New_Member
New Contributor

Draytek Vigor & Fortigate - VPN IPSec site to site

Dear all,

I'm stuck configuring a site-to-site VPN between a FortiGate 300C and a Draytek 2950.

In Draytek:

Dial out IPSec Tunnel
IKE phase 1: 3DES_MD5_G5
IKE phase 2: 3DES_MD5
Main ID protection

in Fortigate:

Phase 1: Main ID Protection, 3DES_MD5, DH Group 2,5, Keylife 28800
Phase 2: 3DES_MD5, DH Group 5, Keylife 3600

I already set up a policy to accept IPSEC.

I can not bring this tunnel up.

Please help!

Thanks

ede_pfau
Esteemed Contributor III

ike 0:vpn:61: remote address 115.78.161.0 does not match configuration address 115.78.166.114, drop
You should check that first.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
New_Member

Dear Ede

I also checked the config again on both devices.

No problem with the configuration.

Any advice on this?

Many thanks!!!

ede_pfau
Esteemed Contributor III

Come on, you've got to provide more info than this! Do you really expect anything to come out of this with only breadcrumbs? Jeez.

 

Who is 115.78.116.0, who is 115.78.166.114, what are the 2 public IP addresses exactly (one DT, one FGT)? Screen shots of the DT config page? Config of the FGT (as text), phase1 will do for now.

 


Ede

"Kernel panic: Aiee, killing interrupt handler!"
emnoc
Esteemed Contributor III

We have someone here at our office doing the same Vigor to FGT. They have a document of how it should be configured, which is simple.

 

 

PCNSE NSE StrongSwan
New_Member

Dear Emnoc,

Could you share that document for my reference?

Many thanks

emnoc
Esteemed Contributor III

PCNSE NSE StrongSwan
New_Member

Dear Emnoc,

Thanks for your help!

I already referred to this document before and followed it step by step.

But I still cannot bring the tunnel up, with the error "remote address x.x.x.x does not match configuration address A.B.C.D, drop".

Thanks

emnoc
Esteemed Contributor III

Do you have phase1 & 2 proposal matching?

 

Do you have local/remote subnets (src/dst for our FortiGate) matching? I will probably get stuck with this tomorrow with our UK office and will post an outcome of what I do.

 

PCNSE NSE StrongSwan
New_Member

Dear Emnoc,

 

Thanks for your effort and support!

I just found the problem! A VIP is configured on either of the firewalls for this external IP.

Just remove the VIP, it's OK now.

Regards

Vinh
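
The cause reported in the last post (a VIP on the tunnel's external IP) can be checked against a configuration backup. The following is an added example, not code from the thread or from Fortinet: it pairs each "does not match configuration address" IKE debug line, in the format quoted above, with any `config firewall vip` entry whose `extip` covers an address in that line. The sample log and config are constructed with documentation addresses, and checking both addresses of the log line is an assumption.

```python
import ipaddress
import re

MISMATCH_RE = re.compile(
    r"ike \d+:(?P<tunnel>[^:]+):\d+: remote address (?P<remote>[^\s,]+) "
    r"does not match configuration address (?P<configured>[^\s,]+), drop")

def parse_mismatches(log_text):
    """Return (tunnel, remote, configured) for each dropped-peer log line."""
    return [(m["tunnel"], m["remote"], m["configured"])
            for m in MISMATCH_RE.finditer(log_text)]

def parse_vips(config_text):
    """Map VIP name -> (first, last) external IP from 'config firewall vip'."""
    vips, stack, name = {}, [], None
    for line in map(str.strip, config_text.splitlines()):
        if line.startswith("config "):
            stack.append(line)          # track nesting so an inner 'end' is ignored
        elif line == "end" and stack:
            stack.pop()
        elif stack == ["config firewall vip"]:
            if line.startswith("edit "):
                name = line[5:].strip('"')
            elif line.startswith("set extip ") and name:
                first, _, last = line[len("set extip "):].partition("-")
                vips[name] = (ipaddress.ip_address(first),
                              ipaddress.ip_address(last or first))
    return vips

def vip_conflicts(log_text, config_text):
    """List (tunnel, address, vip_name) where a VIP extip covers a logged address."""
    vips, findings = parse_vips(config_text), []
    for tunnel, remote, configured in parse_mismatches(log_text):
        for addr in (remote, configured):   # assumption: check both addresses
            ip = ipaddress.ip_address(addr)
            for name, (first, last) in vips.items():
                if first.version == ip.version and first <= ip <= last:
                    findings.append((tunnel, addr, name))
    return findings

# Constructed sample data (documentation address ranges, not from the thread).
SAMPLE_LOG = ("ike 0:vpn:61: remote address 198.51.100.7 does not match "
              "configuration address 203.0.113.10, drop\n")
SAMPLE_CONFIG = '''config firewall vip
    edit "web-server"
        set extip 203.0.113.10
        set mappedip "10.0.0.5"
    next
end
'''
```

Calling `vip_conflicts(SAMPLE_LOG, SAMPLE_CONFIG)` reports the VIP `web-server` against tunnel `vpn`; an empty list means no VIP covers either logged address.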
