I configured a ikev1 tunnel between Cisco IOS and Fortigate.
The tunnel comes up but communication only works after a client of the remote site (cisco) initiated some traffic.
As you can see in the Fortigate capture, the packet to 10.183.2.1 is sent into the tunnel IPsec tunnel-1.2.3.62 which is the correct tunnel.
The capture on the cisco router shows nothing until I start a ping.
The exact same configuration works with other remote router i tested like pfsense and a linux based system also using policy based vpn.
----------------------------------------------------------------------
Cisco configuration
----------------------------------------------------------------------
!
crypto isakmp policy 9
encryption aes 256
authentication pre-share
group 14
lifetime 28800
crypto isakmp key ****** address 1.2.3.36 no-xauth
crypto isakmp keepalive 30 5
crypto isakmp nat keepalive 15
!
crypto ipsec transform-set AES256-SHA1 esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto map IPSECMAP 9 ipsec-isakmp
set peer 1.2.3.36
set transform-set AES256-SHA1
set pfs group14
match address 191
qos pre-classify
!
interface GigabitEthernet1
description *** wan ***
ip address 1.2.3.62 255.255.255.224
ip nat outside
negotiation auto
no mop enabled
no mop sysid
crypto map IPSECMAP
!
ip nat inside source list 180 interface GigabitEthernet1 overload
!
ip access-list extended 180
10 deny ip 10.183.2.0 0.0.0.255 100.64.0.0 0.0.0.7
20 deny ip 10.183.2.0 0.0.0.255 10.199.1.0 0.0.0.255
30 deny ip 10.183.2.0 0.0.0.255 172.18.0.0 0.0.255.255
40 deny ip 10.183.2.0 0.0.0.255 192.168.201.72 0.0.0.7
50 permit ip 10.183.2.0 0.0.0.255 any
!
ip access-list extended 191
10 permit ip 10.183.2.0 0.0.0.255 172.18.0.0 0.0.255.255
20 permit ip 10.183.2.0 0.0.0.255 192.168.201.72 0.0.0.7
30 permit ip 10.183.2.0 0.0.0.255 100.64.0.0 0.0.0.7
!
----------------------------------------------------------------------
Fortigate configuration
----------------------------------------------------------------------
Fortigate # show vpn ipsec phase1-interface 1.2.3.62
config vpn ipsec phase1-interface
edit "1.2.3.62"
set interface "port1"
set local-gw 1.2.3.36
set keylife 28800
set peertype any
set net-device disable
set proposal aes256-sha1
set localid "1.2.3.36"
set localid-type address
set dhgrp 14
set remote-gw 1.2.3.62
set psksecret ENC ******
set keepalive 20
next
end
Fortigate # show vpn ipsec phase2-interface 1.2.3.62
config vpn ipsec phase2-interface
edit "1.2.3.62"
set phase1name "1.2.3.62"
set proposal aes256-sha1
set dhgrp 14
set auto-negotiate enable
set src-addr-type name
set dst-addr-type name
set keylifeseconds 3600
set src-name "SN_local-lan"
set dst-name "SN_remote-lan"
next
end
Fortigate # show router static 421
config router static
edit 421
set device "1.2.3.62"
set dstaddr "SN_remote-lan"
next
end
----------------------------------------------------------------------
Fortigate Capture when trying to initiate traffic from
forti site to remote after tunnel was down
----------------------------------------------------------------------
id=20085 trace_id=1 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 172.18.96.201:111->10.183.2.1:2048) from port9.717. type=8, code=0, id=111, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5995 msg="allocate a new session-00008443"
id=20085 trace_id=1 func=iprope_dnat_check line=5058 msg="in-[port9.717], out-[]"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2621 msg="find a route: flag=04000000 gw-10.183.2.1 via 1.2.3.62"
id=20085 trace_id=1 func=get_new_addr line=1194 msg="find SNAT: IP-10.9.0.254(from IPPOOL), port-60527"
id=20085 trace_id=1 func=__iprope_check_one_policy line=2175 msg="policy-572 is matched, act-accept"
id=20085 trace_id=1 func=iprope_reverse_dnat_check line=1270 msg="in-[port9.717], out-[1.2.3.62], skb_flags-02000000, vid-0"
id=20085 trace_id=1 func=fw_snat_check line=509 msg="NAT disabled by central SNAT policy!"
id=20085 trace_id=1 func=fw_forward_handler line=808 msg="Allowed by Policy-572:"
id=20085 trace_id=1 func=ipsecdev_hard_start_xmit line=790 msg="enter IPsec interface-1.2.3.62"
id=20085 trace_id=1 func=_ipsecdev_hard_start_xmit line=667 msg="IPsec tunnel-1.2.3.62"
Solved! Go to Solution.
I identified the problem...
I was using group address objects in fortigates phase2-interface local and remote network which is supported according to Fortigates support. But, some other routers on the remote site do not support this. Fortigate Support has now added this note to their documentation.
https://docs.fortinet.com/document/fortigate/6.4.11/administration-guide/604285
I had to split and create a phase2-interface per remote or local subnet.
Although the cisco router actually showed both networks in the ipsec session of the tunnel.
Hi sidp
You can try mesh-selector-type subnet instead. Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Dynamic-creation-of-IPsec-tunnels-IKEv1-dy... for more information.
Hi sidp
If the tunnel is not up, you should do ike debug instead of debug flow. Since FGT act as initiator in this case, probably you will need to enable ike debug on the Cisco side when FGT generate traffic towards Cisco side to see why tunnel is not up.
Hi ESCHAN_FTNT,
The tunnel is up (P1 & P2) and also comes up automatically after I reboot the router.
I identified the problem...
I was using group address objects in fortigates phase2-interface local and remote network which is supported according to Fortigates support. But, some other routers on the remote site do not support this. Fortigate Support has now added this note to their documentation.
https://docs.fortinet.com/document/fortigate/6.4.11/administration-guide/604285
I had to split and create a phase2-interface per remote or local subnet.
Although the cisco router actually showed both networks in the ipsec session of the tunnel.
Hi sidp
You can try mesh-selector-type subnet instead. Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Dynamic-creation-of-IPsec-tunnels-IKEv1-dy... for more information.
Do you know a way how to configure that also with dynamic (Dialup) IKEv1 and static IKEv2 vpns?
The "set mesh-selector-type subnet" option is only available in static IKEv1 configurations....
Just for the record.
The following article says that this option is only available with IKEv1 so we had to create a phase2-interface per subnet.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.