Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
KWigle
New Contributor III

Fgt to ASA IPSec Tunnel Failing

Hello Group!

 

I am trying to get an ipsec tunnel up between an 80CM and an ASA.

We are using certificates.

We are using 5.2.4

 

Certificates were loaded manually through the cli as the gui doesn't like them.

However once entered in the cli they show up nicely to be viewed in the gui.

 

On the ASA side no errors are seen but we do see a connection being made but then torn down almost immediately.

 

On the Fgt side we enabled: diagnose debug application ike -255

The results below repeat continuously;

 

ike 0:Network:326101: auth verify done ike 0:Network:326102: peer certificate not received ike 0:Network:326102: certificate validation failed ike 0:Network:326102: auth verify done ike 0:Network:326103: peer certificate not received ike 0:Network:326103: certificate validation failed ike 0:Network:326103: auth verify done

 

As a small background, the ASA (main gate) serves hundreds of other ASAs and probably 30 IAS boxes using certs.

This is the first time we have tried using certs on a Fgt.

Not quite sure what "peer certificate not received" alludes to.

 

Besides the gui issue we have also bumped into a problem with the Remote ID field.

Apparently it will only take 63 chars and below.  Our Remote ID of the gate, even if spaces are stripped - is 79 chars.

So we're using "Any peer ID" for now.  (but our security people will probably complain) Can this be entered in the cli and will it be saved? If we open that tunnel to edit will the gui then complain about the long string?

 

So not going as smoothly as hoped.  Any suggestions gladly received!

 

Kevin

13 REPLIES 13
emnoc
Esteemed Contributor III

So it seems like you didn't receive a peer-cert, did they do any diagnostics on the cisco ASA? And validate peer certification in the cfg?

 

e.g

debug crypto isakmp

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Abdessamad

Hi,

 

I have exactly the same issue, 

the problem probably comes from the IKE fragmentation.

 

BR

Network Admin
Network Admin
emnoc
Esteemed Contributor III

I didn't think you could run site2site vpns using a certificate from a ASA or the enrollement server. How did they ( cisco ) 1> craft a certificate for you 2> how did they download it?

 

Sure the fortigate can't uses SCEP like what's expected and only supported in  the cisco ASA, unless I'm mistaken and something  has changed in  the last  few years.

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Abdessamad

Hi,

Before migrate to ikev2, we had a VPN IPSec Site to Site ikev1 (FGT 100D<--> Cisco ASA 5585) with certif function correctly.

The Certificats was issued fron a MS CA Server

BR

Network Admin
Network Admin
emnoc
Esteemed Contributor III

How did you export the cert for the fortigate from the MS CA? The  cisco ASA only works with SCEP I heard you can manually execute some things but it's not as easy as 1 2 3.

 

So in the OP post, he needs to make sure the "proper" cert is enabled for the ike authentication and only certificate with no peer-id ( unless  the cisco ASA is requiring a peer-id )

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Abdessamad

Hi,

Thank you for your update

I have exported the certif for ASA and FGT from MS CA with Base 64 encoded.

On the ASA side the certif is enabled for the ike authentication :

 

tunnel-group 10.7.3.28 ipsec-attributes    ikev2 remote-authentication certificate    ikev2 local-authentication certificate ASA.PCIDSS

 

BR

Network Admin
Network Admin
emnoc
Esteemed Contributor III

So "ASA.PCIDSS" is a certifcate defined on the ASA & the show crypto ca certificate shows the certificates?

 

e.g

 

crypto pki certificate  chain ASA.PCIDSS

 

On  the fortigate can you validate the certificate with the show full vpn certificate local cmd?

 

Alternatively you can review the cert in  the webGUI and validate the cert is show and the serial#. Since your using ikev2 what does your phase1-interface config looks like on the  fortigate?

 

And finally, did you run any debugs from the ciscoASA to see what it complains about if any?

 

do  the following;

 

crypto ca enroll

crypto ca authenticate

show crypto ca certificates

 

and ensure debug is enabled.

 

debug cry pki messages

debug cry pki trans

 

 Since you have other ASAs I'm betting the problems starts on the fortigate side configurations. You can debug and try to catch the 1st IKE packet from the fortigate send see what it shows as originator.

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
emnoc
Esteemed Contributor III

btw post us a update once you get this to work. I have never been sucessful with certificates on ASA and other devices.

 

;)

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Abdessamad

Hi,

Thank you for update,

ASA.PCIDSS is the trustpoint : CA certificate + Signed Identity Certificate

 

ASA config:

-----------

crypto ca trustpoint PCIDSS.ASA enrollment terminal fqdn FWMutualisation1.domainName subject-name CN=FWMutualisation1.domainName, OU=XX, O=XX, C=XX, L=XXXX serial-number keypair ASA_PCIDSS crl configure crypto ca trustpool policy

crypto ca certificate chain PCIDSS.ASA

---------------------

 

I can review the cert in  the webGUI and validate it. (status OK)

 

Config FortiGate phase1 and phase2:

 

config vpn ipsec phase1-interface edit "MON-SYSBD" set interface "Outside" set ike-version 2 set authmethod signature set proposal aes256-sha512 set dpd disable set dhgrp 2 set remote-gw X.X.X.X set certificate "VPN_PCI_DSS" next end config vpn ipsec phase2-interface edit "MON-SYSBD-2" set phase1name "MON-SYSBD" set proposal aes256-sha512 set dhgrp 5 set auto-negotiate enable set keylifeseconds 28800 set src-name "DMZ_ENTITES" set dst-name "DMZ-CENTRAUX" next end

--------------------------

 

Yes, I have debugs from the ciscoASA :

 

IKEv2-PLAT-3: (7483): SENT PKT [IKE_AUTH] [172.21.176.1]:500->[10.7.3.28]:500 InitSPI=0xc8dbf4ef45acf4e0 RespSPI=0xe74e994ac120cf35 MID=00000001 IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK IKEv2-PROTO-5: (7483): Action: Action_Null IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_PKI_SESH_CLOSE IKEv2-PROTO-5: (7483): Closing the PKI session IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_UPDATE_CAC_STATS IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_INSERT_IKE IKEv2-PROTO-2: (7483): IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started IKEv2-PROTO-2: (7483): Session with IKE ID PAIR (e=agouzoza@eurafric-information.com,cn=10.7.3.28,ou=Security,l=XX Siege,c=XX, cn=FWMutualisation1.XXXXX,ou=XXXX,o=XXX,l=XXXX,c=XXXX) is UP IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_REGISTER_SESSION IKEv2-PLAT-2: (7483): connection auth hdl set to 1204 IKEv2-PLAT-2: (7483): AAA conn attribute retrieval successfully queued for register session request. IKEv2-PROTO-2: (7483):  IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_NO_EVENT IKEv2-PLAT-2: (7483): idle timeout set to: 30  IKEv2-PLAT-2: (7483): session timeout set to: 0  IKEv2-PLAT-2: (7483): group policy set to GroupePolicy_10.7.3.28 IKEv2-PLAT-2: (7483): class attr set IKEv2-PLAT-2: (7483): tunnel protocol set to: 0x40 IKEv2-PLAT-2: (7483): IPv4 filter ID not configured for connection IKEv2-PLAT-2: (7483): group lock set to: none IKEv2-PLAT-2: (7483): IPv6 filter ID not configured for connection IKEv2-PLAT-2: (7483): connection attribues set valid to TRUE IKEv2-PLAT-2: (7483): Successfully retrieved conn attrs IKEv2-PLAT-2: (7483): Session registration after conn attr retrieval PASSED, No error IKEv2-PROTO-2: (7483): Initializing DPD, configured for 10 seconds IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_RECD_REGISTER_SESSION_RESP IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_GEN_LOAD_IPSEC IKEv2-PROTO-2: (7483): Load IPSEC key material IKEv2-PLAT-2: (7483): Base MTU get: 0 IKEv2-PLAT-2: (7483): Base MTU get: 0 IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_START_ACCT IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHECK_DUPE IKEv2-PROTO-2: (7483): Checking for duplicate IKEv2 SA IKEv2-PROTO-2: (7483): No duplicate IKEv2 SA found IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHK4_ROLE IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: READY Event: EV_R_OK IKEv2-PROTO-2: (7483): Starting timer (8 sec) to delete negotiation context IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: READY Event: EV_NO_EVENT

 

------------------

 

I can't see any error message on this debug

 

BR

Network Admin
Network Admin
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors