Fortinet Forum
Guizado
New Contributor

VPN to Cisco, Initiation from one side only??

Hello everyone,

I might need some help here, as I think there might be some sort of bug.

So I was doing an interface-mode IPsec VPN connection to a Cisco ASA. Everything was fine: the VPN came up, policies are set both ways to the tunnel interface, and the static routes are there.

If I try to initiate the connection from my end (ping from one host to another host in the two encryption domains), I see the packets going through the policy, and the other end sees the packets, but the Cisco firewall reports a mismatch of some sort, so the packets are getting encrypted and sent over the tunnel but it stops there.

Now if the connection is initiated from the Cisco side, and then I try that ping again, everything works, so there aren't any routing issues or policy issues; otherwise it would not work just by having the Cisco establish the encryption domain between those specific subnets.

So now the strange part: this VPN is done with a local and remote subnet set in Phase 2 of the VPN config as an address group, as there are 4 subnets on each side that need to use the VPN.

Now if I remove the group and just add 1 subnet from each side by typing the IP address (10.10.10.0/24, as an example) in both the local and remote sections of the Phase 2 VPN connection, I bring the tunnel down, I bring it back up, and it works fine.

So the problem seems to be that I cannot use group objects, but there isn't any way for me to add 4 different subnets by actually typing the address instead of using an address object.

Does anyone have any solutions for this?

Many Thanks

Guizado
New Contributor

Hmmm, I have just seen the Phase 2 selectors. Does that mean if I have 4 local subnets and 4 remote subnets I will need 16 Phase 2 selectors?

That surely can't be right.

emnoc
Esteemed Contributor III

No, you can add 4x ph2 selectors. Try with the "ip address" first and then work up to the address group. I have seen the exact same issues in v5.6.3, where fw.addr.obj gave issues, but if you set an actual address it works.

e.g.

config vpn ipsec phase2-interface
    edit ph2_1
        set phase1name blahblah
        set src-subnet 10.10.0.0/24
        set dst-subnet 1.1.1.0/24
    next
    edit ph2_2
        set phase1name blahblah
        set src-subnet 10.10.0.0/24
        set dst-subnet 1.1.2.0/24
    next
    and so on...
end

Ken

PCNSE
NSE
StrongSwan

Guizado
New Contributor

This is good news, at least there is a fix, but because I have 4 subnets on one side that need to be able to communicate with the other 4, this originates 16 different combinations where it goes:

Local1 -- Remote1

Local1 -- Remote2

Local1 -- Remote3

Local1 -- Remote4

Local2 -- Remote1

Local2 -- Remote2

Local2 -- Remote3

Local2 -- Remote4

and so on. I mean it's not a problem, it just seems like too much clutter in the config to get around a problem that shouldn't be there.

Many Thanks
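As an added example (not code from the thread, from Fortinet, or from either poster), a small Python script that generates the full local x remote set of phase2-interface selectors emnoc describes, so the 16 entries for a 4x4 setup do not have to be typed by hand. The phase1 name and the subnets are constructed placeholders; the CLI keywords are standard FortiOS phase2-interface settings.

```python
import ipaddress
from itertools import product

# Constructed sample data: four local and four remote subnets, as in the thread.
LOCAL_SUBNETS = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24", "10.10.4.0/24"]
REMOTE_SUBNETS = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24"]
PHASE1_NAME = "to-cisco-asa"  # hypothetical phase1-interface name


def build_phase2_selectors(phase1, local, remote):
    """Return (selector_name, src_net, dst_net) for every local x remote pair.

    Subnets are parsed with strict=True, so a host address such as
    10.10.1.5/24 is rejected instead of silently becoming a selector, and
    an overlapping local/remote pair is refused because it would never
    match the peer's proxy-IDs cleanly.
    """
    local_nets = [ipaddress.ip_network(s, strict=True) for s in local]
    remote_nets = [ipaddress.ip_network(s, strict=True) for s in remote]
    selectors = []
    for i, (src, dst) in enumerate(product(local_nets, remote_nets), start=1):
        if src.overlaps(dst):
            raise ValueError(f"local {src} overlaps remote {dst}")
        selectors.append((f"{phase1}_p2_{i}", src, dst))
    return selectors


def render_fortios_config(phase1, selectors):
    """Render the selectors as one 'config vpn ipsec phase2-interface' block."""
    lines = ["config vpn ipsec phase2-interface"]
    for name, src, dst in selectors:
        lines += [
            f"    edit {name}",
            f"        set phase1name {phase1}",
            f"        set src-subnet {src.network_address} {src.netmask}",
            f"        set dst-subnet {dst.network_address} {dst.netmask}",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    sel = build_phase2_selectors(PHASE1_NAME, LOCAL_SUBNETS, REMOTE_SUBNETS)
    print(render_fortios_config(PHASE1_NAME, sel))
```

Paste the printed block into the FortiGate CLI; each selector pairs one local subnet with one remote subnet, which is what the ASA's crypto map ACL entries expect to see.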