Hi guys, can you help me? I am having trouble connecting to a remote VPN via IPsec. They are using public IP addresses for their terminals (see image attached). I am done with static routes, IPv4 policies and IPsec tunnels. I've done this a couple of times, but this is the first time that I am connecting our local PRIVATE IP ADDRESSES (10.10.0.0 and 10.10.70.0) to remote public IP addresses (216.242.170.0/26). Do I need to do something? Our phase 1 and phase 2 are the same, even our preshared keys. These IPs are just examples.
What diagnostics did you do, if any?
> I would start by double-checking that phase 1 and 2 are up:
diag vpn ike gateway list
diag vpn tunnel list
> next I would verify your route table:
get router info routing all | grep 216.242.170.0
> if all of these are positive, check that your policy/objects are correct (e.g. no typos)
> and then a "diag debug flow"
Ken Felix
PCNSE
NSE
StrongSwan
Hi, Emnoc,
Sorry for the late reply. Thank you for your advice. I'm still new to FortiGate, so bear with me. Here are the results:
diag vpn ike gateway list

vd: root/0
name: Imagine-IPsec
version: 1
interface: port2 10
addr: 27.110.219.186:500 -> 216.240.169.50:500
created: 4s ago
IKE SA: created 1/1
IPsec SA: created 1/1

  id/spi: 1176320 dca29d3afb5e81d0/0000000000000000
  direction: responder
  status: connecting, state 3, started 4s ago

diag vpn tunnel list

name=Imagine-IPsec ver=1 serial=4b2 27.110.219.186:0->216.240.169.50:0
bound_if=10 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=10 ilast=23 olast=23 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=Imagine-IPsec proto=0 sa=0 ref=2 serial=15 auto-negotiate
  src: 0:10.10.0.0/255.255.248.0:0 0:10.70.0.0/255.255.248.0:0
  dst: 0:216.240.172.0/255.255.255.192:0

get router info routing all

S       216.240.172.0/26 [1/0] via 203.177.24.241, port1
                         [1/0] via 27.110.219.185, port2
Also attached the real IP and stuff. I really need some help, hehe.
Image link: https://ibb.co/XpTjDMw
So this is going to need deep diagnostics.
1> you are responding to the Cisco (that's good to some degree)
2> phase1 is NOT up
3> VPN Imagine-IPsec needs to be analyzed as to why it is not negotiating IKE
4> that route for the destination should be pointed to interface "Imagine-IPsec"
Can you dump the following cfgs?
show vpn ipsec phase1-interface Imagine-IPsec
show vpn ipsec phase2-interface
show router <route #>
show firewall policy <policy number>
Let's double-check your cfg. Once you have confirmed the cfg, we need to run "diag debug application ike -1" to see what debug details are present.
Ken Felix
PCNSE
NSE
StrongSwan
show vpn ipsec phase1-interface Imagine-IPsec
config vpn ipsec phase1-interface
    edit "Imagine-IPsec"
        set interface "port2"
        set peertype any
        set proposal aes256-sha1
        set comments "VPN: Imagine-IPsec (Created by VPN wizard)"
        set dhgrp 5
        set remote-gw 216.240.169.50
        set psksecret ENC Gp+DtgAlu2qttsi9IBQDkJ/zIEzB2ewPl2XrBCINxPY/SU6Vzahu7C+Bju2V5S4nvJoln+iK5Oa0hS/W7Sb/LXRsB3EQ68+BwJB/7DRH2DZs3iUXTM/GXQNL0VCy6ftOZCk7eGZirUEZlD4O2e/yTKBo90bqbu/cNU1+uIcMH4vGvA6CUI7fF1R8Gzs9PvfkdA3H5w==
    next
end

show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
    edit "Imagine-IPsec"
        set phase1name "Imagine-IPsec"
        set proposal aes256-sha1
        set pfs disable
        set auto-negotiate enable
        set comments "VPN: Imagine-IPsec (Created by VPN wizard)"
        set src-addr-type name
        set dst-addr-type name
        set keylifeseconds 28800
        set src-name "Imagine-IPsec_local"
        set dst-name "Imagine-IPRemote"
    next
end

show router static
        set device "Imagine-IPsec"
        set comment "VPN: Imagine-IPsec (Created by VPN wizard)"
        set dstaddr "Imagine-IPRemote"
    next
    edit 16
        set distance 254
        set comment "VPN: Imagine-IPsec (Created by VPN wizard)"
        set blackhole enable
        set dstaddr "Imagine-IPRemote"

show firewall policy 53
    edit 53
        set name "vpn_Imagine-IPsec_remote"
        set uuid 7f379932-c96c-51eb-b230-b58778cee77e
        set srcintf "Imagine-IPsec"
        set dstintf "port5"
        set srcaddr "Imagine-IPRemote"
        set dstaddr "Imagine-IPsec_local"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set comments "VPN: Imagine-IPsec (Created by VPN wizard)"
    next

show firewall policy 52
    edit 52
        set name "vpn_Imagine-IPsec_local"
        set uuid 7f1f2e2e-c96c-51eb-a09c-085314461e30
        set srcintf "port5"
        set dstintf "Imagine-IPsec"
        set srcaddr "Imagine-IPsec_local"
        set dstaddr "Imagine-IPRemote"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set comments "VPN: Imagine-IPsec (Created by VPN wizard)"
    next
Imagine-IPRemote is 216.240.172.0/26
Imagine-IPsec_local is an address group of 10.10.0.0/21 and 10.70.0.0/21
I also just set the static route for 216.240.172.0/26 to interface Imagine-IPsec.
Thank you for walking me through.
Okay, your cfg looks not too bad. Observations:

show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
    edit "Imagine-IPsec"
        set phase1name "Imagine-IPsec"
        set proposal aes256-sha1
        set pfs disable
        set auto-negotiate enable
        set comments "VPN: Imagine-IPsec (Created by VPN wizard)"
        set src-addr-type name
        set dst-addr-type name
        set keylifeseconds 28800
        set src-name "Imagine-IPsec_local"
        set dst-name "Imagine-IPRemote"
    next
end

I do not trust src-names in phase2-interfaces. Is the Cisco side expecting two IPsec SAs?
And on phase1:
Are we sure of the settings for the proposal? ikeversion, dhgrp, .....
Basically, what was cfg'd on the remote device?
Ken Felix
PCNSE
NSE
StrongSwan
Yup, they are expecting two subnets from us: one from local, which is 10.10.0.0/21, and one from work-from-home employees via SSL VPN, 10.70.0.0/21. Should I not group them, and create another phase 2 for the 10.70?
Here's the image link for the proposals.
https://ibb.co/m635jvJ
Just build 2, i.e.:

config vpn ipsec phase2-interface
    edit "Imagine-IPsec-subnet1"
        set phase1name "Imagine-IPsec"
        set proposal aes256-sha1
        set pfs disable
        set auto-negotiate enable
        set comments "VPN: Imagine-IPsec (Created by VPN wizard)"
        set src-addr-type name
        set dst-addr-type name
        set keylifeseconds 28800
        set src-name "Imagine-IPsec_local-subnet1"
        set dst-name "Imagine-IPRemote"
    next
    edit "Imagine-IPsec-subnet2"
        set phase1name "Imagine-IPsec"
        set proposal aes256-sha1
        set pfs disable
        set auto-negotiate enable
        set comments "VPN: Imagine-IPsec (Created by VPN wizard)"
        set src-addr-type name
        set dst-addr-type name
        set keylifeseconds 28800
        set src-name "Imagine-IPsec_local-subnet2"
        set dst-name "Imagine-IPRemote"
    next
end

Just name 2 objects for the subnets and use them in the src-name.
Ken Felix
PCNSE
NSE
StrongSwan
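Added example, not code from this thread or from Fortinet: a Python triage script that walks emnoc's checklist (phase 1 up, phase 2 SA present, route pointed at the tunnel interface) over the diagnostic outputs pasted earlier in the thread, and flags a phase 2 whose selectors carry more than one subnet pair, which on IKEv1 a policy-based peer such as the Cisco here expects as separate IPsec SAs, one phase 2 per pair. The function names, the `render_split_phase2` output (which uses `src-subnet`/`dst-subnet` rather than the named address objects the thread uses) and the constructed `ROUTE_OK` line are assumptions of this example; the other sample outputs are the ones quoted above, reflowed. Call `triage(...)` for the findings and `render_split_phase2(...)` for the split configuration.

```python
"""Triage of the FortiGate IPsec diagnostics quoted in this thread.
Added example, not code from the thread. Sample outputs are the ones posted
above, reflowed; ROUTE_OK is constructed to show a correctly pointed route."""
import ipaddress
import re

IKE_GATEWAY_LIST = """\
vd: root/0
name: Imagine-IPsec
version: 1
addr: 27.110.219.186:500 -> 216.240.169.50:500
IKE SA: created 1/1
IPsec SA: created 1/1
  direction: responder
  status: connecting, state 3, started 4s ago
"""
TUNNEL_LIST = """\
name=Imagine-IPsec ver=1 serial=4b2 27.110.219.186:0->216.240.169.50:0
proxyid_num=1 child_num=0 refcnt=10 ilast=23 olast=23 ad=/0
proxyid=Imagine-IPsec proto=0 sa=0 ref=2 serial=15 auto-negotiate
  src: 0:10.10.0.0/255.255.248.0:0 0:10.70.0.0/255.255.248.0:0
  dst: 0:216.240.172.0/255.255.255.192:0
"""
ROUTE_LIST = """\
S       216.240.172.0/26 [1/0] via 203.177.24.241, port1
                         [1/0] via 27.110.219.185, port2
"""
ROUTE_OK = "S       216.240.172.0/26 [10/0] is directly connected, Imagine-IPsec\n"  # constructed
SELECTOR = re.compile(r"(\d+):([\d.]+)/([\d.]+):(\d+)")   # proto:net/mask:port
ROUTE_IFACE = re.compile(r",\s*(\S+)\s*$")                 # trailing ", <egress iface>"


def ike_gateway_status(text):
    """Parse one entry of `diag vpn ike gateway list` into a dict."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            info[key.strip()] = value.strip()
    status = info.get("status", "")
    return {"name": info.get("name"), "version": int(info.get("version", 0)),
            "direction": info.get("direction"), "status": status,
            "established": status.startswith("established")}


def proxyid_selectors(text):
    """Map each proxyid (phase 2) in `diag vpn tunnel list` to its SA count
    and its src/dst selectors as ip_network objects."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("proxyid="):
            fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
            current = fields["proxyid"]
            result[current] = {"sa": int(fields.get("sa", 0)), "src": [], "dst": []}
        elif current and line[:4] in ("src:", "dst:"):
            for _proto, net, mask, _port in SELECTOR.findall(line):
                result[current][line[:3]].append(ipaddress.ip_network(f"{net}/{mask}"))
    return result


def sa_pairs(sel):
    """(src, dst) pairs; a policy-based IKEv1 peer wants one IPsec SA per pair."""
    return [(s, d) for s in sel["src"] for d in sel["dst"]]


def render_split_phase2(phase1name, sel, proposal="aes256-sha1"):
    """One phase2-interface per selector pair (emnoc's 'just build 2'),
    with src-/dst-subnet instead of the thread's named address objects."""
    lines = ["config vpn ipsec phase2-interface"]
    for n, (src, dst) in enumerate(sa_pairs(sel), start=1):
        lines += [f'    edit "{phase1name}-subnet{n}"',
                  f'        set phase1name "{phase1name}"',
                  f"        set proposal {proposal}",
                  "        set auto-negotiate enable",
                  f"        set src-subnet {src.network_address} {src.netmask}",
                  f"        set dst-subnet {dst.network_address} {dst.netmask}",
                  "    next"]
    return "\n".join(lines + ["end"])


def route_egress(text, prefix):
    """Egress interfaces for `prefix` in `get router info routing-table all`
    output; ECMP continuation lines are indented under the first line."""
    ifaces, in_block = [], False
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            in_block = prefix in line.split()
        m = ROUTE_IFACE.search(line) if in_block else None
        if m:
            ifaces.append(m.group(1))
    return ifaces


def triage(ike_text, tunnel_text, route_text, remote_prefix, tunnel_iface):
    """Apply the thread's checklist; returns a list of findings (empty = clean)."""
    findings, ike = [], ike_gateway_status(ike_text)
    if not ike["established"]:
        findings.append(f"phase1 {ike['name']} not up: {ike['status']} (direction {ike['direction']})")
    for name, sel in proxyid_selectors(tunnel_text).items():
        if sel["sa"] == 0:
            findings.append(f"phase2 {name}: no IPsec SA")
        if ike["version"] == 1 and len(sa_pairs(sel)) > 1:
            findings.append(f"phase2 {name}: {len(sa_pairs(sel))} selector pairs in one IKEv1 "
                            "phase2; a peer expecting one SA per pair needs one phase2 per pair")
    egress = route_egress(route_text, remote_prefix)
    if tunnel_iface not in egress:
        findings.append(f"route {remote_prefix} exits via {egress}, not {tunnel_iface}")
    return findings
```

The `established` check reads the `status:` field of `diag vpn ike gateway list` (the thread's output shows `connecting`), `sa=0` under `proxyid=` is the phase 2 view of the same failure, and the route check accepts either a `via <nexthop>, <iface>` line or an `is directly connected, <iface>` line, so the ECMP route to port1/port2 in the thread is reported as not pointing at the tunnel interface.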
Hi, Emnoc,
Already got it up on 10.70.0.0/21 (Imagine-IPsec_local-subnet_2).
Thank you. Still having trouble with 10.10.0.0/21:
config vpn ipsec phase2-interface
    edit "Imagine-IPsec"
        set phase1name "Imagine-IPsec"
        set proposal aes256-sha1
        set pfs disable
        set auto-negotiate enable
        set comments "VPN: Imagine-IPsec (Created by VPN wizard)"
        set src-addr-type name
        set dst-addr-type name
        set keylifeseconds 28800
        set src-name "Imagine-IPsec_local_subnet_1"
        set dst-name "Imagine-IPRemote"
    next
end

config vpn ipsec phase2-interface
    edit "Imagine-IPsec2"
        set phase1name "Imagine-IPsec"
        set proposal aes256-sha1
        set pfs disable
        set auto-negotiate enable
        set comments "VPN: Imagine-IPsec (Created by VPN wizard)"
        set src-addr-type name
        set dst-addr-type name
        set keylifeseconds 28800
        set src-name "Imagine-IPsec_local_subnet_2"
        set dst-name "Imagine-IPRemote"
    next
end
Hi, Emnoc,
Thank you for all your help. I just talked with the people from the Cisco router and they are still checking 10.10.0.0/21; they prioritized 10.70.0.0/21.
Thank you!