Good morning, I've been doing some searching and have been unable to find any threads that have resulted in a resolution for my particular issue. I am essentially setting up an ipsec tunnel between my FortiGate 60D (6.0.9) and our ASA 5516 (9.12) for work. I've gone through the process of setting up our tunnel using the fortigate tunnel wizard. Through my troubleshooting, I've successfully gotten the tunnel to come up, but am only able to do so as long as I only specify one object or subnet in the phase 2 destination. If I add another remote object or subnet to a particular address group, I get varied results.
For example, tunnel comes up with a remote address of 10.1.1.0/24, and I am able to hit that subnet. If I add an additional subnet to that address group, one of two things to happen. Either the entire tunnel drops, or the new subnet becomes reachable, and the original subnet becomes unreachable. In both instances, I show a phase 2 negotiation error in the VPN Events log. I did attempt to create a new phase 2 selector for each new destination subnet, but have yielded the same results. It appears I am only able to get one subnet functioning over the tunnel at a time. To note, I do have ipv4 policies (ACLs) in place to allow the named objects to talk back and forth over the tunnel, as well as static routes pointing the remote subnets over the tunnel interface. I'm unsure of what else to try at this point, or what I could be missing. Thanks in advance for any help! Below is a portion of the CLI output with certain pieces negated.
config vpn ipsec phase1-interface edit "IPSec" set interface "wan1" set ike-version 2 set peertype any set proposal aes256-sha1 set dhgrp 5 set nattraversal disable set remote-gw x.x.x.x set psksecret ENC ######## next end
config vpn ipsec phase2-interface edit "IPSec" set phase1name "IPSec" set proposal aes256-sha256 set dhgrp 5 set replay disable set auto-negotiate enable set src-addr-type name set dst-addr-type name set keylifeseconds 86400 set src-name "Work-Laptop-Wired" set dst-name "CNS-ASR9K-Network" next edit "ROADM" set phase1name "CNS-IPSec" set proposal aes256-sha256 set dhgrp 5 set auto-negotiate enable set src-addr-type name set dst-addr-type name set keylifeseconds 86400 set src-name "Work-Laptop-Wired" set dst-name "CNS-ROADM-Network"
config router static edit 1 set device "CNS-IPSec" set dstaddr "CNS-IPSec_remote_subnet_1" next edit 3 set device "CNS-IPSec" set dstaddr "CNS-ASR920-Network" next edit 4 set device "CNS-IPSec" set dstaddr "CNS-ROADM-Network" next edit 5 set device "CNS-IPSec" set dstaddr "CNS-ASR9K-Network"
Defined each 2nd subnet in a second phase2. Reference the same phase1 name in your cfg dump the phase1 name is different here.
Ken Felix
PCNSE
NSE
StrongSwan
Ah, sorry, the phase1 name is actually the same, that was just a bad copy/paste job on my part. And yes, the second subnet in the second phase2 interface is defined.
edit "Work-Laptop-Wired_192.168.128.50" set uuid d3c782f2-89bf-51ea-5961-aab2b5eb0230 set allow-routing enable set subnet 192.168.128.50 255.255.255.255 next
edit "CNS-ASR9K-Network_10.48.1.0/24" set uuid d3d352b2-89bf-51ea-efa7-325f81d7d401 set allow-routing enable set subnet 10.48.1.0 255.255.255.0 next
edit "CNS-ROADM-Network_10.68.1.0/24" set uuid 374b3cb4-8b10-51ea-f36e-bc04dad19a2f set subnet 10.68.1.0 255.255.255.0 next
I ended up finding my issue on the ASA side of the house. I didn't have the PFS DH group specified for Phase 2, so the ASA was essentially trying to negotiate with a new DH group for each additional phase 2 subnet coming from the Fortigate. Statically setting the pfs dh group on the ASA to match what was set on the Fortigate for Phase 2 corrected the issue.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1109 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.