Hello,
I'm trying to create a VTI VPN Tunnel between Stormshield and Fortigate.
My VPN is up but I can send other traffic than my trafic selectors.
I have attached a schema which explain the architecture and network traffic capture in forti's port1 and ipsec vpn tunnel.
I see echo request and echo reply in tunnel but the echo reply don't appear in outgoing ESP traffic
Thank you for your help !
AhmedT
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
If you run packet capture on a FGT specifying a tunnel interface, I think it captures packets before ESP encryption/after ESP decryption. If you want to capture ESP encrypted packets, you need to insert a switch with port mirroring and hook up a laptop to it to see packets between two FWs.
Based on the diagram, I think the problem is the unwanted destinations are reachable without the tunnel. Since this seems to be a test/lab environment, just make sure the unwanted destinations' routes don't exist including the default route to the other side. Then set routes only for the desired destinations INTO the tunnel on both ends.
Then what did you mean by "I can send other traffic"? Nothing else other than the traffic destined to 10.83.1.0/24 shouldn't go out of the FGT.
Hello AhmedT,
I'm trying to create a ipsec VPN tunnel on routing policy by using VTI between Fortigate and Stormshield.
Network side Stormshield is 172.28.100.0/24
And Fortigate side is 172.19.0.0/16 and 172.20.0.0/16
SNS vti is 192.168.155.3
FG vti is 192.168.155.1
On Stormshield in phase 2, I put VTI ip address on local network and remote network.
Tunnel is up when phase 2 selector n Fortigate side:
proxyid=HQ-wan1 proto=0 sa=1 ref=3 serial=1 ads
src: 0:192.168.155.1-192.168.155.1:0
dst: 0:192.168.155.3-192.168.155.3:0
Fortigate drop packet because "No matching IPsec selector, drop"
I have implement BGP routing and it's work.
How did you set up your tunnels on Fortigate and Stormshield?
Thank you for your help
Hello,
I'm in the same case. Do you have Screen Configuration of your Fortigate and Stormshield and the BGP configuration ? I asked the Stormshield support and they said me "Sorry, currently VTI tunnels are only supported when both equipment in the tunnel are Stormshield." and i think they only just don't know how to do it...
Thanks you.
I asked them and it's because there is no compatibility with VTI interfaces to others products.
I replaced all my distant Stormshield Firewall with maintenance near to expire with Fortigate 40F. More efficient and works like a charm. Sorry for them but there are taking too much time to solve this kind of problem. Also, new model like SNS 220/320 have also the problem it's software problem and slow development.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1640 | |
1066 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.