This is a VPN tunnel to a datacenter with Ciscos with two Phase 2 tunnels. Both are natted because of address conflicts. Interface 2 is going to a Cisco 800 series. Interface 2: 60D-192.168.100.1<>ASA-192.168.100.2<>ASA-172.20.2.0/24. Traffic passed through the VPN until I replaced an ASA 505 with a 60D. Never attempted this; it seems like it should work. I'll show the relevant sections and the trace I'm getting. I'd be grateful for suggestions.
Policy -- Working, Interface 1 to tunnel

    set srcintf "internal1"
    set dstintf "toDell"
    set srcaddr "dot1-add"
    set dstaddr "toDell_remote"
    set action accept
    set schedule "always"
    set service "ALL"
    set nat enable

    set srcintf "toDell"
    set dstintf "internal1"
    set srcaddr "all"
    set dstaddr "22nat"
    set action accept
    set schedule "always"
    set service "ALL"

Policy -- Not working, Interface 2 to tunnel

    set srcintf "internal2"
    set dstintf "toDell"
    set srcaddr "all"
    set dstaddr "toDell_remote"
    set action accept
    set schedule "always"
    set service "ALL"
    set nat enable

    set srcintf "toDell"
    set dstintf "internal2"
    set srcaddr "all"
    set dstaddr "23nat"
    set action accept
    set schedule "always"
    set service "ALL"
VIP

    edit "22nat"
        set extip 172.22.0.1-172.22.0.254
        set extintf "toDell"
        set mappedip "172.20.1.1-172.20.1.254"
    next
    edit "23nat"
        set extip 172.23.0.1-172.23.0.254
        set extintf "toDell"
        set mappedip "172.20.2.1-172.20.2.254"

Phase 2 -- Working

    edit "toDell"
        set phase1name "toDell"
        set proposal 3des-md5
        set pfs disable
        set replay disable
        set comments "VPN: toDell"
        set keylifeseconds 28800
        set src-subnet 172.22.0.0 255.255.255.0
        set dst-subnet 10.1.96.0 255.255.240.0

Phase 2 -- Not working

    edit "smtodell"
        set phase1name "toDell"
        set proposal 3des-md5
        set pfs disable
        set replay disable
        set keylifeseconds 28800
        set src-subnet 172.23.0.0 255.255.255.0
        set dst-subnet 10.1.96.0 255.255.255.0
Trace -- Working

    id=20085 trace_id=114 func=print_pkt_detail line=5293 msg="vd-root received a packet(proto=1, 172.20.1.12:2->10.1.100.11:2048) from internal1. type=8, code=0, id=2, seq=7561."
    id=20085 trace_id=114 func=resolve_ip_tuple_fast line=5368 msg="Find an existing session, id-0000e1df, original direction"
    id=20085 trace_id=114 func=npu_handle_session44 line=907 msg="Trying to offloading session from internal1 to toDell, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00002000"
    id=20085 trace_id=114 func=__ip_session_run_tuple line=3093 msg="SNAT 172.20.1.12->172.22.0.12:2"
    id=20085 trace_id=114 func=ipsecdev_hard_start_xmit line=144 msg="enter IPsec interface-toDell"
    id=20085 trace_id=114 func=esp_output4 line=1174 msg="IPsec encrypt/auth"
    id=20085 trace_id=114 func=ipsec_output_finish line=534 msg="send to 168.215.61.209 via intf-wan1"
Trace -- Not working

    id=20085 trace_id=851 func=print_pkt_detail line=4861 msg="vd-root received a packet(proto=1, 172.20.2.183:1->10.1.100.11:2048) from internal2. type=8, code=0, id=1, seq=1519."
    id=20085 trace_id=851 func=resolve_ip_tuple_fast line=4925 msg="Find an existing session, id-012972b2, original direction"
    id=20085 trace_id=851 func=npu_handle_session44 line=904 msg="Trying to offloading session from internal2 to toDell, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000000"
    id=20085 trace_id=851 func=__ip_session_run_tuple line=2823 msg="SNAT 172.20.2.183->172.23.0.183:1"
    id=20085 trace_id=851 func=ipsecdev_hard_start_xmit line=122 msg="enter IPsec interface-toDell"
    id=20085 trace_id=851 func=ipsec_common_output4 line=766 msg="No matching IPsec selector, drop"
It's saying "No matching IPsec selector, drop" because dst:10.1.100.11 is not inside of "set dst-subnet 10.1.96.0 255.255.255.0".
That has to be natted on the other end of the tunnel--the same address is working on the other phase 2.
Working one has /20 for the mask, not /24.
"set dst-subnet 10.1.96.0 255.255.240.0"
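To make the selector check above reproducible, here is an added example (not from the thread or from Fortinet) that models the outbound path the traces show: reverse-translate the source through the static VIP, then test the post-NAT source and the destination against each Phase 2 selector. The VIP reverse-mapping and the Phase 2 table are taken from the posted config; the fixed /20 variant is assumed from the reply.

```python
import ipaddress


def to_network(addr_mask):
    """Turn a FortiOS 'address dotted-mask' pair into an IPv4Network."""
    addr, mask = addr_mask.split()
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


# Phase 2 selectors as posted: (src-subnet, dst-subnet). smtodell carries the /24 that failed.
PHASE2 = {
    "toDell":   ("172.22.0.0 255.255.255.0", "10.1.96.0 255.255.240.0"),
    "smtodell": ("172.23.0.0 255.255.255.0", "10.1.96.0 255.255.255.0"),
}
# Assumed corrected table: dst-subnet of smtodell widened to /20 as the reply suggests.
PHASE2_FIXED = dict(PHASE2, smtodell=("172.23.0.0 255.255.255.0", "10.1.96.0 255.255.240.0"))

# Static one-to-one VIPs from the post: (mappedip start, extip start, range size).
# Outbound traffic is translated mappedip -> extip, which is the SNAT line in both traces.
VIPS = {
    "22nat": ("172.20.1.1", "172.22.0.1", 254),
    "23nat": ("172.20.2.1", "172.23.0.1", 254),
}


def snat_via_vip(src):
    """Return the external address a VIP maps src to, or None if no VIP covers it."""
    src_ip = ipaddress.IPv4Address(src)
    for mapped_start, ext_start, size in VIPS.values():
        offset = int(src_ip) - int(ipaddress.IPv4Address(mapped_start))
        if 0 <= offset < size:
            return str(ipaddress.IPv4Address(ext_start) + offset)
    return None


def match_selector(src, dst, phase2=PHASE2):
    """Name of the first Phase 2 whose src/dst selectors contain the flow, else None (drop)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for name, (src_sub, dst_sub) in phase2.items():
        if s in to_network(src_sub) and d in to_network(dst_sub):
            return name
    return None


def explain_flow(src, dst, phase2=PHASE2):
    """(post-NAT source, matching Phase 2 or None) for an outbound packet."""
    nat_src = snat_via_vip(src) or src
    return nat_src, match_selector(nat_src, dst, phase2)


if __name__ == "__main__":
    for src in ("172.20.1.12", "172.20.2.183"):
        print(src, "-> 10.1.100.11:", explain_flow(src, "10.1.100.11"))
    print("after /20 fix:", explain_flow("172.20.2.183", "10.1.100.11", PHASE2_FIXED))
```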
Thank you so much. I was assuming it was due to the 2nd interface--not a simple oversight.
Copyright 2024 Fortinet, Inc. All Rights Reserved.