Basic IPsec VPN Question
Hi Gurus,
I have a basic question to ask.
I am trying to establish a site-to-site VPN. It's between an ASA that is connected behind a FortiGate and another remote ASA. I have configured the required policies on the FortiGate, but the tunnel is not coming up.
When I run a sniffer with the remote peer IP, I cannot see any hits on the firewall.
Question
1. If my side's ASA S2S parameters are correct (or any proposal), even though the remote peer is not reachable, the ASA should generate UDP 500 (or protocol 50) traffic, and it should hit and be dropped on the FortiGate. Am I right on this point?
Thanks in advance.
Nihas
Sorry guys, I was wrong in my concepts. I found out the reason why the traffic is not hitting the FortiGate.
I had to initiate the interesting traffic from the ASA to sniff the packets on the FortiGate.
I thought IKE could generate the traffic by itself.
Thanks
Nihas wrote:
> Sorry guys, I was wrong in my concepts. I found out the reason why the traffic is not hitting the FortiGate.
> I had to initiate the interesting traffic from the ASA to sniff the packets on the FortiGate.
> I thought IKE could generate the traffic by itself.
> Thanks
I am glad you picked it up. Are you using the FortiGate in transparent or NAT mode? If NAT, can you detail the FW rule on the FortiGate that allows VPN access for the local ASA?
The most expensive and scarce resource for man is time; paradoxically, it's infinite.
Hi Laf,
The FortiGate is running in router mode (NAT).
I have a few ASAs connected behind the FortiGate, and I have assigned routable public IPs to their legs.
I have pointed the routes towards the FortiGate (i.e., for the ASAs, the next hop for internet destinations is the FortiGate).
And in the FortiGate I have given policies like:
Source -- ASA leg IP (public IP) --- policy for initiator
Interface -- IN
Destination -- remote peer IP
Interface -- OUT
Service -- UDP-500, UDP-4500
NAT -- disabled
A reverse policy is required if the ASA is to receive IKE packets from the remote peer and act as a responder.
Thanks
Nihas
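Added example, not from the thread: the two FortiGate policies the last post describes (initiator and responder direction, NAT disabled), written out in FortiOS CLI, followed by the sniffer and flow-trace commands used to confirm that the ASA's IKE packets actually traverse the FortiGate. All addresses, interface names and policy names are assumptions for illustration: ASA leg 203.0.113.10 on interface "internal", remote peer 198.51.100.20 reached via "wan1". "IKE" (UDP 500 and 4500) and "ESP" (IP protocol 50) are predefined FortiOS services. One caveat the thread's policy leaves out: it permits only UDP 500/4500, which is enough for IKE and for NAT-T encapsulated data, but with a public IP on the ASA leg and NAT disabled the peers may not negotiate NAT-T, in which case the data traffic is plain ESP (IP protocol 50) and must be allowed as well. As the thread concludes, the ASA sends nothing until interesting traffic matches its crypto map, so generate that traffic before expecting the sniffer to show anything.

```fortios
# Added example (not the original poster's configuration). Assumed values:
# ASA leg 203.0.113.10 behind interface "internal", remote peer 198.51.100.20
# via interface "wan1". Both addresses come from documentation ranges.
config firewall address
    edit "ASA-leg"
        set subnet 203.0.113.10 255.255.255.255
    next
    edit "Remote-peer"
        set subnet 198.51.100.20 255.255.255.255
    next
end

config firewall policy
    # Initiator direction: ASA -> remote peer. "IKE" covers UDP 500/4500,
    # "ESP" covers IP protocol 50 for the non-NAT-T data path.
    edit 0
        set name "ASA-to-peer-IPsec"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "ASA-leg"
        set dstaddr "Remote-peer"
        set action accept
        set schedule "always"
        set service "IKE" "ESP"
        set nat disable
        set logtraffic all
    next
    # Responder direction: remote peer -> ASA, needed whenever the remote
    # side initiates (or rekeys first) and the local ASA must answer.
    edit 0
        set name "peer-to-ASA-IPsec"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "Remote-peer"
        set dstaddr "ASA-leg"
        set action accept
        set schedule "always"
        set service "IKE" "ESP"
        set nat disable
        set logtraffic all
    next
end

# Verification. Verbose level 4 prints the interface each packet is seen on,
# so an IKE packet that appears on "internal" but never on "wan1" points at
# the policy (or routing) on the FortiGate rather than at the ASA.
diagnose sniffer packet any 'host 198.51.100.20 and (udp port 500 or udp port 4500 or proto 50)' 4 0 l

# If packets arrive on "internal" but do not leave "wan1", trace the policy
# decision for the peer address while interesting traffic is generated.
diagnose debug flow filter addr 198.51.100.20
diagnose debug flow show function-name enable
diagnose debug enable
diagnose debug flow trace start 20
# ... send interesting traffic from behind the ASA, then stop the trace:
diagnose debug flow trace stop
diagnose debug disable
```

The flow trace output names the policy ID that accepted the packet, or states why it was dropped (no matching policy, reverse path check, no route), which is the check to run when a sniffer on the inside interface shows the ASA's UDP 500 packets but the outside interface stays silent.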