Dear colleagues,
Does anyone have a working solution for a topology like this: multiple Cisco routers (dynamic WAN IP) -> IPsec tunnel (aggressive mode) -> FortiGate (static WAN IP, dialup user IPsec VPN gateway, aggressive mode)?
I've tried some combinations of configuration on the Cisco router but found only one working solution, with dialup user main mode IPsec.
I've found the solution finally. But now I'm facing a new issue: OSPF doesn't come up.
I am using dialup user IPsec VPN with aggressive mode. I have also configured static addresses for the tunnel interfaces on the FortiGate and on the Cisco router. This config is for a test environment. Aggressive mode + dialup user is the customer's requirement, so I can't step back from it.
Configurations are as follows:
=================================Cisco==========================
!
crypto keyring KEYR1
  pre-shared-key address 192.168.70.201 key aq1sw2de3
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp profile ISAKMP_PROF
   keyring KEYR1
   self-identity user-fqdn hub-cisco
   match identity address 192.168.70.201 255.255.255.0
   initiate mode aggressive
!
!
crypto ipsec transform-set TEST-SET esp-3des esp-md5-hmac
 mode tunnel
!
!
crypto ipsec profile TEST-PROFILE
 set transform-set TEST-SET
 set pfs group2
 set isakmp-profile ISAKMP_PROF
!
interface Tunnel0
 ip address 10.0.100.2 255.255.255.0
 ip ospf network point-to-point
 ip ospf mtu-ignore
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 192.168.70.201
 tunnel protection ipsec profile TEST-PROFILE
end
!
interface GigabitEthernet1
 ip address 192.168.70.216 255.255.255.0
 negotiation auto
!
!
router ospf 10
 router-id 10.0.201.3
 passive-interface GigabitEthernet2
 network 10.0.100.0 0.0.0.3 area 0
!
ip route 0.0.0.0 0.0.0.0 192.168.70.1
!
======================FG================================
config vpn ipsec phase1-interface
    edit "agg-to-ISR"
        set type dynamic
        set interface "port10"
        set nattraversal disable
        set mode aggressive
        set peertype one
        set proposal 3des-md5
        set add-route disable
        set dpd disable
        set dhgrp 2
        set peerid "hub-cisco"
        set psksecret ENC ***
    next
end
config vpn ipsec phase2-interface
    edit "agg-to-ISR"
        set phase1name "agg-to-ISR"
        set proposal 3des-md5
        set dhgrp 2
    next
end
config system interface
    edit "port10"
        set vdom "root"
        set ip 192.168.70.201 255.255.255.0
        set allowaccess ping https ssh fgfm capwap
        set type physical
        set alias "wan1-LOCAL-DHCP"
        set device-identification enable
        set snmp-index 10
    next
    edit "agg-to-ISR"
        set vdom "root"
        set ip 10.0.100.1 255.255.255.255
        set allowaccess ping https ssh
        set l2forward enable
        set type tunnel
        set remote-ip 10.0.100.2
        set snmp-index 14
        set interface "port10"
    next
end
config firewall policy
    edit 10
        set srcintf "agg-to-ISR"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 15
        set srcintf "any"
        set dstintf "agg-to-ISR"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
config router ospf
    set default-information-originate enable
    set router-id 10.0.201.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "agg-to-ISR"
            set interface "agg-to-ISR"
            set mtu-ignore enable
            set network-type point-to-point
        next
    end
    config network
        edit 3
            set prefix 10.0.100.0 255.255.255.252
        next
        edit 6
            set prefix 172.16.0.0 255.255.255.0   #using it for another router
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "static"
        set status enable
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end
Here is the OSPF debug output on the FortiGate:
# get router info ospf interface
agg-to-ISR is down, line protocol is down
Internet Address 10.0.100.1/32, Area 0.0.0.0, MTU 1500
Process ID 0, Router ID 10.0.201.1, Network Type POINTOPOINT, Cost: 0
Transmit Delay is 1 sec, State Down
Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
# exec ping 10.0.100.2
PING 10.0.100.2 (10.0.100.2): 56 data bytes
64 bytes from 10.0.100.2: icmp_seq=0 ttl=255 time=2.7 ms
64 bytes from 10.0.100.2: icmp_seq=1 ttl=255 time=3.3 ms
64 bytes from 10.0.100.2: icmp_seq=2 ttl=255 time=3.2 ms
64 bytes from 10.0.100.2: icmp_seq=3 ttl=255 time=3.0 ms
64 bytes from 10.0.100.2: icmp_seq=4 ttl=255 time=3.1 ms
--- 10.0.100.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 2.7/3.0/3.3 ms
The Cisco router constantly sends multicast messages to the FortiGate, but there is no reverse traffic:
# diagnose sniffer packet any 'host 10.0.100.2' 4
interfaces=[any]
filters=[host 10.0.100.2]
3.127230 agg-to-ISR_0 in 10.0.100.2 -> 224.0.0.5: ip-proto-89 56
13.038071 agg-to-ISR_0 in 10.0.100.2 -> 224.0.0.5: ip-proto-89 56
22.633617 agg-to-ISR_0 in 10.0.100.2 -> 224.0.0.5: ip-proto-89 56
31.731950 agg-to-ISR_0 in 10.0.100.2 -> 224.0.0.5: ip-proto-89 56
41.437651 agg-to-ISR_0 in 10.0.100.2 -> 224.0.0.5: ip-proto-89 56
I'm frustrated, as Benoit_Rech_FTNT mentioned in this post https://forum.fortinet.com/tm.aspx?m=111570
that IKE Mode Configuration should be used. I can't find a way to realise it on a Cisco router.
Does anyone have any suggestions on it?
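As an added diagnostic (not code from the original post or from Fortinet), the Python script below parses the two FortiGate outputs pasted above and cross-checks them: an interface that OSPF reports as down cannot send hellos, and the capture shows hellos arriving on agg-to-ISR_0 while OSPF is bound to agg-to-ISR. The sample outputs are constructed from the lines in the thread. The child-interface check assumes that the `_0` suffix denotes a per-peer tunnel spawned by the dialup phase1, which is the naming visible in the capture; the regexes for the two FortiOS output formats are likewise written from the lines shown here, not from Fortinet documentation.

```python
"""Cross-check 'get router info ospf interface' against 'diagnose sniffer packet'
output to explain a one-way OSPF hello exchange over a FortiGate tunnel interface.
Added example; the sample outputs are constructed copies of the thread's lines."""
import re
from collections import defaultdict

# Constructed sample: 'get router info ospf interface' as pasted in the thread.
OSPF_IF_OUTPUT = """\
agg-to-ISR is down, line protocol is down
Internet Address 10.0.100.1/32, Area 0.0.0.0, MTU 1500
Process ID 0, Router ID 10.0.201.1, Network Type POINTOPOINT, Cost: 0
Transmit Delay is 1 sec, State Down
Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
"""

# Constructed sample: 'diagnose sniffer packet any "host 10.0.100.2" 4' as pasted.
SNIFFER_OUTPUT = """\
interfaces=[any]
filters=[host 10.0.100.2]
3.127230 agg-to-ISR_0 in 10.0.100.2 -> 224.0.0.5: ip-proto-89 56
13.038071 agg-to-ISR_0 in 10.0.100.2 -> 224.0.0.5: ip-proto-89 56
22.633617 agg-to-ISR_0 in 10.0.100.2 -> 224.0.0.5: ip-proto-89 56
"""

IF_RE = re.compile(r"^(\S+) is (up|down), line protocol is (up|down)$")
ADDR_RE = re.compile(r"Internet Address (\S+)/(\d+)")
STATE_RE = re.compile(r"State (\w+)")
PKT_RE = re.compile(
    r"^(?P<ts>[\d.]+) (?P<ifname>\S+) (?P<dir>in|out) "
    r"(?P<src>\S+) -> (?P<dst>\S+): ip-proto-(?P<proto>\d+)"
)
OSPF_PROTO = "89"


def parse_ospf_interfaces(text):
    """Return {ifname: {"link", "state", "prefixlen"}} from the OSPF interface listing."""
    result, current = {}, None
    for line in text.splitlines():
        m = IF_RE.match(line.strip())
        if m:
            current = m.group(1)
            result[current] = {"link": m.group(2), "state": None, "prefixlen": None}
            continue
        if current is None:
            continue
        m = ADDR_RE.search(line)
        if m:
            result[current]["prefixlen"] = int(m.group(2))
        m = STATE_RE.search(line)
        if m:
            result[current]["state"] = m.group(1)
    return result


def count_ospf_packets(text):
    """Return {ifname: {"in": n, "out": n}} for IP protocol 89 packets in sniffer output."""
    counts = defaultdict(lambda: {"in": 0, "out": 0})
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if m and m.group("proto") == OSPF_PROTO:
            counts[m.group("ifname")][m.group("dir")] += 1
    return dict(counts)


def diagnose(ospf_if_text, sniffer_text):
    """Combine both views and return a list of human-readable findings."""
    findings = []
    ifaces = parse_ospf_interfaces(ospf_if_text)
    pkts = count_ospf_packets(sniffer_text)
    for name, info in ifaces.items():
        if info["link"] == "down" or info["state"] == "Down":
            findings.append(f"{name}: OSPF sees the interface as down "
                            f"(state {info['state']}); it will not send hellos")
        if info["prefixlen"] == 32:
            findings.append(f"{name}: /32 address; the peer is only reachable via "
                            f"remote-ip on a point-to-point link")
    for name, c in pkts.items():
        if c["in"] and not c["out"]:
            findings.append(f"{name}: {c['in']} OSPF packets received, 0 sent (one-way hellos)")
        # Assumption: a dialup phase1 spawns per-peer child interfaces named <parent>_N,
        # while OSPF is configured on the parent. Flag that mismatch explicitly.
        parent = re.sub(r"_\d+$", "", name)
        if parent != name and parent in ifaces and name not in ifaces:
            findings.append(f"{name}: hellos arrive on a dynamic child of '{parent}', "
                            f"which is where OSPF is configured")
    return findings


if __name__ == "__main__":
    for finding in diagnose(OSPF_IF_OUTPUT, SNIFFER_OUTPUT):
        print("-", finding)
```

Run against the thread's own outputs it reports four findings: the parent interface is down in OSPF, it carries a /32, the child interface receives hellos but sends none, and the hellos land on a child of the interface OSPF is bound to. The same two commands can be re-run after any configuration change and fed back through `diagnose()` to confirm whether outbound hellos have appeared.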
I wouldn't do it like that. What I would do is specify the OSPF neighbors directly on the Cisco and the FGT, but after I had configured route-reach over the tunnel interfaces.
e.g.
#cisco
config t
router ospf 10
neighbor 10.0.100.1
end
#FGT (under config router ospf in FortiOS)
config neighbor
    edit 1
        set ip 10.0.100.2
        set poll-interval 10
        set cost 0
        set priority 1
    next
end
PCNSE
NSE
StrongSwan
After adding static neighbours nothing changes.
On the Cisco router I've got a notification after configuring the neighbour:
% OSPF: Configured Nbr 10.0.100.1 is incompatible with OSPF network type on Tunnel0
How are your Cisco network types configured? Can you do an OSPF packet capture (maybe from the web GUI at https://xxx.xxx.xxx.xxx/p/sniffer) and Wireshark/tshark it for OSPF issues? Protocol 89 is what you want to trigger on.
PCNSE
NSE
StrongSwan