Maybe my duckduckgo (read: googling) skills leave something to be desired, but I cannot for the life of me get my FortiGate 51E to connect to a SonicWall TZ210.
I have found https://support.software.dell.com/kb/sw13566 and http://kb.fortinet.com/kb/viewContent.do?externalId=11657 and while the instructions seem to cover the current SonicWall interface accurately, the FortiGate interface described in the articles seem out of date.
The net result is that the tunnel doesn't work; the SonicWall gives me a "IKE Initiator: Start Quick Mode (Phase 2)." in the log, but nothing more.
Does anyone know of a more recent write-up for FortiGates and SonicWalls?
One of our customers has Main mode IPSec (site-to-site) vpn between their Sonicwall to our FG1500D, but we didn't have to change anything specific for Sonicwall and just configured the same way we would do for FG to FG and it's working. We use the interface mode IPSec. You probably need to do sniffing and IKE application debugging at least on the FG side to see what's going on.
If I can chime in
1: Don't figure it like a fgt-2-fgt with typical quad 0.0.0.0s ( aka 0.0.0.0:0 )
2: set the proxy-ids for specific local/remote subnets ( aka src-subnet and dst-subnets)
Here's how we have a simple tunel cfg from a TLZ to FGT110C
SONICWALL
ZONE INSIDE 10.10.0.0/24
ZONE REMOTE 10.11.0.0/24 (FGT )
MD5
PSK 8charactersDHGRP5
PROPOSAL AES128
( if you enable PFS enable it on the FGT ( it should be on by default )
SET SA-keepAlives
FGT
config vpn ipsec phase1-interface
edit "FGT2SONIC" set interface "port1" set nattraversal disable set keylife 28800 set proposal aes128-md5 set dpd disable set dhgrp 5 set remote-gw x.x.x.x <-sonic wall address set psksecret dellsonicwall <-use a strong PSK next end
config vpn ipsec phase2-interface
edit "FGT2SONICP2" set phase1name "FGT2SONIC" set proposal aes128-sha1 set pfs disable set keepalive enable set auto-negotiate enable set keylifeseconds 3600 set src-subnet 10.11.0.0 255.255.255.0 set dst-subnet 10.10.0.0 255.255.255.0 next
config router static
edit 777
set dst 10.10.0.0/24
set dev FGT2SONIC
end
And apply your firewall policies
config firewall adress
edit local
set subnet 10.11.0.0/24
next
edit remote
set subnet 10.10.0.0/24
end
config firewall policy
edit 0
set srcintf port5
set dstintf FGT2SONIC
set srcaddr local
set dstaddr remote
set action accept
set schedule always
set logtraffic all
set service PING
set comment " for pings"
end
;)
PCNSE
NSE
StrongSwan
hi all
Can help me on this now i am geeting this error gotm sonicwall
IKE Initiator: Proposed IKE ID mismatch
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.