KWigle
New Contributor III

Fgt to ASA IPSec Tunnel Failing

Hello Group!

 

I am trying to get an IPsec tunnel up between an 80CM and an ASA.

We are using certificates.

We are using 5.2.4

 

Certificates were loaded manually through the CLI, as the GUI doesn't like them.

However, once entered in the CLI, they show up nicely in the GUI.

 

On the ASA side no errors are seen, but we do see a connection being made and then torn down almost immediately.

 

On the Fgt side we enabled: diagnose debug application ike -255

The results below repeat continuously:

 

ike 0:Network:326101: auth verify done
ike 0:Network:326102: peer certificate not received
ike 0:Network:326102: certificate validation failed
ike 0:Network:326102: auth verify done
ike 0:Network:326103: peer certificate not received
ike 0:Network:326103: certificate validation failed
ike 0:Network:326103: auth verify done

 

As a small background, the ASA (main gate) serves hundreds of other ASAs and probably 30 IAS boxes using certs.

This is the first time we have tried using certs on a Fgt.

Not quite sure what "peer certificate not received" alludes to.

 

Besides the GUI issue we have also bumped into a problem with the Remote ID field.

Apparently it will only take 63 chars or fewer.  Our Remote ID for the gate, even with spaces stripped, is 79 chars.

So we're using "Any peer ID" for now (but our security people will probably complain). Can this be entered in the CLI, and will it be saved? If we open that tunnel to edit it, will the GUI then complain about the long string?

 

So not going as smoothly as hoped.  Any suggestions gladly received!

 

Kevin
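Two things in the post above can be checked offline before touching either firewall: whether the peer's identity certificate actually chains to the CA the FortiGate trusts (the check behind "certificate validation failed"), and whether the peer certificate's subject DN, which is what the Remote ID would have to match, fits in the 63-character field. The script below is an added example written for this page, not something from the original post or from Fortinet or Cisco. It builds a throwaway lab PKI with openssl; the CA, the DNs (a short FortiGate-style one, a long ASA-gate-style one, and a self-signed "rogue" cert from no trusted CA), and the work directory are all made up for the example.

```sh
#!/bin/sh
# Added example, not from the original post: reproduce the two checks this thread
# turns on, using a throwaway lab PKI. All names, DNs and the work directory below
# are assumptions made up for the example.
#   1. Does the peer's identity certificate chain to the CA the FortiGate trusts?
#      (This is the check behind "certificate validation failed".)
#   2. Does the peer's subject DN fit the 63-character Remote ID field the OP hit?
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Issue a leaf cert signed by $WORK/ca.crt.  $1 = basename, $2 = subject DN, $3 = serial
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -set_serial "$3" -days 1 -out "$WORK/$1.crt" 2>/dev/null
}

# Build the lab: one CA, a short-DN cert (FortiGate side), a long-DN cert that
# mimics an ASA "gate" identity, and a self-signed cert issued by no trusted CA.
setup_lab() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Lab Root CA/O=Example" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  issue_cert fgt "/CN=fgt.example.test/O=Example" 1
  issue_cert asa "/CN=asa-gate.example.test/OU=Security Operations/O=Example Corporation/L=Paris/C=FR" 2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=rogue.example.test" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
}

# chain_ok CERT CAFILE -> "ok" if CERT validates against CAFILE, else "fail"
chain_ok() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# dn_string CERT -> the subject DN as the single RFC 2253 string a peer ID would carry
dn_string() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=[[:space:]]*//'
}

# dn_length CERT -> number of characters in that string
dn_length() {
  printf '%s' "$(dn_string "$1")" | wc -c | tr -d ' '
}

# dn_fits_gui CERT -> "yes" if the DN fits a 63-character field, else "no"
dn_fits_gui() {
  if [ "$(dn_length "$1")" -le 63 ]; then echo yes; else echo no; fi
}

setup_lab
for c in fgt asa rogue; do
  printf '%-6s chain=%s  dn_len=%s  fits_63=%s  %s\n' "$c" \
    "$(chain_ok "$WORK/$c.crt" "$WORK/ca.crt")" \
    "$(dn_length "$WORK/$c.crt")" \
    "$(dn_fits_gui "$WORK/$c.crt")" \
    "$(dn_string "$WORK/$c.crt")"
done
```

To apply it to a real pair of boxes, point chain_ok at the exported peer identity certificate and at the CA certificate the FortiGate has imported (the "peer certificate not received" and "certificate validation failed" lines only tell you the IKE daemon rejected the peer, not which of the two it lacked), and run dn_length against the peer certificate to see how far the DN exceeds the field before deciding between a shorter subject DN on the certificate and a peer-ID setting that accepts any peer.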

emnoc
Esteemed Contributor III

So it seems like you didn't receive a peer cert. Did they do any diagnostics on the Cisco ASA, and validate the peer certificate in the cfg?

 

e.g.

debug crypto isakmp

 

 

PCNSE NSE StrongSwan
Abdessamad

Hi,

 

I have exactly the same issue; the problem probably comes from IKE fragmentation.

 

BR

Network Admin
emnoc
Esteemed Contributor III

I didn't think you could run site-to-site VPNs using a certificate from an ASA or the enrollment server. How did they (Cisco) 1) craft a certificate for you, and 2) how did they download it?

 

Sure, the FortiGate can't use SCEP, which is what's expected and the only thing supported on the Cisco ASA, unless I'm mistaken and something has changed in the last few years.

 

 

PCNSE NSE StrongSwan
Abdessamad

Hi,

Before migrating to IKEv2, we had an IKEv1 site-to-site IPsec VPN (FGT 100D <--> Cisco ASA 5585) with certificates functioning correctly.

The certificates were issued from an MS CA server.

BR

Network Admin
emnoc
Esteemed Contributor III

How did you export the cert for the FortiGate from the MS CA? The Cisco ASA only works with SCEP; I heard you can manually execute some things, but it's not as easy as 1-2-3.

 

So in the OP's post, he needs to make sure the "proper" cert is enabled for the IKE authentication, and certificate only with no peer ID (unless the Cisco ASA is requiring a peer ID).

 

 

PCNSE NSE StrongSwan
Abdessamad

Hi,

Thank you for your update.

I exported the certificates for the ASA and FGT from the MS CA, Base64 encoded.

On the ASA side the certificate is enabled for IKE authentication:

 

tunnel-group 10.7.3.28 ipsec-attributes
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate ASA.PCIDSS

 

BR

Network Admin
emnoc
Esteemed Contributor III

So "ASA.PCIDSS" is a certificate defined on the ASA, and show crypto ca certificate shows the certificates?

 

e.g.

 

crypto pki certificate chain ASA.PCIDSS

 

On the FortiGate, can you validate the certificate with the show full vpn certificate local command?

 

Alternatively, you can review the cert in the web GUI and validate that the cert is shown and the serial #. Since you're using IKEv2, what does your phase1-interface config look like on the FortiGate?

 

And finally, did you run any debugs from the Cisco ASA to see what it complains about, if anything?

 

Do the following:

 

crypto ca enroll

crypto ca authenticate

show crypto ca certificates

 

and ensure debug is enabled.

 

debug cry pki messages

debug cry pki trans

 

Since you have other ASAs, I'm betting the problem starts on the FortiGate side configuration. You can debug and try to catch the 1st IKE packet the FortiGate sends, and see what it shows as originator.

 

 

PCNSE NSE StrongSwan
emnoc
Esteemed Contributor III

BTW, post us an update once you get this to work. I have never been successful with certificates on ASAs and other devices.

 

;)

PCNSE NSE StrongSwan
Abdessamad

Hi,

Thank you for the update.

ASA.PCIDSS is the trustpoint: CA certificate + signed identity certificate.

 

ASA config:

-----------

crypto ca trustpoint PCIDSS.ASA
 enrollment terminal
 fqdn FWMutualisation1.domainName
 subject-name CN=FWMutualisation1.domainName, OU=XX, O=XX, C=XX, L=XXXX
 serial-number
 keypair ASA_PCIDSS
 crl configure
crypto ca trustpool policy

crypto ca certificate chain PCIDSS.ASA

---------------------

 

I can review the cert in the web GUI and validate it (status OK).

 

FortiGate phase1 and phase2 config:

 

config vpn ipsec phase1-interface
    edit "MON-SYSBD"
        set interface "Outside"
        set ike-version 2
        set authmethod signature
        set proposal aes256-sha512
        set dpd disable
        set dhgrp 2
        set remote-gw X.X.X.X
        set certificate "VPN_PCI_DSS"
    next
end
config vpn ipsec phase2-interface
    edit "MON-SYSBD-2"
        set phase1name "MON-SYSBD"
        set proposal aes256-sha512
        set dhgrp 5
        set auto-negotiate enable
        set keylifeseconds 28800
        set src-name "DMZ_ENTITES"
        set dst-name "DMZ-CENTRAUX"
    next
end

--------------------------

 

Yes, I have debugs from the Cisco ASA:

 

IKEv2-PLAT-3: (7483): SENT PKT [IKE_AUTH] [172.21.176.1]:500->[10.7.3.28]:500 InitSPI=0xc8dbf4ef45acf4e0 RespSPI=0xe74e994ac120cf35 MID=00000001
IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK
IKEv2-PROTO-5: (7483): Action: Action_Null
IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_PKI_SESH_CLOSE
IKEv2-PROTO-5: (7483): Closing the PKI session
IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_INSERT_IKE
IKEv2-PROTO-2: (7483): IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
IKEv2-PROTO-2: (7483): Session with IKE ID PAIR (e=agouzoza@eurafric-information.com,cn=10.7.3.28,ou=Security,l=XX Siege,c=XX, cn=FWMutualisation1.XXXXX,ou=XXXX,o=XXX,l=XXXX,c=XXXX) is UP
IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_REGISTER_SESSION
IKEv2-PLAT-2: (7483): connection auth hdl set to 1204
IKEv2-PLAT-2: (7483): AAA conn attribute retrieval successfully queued for register session request.
IKEv2-PROTO-2: (7483):
IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_NO_EVENT
IKEv2-PLAT-2: (7483): idle timeout set to: 30
IKEv2-PLAT-2: (7483): session timeout set to: 0
IKEv2-PLAT-2: (7483): group policy set to GroupePolicy_10.7.3.28
IKEv2-PLAT-2: (7483): class attr set
IKEv2-PLAT-2: (7483): tunnel protocol set to: 0x40
IKEv2-PLAT-2: (7483): IPv4 filter ID not configured for connection
IKEv2-PLAT-2: (7483): group lock set to: none
IKEv2-PLAT-2: (7483): IPv6 filter ID not configured for connection
IKEv2-PLAT-2: (7483): connection attribues set valid to TRUE
IKEv2-PLAT-2: (7483): Successfully retrieved conn attrs
IKEv2-PLAT-2: (7483): Session registration after conn attr retrieval PASSED, No error
IKEv2-PROTO-2: (7483): Initializing DPD, configured for 10 seconds
IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_RECD_REGISTER_SESSION_RESP
IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_GEN_LOAD_IPSEC
IKEv2-PROTO-2: (7483): Load IPSEC key material
IKEv2-PLAT-2: (7483): Base MTU get: 0
IKEv2-PLAT-2: (7483): Base MTU get: 0
IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_START_ACCT
IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHECK_DUPE
IKEv2-PROTO-2: (7483): Checking for duplicate IKEv2 SA
IKEv2-PROTO-2: (7483): No duplicate IKEv2 SA found
IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: READY Event: EV_R_OK
IKEv2-PROTO-2: (7483): Starting timer (8 sec) to delete negotiation context
IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: READY Event: EV_NO_EVENT

 

------------------

 

I can't see any error message in this debug.

 

BR

Network Admin