Support Forum
kummyquat
New Contributor

Creating VPN between a PIX and a Fortinet

Here's what we have. The Fortinet box seems to possibly get through Phase 1 but then get stuck on Phase 2. It's very difficult to interpret what it's doing or where it's going wrong. I'm much more familiar with (my) PIX end and it too is extremely vague about where it's not working. Can anyone tell me what we may be missing here? Here's what we have on both sides. I've blacked out IP addresses and whatnot.
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set fortinet esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address 85
crypto map outside_map 10 set peer 10.x.x.x
crypto map outside_map 10 set transform-set fortinet
crypto map outside_map 10 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address 90
crypto map outside_map 20 set peer 10.x.x.x
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface EPORT
isakmp enable EPORT
isakmp key ******** address 10.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 10.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800

emnoc
Esteemed Contributor III

Lastly, is NAT-T enabled? I have a hunch, looking at the address, that you're being NATed. E.g.: config t, then isakmp nat-traversal [natkeepalive value optional here]. I think it defaults to 60 secs, but it depends on the ASA/PIX codeset, IIRC. Let us know.

PCNSE NSE StrongSwan
kummyquat
New Contributor

The tunnel to 10.28.0.227 (the one attached to ACL 95) is working fine. I wouldn't want to change the "nat (inside) 0 access-list 95" line then, would I? Isn't that line already saying do not NAT anything? I apologize, I'm a little confused here. I must admit I only barely know what I'm doing. I see nothing in the config concerning nat-traversal.
kummyquat
New Contributor

Oh wait. I'd want to NAT traffic to the 199 addresses but not to the 10. addresses. So I'd add:
access-list nonat permit ip 10.74.33.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list nonat
Right?
emnoc
Esteemed Contributor III

The tunnel to 10.28.0.227 (the one attached to ACL 95) is working fine. I wouldn't want to change the "nat (inside) 0 access-list 95" line then, would I? Isn't that line already saying do not NAT anything? I apologize, I'm a little confused here. I must admit I only barely know what I'm doing. I see nothing in the config concerning nat-traversal. < Message edited by kummyquat -- 2/10/2012 12:00:44 PM >
ACL 95 is a no-NAT statement from the posted configs. Be cautious if you really need to NAT traffic from your LAN segment. NAT-T needs enabling if you're being NATed; the cfg sample is posted earlier. And you really need to post the show crypto command output and the FGT diagnostics (diag debug app ike 0, get vpn ..., etc.). BTW, I know it's probably redundant, but make sure you have firewall policies in place and the correct route on the FGT. I figured I would point that out.

kummyquat
New Contributor

Doesn't it make sense to worry about simply getting the tunnel itself working before worrying about how the traffic is going over it? I don't have direct access to the FGT since it's in another location, so I'm not sure I can get you the diagnostic information from it. show crypto ipsec sa shows a lot of info about the working tunnel but nothing about this one.
 Crypto Map: "outside_map" interfaces: { EPORT }
 
 Crypto Map "outside_map" 10 ipsec-isakmp
         Peer = 10.48.4.6
         access-list 85; 1 elements
         access-list 85 line 1 permit ip 10.74.33.0 255.255.255.0 host 199.38.8.88 (hitcnt=845)
         Current peer: 10.48.4.6
         Security association lifetime: 4608000 kilobytes/86400 seconds
         PFS (Y/N): N
         Transform sets={ fortinet, }
 
 Crypto Map "outside_map" 20 ipsec-isakmp
         Peer = 10.28.0.227
         access-list 90; 5 elements
         access-list 90 line 1 deny ip 10.74.33.0 255.255.255.0 10.49.202.0 255.255.255.0 (hitcnt=0)
         access-list 90 line 2 deny ip 10.74.33.0 255.255.255.0 10.67.75.0 255.255.255.0 (hitcnt=0)
         access-list 90 line 3 deny ip 10.74.33.0 255.255.255.0 10.66.64.0 255.255.255.0 (hitcnt=0)
         access-list 90 line 4 deny ip 10.74.33.0 255.255.255.0 10.71.56.0 255.255.255.0 (hitcnt=0)
         access-list 90 line 5 permit ip 10.74.33.0 255.255.255.0 any (hitcnt=22983538)
         Current peer: 10.28.0.227
         Security association lifetime: 4608000 kilobytes/28800 seconds
         PFS (Y/N): N
         Transform sets={ ESP-3DES-SHA, }
 
emnoc
Esteemed Contributor III

Doesn't it make sense to worry about simply getting the tunnel itself working before worrying about how the traffic is going over it?
Oh brother. Yes, but if the interesting traffic is not being met or matched, then how in the world is the tunnel ever going to come active? The tunnel doesn't magically just say "I'm going to be active" without some supporting traffic. A simple configuration error at the proxy IP address and your tunnel will be as flat as a lake on a windless day. You still need the appropriate show crypto isakmp sa and ipsec sa output, and you still need to ensure NAT-T is enabled if you're being NATed. Depending on the PIX version, you might be able to run packet-tracer to see what happens to traffic destined to host 199.38.8.88 and whether you're even remotely close to hitting your encryption policy. Outside of that, I'm out of suggestions, and you will NEED to get them (FGT) and yourself involved and run more diagnostics. Good luck.

kummyquat
New Contributor

Help me understand whether I need to change any of these settings:
access-list 95 permit ip 10.74.33.0 255.255.255.0 any
nat (inside) 0 access-list 95
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (EPORT) 10 0.0.0.0 0.0.0.0 0 0
isakmp nat-traversal 20
Is there any need to NAT between the 10.74.33.0 subnet and the 199.38.8.0 one if going over the VPN? I'm a little hazy on that. If I do need to NAT between those subnets (and not the 10.74.33.0 -> 10.27.80.0 going over the other tunnel), how do I enable that?
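Two things the thread keeps circling back to are emnoc's point that Phase 2 only comes up when the PIX's crypto ACL (the proxy IDs) is mirrored exactly by the FortiGate phase2 selectors, and kummyquat's question about whether the nat 0 (NAT exemption) ACL covers the traffic that should enter the tunnel. The script below, added here as an illustration and not part of the forum thread or either vendor's tooling, parses the posted PIX lines, derives the Phase 2 proxy IDs and transform the PIX will propose for crypto map entry 10, compares them against a FortiGate phase2 definition, and checks that the nat 0 ACL exempts the same traffic. The FortiGate values in FGT_PHASE2 are constructed (the thread never shows the FortiGate side) and are deliberately wrong in two ways, a /24 instead of a /32 selector and PFS enabled, so that the output shows what a Phase 2 mismatch looks like.

```python
"""Added example: check a PIX crypto map entry against a FortiGate phase2.

Not from the thread. PIX lines are modelled on the posted config (peer as in
the show crypto ipsec sa output); FGT_PHASE2 is a constructed, hypothetical
FortiGate phase2 used to demonstrate the mismatch report.
"""
import ipaddress

PIX_CONFIG = """
access-list 85 permit ip 10.74.33.0 255.255.255.0 host 199.38.8.88
access-list 95 permit ip 10.74.33.0 255.255.255.0 any
nat (inside) 0 access-list 95
crypto ipsec transform-set fortinet esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address 85
crypto map outside_map 10 set peer 10.48.4.6
crypto map outside_map 10 set transform-set fortinet
crypto map outside_map 10 set security-association lifetime seconds 86400 kilobytes 4608000
"""

# Hypothetical FortiGate phase2 (constructed). Selectors are written from the
# FortiGate's point of view: src is its local side, dst is the PIX side.
FGT_PHASE2 = {
    "src_subnet": "199.38.8.0/24",   # PIX proposes host 199.38.8.88 -> must be /32
    "dst_subnet": "10.74.33.0/24",
    "proposal": {"3des-sha1"},
    "pfs": True,                     # PIX entry has no 'set pfs' -> mismatch
}

# PIX transform keywords -> FortiGate proposal tokens
TRANSFORM = {"esp-3des": "3des", "esp-des": "des", "esp-aes": "aes128",
             "esp-aes-256": "aes256", "esp-sha-hmac": "sha1", "esp-md5-hmac": "md5"}
HASHES = {"sha1", "md5"}


def _net(tokens):
    """Consume one ACL address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network((tokens[0], tokens[1])), tokens[2:]


def parse_pix(config):
    """Collect ACLs, transform sets, crypto map entries and the nat 0 ACL name."""
    cfg = {"acl": {}, "ts": {}, "maps": {}, "nat0": None}
    for line in config.strip().splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[3] == "ip":
            src, rest = _net(t[4:])
            dst, _ = _net(rest)
            cfg["acl"].setdefault(t[1], []).append((t[2], src, dst))
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["ts"][t[3]] = set(t[4:])
        elif t[:2] == ["crypto", "map"] and t[4] in ("match", "set"):
            m = cfg["maps"].setdefault(int(t[3]), {})
            if t[4] == "match":
                m["acl"] = t[6]
            elif t[5] == "peer":
                m["peer"] = t[6]
            elif t[5] == "transform-set":
                m["ts"] = t[6]
            elif t[5] == "pfs":
                m["pfs"] = True
            elif t[5:7] == ["security-association", "lifetime"] and "seconds" in t:
                m["seconds"] = int(t[t.index("seconds") + 1])
        elif t[:2] == ["nat", "(inside)"] and t[2] == "0":
            cfg["nat0"] = t[4]
    return cfg


def proxy_ids(cfg, seq):
    """(local, remote) selectors the PIX proposes for map entry `seq` (permit lines only)."""
    return [(s, d) for act, s, d in cfg["acl"][cfg["maps"][seq]["acl"]] if act == "permit"]


def check_phase2(cfg, seq, fgt):
    """Return mismatch descriptions between PIX map entry `seq` and a FortiGate phase2."""
    m, findings = cfg["maps"][seq], []
    fsrc, fdst = ipaddress.ip_network(fgt["src_subnet"]), ipaddress.ip_network(fgt["dst_subnet"])
    for src, dst in proxy_ids(cfg, seq):
        # Quick mode selectors must mirror: PIX local/remote == FortiGate dst/src.
        if (src, dst) != (fdst, fsrc):
            findings.append(f"selector: PIX proposes {src} -> {dst}, FGT has {fdst} -> {fsrc}")
    names = {TRANSFORM.get(x, x) for x in cfg["ts"][m["ts"]]}
    enc = next(n for n in names if n not in HASHES)
    auth = next(n for n in names if n in HASHES)
    pix_prop = f"{enc}-{auth}"
    if pix_prop not in fgt["proposal"]:
        findings.append(f"proposal: PIX offers {pix_prop}, FGT accepts {sorted(fgt['proposal'])}")
    if bool(m.get("pfs")) != bool(fgt["pfs"]):
        findings.append(f"pfs: PIX {'on' if m.get('pfs') else 'off'}, FGT {'on' if fgt['pfs'] else 'off'}")
    return findings


def nat0_covers(cfg, seq):
    """True when every proxy ID of map entry `seq` is exempted from NAT by the nat 0 ACL."""
    exempt = [(s, d) for act, s, d in cfg["acl"].get(cfg["nat0"], []) if act == "permit"]
    return all(any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt)
               for src, dst in proxy_ids(cfg, seq))


if __name__ == "__main__":
    cfg = parse_pix(PIX_CONFIG)
    for f in check_phase2(cfg, 10, FGT_PHASE2):
        print("MISMATCH", f)
    print("nat 0 exempts tunnel traffic:", nat0_covers(cfg, 10))
```

Run against the constructed FortiGate entry it reports the selector and PFS mismatches; change src_subnet to 199.38.8.88/32 and pfs to False and the report is empty, which is the state the thread is trying to reach. The nat 0 check answers the NAT question for the posted config: access-list 95 permits 10.74.33.0/24 to any, so traffic to 199.38.8.88 is not translated and enters the tunnel with its real source, matching access-list 85. SA lifetime is parsed but not flagged, since IKEv1 peers settle on the shorter of the two values rather than failing.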
patrickjburt
New Contributor

Nice, but the process is really complicated...
