Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Fgt to ASA IPSec Tunnel Failing
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fgt to ASA IPSec Tunnel Failing
Hello Group!
I am trying to get an ipsec tunnel up between an 80CM and an ASA.
We are using certificates.
We are using 5.2.4
Certificates were loaded manually through the cli as the gui doesn't like them.
However once entered in the cli they show up nicely to be viewed in the gui.
On the ASA side no errors are seen but we do see a connection being made but then torn down almost immediately.
On the Fgt side we enabled: diagnose debug application ike -255
The results below repeat continuously;
ike 0:Network:326101: auth verify done ike 0:Network:326102: peer certificate not received ike 0:Network:326102: certificate validation failed ike 0:Network:326102: auth verify done ike 0:Network:326103: peer certificate not received ike 0:Network:326103: certificate validation failed ike 0:Network:326103: auth verify done
As a small background, the ASA (main gate) serves hundreds of other ASAs and probably 30 IAS boxes using certs.
This is the first time we have tried using certs on a Fgt.
Not quite sure what "peer certificate not received" alludes to.
Besides the gui issue we have also bumped into a problem with the Remote ID field.
Apparently it will only take 63 chars and below. Our Remote ID of the gate, even if spaces are stripped - is 79 chars.
So we're using "Any peer ID" for now. (but our security people will probably complain) Can this be entered in the cli and will it be saved? If we open that tunnel to edit will the gui then complain about the long string?
So not going as smoothly as hoped. Any suggestions gladly received!
Kevin
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
13 REPLIES 13
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So it seems like you didn't receive a peer-cert, did they do any diagnostics on the cisco ASA? And validate peer certification in the cfg?
e.g
debug crypto isakmp
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have exactly the same issue,
the problem probably comes from the IKE fragmentation.
BR
Network Admin
Network Admin
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I didn't think you could run site2site vpns using a certificate from a ASA or the enrollement server. How did they ( cisco ) 1> craft a certificate for you 2> how did they download it?
Sure the fortigate can't uses SCEP like what's expected and only supported in the cisco ASA, unless I'm mistaken and something has changed in the last few years.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Before migrate to ikev2, we had a VPN IPSec Site to Site ikev1 (FGT 100D<--> Cisco ASA 5585) with certif function correctly.
The Certificats was issued fron a MS CA Server
BR
Network Admin
Network Admin
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How did you export the cert for the fortigate from the MS CA? The cisco ASA only works with SCEP I heard you can manually execute some things but it's not as easy as 1 2 3.
So in the OP post, he needs to make sure the "proper" cert is enabled for the ike authentication and only certificate with no peer-id ( unless the cisco ASA is requiring a peer-id )
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thank you for your update
I have exported the certif for ASA and FGT from MS CA with Base 64 encoded.
On the ASA side the certif is enabled for the ike authentication :
tunnel-group 10.7.3.28 ipsec-attributes ikev2 remote-authentication certificate ikev2 local-authentication certificate ASA.PCIDSS
BR
Network Admin
Network Admin
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So "ASA.PCIDSS" is a certifcate defined on the ASA & the show crypto ca certificate shows the certificates?
e.g
crypto pki certificate chain ASA.PCIDSS
On the fortigate can you validate the certificate with the show full vpn certificate local cmd?
Alternatively you can review the cert in the webGUI and validate the cert is show and the serial#. Since your using ikev2 what does your phase1-interface config looks like on the fortigate?
And finally, did you run any debugs from the ciscoASA to see what it complains about if any?
do the following;
crypto ca enroll
crypto ca authenticate
show crypto ca certificates
and ensure debug is enabled.
debug cry pki messages
debug cry pki trans
Since you have other ASAs I'm betting the problems starts on the fortigate side configurations. You can debug and try to catch the 1st IKE packet from the fortigate send see what it shows as originator.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
btw post us a update once you get this to work. I have never been sucessful with certificates on ASA and other devices.
;)
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thank you for update,
ASA.PCIDSS is the trustpoint : CA certificate + Signed Identity Certificate
ASA config:
-----------
crypto ca trustpoint PCIDSS.ASA enrollment terminal fqdn FWMutualisation1.domainName subject-name CN=FWMutualisation1.domainName, OU=XX, O=XX, C=XX, L=XXXX serial-number keypair ASA_PCIDSS crl configure crypto ca trustpool policy
crypto ca certificate chain PCIDSS.ASA
---------------------
I can review the cert in the webGUI and validate it. (status OK)
Config FortiGate phase1 and phase2:
config vpn ipsec phase1-interface edit "MON-SYSBD" set interface "Outside" set ike-version 2 set authmethod signature set proposal aes256-sha512 set dpd disable set dhgrp 2 set remote-gw X.X.X.X set certificate "VPN_PCI_DSS" next end config vpn ipsec phase2-interface edit "MON-SYSBD-2" set phase1name "MON-SYSBD" set proposal aes256-sha512 set dhgrp 5 set auto-negotiate enable set keylifeseconds 28800 set src-name "DMZ_ENTITES" set dst-name "DMZ-CENTRAUX" next end
--------------------------
Yes, I have debugs from the ciscoASA :
IKEv2-PLAT-3: (7483): SENT PKT [IKE_AUTH] [172.21.176.1]:500->[10.7.3.28]:500 InitSPI=0xc8dbf4ef45acf4e0 RespSPI=0xe74e994ac120cf35 MID=00000001 IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK IKEv2-PROTO-5: (7483): Action: Action_Null IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_PKI_SESH_CLOSE IKEv2-PROTO-5: (7483): Closing the PKI session IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_UPDATE_CAC_STATS IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_INSERT_IKE IKEv2-PROTO-2: (7483): IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started IKEv2-PROTO-2: (7483): Session with IKE ID PAIR (e=agouzoza@eurafric-information.com,cn=10.7.3.28,ou=Security,l=XX Siege,c=XX, cn=FWMutualisation1.XXXXX,ou=XXXX,o=XXX,l=XXXX,c=XXXX) is UP IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_REGISTER_SESSION IKEv2-PLAT-2: (7483): connection auth hdl set to 1204 IKEv2-PLAT-2: (7483): AAA conn attribute retrieval successfully queued for register session request. IKEv2-PROTO-2: (7483): IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_NO_EVENT IKEv2-PLAT-2: (7483): idle timeout set to: 30 IKEv2-PLAT-2: (7483): session timeout set to: 0 IKEv2-PLAT-2: (7483): group policy set to GroupePolicy_10.7.3.28 IKEv2-PLAT-2: (7483): class attr set IKEv2-PLAT-2: (7483): tunnel protocol set to: 0x40 IKEv2-PLAT-2: (7483): IPv4 filter ID not configured for connection IKEv2-PLAT-2: (7483): group lock set to: none IKEv2-PLAT-2: (7483): IPv6 filter ID not configured for connection IKEv2-PLAT-2: (7483): connection attribues set valid to TRUE IKEv2-PLAT-2: (7483): Successfully retrieved conn attrs IKEv2-PLAT-2: (7483): Session registration after conn attr retrieval PASSED, No error IKEv2-PROTO-2: (7483): Initializing DPD, configured for 10 seconds IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_RECD_REGISTER_SESSION_RESP IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_GEN_LOAD_IPSEC IKEv2-PROTO-2: (7483): Load IPSEC key material IKEv2-PLAT-2: (7483): Base MTU get: 0 IKEv2-PLAT-2: (7483): Base MTU get: 0 IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_START_ACCT IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHECK_DUPE IKEv2-PROTO-2: (7483): Checking for duplicate IKEv2 SA IKEv2-PROTO-2: (7483): No duplicate IKEv2 SA found IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHK4_ROLE IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: READY Event: EV_R_OK IKEv2-PROTO-2: (7483): Starting timer (8 sec) to delete negotiation context IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: READY Event: EV_NO_EVENT
------------------
I can't see any error message on this debug
BR
Network Admin
Network Admin
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,729 -
FortiClient
1,771 -
5.2
801 -
FortiManager
734 -
5.4
639 -
FortiAnalyzer
562 -
FortiSwitch
476 -
FortiAP
473 -
FortiClient EMS
435 -
6.0
416 -
5.6
362 -
FortiMail
320 -
6.2
251 -
SSL-VPN
247 -
FortiAuthenticator v5.5
234 -
IPsec
210 -
Fortiweb
205 -
5.0
196 -
FortiNAC
190 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
104 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
97 -
FortiToken
92 -
Firewall policy
84 -
Customer Service
80 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
52 -
ZTNA
49 -
Routing
47 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
FortiConverter
25 -
Logging
25 -
Virtual IP
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
FortiGate-VM
17 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSoar
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
API
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1721 | |
| 1098 | |
| 752 | |
| 447 | |
| 234 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.