Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
KWigle
New Contributor III

Fgt to ASA IPSec Tunnel Failing

Hello Group!

 

I am trying to get an ipsec tunnel up between an 80CM and an ASA.

We are using certificates.

We are using 5.2.4

 

Certificates were loaded manually through the cli as the gui doesn't like them.

However once entered in the cli they show up nicely to be viewed in the gui.

 

On the ASA side no errors are seen but we do see a connection being made but then torn down almost immediately.

 

On the Fgt side we enabled: diagnose debug application ike -255

The results below repeat continuously;

 

ike 0:Network:326101: auth verify done ike 0:Network:326102: peer certificate not received ike 0:Network:326102: certificate validation failed ike 0:Network:326102: auth verify done ike 0:Network:326103: peer certificate not received ike 0:Network:326103: certificate validation failed ike 0:Network:326103: auth verify done

 

As a small background, the ASA (main gate) serves hundreds of other ASAs and probably 30 IAS boxes using certs.

This is the first time we have tried using certs on a Fgt.

Not quite sure what "peer certificate not received" alludes to.

 

Besides the gui issue we have also bumped into a problem with the Remote ID field.

Apparently it will only take 63 chars and below.  Our Remote ID of the gate, even if spaces are stripped - is 79 chars.

So we're using "Any peer ID" for now.  (but our security people will probably complain) Can this be entered in the cli and will it be saved? If we open that tunnel to edit will the gui then complain about the long string?

 

So not going as smoothly as hoped.  Any suggestions gladly received!

 

Kevin

13 REPLIES 13
emnoc
Esteemed Contributor III

hmm

 

Under 5.2.4

 

set authmethod signature

 

I thought this used to be rsa-signatures? On the  cisco ASA what does the show ca certificate command show you and for the certificate in question? ( PCIDSS.ASA )

 

And finally as a dumb question, date/time is correct on the fortigate and asa?

 

Ken

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Abdessamad

Hi,

Thank you for your reply.

unfortunately I do not have the access for the moment but I souvien result :

show ca certificate:

Certificate

  Status: Available

  Certificate Serial Number: XXXXXX

  Certificate Usage: General Purpose

  Public Key Type: RSA (2048 bits)

  Issuer Name:

    cn=XXXXXXXXXXXXXXXX

    ou=XXXXXXXXXXXXXXXXXXXX

    ou=XXXXXXXXXXXXXXXXX

    o=XXXXXXXXXXX

    c=XXXX

  Subject Name:

    cn=XXXX

    o=XXXX

    l=XXXXXX

    c=XXXXXX

  

  CRL Distribution Points:

    [1]  [link]http://crl.XXXXX[/link]

  Associated Trustpoints: PCIDSS.ASA

 

Yes, i m sure the two Firewalls use the same NTP server.

 

 

 

Network Admin
Network Admin
Abdessamad

Hi,

 

Enclosed a screenshoot of a Traffic capture on ASA side.

The capture shows the Ike_Auth exchange

 

Network Admin
Network Admin
Abdessamad

Network Admin
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors