Cybersecurity Forum


PiEich
New Contributor

VPN between 2 Fortigates not establishing

Hi everyone!
A simple IPSec site-to-site VPN, which I was betting would be up after 5 minutes of configuration, has been giving me headaches for 1 week now.

On one side 500E v6.0.9
On the other side 110C v5.2.9

500E config
500E # show vpn ipsec phase1-interface S2S
config vpn ipsec phase1-interface
edit "S2S"
set interface "port4"
set keylife 28800
set peertype any
set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
set remote-gw x.x.x.x
set psksecret ENC tAl7DoFRHysjGiH+Mb6ijjllKtjH42TkHJk80CnLDHVTqTw48xYMGbjTODRkr9lzWJJo6CXd3QupSglXQSA+5Gc4n/rvTu6AYeL81EH1yL2y/EtGNFvay4kGVs2yUnvsVY7mhWoIbqdLP0K0sp1Wkf3hxryCzarHM26GUZosZbt/ktewEOPPDprszWAqZePkUmPyXg==
next
end

500E # show vpn ipsec phase2-interface S2S
config vpn ipsec phase2-interface
edit "S2S"
set phase1name "S2S"
set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
set src-addr-type name
set dst-addr-type name
set keylifeseconds 3600
set src-name "N-a.a.a.a"
set dst-name "N-b.b.b.b"
next
end


110C config
110C # show vpn ipsec phase1-interface S2S
config vpn ipsec phase1-interface
edit "S2S"
set interface "wan2"
set keylife 28800
set remote-gw y.y.y.y
set psksecret ENC Nv3PWpoe+wi21HgsMXnanygYP9VEknt5egXy4qI2yxGpB26q9+nRjxNMxqmhY2I2IdLAoO6Zt/ttnO51pvgFyOoXXcKne47cr5EYM+juRW7cj8IZ3uCKYN29K0LB5k8JOVuCQH6q69dTndxLRElTsfBrFWcRiEtF3lcSZgwWIEd3AjSkowE/E/ZCLV84zinhOIfN/g==
next
end

110C # show vpn ipsec phase2-interface S2S
config vpn ipsec phase2-interface
edit "S2S"
set phase1name "S2S"
set src-addr-type name
set dst-addr-type name
set keylifeseconds 3600
set src-name "N-b.b.b.b"
set dst-name "N-a.a.a.a"
next
end

The 110C does not show the proposals in the CLI; I don't know why. I have not only compared them in the GUI, but also typed them on the CLI exactly as on the 500E, and they are still not showing.

When I try to bring up the tunnel, I get the "progress IPsec phase 2 failure" message and I don't know what else to do...
And even though I assume Phase 1 is UP, I don't see the tunnel UP, nor the Phase 1 messages in the log.

All help, welcome. Thanks!

FernPatz
New Contributor II

Hi, I saw that you didn't put the cryptography proposal in phase 1 and phase 2 of the 110C IPsec config.
PiEich

Hi Fernando,
I put this below the config:

The 110C does not show the proposals in the CLI; I don't know why. I have not only compared them in the GUI, but also typed them on the CLI exactly as on the 500E, and they are still not showing.

If you or anyone has an idea why that can happen... Welcome
FernPatz
New Contributor II

Try this on both FortiGates. With this you will see the full config of the IPsec VPNs and you will be able to verify all parameters.

# conf vpn ipsec phase1-interface
# edit S2S
# show full-configuration
# end
# conf vpn ipsec phase2-interface
# edit S2S
# show full-configuration
# end
PiEich

Excellent, now I have this:

500E
500E (S2S) # show full-configuration
config vpn ipsec phase1-interface
edit "S2S"
set type static
set interface "port4"
set ip-version 4
set ike-version 1
set local-gw 0.0.0.0
set keylife 28800
set authmethod psk
set mode main
set peertype any
set passive-mode disable
set exchange-interface-ip disable
set mode-cfg disable
set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
set localid ''
set localid-type auto
set auto-negotiate enable
set negotiate-timeout 30
set fragmentation enable
set dpd on-demand
set forticlient-enforcement disable
set npu-offload enable
set dhgrp 14 5
set suite-b disable
set wizard-type custom
set xauthtype disable
set mesh-selector-type disable
set idle-timeout disable
set ha-sync-esp-seqno enable
set auto-discovery-sender disable
set auto-discovery-receiver disable
set auto-discovery-forwarder disable
set encapsulation none
set nattraversal enable
set rekey enable
set remote-gw x.x.x.x
set monitor ''
set add-gw-route disable
set psksecret ENC 4LPDyWV2wq+20mOa01RPNusJvqkfHIbkXcaHHybOQZrJlFGlwdIJc9uGvZ6/xGTe+gJGUbC+7bB+otonYGZ2jfdwIvyHNWeyhSSMOdlDQMtPfV/v5xMj3WcovVZRTzOYHhf7gtdKO8LPfBPqcjMmtdAJiIVkyA85XJWi5SEtNDf8PbOUBsjIK73TzEnHb9jH5vvSiw==
set keepalive 10
set dpd-retrycount 3
set dpd-retryinterval 20
next
end


500E (S2S) # show full-configuration
config vpn ipsec phase2-interface
edit "S2S"
set phase1name "S2S"
set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
set pfs enable
set dhgrp 14 5
set replay enable
set keepalive disable
set auto-negotiate disable
set auto-discovery-sender phase1
set auto-discovery-forwarder phase1
set keylife-type seconds
set encapsulation tunnel-mode
set protocol 0
set src-addr-type name
set src-port 0
set dst-addr-type name
set dst-port 0
set keylifeseconds 3600
set src-name "N-a.a.a.a"
set dst-name "N-b.b.b.b"
next
end

110C
110C (S2S) # show full-configuration
config vpn ipsec phase1-interface
edit "S2S"
set type static
set interface "wan2"
set ip-version 4
set ike-version 1
set local-gw 0.0.0.0
set nattraversal enable
set keylife 28800
set authmethod psk
set mode main
set peertype any
set mode-cfg disable
set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
set localid ''
set localid-type auto
set negotiate-timeout 30
set fragmentation enable
set dpd enable
set forticlient-enforcement disable
set npu-offload enable
set dhgrp 14 5
set wizard-type custom
set xauthtype disable
set mesh-selector-type disable
set remote-gw y.y.y.y
set monitor ''
set add-gw-route disable
set psksecret ENC Nv3PWpoe+wi21HgsMXnanygYP9VEknt5egXy4qI2yxGpB26q9+nRjxNMxqmhY2I2IdLAoO6Zt/ttnO51pvgFyOoXXcKne47cr5EYM+juRW7cj8IZ3uCKYN29K0LB5k8JOVuCQH6q69dTndxLRElTsfBrFWcRiEtF3lcSZgwWIEd3AjSkowE/E/ZCLV84zinhOIfN/g==
set keepalive 10
set auto-negotiate enable
set dpd-retrycount 3
set dpd-retryinterval 5
next
end


110C (S2S) # show full-configuration
config vpn ipsec phase2-interface
edit "S2S"
set phase1name "S2S"
set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
set pfs enable
set dhgrp 14 5
set replay enable
set keepalive disable
set auto-negotiate disable
set keylife-type seconds
set encapsulation tunnel-mode
set protocol 0
set src-addr-type name
set src-port 0
set dst-addr-type name
set dst-port 0
set keylifeseconds 3600
set src-name "N-b.b.b.b"
set dst-name "N-a.a.a.a"
next
end
FernPatz
New Contributor II

Considering that:
- the PSK secret is the same on both FortiGates;
- the interfaces on which you are establishing the IPsec VPN are correct;
- the src-addr and dst-addr are correct (remember that you need to invert them on one of the FortiGates);

Now you need to enable syslog and send the information to it to see what's wrong.
You can use this command to verify:
diagnose vpn tunnel list name <Phase 1 name>

- diagnose debug application ike -1
- diagnose debug enable

To disable:
- diagnose debug disable
- - -
Fernando Patzlaff
patzlaff@gmail.com


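As a worked version of the checklist above (an added example, not code from the thread or from Fortinet): a small Python script that parses two `show full-configuration` dumps and reports the phase 1 / phase 2 mismatches that keep a FortiGate pair from agreeing. The sample dumps are constructed and abbreviated, and the selector check assumes both sides use the same address-object names.

```python
# Constructed, abbreviated "show full-configuration" dumps for two peers,
# modelled on the thread's 500E / 110C output. Peer B is derived from A with a
# different phase 2 DH group and un-mirrored selectors so the checker fires.
PEER_A = """config vpn ipsec phase1-interface
edit "S2S"
set proposal aes128-sha256 aes256-sha256 aes128-sha1
set dhgrp 14 5
next
end
config vpn ipsec phase2-interface
edit "S2S"
set proposal aes128-sha1 aes256-sha256
set pfs enable
set dhgrp 14 5
set src-name "N-a.a.a.a"
set dst-name "N-b.b.b.b"
next
end"""
PEER_B = PEER_A.replace('set dhgrp 14 5\nset src', 'set dhgrp 2\nset src')

def parse(text):
    # One tunnel per section assumed: 'phase1-interface' -> {key: [values]}
    cfg, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith('config vpn ipsec phase'):
            section = cfg.setdefault(line.split()[-1], {})
        elif section is not None and line.startswith('set '):
            key, *vals = line.split()[1:]
            section[key] = [v.strip('"') for v in vals]
    return cfg

def check_pair(a_text, b_text):
    # Findings that would keep phase 1 or phase 2 from agreeing.
    a, b = parse(a_text), parse(b_text)
    out = []
    for ph in ('phase1-interface', 'phase2-interface'):
        pa, pb = a.get(ph, {}), b.get(ph, {})
        for key in ('proposal', 'dhgrp'):  # one value must overlap (phase 2 dhgrp only matters with pfs)
            if not set(pa.get(key, [])) & set(pb.get(key, [])):
                out.append(f'{ph}: no common {key}')
    p2a, p2b = a.get('phase2-interface', {}), b.get('phase2-interface', {})
    if p2a.get('pfs') != p2b.get('pfs'):
        out.append('phase2-interface: pfs differs')
    # Selectors are name-based here; the far end must have them swapped.
    if (p2a.get('src-name'), p2a.get('dst-name')) != (p2b.get('dst-name'), p2b.get('src-name')):
        out.append('phase2-interface: src/dst selectors are not mirrored')
    return out
```

Paste each device's real output into PEER_A / PEER_B and print `check_pair(PEER_A, PEER_B)`; an empty list means the two sides at least agree on proposals, DH groups, PFS and selectors.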
PiEich

OK, so new information: I need my packets to go out NATed, so in the rule I have NAT active and selected an IP pool.
Checking with a packet sniffer, the NAT is not happening, so the packet goes out with its real IP; therefore the Phase 2 on the other side is "incorrect".

Now what I don't know is WHY the NAT is not being applied:
config firewall policy
edit 79
set srcintf "any"
set dstintf "S2S"
set srcaddr "a.a.a.a"
set dstaddr "b.b.b.b"
set rtp-nat disable
set action accept
set status enable
set schedule "always"
set schedule-timeout disable
set service "ALL"
set utm-status disable
set logtraffic all
set logtraffic-start disable
set session-ttl 0
set vlan-cos-fwd 255
set vlan-cos-rev 255
set wccp disable
set disclaimer disable
set natip 0.0.0.0 0.0.0.0
set match-vip disable
set diffserv-forward disable
set diffserv-reverse disable
set tcp-mss-sender 0
set tcp-mss-receiver 0
set label ''
set global-label ''
set block-notification disable
set replacemsg-override-group ''
set srcaddr-negate disable
set dstaddr-negate disable
set service-negate disable
set timeout-send-rst disable
set captive-portal-exempt disable
set delay-tcp-npu-session disable
set traffic-shaper ''
set traffic-shaper-reverse ''
set per-ip-shaper ''
set nat enable
set permit-any-host disable
set permit-stun-host disable
set fixedport disable
set ippool enable
set poolname "POOL_10.200.15.0-24"
next
end
config firewall ippool
edit "POOL_10.200.15.0-24"
set type overload
set startip 10.200.15.1
set endip 10.200.15.254
set arp-reply disable
set comments ''
next
end


Thank you!
TreyJ63
New Contributor

Do you have IPv4 policies and static routes for the traffic of interest?
PiEich
New Contributor

Yes, I do. In fact, the tunnel works, but it is not applying the NAT I need in order to reach the other side as 10.200.15.x (please check my previous post).

That was my Phase 2 issue: instead of reaching the other side with the NATed addresses, the packets are going with the real ones.

Why do I need to NAT? It was an acquisition, and the former IT brains were using public IP addresses for the entire LAN. Until we can change that, we need the VPN up with a private segment.