I have configured an IPsec VPN between a Cisco ASA (10.0.100.110) and a Fortinet (10.0.100.114) in the network 10.0.100.109/29.
The information I received is:
- Encryption Scheme: IKE v1
- Authentication Method: Pre-shared key (to be sent out-of-band: telephone, SMS, IM)
- Diffie-Hellman Group: Group 2
- Encryption Algorithm: AES-256
- Hashing Algorithm: SHA-1
- Main or Aggressive Mode: Main Mode
- IKE Lifetime (for renegotiation): 1440 minutes (86400 seconds)
- NAT Traversal: Enabled
- Keepalive Interval: 10 seconds / Retry interval: 2 seconds
- Encapsulation Mode: tunnel
- Encryption Algorithm: ESP AES-256
- Authentication Algorithm: SHA-1
- Perfect Forward Secrecy: Group 2
- IPsec Lifetime (for renegotiation): 480 minutes (28800 seconds)
- Lifesize in KB (for renegotiation): Unlimited
I have already done that configuration, but I cannot reach the public IP that is linked to their private IP. The services I need to reach via the public IP 197.500.86.15 are TCP 80 and 4001.
Can someone tell me how I can permit this configuration on the FortiGate? Is something missing in this information?
I assume the Phase 2 selectors are 0/0 <-> 0/0 on both sides and the tunnel is up. Then make sure you have a route into the tunnel on the FGT for the public IP you need to reach. From there you need to sniff packets to see whether they're going into the tunnel. If they do, the problem is on the ASA side.
How can I see if the route is OK, and how can I sniff the packets?
"get router info routing-table details 197.500.86.15" will show you the route it follows.
"diag sniffer packet VPN_INTERFACE 'host 197.500.86.15'" will show you the packets. But you have to disable ASIC offloading on the policies to see them in the sniffer ("set auto-asic-offload disable").
I have already run the command and the output is "Network not in table". Is there something I need to do to put the public IP into the routing table?
Yes, I can ping the public IP.
I would first like to know the best way to create the IPsec VPN.
My scenario is: I have a tunnel network range with 3 IPs, e.g. 10.1.100.152/29, with 10.1.100.153 on my network and 10.1.100.158 on the ASA network.
I want to reach the services HTTP, HTTPS, 5400 and 5401 on the public IP 194.234.117.147.
I create an IPsec tunnel with remote gateway 10.1.100.158, and in Phase 2 I set the local address 10.1.100.153 and the remote address 194.234.117.147.
Then I create a policy to reach the public IP on port 80.
I have a static route with gateway 10.1.100.158 and destination 194.234.117.147.
I cannot reach the HTTP service.
So my question is: what is the correct way to do this job?
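For reference, here is an added FortiOS CLI example (not posted by anyone in this thread) of a route-based (interface-mode) tunnel built from the parameters listed at the top of the thread and the addresses of the second scenario: FortiGate tunnel IP 10.1.100.153, ASA peer 10.1.100.158, service host 194.234.117.147. The interface names "port1" and "internal", the address object "lan-net", the phase 1/phase 2 names, the pre-shared key placeholder and the DPD values are assumptions; the source NAT to 10.1.100.153 is an assumption that makes LAN traffic match a /32 local selector, and the static route points at the tunnel interface rather than at the peer IP, which is how interface-mode tunnels on a FortiGate are routed.

```fortios
# --- Phase 1: IKEv1, main mode, PSK, AES-256/SHA-1, DH group 2, 86400 s, NAT-T on ---
config vpn ipsec phase1-interface
    edit "to-asa"
        set interface "port1"              # assumed WAN-side interface on the FortiGate
        set ike-version 1
        set mode main
        set peertype any
        set remote-gw 10.1.100.158         # ASA end of the /29 tunnel network
        set proposal aes256-sha1
        set dhgrp 2
        set keylife 86400
        set nattraversal enable
        set keepalive 10                   # NAT-T keepalive, seconds
        set dpd on-idle                    # assumed closest match to the ASA keepalive/retry values
        set dpd-retryinterval 2
        set psksecret "REPLACE-WITH-PSK"   # placeholder; the real key is exchanged out-of-band
    next
end

# --- Phase 2: ESP AES-256/SHA-1, PFS group 2, 28800 s, selectors 10.1.100.153/32 <-> 194.234.117.147/32 ---
config vpn ipsec phase2-interface
    edit "to-asa-p2"
        set phase1name "to-asa"
        set proposal aes256-sha1
        set pfs enable
        set dhgrp 2
        set keylife-type seconds
        set keylifeseconds 28800
        set auto-negotiate enable          # bring the SA up without waiting for traffic
        set src-subnet 10.1.100.153 255.255.255.255
        set dst-subnet 194.234.117.147 255.255.255.255
    next
end

# --- Give the tunnel interface the FortiGate's tunnel-network address (assumed design) ---
config system interface
    edit "to-asa"
        set ip 10.1.100.153 255.255.255.255
        set remote-ip 10.1.100.158 255.255.255.248
    next
end

# --- Route the service host into the tunnel interface (not via a gateway IP) ---
config router static
    edit 0
        set dst 194.234.117.147 255.255.255.255
        set device "to-asa"
    next
end

# --- Address and service objects for the policy ---
config firewall address
    edit "asa-service-host"
        set subnet 194.234.117.147 255.255.255.255
    next
end
config firewall service custom
    edit "asa-tcp-5400-5401"
        set tcp-portrange 5400-5401
    next
end

# --- Policy: LAN -> tunnel, HTTP/HTTPS/5400/5401, SNAT to the tunnel interface IP ---
config firewall policy
    edit 0
        set name "lan-to-asa-services"
        set srcintf "internal"             # assumed LAN interface
        set dstintf "to-asa"
        set srcaddr "lan-net"              # assumed address object for the local LAN
        set dstaddr "asa-service-host"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "asa-tcp-5400-5401"
        set nat enable                     # source becomes 10.1.100.153, matching the /32 selector
        set auto-asic-offload disable      # needed so the sniffer can see the flows (see later reply)
    next
end
```

The ASA side must mirror the same selectors (its crypto ACL: 194.234.117.147/32 <-> 10.1.100.153/32) and the same proposals, or Phase 2 will not negotiate even when Phase 1 is up.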
I cannot bring up the VPN.
I have already done this, but I cannot bring up the tunnel; it is still down.
I tried it, but it still shows too many VPNs; I have 8.
Is there a command that lets me see the debug output of only one VPN?
Once the VPN is created, what are the next steps to reach the services on the public IP?
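As an added example (not part of any reply in this thread), the following FortiOS CLI sequence checks the route, the tunnel state and the traffic entering the tunnel, and restricts IKE debugging to a single tunnel so that the other seven do not flood the output. It assumes the phase 1 name "to-asa", the WAN interface "port1", the peer 10.1.100.158 and the service host 194.234.117.147 from the second scenario; the IKE log-filter syntax shown is the FortiOS 6.x form, and on FortiOS 7.x the same filter is "diagnose vpn ike log filter ..." (with a space instead of the hyphen).

```fortios
# 1. Does the FortiGate have a route to the service host, and does it point at the tunnel interface?
#    "Network not in table" here means the static route is missing or inactive.
get router info routing-table details 194.234.117.147

# 2. Is Phase 1 established, and does a Phase 2 SA exist?
diagnose vpn ike gateway list name to-asa
diagnose vpn tunnel list name to-asa

# 3. Is the IKE exchange reaching the peer at all? (UDP 500, or 4500 once NAT-T kicks in)
diagnose sniffer packet port1 'host 10.1.100.158 and (udp port 500 or udp port 4500)' 4

# 4. Is cleartext traffic entering the tunnel interface? Requires
#    "set auto-asic-offload disable" on the policy, otherwise offloaded flows are invisible.
diagnose sniffer packet to-asa 'host 194.234.117.147' 4

# 5. IKE debug for one tunnel only (FortiOS 6.x syntax; 7.x: diagnose vpn ike log filter name to-asa)
diagnose vpn ike log-filter name to-asa
diagnose debug application ike -1
diagnose debug enable
#    ... reproduce the problem (e.g. bring the tunnel up from the GUI), then stop and clear:
diagnose debug disable
diagnose debug reset
diagnose vpn ike log-filter clear
```

If step 4 shows packets going into the tunnel but nothing comes back, the issue is on the ASA side (crypto ACL, NAT exemption or its own routing); if step 1 fails, nothing will reach the tunnel regardless of the VPN state.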
Copyright 2024 Fortinet, Inc. All Rights Reserved.