Hi, I am a beginner who just started my journey with Fortigate. I am using Cisco ASA which is configured with remote access SSL VPN and users connect to VPN through Cisco AnyConnect client.
I am implementing FortiGate in the lab environment. I want to find out if it is possible to use Cisco AnyConnect client with FortiGate in SSL VPN?
If you happen to know any documentation or video tutorial related to configuration please share.
SSL VPN technology is often proprietary and does not work across vendors and clients.
IPSec VPN, however, is an open standard and you can use AnyConnect to initiate an IPSec tunnel to FortiGate.
Or, use the free FortiClient VPN for SSL VPN to the FortiGate. NO reason you can't have both installed on your PC.
Does anybody know if this works? To VPN into FortiGate with Cisco AnyConnect VPN client, using IPSec?
IPsec is an open standard. So any standards-compliant IPSec VPN client will be able to connect to the FortiGate IPSec remote access VPN.
Has anyone managed to put together a configuration that works for FortiOS 7.x and Anyconnect 4.x?
Hi @mrfelipe,
SSL VPN is not supposed to work with AnyConnect. You can either use SSL VPN web mode or tunnel mode with FortiClient. If you wish to use AnyConnect, you can configure IPsec on FortiGate for this.
Regards,
Minh
I understand that SSL VPN works only with FortiClient, but in this case I tried to set up an IPsec VPN with AnyConnect and I can't connect. On the FortiGate side the error is: ike V=root:0:d81232e7c2e796be/0000000000000000:383336: unexpected payload type 47
Hi @mrfelipe,
In this case, can you try to execute these commands on FortiGate when trying to connect the VPN:
diag debug reset
diagnose vpn ike log filter rem-addr4
diagnose debug application ike -1
diag debug enable
Regards,
Minh
Hi mle2808
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: responder received SA_INIT msg
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: VID unknown (19): CISCO-DELETE-REASON
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: VID unknown (55): CISCO(COPYRIGHT)&Copyright (c) 2009 Cisco Systems, Inc.
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: VID unknown (20): CISCO-ANYCONNECT-EAP
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: VID unknown (15): 434953434F2D4752452D4D4F444503
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: VID unknown (16): 434953434F2D4E47452D4C4556454C03
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: VID unknown (22): CISCO-ANYCONNECT-STRAP
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: VID unknown (25): CISCO-ANYCONNECT-STRAP-DH
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: received notify type NAT_DETECTION_SOURCE_IP
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: received notify type NAT_DETECTION_DESTINATION_IP
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: unexpected payload type 47
ike V=root:0: comes 45.95.45.199:37014->212.108.232.11:500,ifindex=29,vrf=0....
ike V=root:0: IKEv2 exchange=SA_INIT id=d1a0e69ef9568be9/0000000000000000 len=698
ike 0: in D1A0E69EF9568BE900000000000000002120220800000000000002BA220001140200007C0101000D0300000C01000014800E01000300000C01000014800E00C00300000C01000014800E008003000008020000060300000802000007030000080200000503000008020000020300000803000000030000080400001303000008040000140300000804000015030000080400000F000000080400001000000094020100100300000C0100000C800E01000300000C0100000C800E00C00300000C0100000C800E00800300000802000006030000080200000703000008020000050300000802000002030000080300000C030000080300000D0300000803000002030000080300000E030000080400001303000008040000140300000804000015030000080400000F00000008040000102800004800130000B46FE15BD23254292D0F86FFB88F6D202EF01E13B6EF8661D181D58D692AD1F186D463E294707FF2EE488B310CF837BBB620326D70A1FFD9C5BD967B5D9715522B000018AE0C8F3A023A7052D8D33F95F4B51F6741FDF6D32B000017434953434F2D44454C4554452D524541534F4E2B00003B434953434F28434F505952494748542926436F7079726967687420286329203230303920436973636F2053797374656D732C20496E632E2B000018434953434F2D414E59434F4E4E4543542D4541502B000013434953434F2D4752452D4D4F4445032B000014434953434F2D4E47452D4C4556454C032B00001A434953434F2D414E59434F4E4E4543542D53545241502900001D434953434F2D414E59434F4E4E4543542D53545241502D44482900001C010040043C23778221BADAA1D12AF0A5E1FC9B752154C6992B00001C01004005BA59DBAC572892EC0D3B7623126001439DA45ED82F0000144048B7D56EBCE88525E7DE7F00D6C2D32900000E010000007038000202400000000800004016
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: responder received SA_INIT msg
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: VID unknown (19): CISCO-DELETE-REASON
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: VID unknown (55): CISCO(COPYRIGHT)&Copyright (c) 2009 Cisco Systems, Inc.
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: VID unknown (20): CISCO-ANYCONNECT-EAP
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: VID unknown (15): 434953434F2D4752452D4D4F444503
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: VID unknown (16): 434953434F2D4E47452D4C4556454C03
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: VID unknown (22): CISCO-ANYCONNECT-STRAP
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: VID unknown (25): CISCO-ANYCONNECT-STRAP-DH
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: received notify type NAT_DETECTION_SOURCE_IP
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: received notify type NAT_DETECTION_DESTINATION_IP
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: unexpected payload type 47
ike V=root:0: comes 45.95.45.199:37014->212.108.232.11:500,ifindex=29,vrf=0....
ike V=root:0: IKEv2 exchange=SA_INIT id=d1a0e69ef9568be9/0000000000000000 len=698
ike 0: in D1A0E69EF9568BE900000000000000002120220800000000000002BA220001140200007C0101000D0300000C01000014800E01000300000C01000014800E00C00300000C01000014800E0080
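The IKEv2 framing behind the "unexpected payload type 47" line, as an added example (not code from this thread, from Fortinet or from Cisco): in the RFC 7296 payload registry, type 47 is the Configuration (CP) payload, which a responder normally meets inside the encrypted IKE_AUTH exchange rather than in the cleartext IKE_SA_INIT. The raw dump above shows where it sits: the FRAGMENTATION Vendor ID payload begins with the header bytes 2F000014, and 0x2F is 47, so the client chains a CP payload after its last Vendor ID. The Python below walks the generic payload chain of an IKEv2 datagram and lists anything not normally present in an IKE_SA_INIT request. The sample message is constructed here in the same shape as the capture (the initiator SPI is the one from the log; the CP attribute is a made-up private-use value), and the parser does not decode SA proposals, so it says nothing about the proposal or cipher question.

```python
import struct

# IKEv2 payload types from RFC 7296 section 3.2 (53 = SKF, RFC 7383)
PAYLOAD_NAMES = {
    0: "none", 33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT",
    38: "CERTREQ", 39: "AUTH", 40: "Nonce", 41: "Notify", 42: "Delete",
    43: "VendorID", 44: "TSi", 45: "TSr", 46: "SK", 47: "CP", 48: "EAP",
    53: "SKF",
}
EXCHANGE_NAMES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                  36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
# Payload types that normally appear in an IKE_SA_INIT request
# (SA, KE, Nonce, Notify, Vendor ID, CERTREQ); anything else is worth a look.
SA_INIT_EXPECTED = {33, 34, 40, 41, 43, 38}

# Fixed 28-byte IKE header: SPIi, SPIr, next payload, version, exchange,
# flags, message ID, total length
IKE_HDR = struct.Struct("!8s8sBBBBII")
# Generic 4-byte payload header: next payload, critical bit + reserved, length
PAYLOAD_HDR = struct.Struct("!BBH")


def parse_ikev2(raw: bytes) -> dict:
    """Walk the payload chain of one IKEv2 datagram and return its structure."""
    if len(raw) < IKE_HDR.size:
        raise ValueError("shorter than an IKE header")
    spi_i, spi_r, nxt, version, exch, flags, msg_id, length = IKE_HDR.unpack_from(raw, 0)
    if version >> 4 != 2:
        raise ValueError(f"not IKEv2 (major version {version >> 4})")
    if length != len(raw):
        raise ValueError(f"header says {length} bytes, buffer has {len(raw)}")
    payloads = []
    offset = IKE_HDR.size
    while nxt != 0:
        if offset + PAYLOAD_HDR.size > len(raw):
            raise ValueError(f"truncated payload header at offset {offset}")
        following, crit, plen = PAYLOAD_HDR.unpack_from(raw, offset)
        if plen < PAYLOAD_HDR.size or offset + plen > len(raw):
            raise ValueError(f"bad payload length {plen} at offset {offset}")
        payloads.append({
            "type": nxt,
            "name": PAYLOAD_NAMES.get(nxt, "unknown"),
            "critical": bool(crit & 0x80),
            "body": raw[offset + PAYLOAD_HDR.size:offset + plen],
        })
        nxt, offset = following, offset + plen
    return {
        "spi_i": spi_i.hex(), "spi_r": spi_r.hex(),
        "exchange": EXCHANGE_NAMES.get(exch, f"unknown({exch})"),
        "initiator": bool(flags & 0x08), "msg_id": msg_id, "payloads": payloads,
    }


def unexpected_in_sa_init(msg: dict) -> list:
    """Payload types a responder would not normally see in IKE_SA_INIT."""
    return [(p["type"], p["name"]) for p in msg["payloads"]
            if p["type"] not in SA_INIT_EXPECTED]


def build_message(spi_i: bytes, exchange: int, payloads: list,
                  flags: int = 0x08, msg_id: int = 0) -> bytes:
    """Assemble an IKEv2 datagram from (type, body) pairs, chaining the next-payload fields."""
    chunks = []
    for i, (ptype, body) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chunks.append(PAYLOAD_HDR.pack(following, 0, PAYLOAD_HDR.size + len(body)) + body)
    joined = b"".join(chunks)
    first = payloads[0][0] if payloads else 0
    hdr = IKE_HDR.pack(spi_i, bytes(8), first, 0x20, exchange, flags, msg_id,
                       IKE_HDR.size + len(joined))
    return hdr + joined


# Constructed sample: a minimal IKE_SA_INIT request in the shape of the thread's
# capture (Vendor ID, NAT detection notify, then a CP payload). The initiator SPI
# is the one from the log; the CP attribute is a made-up private-use value.
SAMPLE_SA_INIT = build_message(bytes.fromhex("d1a0e69ef9568be9"), 34, [
    (43, b"CISCO-ANYCONNECT-EAP"),
    # Notify: protocol 0, SPI size 0, type 16388 = NAT_DETECTION_SOURCE_IP, 20-byte hash (zeroed)
    (41, struct.pack("!BBH", 0, 0, 16388) + bytes(20)),
    # CP: CFG_REQUEST (1) + 3 reserved bytes, one attribute (type 0x7FF1, length 2, value 0x0001)
    (47, struct.pack("!B3xHH", 1, 0x7FF1, 2) + b"\x00\x01"),
])

if __name__ == "__main__":
    msg = parse_ikev2(SAMPLE_SA_INIT)
    print(msg["exchange"], "from SPIi", msg["spi_i"])
    for p in msg["payloads"]:
        print(f"  payload {p['type']:>2} {p['name']:<8} {len(p['body'])} bytes")
    print("not expected in IKE_SA_INIT:", unexpected_in_sa_init(msg))
```

Run directly to print the payload chain of the constructed sample. The hex after "ike 0: in" in the FortiOS debug output is the datagram as received, so bytes.fromhex() of a complete dump (the one at the end of this post is cut off) can replace SAMPLE_SA_INIT to see the same walk over a real capture.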
Hi @mrfelipe,
From the Cisco forum, it looks like the cipher is not supported on both sides. Can you try to use sha256 or sha1 on both sides and make sure both P1 and P2 match. Also try to use main mode v1 for the tunnel.
Regards,
Minh.