Support Forum
rphaneuf
New Contributor

Fortigate 80C -> Cisco ASA 5520 VPN settings?

Howdy guys, I'm trying to get the first of 3 VPNs up and running with a client, and I'm fairly new to the Fortigate firewalls. I've read through the .pdf documentation for the 4.0-MR1 IPSEC VPN and I've gotten 2 interface mode IPSEC VPNs up and running. The first was to a Checkpoint firewall and the other is a dial-up type. I've also found the post on the forums for VPN IPSEC - 80CM and Cisco Asa and followed the referenced post inside to an article on FortiGate to Cisco PIX VPN.

I've got an 80C running 4.0 MR1-p4 (yes I need to update, but I just got the box). I do have a static public IP address on Wan1: 65.182.241.92. My LAN is all 10.0.0.0/24 IP addressed, which may or may not change things. The client GW: 170.138.39.78. The client network: 170.138.33.0/24 (specific box is .129).

But here are the settings I just tried after attempting to make a policy based IPSEC VPN:

Phase 1:
Name: EM_Mem_Test
Remote GW: Static IP
IP Address: 170.138.39.78
Local interface: Wan1
Mode: Main
Auth. method: PSK
Peer options: Any peer ID
Interface mode: Disabled
Encrypt: 3DES
Auth: SHA1
DH Group: 2
Keylife: 28800
NAT-T: Enabled
DPD: Disabled

Phase 2:
Name: EM_Mem_Test_Ph2
Enc: 3DES
Auth: SHA1
Replay detection: Disabled
PFS: Disabled
DH Group: 5
Keylife: 28800
Autokey Keep Alive: Enabled
Quick mode selectors: source 10.0.0.0/24, destination 170.138.33.0/24

I added a firewall policy per the Fortigate -> Cisco article referenced above. Here's what happened in the CLI when I tried to bring up the tunnel:
FGT80C3909641787 # diag debug ena
FGT80C3909641787 # diag debug cons ti ena
FGT80C3909641787 # diag debug app ike -1
FGT80C3909641787 #
2010-06-11 12:11:26 ike 0:EM_Mem_Test:Em_Mem_Test_Ph2: IPsec SA connect 4 65.182.241.92->170.138.39.78:500, natt_mode=0
2010-06-11 12:11:26 ike 0:EM_Mem_Test: found phase2 Em_Mem_Test_Ph2
2010-06-11 12:11:26 ike 0:EM_Mem_Test: created connection: 0x90d53b0 4 65.182.241.92->170.138.39.78:500.
2010-06-11 12:11:26 ike 0:EM_Mem_Test: new connection.
2010-06-11 12:11:26 ike 0:EM_Mem_Test: IPsec SA connect 4 65.182.241.92->170.138.39.78:500 negotiating
2010-06-11 12:11:26 ike 0:EM_Mem_Test: no suitable ISAKMP SA, queuing quick-mode request and initiating ISAKMP SA negotiation
2010-06-11 12:11:26 ike 0:EM_Mem_Test:336161: initiator: main mode is sending 1st message...
2010-06-11 12:11:26 ike 0:EM_Mem_Test:336161: cookie 0e536b925523ce5d/0000000000000000
2010-06-11 12:11:26 ike 0:EM_Mem_Test:336161: sent IKE msg (ident_i1send): 65.182.241.92:500->170.138.39.78:500, len=220
2010-06-11 12:11:26 ike 0: comes 170.138.39.78:500->65.182.241.92:500,ifindex=4....
2010-06-11 12:11:26 ike 0: IKEv1 exchange=Identity Protection id=0e536b925523ce5d/25f80de75d565166 len=104
2010-06-11 12:11:26 ike 0: found EM_Mem_Test 65.182.241.92 4 -> 170.138.39.78:500
2010-06-11 12:11:26 ike 0:EM_Mem_Test:336161: initiator: main mode get 1st response...
2010-06-11 12:11:26 ike 0:EM_Mem_Test:336161: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
2010-06-11 12:11:26 ike 0:EM_Mem_Test:336161: negotiation result
2010-06-11 12:11:26 ike 0:EM_Mem_Test:336161: proposal id = 1:
2010-06-11 12:11:26 ike 0:EM_Mem_Test:336161: protocol id = ISAKMP:
2010-06-11 12:11:26 ike 0:EM_Mem_Test:336161: trans_id = KEY_IKE.
2010-06-11 12:11:26 ike 0:EM_Mem_Test:336161: encapsulation = IKE/none
2010-06-11 12:11:26 ike 0:EM_Mem_Test:336161: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
2010-06-11 12:11:26 ike 0:EM_Mem_Test:336161: type=OAKLEY_HASH_ALG, val=SHA.
2010-06-11 12:11:26 ike 0:EM_Mem_Test:336161: type=AUTH_METHOD, val=PRESHARED_KEY.
2010-06-11 12:11:26 ike 0:EM_Mem_Test:336161: type=OAKLEY_GROUP, val=1024.
2010-06-11 12:11:26 ike 0:EM_Mem_Test:336161: ISKAMP SA lifetime=28800
2010-06-11 12:11:26 ike 0:EM_Mem_Test:336161: sent IKE msg (ident_i2send): 65.182.241.92:500->170.138.39.78:500, len=180
2010-06-11 12:11:26 ike 0: comes 170.138.39.78:500->65.182.241.92:500,ifindex=4....
2010-06-11 12:11:26 ike 0: IKEv1 exchange=Identity Protection id=0e536b925523ce5d/25f80de75d565166 len=256
2010-06-11 12:11:26 ike 0: found EM_Mem_Test 65.182.241.92 4 -> 170.138.39.78:500
2010-06-11 12:11:26 ike 0:EM_Mem_Test:336161: initiator: main mode get 2nd response...
2010-06-11 12:11:26 ike 0:EM_Mem_Test:336161: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
2010-06-11 12:11:26 ike 0:EM_Mem_Test:336161: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
2010-06-11 12:11:26 ike 0:EM_Mem_Test:336161: VID unknown (16): D03FAAFA5D5751661E2FC3B52381FC42
2010-06-11 12:11:26 ike 0:EM_Mem_Test:336161: VID unknown (16): 1F07F70EAA6514D3B0FA96542A500100
2010-06-11 12:11:26 ike 0:EM_Mem_Test:336161: add initial-contact
2010-06-11 12:11:26 ike 0:EM_Mem_Test:336161: sent IKE msg (ident_i3send): 65.182.241.92:500->170.138.39.78:500, len=100
2010-06-11 12:11:26 ike 0: comes 170.138.39.78:500->65.182.241.92:500,ifindex=4....
2010-06-11 12:11:26 ike 0: IKEv1 exchange=Identity Protection id=0e536b925523ce5d/25f80de75d565166 len=84
2010-06-11 12:11:26 ike 0: found EM_Mem_Test 65.182.241.92 4 -> 170.138.39.78:500
2010-06-11 12:11:26 ike 0:EM_Mem_Test:336161: initiator: main mode get 3rd response...
2010-06-11 12:11:26 ike 0:EM_Mem_Test:336161: VID DPD AFCAD71368A1F1C96B8696FC77570100
2010-06-11 12:11:26 ike 0:EM_Mem_Test:336161: PSK authentication succeeded
2010-06-11 12:11:26 ike 0:EM_Mem_Test:336161: authentication OK
2010-06-11 12:11:26 ike 0:EM_Mem_Test:336161: established IKE SA 0e536b925523ce5d/25f80de75d565166
2010-06-11 12:11:26 ike 0:EM_Mem_Test:336161: initiating pending Quick-Mode negotiations
2010-06-11 12:11:26 ike 0:EM_Mem_Test:336161: cookie 0e536b925523ce5d/25f80de75d565166:25ef65a6
2010-06-11 12:11:26 ike 0:EM_Mem_Test:336161:Em_Mem_Test_Ph2:100038: initiator selectors 0 10.0.0.0/255.255.255.0:0->170.138.33.0/255.255.255.0:0
2010-06-11 12:11:26 ike 0:EM_Mem_Test:336161: sent IKE msg (quick_i1send): 65.182.241.92:500->170.138.39.78:500, len=156
2010-06-11 12:11:26 ike 0: comes 170.138.39.78:500->65.182.241.92:500,ifindex=4....
2010-06-11 12:11:26 ike 0: IKEv1 exchange=Informational id=0e536b925523ce5d/25f80de75d565166:392cf18a len=84
2010-06-11 12:11:26 ike 0: found EM_Mem_Test 65.182.241.92 4 -> 170.138.39.78:500
2010-06-11 12:11:26 ike 0:EM_Mem_Test:336161: notify msg received: NO-PROPOSAL-CHOSEN
2010-06-11 12:11:26 ike 0: comes 170.138.39.78:500->65.182.241.92:500,ifindex=4....
2010-06-11 12:11:26 ike 0: IKEv1 exchange=Informational id=0e536b925523ce5d/25f80de75d565166:afd6c8f5 len=84
2010-06-11 12:11:26 ike 0: found EM_Mem_Test 65.182.241.92 4 -> 170.138.39.78:500
2010-06-11 12:11:26 ike 0:EM_Mem_Test:336161: recv ISAKMP SA delete 0e536b925523ce5d/25f80de75d565166
2010-06-11 12:11:26 ike 0:EM_Mem_Test: deleting
2010-06-11 12:11:26 ike 0:EM_Mem_Test: flushing
2010-06-11 12:11:26 ike 0:EM_Mem_Test: flushed
2010-06-11 12:11:26 ike 0:EM_Mem_Test: deleted
FGT80C3909641787 # diag debug app ike 0
Any suggestions / comments? I sent the settings off to the customer, and I know we're running the same Phase 1 & 2 values (other than the phase 2 source/destination addresses). -- Rich
8 replies
severach
New Contributor

Your log shows nothing except that the Cisco refused the phase 2. The Cisco log will show the reason why. The log of the tunnel receiver is useful. The log of the tunnel initiator is not. Get the Cisco log read or have the Cisco initiate the tunnel.
emnoc
Esteemed Contributor III

I notice in your Ph2 notes you have DH5 stated, but PFS is disabled; not sure as to what you meant here. On the Cisco ASA, please post the config and/or try to get diagnostics run on that unit, e.g. (execute this on the remote ASA):

debug crypto isa 200
debug crypto ipsec 200
term mon

I also ended up creating you an ASA configuration based on your configuration. Your remote side should be configured to something like the following:

tunnel-group 65.182.241.92 type ipsec-l2l
tunnel-group 65.182.241.92 ipsec-attributes
 pre-shared-key "insert your key here"
!
access-list EM_Mem_Test extended permit ip 170.138.33.0 255.255.255.0 10.0.0.0 255.255.255.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map FGT-ASA01 170 match address EM_Mem_Test
crypto map FGT-ASA01 170 set peer "address of the FortiGate"
crypto map FGT-ASA01 170 set transform-set ESP-3DES-SHA
crypto map FGT-ASA01 170 set security-association lifetime seconds 28800
!
crypto isakmp nat-traversal
!
crypto isakmp enable outside
!
crypto map FGT-ASA01 interface outside
!
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
!

You might want to enable a no-NAT statement to prevent this traffic from being NATed. Also on the ASA:

access-list inside_nat0_outbound extended permit ip 170.138.33.0 255.255.255.0 10.0.0.0 255.255.255.0

PCNSE NSE StrongSwan
rphaneuf
New Contributor

Thanks for the help guys. I've got a conference call today with the client to see about finishing the VPN connection. Unfortunately for me, their network / firewall admins are in India, and I'm on the west coast, so trying to get both sides working at the same time is a bit of a challenge. As a side note, with the policy / tunnel based VPN, will I need to do any Virtual IP mapping like I do for say ... the world accessing the HTTP server behind my firewall? -- Rich
rphaneuf
New Contributor

Okay, I see how if I'm the originator with a policy based VPN, I've got to have the firewall rules set up to allow IPSEC as the action in the policy / rule. But, if I'm the one on the receiving end, I try and select "IPSEC" as action of an inbound policy, I don't have the "EM_Mem_Test" VPN tunnel listed. I should need that, correct? Or should I change over to Interface Mode on the VPN instead of Tunnel Mode? And any suggestions on the configuration for an Interface mode tunnel set-up? Oh, I'm still trying to get a time set aside with the firewall admin so we can try out the tunnel and see what's going on. When I do, I'll get the logs from both sides and post them. -- Rich
rwpatterson
Valued Contributor III

ORIGINAL: rphaneuf: And any suggestions on the configuration for an Interface mode tunnel set-up? -- Rich
You will need to add static routes to the remote subnets when using interface mode.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
emnoc
Esteemed Contributor III

I would personally not do policy based. Actually never done it outside of a fortigate to another non-fgt. And pretty still today I don't deploy policy based vpn on fortigates or netscreens. YMMV. I would just build an interface VPN, apply the appropriate static route(s) and correct fw-policies. As long as you match the PH1 proposal and PH2 proxy-ids, and your PSK is correct, all should come up & work. Do make sure you clarify any PFS requirement with the remote fw-admins & for the 2nd DH exchange for the individual SAs. I have a hunch that's why your PH2 is not active.

PCNSE NSE StrongSwan
rphaneuf
New Contributor

Okay, scanned their configuration below and enabled PFS with a Phase 2 DH Group of 2. Tunnel is up. I'll have to double check my port routing and such, but I think the hard part is over now.
tunnel-group 65.182.241.92 type ipsec-l2l
tunnel-group 65.182.241.92 ipsec-attributes
 pre-shared-key *
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
name 65.182.241.92 Regence_65.182.241.92 description Regence_65.182.241.92
access-list WAN_cryptomap_103 extended permit ip host 170.138.33.129 host Regence_65.182.241.92
crypto map WAN_map1 109 set peer Regence_65.182.241.92
crypto map WAN_map1 109 match address WAN_cryptomap_103
crypto map WAN_map1 109 set pfs
crypto map WAN_map1 109 set peer Regence_65.182.241.92
crypto map WAN_map1 109 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map WAN_map1 109 set reverse-route
Thanks for the help guys!
emnoc
Esteemed Contributor III

Hmm, that config still doesn't match what you had earlier. I think you want this for the access-list:

access-list WAN_cryptomap_103 extended permit ip host 170.138.33.129 10.0.0.0 255.255.255.0

So what are the local and remote subnets? You can have the ASA guys conduct a packet-tracer if they are running 7.2 or higher ASA code:

packet-tracer input inside icmp "insert the local host" "insert icmp type" "insert icmp code" "insert your remote host" detail

e.g.

packet-tracer input inside icmp 170.138.33.129 8 0 10.0.0.1 detail

If it passes and forwards upon completion, that would mean all is good. If it fails, then back to the drawing board you go.

PCNSE NSE StrongSwan
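The two mismatches emnoc points at in this thread (first PFS / the phase 2 DH group, then the proxy IDs against the ASA crypto ACL) can be checked mechanically before anyone gets on a call. The following is an added example, not code from this thread, Fortinet or Cisco: it compares the FortiGate phase 2 settings against the ASA crypto map entry using the values posted above, and assumes that `set pfs` with no group means DH group 2 on the ASA and that the two sides' selectors are expected to be mirror images of each other.

```python
import ipaddress

# Constructed from the thread: the FortiGate phase 2 as first posted (PFS disabled,
# 3DES/SHA1, /24 selectors) and the ASA crypto map the client sent back ("set pfs"
# with no group, taken here as DH group 2, plus a host-to-host crypto ACL).
FGT_PH2 = {"enc": "3des", "auth": "sha", "pfs_group": None,
           "local": "10.0.0.0/24", "remote": "170.138.33.0/24"}
ASA_MAP = {"transform_sets": ["ESP-AES-128-SHA", "ESP-3DES-SHA", "ESP-3DES-MD5"],
           "pfs_group": 2,
           # crypto ACL as written on the ASA: its local host -> the FortiGate peer
           "acl_src": "170.138.33.129/32", "acl_dst": "65.182.241.92/32"}


def parse_transform(name):
    """ESP-AES-128-SHA -> ('aes-128', 'sha'); ESP-3DES-MD5 -> ('3des', 'md5')."""
    parts = name.upper().split("-")
    if parts[0] != "ESP" or len(parts) < 3:
        raise ValueError("unrecognised transform-set name: %s" % name)
    return "-".join(parts[1:-1]).lower(), parts[-1].lower()


def compare_phase2(fgt, asa):
    """Return the phase 2 settings on which the two sides do not agree."""
    problems = []
    want = (fgt["enc"].lower(), fgt["auth"].lower())
    if not any(parse_transform(t) == want for t in asa["transform_sets"]):
        problems.append("no ASA transform-set offers %s/%s" % want)
    if fgt["pfs_group"] != asa["pfs_group"]:
        problems.append("PFS mismatch: FortiGate=%s ASA=%s"
                        % (fgt["pfs_group"] or "disabled", asa["pfs_group"] or "disabled"))
    # Proxy IDs: the FortiGate's local/remote selectors should be the exact mirror
    # image of the ASA crypto ACL (ASA source == FortiGate remote, and vice versa).
    if (ipaddress.ip_network(fgt["local"]) != ipaddress.ip_network(asa["acl_dst"])
            or ipaddress.ip_network(fgt["remote"]) != ipaddress.ip_network(asa["acl_src"])):
        problems.append("proxy-ID mismatch: FortiGate %s->%s vs ASA ACL %s->%s"
                        % (fgt["local"], fgt["remote"], asa["acl_src"], asa["acl_dst"]))
    return problems


if __name__ == "__main__":
    for p in compare_phase2(FGT_PH2, ASA_MAP):
        print("phase 2 disagreement:", p)
    fixed = dict(FGT_PH2, pfs_group=2)   # the change rphaneuf made to bring the tunnel up
    print("after enabling PFS group 2:", compare_phase2(fixed, ASA_MAP) or "no mismatches")
```

Run as-is it reports both the PFS gap and the proxy-ID gap; with PFS group 2 enabled on the FortiGate only the crypto ACL disagreement remains, which is the correction emnoc asks for in the last reply.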