Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Nihas
New Contributor

Basic IPSEC VPN Question

Hi Gurus,

I have basic question to ask.

 

I am trying to establish a Site to Site VPN. It's  Between an ASA which is connected behind Fortigate and another remote ASA. I have given required policies in fortigate. But Tunnel is not coming up.

When I do a sniffer packet with remote peer IP, I cannot see any hits on the firewall.

 

Question

1. If my side ASA S2S parameters are correct ( or any proposal) even though the remote peer is not reachable the ASA should generate UDP 500 ( or protocol-50) and it should hit and drop on the Fortigate , Am I right on this point? 

 

 

Thanks in advance.

Nihas

 

 

 

 

 

 

 

 

 

 

Nihas [\b]
Nihas [\b]
3 REPLIES 3
Nihas
New Contributor

Sorry Guys. I was wrong in my concepts. Find out the reason why traffic is not hitting on Fortigate.

I had to initiate the interesting traffic from ASA to sniff the packet in Fortigate.

I thought the IKE can generate the traffic by it's own. 

Thanks 

 

Nihas [\b]
Nihas [\b]
laf
New Contributor II

Nihas wrote:

Sorry Guys. I was wrong in my concepts. Find out the reason why traffic is not hitting on Fortigate.

I had to initiate the interesting traffic from ASA to sniff the packet in Fortigate.

I thought the IKE can generate the traffic by it's own. 

Thanks 

 

I am glad you picked it up; you are using Fortigate on Transparent or NAT mode? If NAT can you detail the FW rule on Fortigate that allows VPN access for the local ASA?

The most expensive and scarce resource for man is time, paradoxically, it' s infinite.

The most expensive and scarce resource for man is time, paradoxically, it' s infinite.
Nihas
New Contributor

Hi Laf,

The fortigate is running on Router Mode (NAT).

 

I have few ASA's connected behind the Fortigate, and I have assigned routable public IP's to their legs. 

 I have pointed the routes towards the Fortigate. (ie, For ASA's the next hope is Fortigate for the internet destinations)

And in Fortigate I have given policies like 

Source -- ASA Leg IP( Public IP )  --- Policy for Initiator

Interface -- IN

Destination - Remote Peer IP 

Interface -- OUT 

Service -- UDP-500, UDP-4500  

NAT - Disabled 

A Reverse policy is required if the ASA wants to receive the IKE packets from the Remote peer and act as an Responder.

 

Thanks

Nihas

Nihas [\b]
Nihas [\b]
Top Kudoed Authors