Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- RE: IPSec VPN behind DSL router
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IPSec VPN behind DSL router
Hi all,
I am trying to get an IPSEC connection between two Fortigate devices, where one is behind a static IP address and the other behind a DSL router and uses a dynamic DNS entry.
The VPN will not come up, on the firewall with the static address (remote to me) the IPsec phase 1 error shown is
no matching gateway for new requestand on the local firewall that sits behind the DSL router the P-1 process appears to be successful (event log shows a success message for P-1). I have configured both sides according to the FortiGate IPSec VPN handbook, section Dynamic DNS Configuration, using policy-based security policies. Can anyone explain me what the error message means? When I enable debug on the remote end, the only error message I see for ike is :
gw negotiation timeout
Kind regards,
Jaap
Kind regards, Jaap
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I' m not good at guessing but I' d like to comment anyhow:
- try to get rid of policy based VPN - the only reason for it to stay is VPN in Transparent Mode. You' ll make your life a LOT easier with interface mode.
- in my experience tunnelling through a (cheap) DSL router can be time consuming, hair graying and unsuccessful in the end. Partly because some routers ' detect' IPsec traffic and try to answer themselves instead of handing it over.
I assume you have set up the FGT as ' exposed host' or all-ports-no-questions-asked forwarding. Here it depends on what the DSL router will forward. Initially, ESP is used which is a protocol not included in TCP/IP and as such might not be forwarded at all. During negotiations, the FGT changes from ESP to UDP port 500 to UDP port 4500, always assuming you have checked " NAT-traversal" support in phase2 (or 1). Again, some routers just can' t get their act together and see these port changes as new sessions which breaks the tunnel negotiations.
And so on and on...
To make it short: if you can configure the DSL router as a modem in ' bridged mode' , without any config on it, then it will work almost 100% of the time. You put the PPPoE credentials onto the FGT (interface config for WAN port) so that the FGT dials out to the provider. Apart from central configuration this setup makes sure that the FGT obtains the public WAN IP which might be used in the IPsec config.
I' ve setup many locations with a DSL modem/FGT combo with 100% success.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your comments, Ede.
It might be the router where the problem lies. The router terminates a fibre-optic connection that is used for internet access, telephone and internet TV.
I have set up TCP and UDP port forwarding on the router to allow the required traffic onwards to the firewall, but this did not help.
This week I have unsuccessfully tried to do exactly as you suggested, e.g. put it in bridged mode, set the access credentials on the FG, and allow the firewall to receive the public IP address. Eventhough the mode appears selectable in the interface of the router (' IP Passthrough' ), it apparently is not an allowed mode for it doesn' t seem to be working. So I guess because of the extended services that are being delivered, this may have been blocked.
I will give interface mode a try, as you suggest, and will try to get more information on the IP passthrough option of the router.
Thanks, have a great weekend.
Kind regards,
Jaap
Kind regards, Jaap
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK - found an interesting article about the router I am using (Swisscom Centro Grande):
http://www.sychold.ch/swisscoms-pirelli-centro-grande-offnen
This seems to indicate exactly what I said in my earlier post, that the firmware has certain functionality disabled by the ISP and that includes bridged mode.
But there is a mode available with all default features, and a return to supported mode is possible. So I' ll be giving this a try.
Cheers.
Kind regards,
Jaap
Kind regards, Jaap
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think this might help....
You have to do a PORT FORWARDING in the DSL router of the following ports...
50(tcp/udp) - Encapsulation Header (ESP)
51(tcp/udp) - Authentication Header (AH)
500(udp) - Internet Key Exchange (IKE)
So, when the request get to the DSL, it' s going to send it to the fortinet and they' re going to be able to make the negotiation...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
50(tcp/udp) - Encapsulation Header (ESP) 51(tcp/udp) - Authentication Header (AH) 500(udp) - Internet Key Exchange (IKE)ESP and AH are protocols number 50 and 51 respectively and not ports. ALso keep in mind NAT-T typically defaults to udp 4500
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,692 -
FortiClient
1,762 -
5.2
801 -
FortiManager
728 -
5.4
639 -
FortiAnalyzer
558 -
FortiSwitch
475 -
FortiAP
471 -
FortiClient EMS
431 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
245 -
FortiAuthenticator v5.5
234 -
IPsec
208 -
FortiWeb
205 -
5.0
196 -
FortiNAC
189 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
103 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
92 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
Certificate
34 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiGate-VM
12 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1712 | |
| 1093 | |
| 752 | |
| 447 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.