howardsinc
New Contributor

Fortigate to Fortigate IPsec site to site VPN - Won't form with DH 19-21 Elliptic curve

Hello everyone. I believe I found a bug. I am setting up a site to site IPsec VPN between a 100D on 5.2.1 and a 60D on 5.2.0.

When I tried using the below DH groups for phase 1, the devices kept giving me some weird errors.

DH Group 19: 256-bit random ECP Group
DH Group 20: 384-bit random ECP Group
DH Group 21: 521-bit random ECP Group

When I take the DH group down to DH18 it works right away.

Has anyone else run across this? From what I've been reading, ECC is going to be the wave of the future.

 

Regards,

 

Daniel

JNCIA, CCNP R/S, NSE4 , NSE7, Associate of (ISC)²

emnoc
Esteemed Contributor III

You might need to try with the newest FortiOS version. I have seen the exact same thing with dhgrp-20 and Fortigate to Palo Alto. Can you upgrade to 5.2.3 or 5.2.4 for both devices and give it a try?

FWIW, I have also seen the same thing with other firewall appliances and dhgrp 24.

 

PCNSE NSE StrongSwan
howardsinc
New Contributor

I just upgraded both Fortigates to 5.2.4 and it fixed the issue.

JNCIA, CCNP R/S, NSE4 , NSE7, Associate of (ISC)²