Hi Gurus,
I have basic question to ask.
I am trying to establish a Site to Site VPN. It's Between an ASA which is connected behind Fortigate and another remote ASA. I have given required policies in fortigate. But Tunnel is not coming up.
When I do a sniffer packet with remote peer IP, I cannot see any hits on the firewall.
Question
1. If my side ASA S2S parameters are correct ( or any proposal) even though the remote peer is not reachable the ASA should generate UDP 500 ( or protocol-50) and it should hit and drop on the Fortigate , Am I right on this point?
Thanks in advance.
Nihas
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Sorry Guys. I was wrong in my concepts. Find out the reason why traffic is not hitting on Fortigate.
I had to initiate the interesting traffic from ASA to sniff the packet in Fortigate.
I thought the IKE can generate the traffic by it's own.
Thanks
Nihas wrote:Sorry Guys. I was wrong in my concepts. Find out the reason why traffic is not hitting on Fortigate.
I had to initiate the interesting traffic from ASA to sniff the packet in Fortigate.
I thought the IKE can generate the traffic by it's own.
Thanks
I am glad you picked it up; you are using Fortigate on Transparent or NAT mode? If NAT can you detail the FW rule on Fortigate that allows VPN access for the local ASA?
The most expensive and scarce resource for man is time, paradoxically, it' s infinite.
Hi Laf,
The fortigate is running on Router Mode (NAT).
I have few ASA's connected behind the Fortigate, and I have assigned routable public IP's to their legs.
I have pointed the routes towards the Fortigate. (ie, For ASA's the next hope is Fortigate for the internet destinations)
And in Fortigate I have given policies like
Source -- ASA Leg IP( Public IP ) --- Policy for Initiator
Interface -- IN
Destination - Remote Peer IP
Interface -- OUT
Service -- UDP-500, UDP-4500
NAT - Disabled
A Reverse policy is required if the ASA wants to receive the IKE packets from the Remote peer and act as an Responder.
Thanks
Nihas
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.