Hello Group!
I am trying to get an IPsec tunnel up between an 80CM and an ASA.
We are using certificates.
We are using 5.2.4.
Certificates were loaded manually through the CLI, as the GUI doesn't like them.
However, once entered in the CLI they show up nicely to be viewed in the GUI.
On the ASA side no errors are seen, but we do see a connection being made and then torn down almost immediately.
On the Fgt side we enabled: diagnose debug application ike -255
The results below repeat continuously:
ike 0:Network:326101: auth verify done
ike 0:Network:326102: peer certificate not received
ike 0:Network:326102: certificate validation failed
ike 0:Network:326102: auth verify done
ike 0:Network:326103: peer certificate not received
ike 0:Network:326103: certificate validation failed
ike 0:Network:326103: auth verify done
As a small background, the ASA (main gate) serves hundreds of other ASAs and probably 30 IAS boxes using certs.
This is the first time we have tried using certs on a Fgt.
Not quite sure what "peer certificate not received" alludes to.
Besides the GUI issue, we have also bumped into a problem with the Remote ID field.
Apparently it will only take 63 chars or fewer. Our Remote ID of the gate, even if spaces are stripped, is 79 chars.
So we're using "Any peer ID" for now (but our security people will probably complain). Can this be entered in the CLI, and will it be saved? If we open that tunnel to edit, will the GUI then complain about the long string?
So, not going as smoothly as hoped. Any suggestions gladly received!
Kevin
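As an added example (not code from the post or from Fortinet), the script below groups the IKE debug lines Kevin quoted by IKE SA id, reports which SAs the FortiGate logged as "peer certificate not received", and checks a candidate Remote ID against the 63-character limit he mentions. The sample debug lines are constructed from the post; the log format ("ike <vdom>:<phase1 name>:<sa id>: <message>"), the reading of consecutive SA ids as re-negotiation attempts, and the assumption that the 63-character limit applies to the space-stripped ID are this example's own.

```python
import re
from collections import OrderedDict

# Constructed sample, one message per line, of the repeating
# "diagnose debug application ike -255" output quoted in the post.
SAMPLE_DEBUG = """\
ike 0:Network:326101: auth verify done
ike 0:Network:326102: peer certificate not received
ike 0:Network:326102: certificate validation failed
ike 0:Network:326102: auth verify done
ike 0:Network:326103: peer certificate not received
ike 0:Network:326103: certificate validation failed
ike 0:Network:326103: auth verify done
"""

# Assumed layout of each line: "ike <vdom>:<phase1 name>:<sa id>: <message>"
LINE_RE = re.compile(r"^ike (\d+):([^:]+):(\d+): (.+)$")

# Remote ID limit reported in the post for the GUI field. Assumption: it is
# measured on the space-stripped string, as Kevin counted it.
REMOTE_ID_LIMIT = 63


def parse_ike_debug(text):
    """Group debug messages by (vdom, phase1 name, sa id), preserving order."""
    sas = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an IKE SA message; ignore
        vdom, name, sa_id, msg = m.groups()
        sas.setdefault((int(vdom), name, int(sa_id)), []).append(msg)
    return sas


def classify_sa(messages):
    """Describe the certificate-authentication outcome for one SA."""
    if "peer certificate not received" in messages:
        return "peer sent no certificate payload"
    if "certificate validation failed" in messages:
        return "certificate received but not validated"
    # "auth verify done" is also logged after a failed verification, so on its
    # own it only tells us the capture is incomplete for this SA.
    return "no certificate failure seen (capture incomplete)"


def summarize(text):
    """Per-SA outcomes plus a hint whether the peer keeps re-negotiating."""
    sas = parse_ike_debug(text)
    outcomes = {key: classify_sa(msgs) for key, msgs in sas.items()}
    sa_ids = sorted(key[2] for key in sas)
    # Consecutive SA ids with the same failure: the peer retries in a loop.
    retrying = len(sa_ids) >= 2 and all(
        b - a == 1 for a, b in zip(sa_ids, sa_ids[1:]))
    return {
        "sa_count": len(sas),
        "missing_peer_cert": sum(
            1 for o in outcomes.values()
            if o == "peer sent no certificate payload"),
        "retrying": retrying,
        "outcomes": outcomes,
    }


def peer_id_fits(peer_id, limit=REMOTE_ID_LIMIT):
    """Return (length of the space-stripped ID, whether it fits the field)."""
    stripped = "".join(peer_id.split())
    return len(stripped), len(stripped) <= limit


if __name__ == "__main__":
    report = summarize(SAMPLE_DEBUG)
    for key, outcome in report["outcomes"].items():
        print("SA %d (%s): %s" % (key[2], key[1], outcome))
    print("SAs missing peer cert: %d, retrying: %s"
          % (report["missing_peer_cert"], report["retrying"]))
    print(peer_id_fits("CN=gate, OU=a rather long organizational unit, O=org, C=US"))
```

Feed it the raw debug output (pasted into SAMPLE_DEBUG or read from a file) to see at a glance whether every SA fails the same way, which is the pattern that points at the peer's configuration rather than at an intermittent network problem.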
hmm
Under 5.2.4
set authmethod signature
I thought this used to be rsa-signatures? On the Cisco ASA, what does the show ca certificate command show you for the certificate in question? (PCIDSS.ASA)
And finally, as a dumb question: is the date/time correct on the FortiGate and the ASA?
Ken
PCNSE
NSE
StrongSwan
Hi,
Thank you for your reply.
Unfortunately I do not have access at the moment, but I remember the result:
show ca certificate:
Certificate
Status: Available
Certificate Serial Number: XXXXXX
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Issuer Name:
cn=XXXXXXXXXXXXXXXX
ou=XXXXXXXXXXXXXXXXXXXX
ou=XXXXXXXXXXXXXXXXX
o=XXXXXXXXXXX
c=XXXX
Subject Name:
cn=XXXX
o=XXXX
l=XXXXXX
c=XXXXXX
CRL Distribution Points:
[1] http://crl.XXXXX
Associated Trustpoints: PCIDSS.ASA
Yes, I'm sure the two firewalls use the same NTP server.
Hi,
Enclosed is a screenshot of a traffic capture on the ASA side.
The capture shows the IKE_AUTH exchange.