Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
danjacoyle
New Contributor

FortiGate to Sonicwall IPSec VPN

I have to set up a IPSec VPN between a VLAN on one site (192.168.200.0/24) and a Sonicwall on another site (10.3.0.0/24)

 

I have followed this article and the VPN will not come up, any ideas please?

 

http://kb.fortinet.com/kb...amp;documentID=FD33903

6 REPLIES 6
Adrian_Buckley_FTNT

debug the VPN communications to see what's going on

 

Use these CLI commands

#diag deb app ike 255 <sonicwall IP>

#diag deb en

 

Then attempt to bring up the tunnel from the Sonicwall side.  This will show the negotiation proposals that are being presented by the Sonic wall, and you can compare then to what is configured on the FortiGate to fine the discrepency.

FortiRack_Eric
New Contributor III

Actually the debug commands you have given are outdates (pre 4.x)

 

the right command is

dia deb en

dia vpn ike log-filter dst4 <ip-address)

dia deb app ike 255

 

Rackmount your Fortinet --> http://www.rackmount.it/fortirack

 

Rackmount your Fortinet --> http://www.rackmount.it/fortirack
emnoc
Esteemed Contributor III

Actually those commands are not outdate and the right syntax is ;

 

diag vpn ike log-filter  dst-addr4 1.1.1.1

 

I do agree tho,  you need to diag  the ike , but in the mean time can you  provide

 

 

show vpn ipsec phase1-interface

show vpn ipsec phase2-interface

 

( you did do a interface mode vpn right ; ) ? )

 

 

On your dell sonicwall can you provide us the exact cfg that you deployed?

 

[size="3"][size="3"]show vpn sa ike[/size][/size]

show vpn policy

show vpn sa

 

You need to ensure the phase1 authen and PSK match and the exact proposals. I would limited or restrict multiple proposals.

for the phase2 proxy-ids they need to exactly match src/dst  and dst/src respectively on each device.

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
FortiRack_Eric
New Contributor III

Hi Emnoc, I believe we state the same thing:

 

dia deb app ike <ip address>  is really outdated. :)

 

 

Rackmount your Fortinet --> http://www.rackmount.it/fortirack

 

Rackmount your Fortinet --> http://www.rackmount.it/fortirack
pcraponi
Contributor II

On Sonicwall side, you need use site-to-site VPN instead "Tunnel Interface". The Fortinet KB are wrong about this.

 

I have a scenario with Fortigate 1000D and 70 Sonicwall TZ using IPSec VPN among them.

 

 

Regards,

Paulo Raponi

Regards, Paulo Raponi

Regards, Paulo Raponi
Rewanta_FTNT
Staff
Staff

hello,

 

kb talks about route based vpn beteen fgt and sonicwall. You have other options apart from route based vpn. 

You need to collect the following commands output to understand whats the issue.

 

-you can debug the ike (isakmp packets) from fgt diag debug rest diag debug console timestamp enable diag vpn ike log-filter dst-addr4 <sonicwall_public_IP> diag debug app ike -1 -vpn configuration. 

 

-to stop the debug

diag debug disable 

diag debug reste

 

thanks

rewanta

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors