- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Dialup user aggressive mode IPsec between FortiGat...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dialup user aggressive mode IPsec between FortiGate and Cisco router
Dear colleagues,
Do someone have working solution for the topology like this: multiple Cisco routers(dynamic WAN IP) -> IPsec tunnel(aggressive mode) -> FortiGate(static WAN IP, Dialup user IPsec VPN gateway aggressive mode) ?
I`ve tried some combinations of configuration on Cisco router but find only one working solution with Dialup user main mode IPsec.
Labels:
- Labels:
-
5.2
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I`ve found the solution finally. But now I`m facing a new issue: OSPF doesn`t bring up.
I am using Dial Up user IPsec VPN with aggressive mode. Also I have cofigured static addresses for tunnel interfaces on FortiGate and on Cisco router. This config is for test environment. Aggressive mode + Dialup user is customers requirements so I can`t stand back from it.
Configuratons are following:
=================================Cisco========================== ! crypto keyring KEYR1 pre-shared-key address 192.168.70.201 key aq1sw2de3 ! ! crypto isakmp policy 10 encr 3des hash md5 authentication pre-share group 2 crypto isakmp profile ISAKMP_PROF keyring KEYR1 self-identity user-fqdn hub-cisco match identity address 192.168.70.201 255.255.255.0 initiate mode aggressive ! ! crypto ipsec transform-set TEST-SET esp-3des esp-md5-hmac mode tunnel ! ! crypto ipsec profile TEST-PROFILE set transform-set TEST-SET set pfs group2 set isakmp-profile ISAKMP_PROF ! interface Tunnel0 ip address 10.0.100.2 255.255.255.0 ip ospf network point-to-point ip ospf mtu-ignore tunnel source GigabitEthernet1 tunnel mode ipsec ipv4 tunnel destination 192.168.70.201 tunnel protection ipsec profile TEST-PROFILE end ! interface GigabitEthernet1 ip address 192.168.70.216 255.255.255.0 negotiation auto ! ! router ospf 10 router-id 10.0.201.3 passive-interface GigabitEthernet2 network 10.0.100.0 0.0.0.3 area 0 ! ip route 0.0.0.0 0.0.0.0 192.168.70.1 !
======================FG================================ config vpn ipsec phase1-interface edit "agg-to-ISR" set type dynamic set interface "port10" set nattraversal disable set mode aggressive set peertype one set proposal 3des-md5 set add-route disable set dpd disable set dhgrp 2 set peerid "hub-cisco" set psksecret ENC *** next config vpn ipsec phase2-interface edit "agg-to-ISR" set phase1name "agg-to-ISR" set proposal 3des-md5 set dhgrp 2 next end config system interface edit "port10" set vdom "root" set ip 192.168.70.201 255.255.255.0 set allowaccess ping https ssh fgfm capwap set type physical set alias "wan1-LOCAL-DHCP" set device-identification enable set snmp-index 10 next edit "agg-to-ISR" set vdom "root" set ip 10.0.100.1 255.255.255.255 set allowaccess ping https ssh set l2forward enable set type tunnel set remote-ip 10.0.100.2 set snmp-index 14 set interface "port10" next config firewall policy edit 10 set srcintf "agg-to-ISR" set dstintf "any" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" next edit 15 set srcintf "any" set dstintf "agg-to-ISR" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" next config router ospf set default-information-originate enable set router-id 10.0.201.1 config area edit 0.0.0.0 next end config ospf-interface edit "agg-to-ISR" set interface "agg-to-ISR" set mtu-ignore enable set network-type point-to-point next end config network edit 3 set prefix 10.0.100.0 255.255.255.252 next edit 6 set prefix 172.16.0.0 255.255.255.0 #using it for another router next end config redistribute "connected" set status enable end config redistribute "static" set status enable end config redistribute "rip" end config redistribute "bgp" end config redistribute "isis" end end
There is following output for OSPF debug on fortigate:
# get router info ospf interface
agg-to-ISR is down, line protocol is down
Internet Address 10.0.100.1/32, Area 0.0.0.0, MTU 1500
Process ID 0, Router ID 10.0.201.1, Network Type POINTOPOINT, Cost: 0
Transmit Delay is 1 sec, State Down
Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
# exec ping 10.0.100.2
PING 10.0.100.2 (10.0.100.2): 56 data bytes
64 bytes from 10.0.100.2: icmp_seq=0 ttl=255 time=2.7 ms
64 bytes from 10.0.100.2: icmp_seq=1 ttl=255 time=3.3 ms
64 bytes from 10.0.100.2: icmp_seq=2 ttl=255 time=3.2 ms
64 bytes from 10.0.100.2: icmp_seq=3 ttl=255 time=3.0 ms
64 bytes from 10.0.100.2: icmp_seq=4 ttl=255 time=3.1 ms
--- 10.0.100.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 2.7/3.0/3.3 ms
Cisco router costantly sends multicast messages to fortigate, but there is no reverse traffic:
# diagnose sniffer packet any 'host 10.0.100.2' 4
interfaces=[any]
filters=[host 10.0.100.2]
3.127230 agg-to-ISR_0 in 10.0.100.2 -> 224.0.0.5: ip-proto-89 56
13.038071 agg-to-ISR_0 in 10.0.100.2 -> 224.0.0.5: ip-proto-89 56
22.633617 agg-to-ISR_0 in 10.0.100.2 -> 224.0.0.5: ip-proto-89 56
31.731950 agg-to-ISR_0 in 10.0.100.2 -> 224.0.0.5: ip-proto-89 56
41.437651 agg-to-ISR_0 in 10.0.100.2 -> 224.0.0.5: ip-proto-89 56
I`m frustrated as Benoit_Rech_FTNT mentioned in this post https://forum.fortinet.com/tm.aspx?m=111570
that IKE Mode Configuration should be used. I can`t find ways to realise it on Cisco router.
Does anyone have any suggestions on it ?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I wouldn't do it like that. What I would do is specify the ospf-neighbors directly on the cisco and FGT but after I configured route-reach over the tunnel interfaces.
e.g
#cisco
config t
router ospf 10
neighbor 10.0.100.1
end
#FGT under router config ospf in FortiOS
config neighbor edit 1 set ip 10.0.100.2 set poll-interval 10 set cost 0 set priority 1 next end
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After adding static neighbours nothing changes.
On cisco router I`ve got notification after configuring neighbour:
% OSPF: Configured Nbr 10.0.100.1 is incompatible with OSPF network type on Tunnel0
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How are your cisco network types configured as? Can you do a ospf packet capture ( maybe from the webGui [link]https://xxx.xxx.xxx.xxx/p/sniffer[/link] and wireshark/tshark it for ospf issues protocol 89 is what you want to trigger on.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Related Posts
- FortiGate Config Local Snapshots 68 Views
- Fortigate 90D v6.0.9 no filter enabled... 104 Views
- How how can I limit the... 198 Views
- Native VLAN keeps changing from 254... 76 Views
- Swapping Firewalls VPN Setup Command Line 100 Views
Labels
-
FortiGate
6,678 -
FortiClient
1,330 -
5.2
801 -
5.4
639 -
FortiManager
578 -
FortiAnalyzer
422 -
6.0
416 -
5.6
362 -
FortiSwitch
342 -
FortiAP
339 -
FortiClient EMS
272 -
FortiMail
259 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
159 -
6.4
128 -
FortiNAC
110 -
FortiGuard
106 -
FortiSIEM
92 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
79 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
67 -
4.0MR3
64 -
Wireless Controller
58 -
FortiProxy
46 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
40 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
30 -
SD-WAN
30 -
Firewall policy
29 -
High Availability
24 -
FortiConnect
24 -
VLAN
22 -
FortiWAN
22 -
FortiConverter
21 -
FortiAuthenticator
20 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Interface
14 -
Certificate
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Logging
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
10 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
Authentication
8 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSO
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.