Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AhmedT
New Contributor

Fortigate VPN with Stormshield VTI Virtual Tunneling Interface

Hello,

 

I'm trying to create a VTI VPN Tunnel between Stormshield and Fortigate.

 

My VPN is up but I can send other traffic than my trafic selectors.

 

I have attached a schema which explain the architecture and network traffic capture in forti's port1 and ipsec vpn tunnel.

 

I see echo request and echo reply in tunnel but the echo reply don't appear in outgoing ESP traffic

 

Thank you for your help !

 

AhmedT

7 REPLIES 7
AhmedT
New Contributor

VPN Capture

AhmedT
New Contributor

Port 1

Toshi_Esumi

If you run packet capture on a FGT specifying a tunnel interface, I think it captures packets before ESP encryption/after ESP decryption. If you want to capture ESP encrypted packets, you need to insert a switch with port mirroring and hook up a laptop to it to see packets between two FWs.

Based on the diagram, I think the problem is the unwanted destinations are reachable without the tunnel. Since this seems to be a test/lab environment, just make sure the unwanted destinations' routes don't exist including the default route to the other side. Then set routes only for the desired destinations INTO the tunnel on both ends.

AhmedT

Hi Toshi,

 

Thank you for your help !

 

I created static route, I have attached screenshot.

 

AhmedT

Toshi_Esumi

Then what did you mean by "I can send other traffic"? Nothing else other than the traffic destined to 10.83.1.0/24 shouldn't go out of the FGT.

ago_icaar
New Contributor

Hello AhmedT,

 

I'm trying to create a ipsec VPN tunnel on routing policy by using VTI between Fortigate and Stormshield.
Network side Stormshield is 172.28.100.0/24 
And Fortigate side is 172.19.0.0/16 and 172.20.0.0/16
SNS vti is 192.168.155.3
FG vti is 192.168.155.1
On Stormshield in phase 2, I put VTI ip address on local network and remote network.

Tunnel is up when phase 2 selector n Fortigate side:
proxyid=HQ-wan1 proto=0 sa=1 ref=3 serial=1 ads
src: 0:192.168.155.1-192.168.155.1:0
dst: 0:192.168.155.3-192.168.155.3:0

 

Fortigate drop packet because "No matching IPsec selector, drop"
I have implement BGP routing and it's work.

How did you set up your tunnels on Fortigate and Stormshield?

Thank you for your help

SylvainCASA
New Contributor

Hello,

I'm in the same case. Do you have Screen Configuration of your Fortigate and Stormshield and the BGP configuration ? I asked the Stormshield support and they said me "Sorry, currently VTI tunnels are only supported when both equipment in the tunnel are Stormshield." and i think they only just don't know how to do it...

Thanks you.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors