Solution
When IPSec VPN is implemented between FortiGate and a device that is not Fortinet-affiliated, issues may occur which do not happen if both devices are FortiGate devices.
The following is a list collated from past troubleshooting tickets:
- FortiGate and Cisco ASA.
  If multiple subnets need to be protected by the VPN between FortiGate and Cisco ASA, do not combine the subnets under one phase2. Instead, split them into one subnet per phase2 on the FortiGate. See this section of the administration guide for more information.
- FortiGate and Microsoft Azure.
  - If instability/fluctuation issues are encountered on the VPN tunnel between FortiGate and Microsoft Azure, check whether PFS (Perfect Forward Secrecy) is enabled on the FortiGate (it is by default). Try disabling it and testing the tunnel again.
  - If the 'SA proposal not match' error is encountered, set the key lifetime under phase2 on the FortiGate to 27000.
  - Configure Dead Peer Detection to On Idle if the VPN between FortiGate and Microsoft Azure stops passing traffic when the key lifetime expires.
- FortiGate and Sophos.
  - Cases of intermittent traffic on the VPN between FortiGate and Sophos may be caused by an NPU drop on the FortiGate. Disable NPU offload, then monitor and test again.
  - In the case of a 'PAYLOAD-MALFORMED' error, check whether PFS (Perfect Forward Secrecy) is enabled on the FortiGate. If it is enabled, disable it and try again.
- FortiGate and ZYXEL.
  - FortiGate may be unable to establish a VPN connection to ZYXEL, with phase1 staying down.
  - If a pre-shared key is used for the VPN between FortiGate and ZYXEL, ensure the key is not too long. It can be reduced to 10 characters, for example; a length of 20 characters or more will not work.
- FortiGate and a Huawei Firewall.
  If the VPN between FortiGate and Huawei is not coming up, check whether the 'quick mode selectors' on phase2 are 0.0.0.0/0 on the FortiGate. If they are, change them to a custom selector (i.e. specific subnets).
- FortiGate and a Stormshield Firewall.
  Stormshield does not support the 0.0.0.0/0.0.0.0 wildcard selector for the local/remote subnets, so specific selectors must be defined for the tunnel to come up, or dynamic routing must be used instead.
- FortiGate and Oracle.
  When an Oracle unit has multiple subnets configured, multiple phase 2 tunnels must be created on the FortiGate, one per subnet (rather than having multiple subnets on one phase 2 tunnel).
  The FortiGate uses the same SPI value to bring up the phase 2 negotiation for all of the subnets, while Oracle expects a different SPI value for each of its configured subnets. Using multiple phase 2 tunnels on the FortiGate creates a different SPI value for each subnet.
- FortiGate and Google Cloud Platform.
  In a Classic VPN tunnel configuration in GCP, if IKEv2 is used, it is possible to specify multiple CIDRs per traffic selector (encryption domain). Cloud VPN always uses a single Child Security Association (SA), regardless of the IKE version. The FortiGate side uses one Phase 2 per subnet configured in the IPsec VPN tunnel.
- FortiGate and AWS Cloud Platform.
  On FortiOS 7.4.2 and above, a new anti-spoofing feature for VPN is implemented. If multiple phase2 selectors are configured on the FortiGate, the user will encounter intermittent issues and see a selector mismatch error. For more details, refer to the following article: Troubleshooting Tip: FortiOS to AWS VPN Anti-Spoofing issue.
- FortiGate and Barracuda.
  There is an issue encountered when establishing a VPN between FortiOS and Barracuda: a 'malformed message' error is shown when running the IKE debug and the tunnel cannot be established. The solution is to fine-tune the Barracuda VPN settings:
  - Set 'Restart SA on Close' to Yes.
  - Disable 'IKE Reauthentication'.
  Related document from Barracuda: Barracuda VPN
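As an added example that is not part of the original article, the FortiOS CLI below lays out the one-phase2-per-subnet structure recommended above for Cisco ASA, Oracle and GCP peers, together with the settings mentioned for Azure (PFS off, 27000-second phase2 key lifetime, DPD on idle) and the NPU offload switch mentioned for Sophos. The tunnel name, WAN interface, peer address, subnets and pre-shared key are assumed placeholders.

```text
# Added example, not the article's own configuration. Names and addresses are placeholders.
# Phase1: DPD on idle keeps the tunnel alive across key lifetime expiry; NPU offload is
# disabled only as a troubleshooting step for NPU drops.
config vpn ipsec phase1-interface
    edit "to-thirdparty"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set npu-offload disable
        set remote-gw 203.0.113.10
        set psksecret Placeh0lderPSK
    next
end

# Avoid for these peers: a single phase2 whose selector is an address group
# covering several local subnets (or the 0.0.0.0/0 wildcard, which Huawei and
# Stormshield peers reject). One phase2 per local/remote subnet pair instead,
# so each pair negotiates its own child SA and SPI.
config vpn ipsec phase2-interface
    edit "to-thirdparty-p2-lan1"
        set phase1name "to-thirdparty"
        set proposal aes256-sha256
        set pfs disable
        set keylifeseconds 27000
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 192.168.10.0 255.255.255.0
    next
    edit "to-thirdparty-p2-lan2"
        set phase1name "to-thirdparty"
        set proposal aes256-sha256
        set pfs disable
        set keylifeseconds 27000
        set src-subnet 10.2.0.0 255.255.255.0
        set dst-subnet 192.168.10.0 255.255.255.0
    next
end
```

After applying, 'diagnose vpn tunnel list' should show one SA per phase2 entry; on the AWS platform note above, keep this multi-selector layout in mind with FortiOS 7.4.2 and later.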