGTe+gJGUbC+7bB+otonYGZ2jfdwIvyHNWeyhSSMOdlDQMtPfV/v5xMj3WcovVZRTzOYHhf7gtdKO8LPfBPqcjMmtdAJiIVkyA85XJWi5SEtNDf8PbOUBsjIK73TzEnHb9jH5vvSiw==
set keepalive 10
set dpd-retrycount 3
set dpd-retryinterval 20
next
end


500E (S2S) # show full-configuration
config vpn ipsec phase2-interface
edit "S2S"
set phase1name "S2S"
set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
set pfs enable
set dhgrp 14 5
set replay enable
set keepalive disable
set auto-negotiate disable
set auto-discovery-sender phase1
set auto-discovery-forwarder phase1
set keylife-type seconds
set encapsulation tunnel-mode
set protocol 0
set src-addr-type name
set src-port 0
set dst-addr-type name
set dst-port 0
set keylifeseconds 3600
set src-name "N-a.a.a.a"
set dst-name "N-b.b.b.b"
next
end

110C
110C (S2S) # show full-configuration
config vpn ipsec phase1-interface
edit "S2S"
set type static
set interface "wan2"
set ip-version 4
set ike-version 1
set local-gw 0.0.0.0
set nattraversal enable
set keylife 28800
set authmethod psk
set mode main
set peertype any
set mode-cfg disable
set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
set localid ''
set localid-type auto
set negotiate-timeout 30
set fragmentation enable
set dpd enable
set forticlient-enforcement disable
set npu-offload enable
set dhgrp 14 5
set wizard-type custom
set xauthtype disable
set mesh-selector-type disable
set remote-gw y.y.y.y
set monitor ''
set add-gw-route disable
set psksecret ENC Nv3PWpoe+wi21HgsMXnanygYP9VEknt5egXy4qI2yxGpB26q9+nRjxNMxqmhY2I2IdLAoO6Zt/ttnO51pvgFyOoXXcKne47cr5EYM+juRW7cj8IZ3uCKYN29K0LB5k8JOVuCQH6q69dTndxLRElTsfBrFWcRiEtF3lcSZgwWIEd3AjSkowE/E/ZCLV84zinhOIfN/g==
set keepalive 10
set auto-negotiate enable
set dpd-retrycount 3
set dpd-retryinterval 5
next
end


110C (S2S) # show full-configuration
config vpn ipsec phase2-interface
edit "S2S"
set phase1name "S2S"
set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
set pfs enable
set dhgrp 14 5
set replay enable
set keepalive disable
set auto-negotiate disable
set keylife-type seconds
set encapsulation tunnel-mode
set protocol 0
set src-addr-type name
set src-port 0
set dst-addr-type name
set dst-port 0
set keylifeseconds 3600
set src-name "N-b.b.b.b"
set dst-name "N-a.a.a.a"
next
end
[FirstName]
[FirstName]
PiEich

OK so new information: I need my packets to go out doing a NAT so in the rule, I have NAT active and selected an IP Pool.
Checking a sniffer packet, the NAT is not happening, so the packet goes with its real IP, therefore the Phase2 on the other side is "incorrect".

Now what I don't know is WHY the NAT is not being applied
config firewall policy
edit 79
set srcintf "any"
set dstintf "S2S"
set srcaddr "a.a.a.a"
set dstaddr "b.b.b.b"
set rtp-nat disable
set action accept
set status enable
set schedule "always"
set schedule-timeout disable
set service "ALL"
set utm-status disable
set logtraffic all
set logtraffic-start disable
set session-ttl 0
set vlan-cos-fwd 255
set vlan-cos-rev 255
set wccp disable
set disclaimer disable
set natip 0.0.0.0 0.0.0.0
set match-vip disable
set diffserv-forward disable
set diffserv-reverse disable
set tcp-mss-sender 0
set tcp-mss-receiver 0
set label ''
set global-label ''
set block-notification disable
set replacemsg-override-group ''
set srcaddr-negate disable
set dstaddr-negate disable
set service-negate disable
set timeout-send-rst disable
set captive-portal-exempt disable
set delay-tcp-npu-session disable
set traffic-shaper ''
set traffic-shaper-reverse ''
set per-ip-shaper ''
set nat enable
set permit-any-host disable
set permit-stun-host disable
set fixedport disable
set ippool enable
set poolname "POOL_10.200.15.0-24"
next
end
config firewall ippool
edit "POOL_10.200.15.0-24"
set type overload
set startip 10.200.15.1
set endip 10.200.15.254
set arp-reply disable
set comments ''
next
end


Thank you!
TreyJ63
New Contributor

Do you have IPv4 policies and static routes for the traffic of interest?
PiEich
New Contributor

Yes, I do. In fact the tunnel works, but it is not applying the NAT I need in order to get to the other side as 10.200.15.x (please check my previous post). 


That was my Phase2 issue. Instead of getting to the other side with the natted addresses, they are going with the real ones. 


Why do I need to NAT? It was an acquisition, and the former IT brains were using public IP addresses for the entire LAN. Until we can change that, we need the VPN up with a private segment

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.