usmanjawa
New Contributor

Remote access SSL VPN with Cisco AnyConnect on FortiGate

Hi, I am a beginner who just started my journey with FortiGate. I am using a Cisco ASA which is configured with remote access SSL VPN, and users connect to the VPN through the Cisco AnyConnect client.

 

I am implementing FortiGate in a lab environment. I want to find out if it is possible to use the Cisco AnyConnect client with FortiGate for SSL VPN.

 

If you happen to know any documentation or video tutorial related to the configuration, please share.

gfleming
Staff

SSL VPN technology is often proprietary and does not work across vendors and clients.


IPsec VPN, however, is an open standard, and you can use AnyConnect to initiate an IPsec tunnel to the FortiGate.

 

Or, use the free FortiClient VPN for SSL VPN to the FortiGate. No reason you can't have both installed on your PC.

Cheers,
Graham
per_fiksit
New Contributor

Does anybody know if this works? To VPN into a FortiGate with the Cisco AnyConnect VPN client, using IPsec?

gfleming

IPsec is an open standard, so any standards-compliant IPsec VPN client will be able to connect to the FortiGate IPsec remote access VPN.

Cheers,
Graham
mrfelipe
New Contributor

Has anyone managed to put together a configuration that works for FortiOS 7.x and AnyConnect 4.x?

mle2802

Hi @mrfelipe

SSL VPN is not supposed to work with AnyConnect. You can either use SSL VPN web mode or tunnel mode with FortiClient. If you wish to use AnyConnect, you can configure IPsec on the FortiGate for this.

Regards,
Minh

mrfelipe

I understand that SSL VPN works only with FortiClient, but in this case I tried to set up an IPsec VPN with AnyConnect and I can't connect. On the Forti side the error is: ike V=root:0:d81232e7c2e796be/0000000000000000:383336: unexpected payload type 47

mle2802

Hi @mrfelipe,

In this case, can you try to execute these commands on the FortiGate while trying to connect the VPN (the filter takes the client's public IP as its argument; <client-public-ip> below is a placeholder):

diag debug reset
diagnose vpn ike log filter rem-addr4 <client-public-ip>
diagnose debug application ike -1
diag debug enable

Regards,
Minh

mrfelipe

Hi mle2802

 

ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: responder received SA_INIT msg
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: VID unknown (19): CISCO-DELETE-REASON
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: VID unknown (55): CISCO(COPYRIGHT)&Copyright (c) 2009 Cisco Systems, Inc.
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: VID unknown (20): CISCO-ANYCONNECT-EAP
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: VID unknown (15): 434953434F2D4752452D4D4F444503
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: VID unknown (16): 434953434F2D4E47452D4C4556454C03
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: VID unknown (22): CISCO-ANYCONNECT-STRAP
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: VID unknown (25): CISCO-ANYCONNECT-STRAP-DH
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: received notify type NAT_DETECTION_SOURCE_IP
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: received notify type NAT_DETECTION_DESTINATION_IP
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383064: unexpected payload type 47
ike V=root:0: comes 45.95.45.199:37014->212.108.232.11:500,ifindex=29,vrf=0....
ike V=root:0: IKEv2 exchange=SA_INIT id=d1a0e69ef9568be9/0000000000000000 len=698
ike 0: in
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: responder received SA_INIT msg
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: VID unknown (19): CISCO-DELETE-REASON
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: VID unknown (55): CISCO(COPYRIGHT)&Copyright (c) 2009 Cisco Systems, Inc.
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: VID unknown (20): CISCO-ANYCONNECT-EAP
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: VID unknown (15): 434953434F2D4752452D4D4F444503
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: VID unknown (16): 434953434F2D4E47452D4C4556454C03
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: VID unknown (22): CISCO-ANYCONNECT-STRAP
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: VID unknown (25): CISCO-ANYCONNECT-STRAP-DH
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: received notify type NAT_DETECTION_SOURCE_IP
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: received notify type NAT_DETECTION_DESTINATION_IP
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike V=root:0:d1a0e69ef9568be9/0000000000000000:383065: unexpected payload type 47
ike V=root:0: comes 45.95.45.199:37014->212.108.232.11:500,ifindex=29,vrf=0....
ike V=root:0: IKEv2 exchange=SA_INIT id=d1a0e69ef9568be9/0000000000000000 len=698
ike 0: in D1A0E69EF9568BE900000000000000002120220800000000000002BA220001140200007C0101000D0300000C01000014800E01000300000C01000014800E00C00300000C01000014800E0080

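The "ike 0: in" line above is the raw start of the IKE_SA_INIT packet the FortiGate received, and "unexpected payload type 47" refers to the IKEv2 payload-type registry (RFC 7296 section 3.2), where 47 is the Configuration payload (CP), which the RFC defines for the IKE_AUTH exchange rather than IKE_SA_INIT. The following decoder is an added example, not code from the thread or from Fortinet; it assumes only the hex dump quoted above (copied here as a constructed, truncated input) and the public IKEv2 registries. It decodes the 28-byte header and the first proposal's transforms so an administrator can see what the client actually offers (here AES-GCM-16 with 256/192/128-bit keys, 13 transforms in total, of which only three survive in the truncated dump) and can name any payload number the debug log complains about.

```python
"""Decode the start of an IKEv2 IKE_SA_INIT packet from a FortiGate 'ike 0: in' debug line."""
import struct

# IKEv2 registries (RFC 7296 sections 3.2 and 3.3.2; SKF from RFC 7383).
# Only the entries needed to read this capture are listed.
PAYLOAD_TYPES = {
    0: "None", 33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ",
    39: "AUTH", 40: "Nonce", 41: "Notify", 42: "Delete", 43: "Vendor ID",
    44: "TSi", 45: "TSr", 46: "SK (Encrypted)", 47: "CP (Configuration)",
    48: "EAP", 53: "SKF (Encrypted Fragment)",
}
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
TRANSFORM_TYPES = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "DH", 5: "ESN"}
ENCR_IDS = {3: "3DES", 12: "AES-CBC", 18: "AES-GCM-8", 19: "AES-GCM-12",
            20: "AES-GCM-16", 28: "CHACHA20-POLY1305"}
PROTOCOLS = {1: "IKE", 2: "AH", 3: "ESP"}
ATTR_KEY_LENGTH = 14  # transform attribute type "Key Length", TV format

# Constructed input: the truncated 'ike 0: in' hex dump quoted in the thread, split at
# structure boundaries (header SPIs, header rest, SA header, proposal header, 3 transforms).
CAPTURE_HEX = (
    "D1A0E69EF9568BE90000000000000000"
    "2120220800000000000002BA"
    "22000114"
    "0200007C0101000D"
    "0300000C01000014800E0100"
    "0300000C01000014800E00C0"
    "0300000C01000014800E0080"
)


def payload_name(number):
    """Map an IKEv2 payload type number (as printed by the ike debug) to its name."""
    return PAYLOAD_TYPES.get(number, f"unknown({number})")


def parse_header(data):
    """Decode the fixed 28-byte IKEv2 header (RFC 7296 section 3.1)."""
    if len(data) < 28:
        raise ValueError("truncated IKE header")
    ispi, rspi, nxt, ver, exch, flags, msg_id, length = struct.unpack("!QQBBBBII", data[:28])
    return {
        "initiator_spi": f"{ispi:016x}",
        "responder_spi": f"{rspi:016x}",
        "next_payload": payload_name(nxt),
        "version": f"{ver >> 4}.{ver & 0x0F}",
        "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "initiator": bool(flags & 0x08),   # I(nitiator) flag bit
        "response": bool(flags & 0x20),    # R(esponse) flag bit
        "message_id": msg_id,
        "length": length,
    }


def parse_transforms(data, count):
    """Walk transform substructures; stop cleanly if the dump is cut off mid-proposal."""
    transforms, off, truncated = [], 0, False
    for _ in range(count):
        if len(data) - off < 8:
            truncated = True
            break
        more, _r1, tlen, ttype, _r2, tid = struct.unpack("!BBHBBH", data[off:off + 8])
        if len(data) - off < tlen:
            truncated = True
            break
        entry = {"type": TRANSFORM_TYPES.get(ttype, f"unknown({ttype})"), "id": tid}
        if ttype == 1:
            entry["id"] = ENCR_IDS.get(tid, f"unknown({tid})")
        # Attributes follow the 8-byte transform header; only TV-format Key Length is decoded.
        aoff = off + 8
        while aoff + 4 <= off + tlen:
            atype, avalue = struct.unpack("!HH", data[aoff:aoff + 4])
            if atype & 0x8000 and (atype & 0x7FFF) == ATTR_KEY_LENGTH:
                entry["key_length"] = avalue
                aoff += 4
            else:
                break  # TLV or unknown attribute: not needed for this capture
        transforms.append(entry)
        off += tlen
        if more == 0:
            break
    return transforms, truncated


def parse_sa_payload(data):
    """Decode the SA payload generic header and its first proposal (RFC 7296 section 3.3)."""
    if len(data) < 12:
        raise ValueError("truncated SA payload")
    nxt, _crit, plen = struct.unpack("!BBH", data[:4])
    more, _r, prop_len, prop_num, proto, spi_size, num_transforms = struct.unpack("!BBHBBBB", data[4:12])
    transforms, truncated = parse_transforms(data[12 + spi_size:4 + prop_len], num_transforms)
    return {
        "next_payload": payload_name(nxt), "length": plen, "proposal_num": prop_num,
        "protocol": PROTOCOLS.get(proto, f"unknown({proto})"),
        "num_transforms": num_transforms, "transforms": transforms, "truncated": truncated,
    }


def decode_capture(hex_dump):
    """Decode header plus the leading SA payload of an 'ike 0: in' hex dump."""
    data = bytes.fromhex(hex_dump)
    header = parse_header(data)
    sa = parse_sa_payload(data[28:]) if header["next_payload"] == "SA" else None
    return {"header": header, "sa": sa}


if __name__ == "__main__":
    import json
    print(json.dumps(decode_capture(CAPTURE_HEX), indent=2))
    print("payload type 47 =", payload_name(47))
```

Run it as a script to print the decoded header (IKE_SA_INIT, initiator flag set, length 698, matching the "len=698" in the debug line) and the proposal. Because the debug output truncates the packet, the decoder reports truncated=True rather than guessing the remaining ten transforms; feed it a full capture from a packet sniffer to see every transform the client offers and compare them against the FortiGate phase 1 proposal.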
mle2802
Staff

Hi @mrfelipe,

From the Cisco forum, it looks like the cipher is not supported on both sides. Can you try to use SHA256 or SHA1 on both sides and make sure both P1 and P2 match? Also try to use IKEv1 main mode for the tunnel.

Regards,
Minh.
