Brady_R__Houser
New Contributor

StorageCraft Cloud VPN

I wondered if anyone had successfully been able to set up a VPN to the StorageCraft Cloud. They list the VPN requirements as:

Phase 1 settings:

| Option | Setting |
|---|---|
| Authentication Method | Mutual PSK |
| Identifier | IP address of the External WAN IP address |
| Peer identifier | Public IP address assigned to the cloud firewall |
| Shared Key: | Set in the cloud user interface |
| Encryption Method | 3DES |
| Hash Algorithm | SHA1 |
| DH Key group | 2 (1024 bit) |

 

Note: You may need to change other IPsec settings during the configuration process depending on your network and network settings.

Phase 2 settings: 

| Option | Setting |
|---|---|
| Remote network | Set in the StorageCraft cloud user interface. |
| Protocol | ESP |
| Supported Encryption Algorithms | AES, Blowfish, 3DES, CAST128 |
| Supported Hash Algorithms | MD5, SHA1, SHA256, SHA512 |
| PFS key group | off |

 

Which seems to be missing a few config options when I go to set it up on my Fortigate.

 

I thought I would set it up as per a Cisco ASA standard but haven't had any luck so far.

 

My config on 5.2.5 is 

config vpn ipsec phase1-interface
    edit "SCCloud-VPN"
        set interface "wan1"
        set nattraversal disable
        set mode aggressive
        set peertype one
        set proposal 3des-sha1
        set dpd disable
        set dhgrp 2
        set remote-gw 192.41.52.226
        set peerid "192.41.52.226"
        set psksecret ENC IHRvb/N+voLb44Ptr3gVqtzK1+EM3yXBTqPjpwxgpeBRnRqE19U+U/VT2HOAgeaUj6Ya+IDa3m5loj+LcEcVlX6bgP7njFZVoBHmb6nPXFIhulIaEI/ZhbLDdgrnQNVaSZLKuA3TiZc6Xb5NuAstv+Pc3jOdcZuRo9UErMHvHhJw/Fec1rFsEYYQZ3a1ZThYgDObww==
    next
end
config vpn ipsec phase2-interface
    edit "SCCloud-VPN"
        set phase1name "SCCloud-VPN"
        set proposal 3des-sha1
        set pfs disable
        set replay disable
        set keepalive enable
        set auto-negotiate enable
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 192.168.220.0 255.255.255.0
    next
end

 

The debug looks like this. I replaced my public IP with x.x.x.x:

ike 0:SCCloud-VPN: deleting
ike 0:SCCloud-VPN: flushing
ike 0:SCCloud-VPN: flushed
ike 0:SCCloud-VPN: deleted
ike 0:SCCloud-VPN: schedule auto-negotiate
ike config update start
ike 0:SCCloud-VPN: schedule auto-negotiate
ike config update done
ike 0: cache rebuild start
ike 0:SCCloud-VPN: cached as static-ddns
ike 0:_BOOTSTRAP5_: failed to set local gateway to x.x.x.x: 2 No such file or directory
ike 0:_BOOTSTRAP5_: cached as dynamic
ike 0: cache rebuild done
ike 0:SCCloud-VPN: auto-negotiate connection
ike 0:SCCloud-VPN: created connection: 0x2467cf0 5 x.x.x.x->192.41.52.226:500.
ike 0:SCCloud-VPN:160: initiator: aggressive mode is sending 1st message...
ike 0:SCCloud-VPN:160: cookie 3f2fd4c8da10b3d7/0000000000000000
ike 0:SCCloud-VPN:160: out
ike 0:SCCloud-VPN:160: sent IKE msg (agg_i1send): x.x.x.x:500->192.41.52.226:500, len=332, id=3f2fd4c8da10b3d7/0000000000000000
ike 0:SCCloud-VPN:SCCloud-VPN: IPsec SA connect 5 x.x.x.x->192.41.52.226:0
ike 0:SCCloud-VPN:SCCloud-VPN: using existing connection
ike 0:SCCloud-VPN:SCCloud-VPN: config found
ike 0:SCCloud-VPN:SCCloud-VPN: IPsec SA connect 5 x.x.x.x->192.41.52.226:500 negotiating
ike 0:SCCloud-VPN:160:SCCloud-VPN:115: ISAKMP SA still negotiating, queuing quick-mode request
ike 0:SCCloud-VPN:160: out
ike 0:SCCloud-VPN:160: sent IKE msg (P1_RETRANSMIT): x.x.x.x:500->192.41.52.226:500, len=332, id=3f2fd4c8da10b3d7/0000000000000000
ike 0:SCCloud-VPN:SCCloud-VPN: IPsec SA connect 5 x.x.x.x->192.41.52.226:0
ike 0:SCCloud-VPN:SCCloud-VPN: using existing connection
ike 0:SCCloud-VPN:SCCloud-VPN: config found
ike 0:SCCloud-VPN: request is on the queue
ike 0:SCCloud-VPN:SCCloud-VPN: IPsec SA connect 5 x.x.x.x->192.41.52.226:0
ike 0:SCCloud-VPN:SCCloud-VPN: using existing connection
ike 0:SCCloud-VPN:SCCloud-VPN: config found
ike 0:SCCloud-VPN: request is on the queue
ike 0:SCCloud-VPN:160: out
ike 0:SCCloud-VPN:160: sent IKE msg (P1_RETRANSMIT): x.x.x.x:500->192.41.52.226:500, len=332, id=3f2fd4c8da10b3d7/0000000000000000
ike 0:SCCloud-VPN:SCCloud-VPN: IPsec SA connect 5 x.x.x.x->192.41.52.226:0
ike 0:SCCloud-VPN:SCCloud-VPN: using existing connection
ike 0:SCCloud-VPN:SCCloud-VPN: config found
ike 0:SCCloud-VPN: request is on the queue
ike 0:SCCloud-VPN:SCCloud-VPN: IPsec SA connect 5 x.x.x.x->192.41.52.226:0
ike 0:SCCloud-VPN:SCCloud-VPN: using existing connection
ike 0:SCCloud-VPN:SCCloud-VPN: config found
ike 0:SCCloud-VPN: request is on the queue
ike 0:SCCloud-VPN:SCCloud-VPN: IPsec SA connect 5 x.x.x.x->192.41.52.226:0
ike 0:SCCloud-VPN:SCCloud-VPN: using existing connection
ike 0:SCCloud-VPN:SCCloud-VPN: config found
ike 0:SCCloud-VPN: request is on the queue
ike 0:SCCloud-VPN:160: negotiation timeout, deleting
ike 0:SCCloud-VPN: connection expiring due to phase1 down
ike 0:SCCloud-VPN: deleting
ike 0:SCCloud-VPN: flushing
ike 0:SCCloud-VPN: flushed
ike 0:SCCloud-VPN: deleted
ike 0:SCCloud-VPN: schedule auto-negotiate
ike 0:SCCloud-VPN: auto-negotiate connection
ike 0:SCCloud-VPN: created connection: 0x2467cf0 5 x.x.x.x->192.41.52.226:500.
ike 0:SCCloud-VPN:161: initiator: aggressive mode is sending 1st message...
ike 0:SCCloud-VPN:161: cookie 9a80b9cba4544ff5/0000000000000000
ike 0:SCCloud-VPN:161: out
ike 0:SCCloud-VPN:161: sent IKE msg (agg_i1send): x.x.x.x:500->192.41.52.226:500, len=332, id=9a80b9cba4544ff5/0000000000000000
diagnose
ike 0:SCCloud-VPN:SCCloud-VPN: IPsec SA connect 5 x.x.x.x->192.41.52.226:0
ike 0:SCCloud-VPN:SCCloud-VPN: using existing connection
ike 0:SCCloud-VPN:SCCloud-VPN: config found
ike 0:SCCloud-VPN:SCCloud-VPN: IPsec SA connect 5 x.x.x.x->192.41.52.226:500 negotiating
ike 0:SCCloud-VPN:161:SCCloud-VPN:116: ISAKMP SA still negotiating, queuing quick-mode request
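
As an added example (not part of the original post), this Python sketch triages `ike` debug output of the kind shown above: it groups sent messages per phase-1 attempt and flags attempts where the responder cookie in `id=` never becomes non-zero, meaning no reply from the peer was processed. The sample lines are constructed; the address `192.0.2.10`, the `Other-VPN` tunnel and the function name `triage` are assumptions.

```python
import re

# Constructed sample in the format of the debug output above; 192.0.2.10 and
# the Other-VPN attempt (one that did get an answer) are made up for contrast.
SAMPLE = """\
ike 0:SCCloud-VPN:160: initiator: aggressive mode is sending 1st message...
ike 0:SCCloud-VPN:160: sent IKE msg (agg_i1send): x.x.x.x:500->192.0.2.10:500, len=332, id=3f2fd4c8da10b3d7/0000000000000000
ike 0:SCCloud-VPN:160: sent IKE msg (P1_RETRANSMIT): x.x.x.x:500->192.0.2.10:500, len=332, id=3f2fd4c8da10b3d7/0000000000000000
ike 0:SCCloud-VPN:160: sent IKE msg (P1_RETRANSMIT): x.x.x.x:500->192.0.2.10:500, len=332, id=3f2fd4c8da10b3d7/0000000000000000
ike 0:SCCloud-VPN:160: negotiation timeout, deleting
ike 0:Other-VPN:7: sent IKE msg (ident_i1send): x.x.x.x:500->192.0.2.10:500, len=200, id=1111111111111111/0000000000000000
ike 0:Other-VPN:7: sent IKE msg (ident_i2send): x.x.x.x:500->192.0.2.10:500, len=180, id=1111111111111111/2222222222222222
"""
SENT = re.compile(
    r"ike \d+:([\w-]+):(\d+): sent IKE msg \((\w+)\): \S+, len=\d+, "
    r"id=([0-9a-f]{16})/([0-9a-f]{16})")
TIMEOUT = re.compile(r"ike \d+:([\w-]+):(\d+): negotiation timeout")
NO_COOKIE = "0" * 16

def triage(log):
    """Summarise each phase-1 attempt, keyed by (tunnel, SA number)."""
    sas = {}
    def entry(tunnel, sa):
        return sas.setdefault((tunnel, int(sa)), {
            "sent": 0, "retransmits": 0, "peer_answered": False, "timed_out": False})
    # finditer over the whole text, so a log flattened onto one line still parses
    for m in SENT.finditer(log):
        tunnel, sa, kind, _initiator_cookie, responder_cookie = m.groups()
        e = entry(tunnel, sa)
        e["sent"] += 1
        e["retransmits"] += kind == "P1_RETRANSMIT"
        # The responder cookie stays all-zero until a reply has been processed.
        e["peer_answered"] |= responder_cookie != NO_COOKIE
    for m in TIMEOUT.finditer(log):
        entry(*m.groups())["timed_out"] = True
    for e in sas.values():
        if not e["peer_answered"]:
            e["verdict"] = "no reply to first phase-1 message"
        elif e["timed_out"]:
            e["verdict"] = "peer replied, negotiation stalled later"
        else:
            e["verdict"] = "peer replied"
    return sas

if __name__ == "__main__":
    for key, info in triage(SAMPLE).items():
        print(key, info)
```

In the log above, attempt 160 shows only `agg_i1send` and `P1_RETRANSMIT` with a zero responder cookie before timing out, so the settings to re-check are the ones that shape the first message: mode, identifiers and the phase-1 proposal.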

1 REPLY 1
Brady_R__Houser
New Contributor

After putting off getting this up and running I've finally decoded the setup.

 

The key was disabling the peer id. When I removed it the VPN tunnel came up and started to work correctly.

 

config vpn ipsec phase1-interface
    edit "SCCloud-VPN"
        set interface "wan1"
        set nattraversal disable
        set keylife 28800
        set proposal 3des-sha1
        set dpd disable
        set dhgrp 2
        set remote-gw 192.41.52.226
        set psksecret ENC <encrypted PSK>
    next
end
config vpn ipsec phase2-interface
    edit "SCloud-VPN-P2"
        set phase1name "SCCloud-VPN"
        set proposal 3des-sha1
        set pfs disable
        set replay disable
        set keepalive enable
        set auto-negotiate enable
        set keylifeseconds 28800
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 192.168.220.0 255.255.255.0
    next
end
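
An added example (not from the poster) that compares the two phase-1 blocks posted in this thread: besides `peerid`, the second block also no longer carries `set mode aggressive` or `set peertype one`. The `psksecret` lines are left out of the samples, the helper names `parse` and `diff` are assumptions, and the sketch does not model what FortiOS applies when a setting is omitted.

```python
import re

# Phase-1 blocks as posted in the thread, psksecret lines omitted.
BEFORE = ('config vpn ipsec phase1-interface edit "SCCloud-VPN" set interface "wan1" '
          'set nattraversal disable set mode aggressive set peertype one '
          'set proposal 3des-sha1 set dpd disable set dhgrp 2 '
          'set remote-gw 192.41.52.226 set peerid "192.41.52.226" next end')
AFTER = ('config vpn ipsec phase1-interface edit "SCCloud-VPN" set interface "wan1" '
         'set nattraversal disable set keylife 28800 set proposal 3des-sha1 '
         'set dpd disable set dhgrp 2 set remote-gw 192.41.52.226 next end')

# One "edit <name> ... next" entry, and one "set <key> <value...>" inside it.
ENTRY = re.compile(r'\bedit\s+"?([^"\s]+)"?\s+(.*?)\s+next\b', re.S)
SETTING = re.compile(r'\bset\s+(\S+)\s+(.+?)(?=\s+set\s|\s*$)', re.S)

def parse(config):
    """Return {entry name: {setting: value}} for flattened or multi-line text."""
    return {
        name: {key: " ".join(value.split()).strip('"')
               for key, value in SETTING.findall(body)}
        for name, body in ENTRY.findall(config)
    }

def diff(before, after, entry):
    """Settings removed, added or changed for one named entry."""
    old, new = parse(before)[entry], parse(after)[entry]
    return {
        "removed": {k: old[k] for k in old.keys() - new.keys()},
        "added": {k: new[k] for k in new.keys() - old.keys()},
        "changed": {k: (old[k], new[k])
                    for k in old.keys() & new.keys() if old[k] != new[k]},
    }

if __name__ == "__main__":
    for section, items in diff(BEFORE, AFTER, "SCCloud-VPN").items():
        print(section, items)
```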
