Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
SoGo
New Contributor II

VPN IPSEC FORTIGATE - TELTONIKA RUT950

HI, 

I'm trying to perform an ipsec between a fortigate device and a teltonika rut950, and I can't get it, I'm looking for an idea of why or if there is no compatibility

SoGo_0-1646329825758.png

SoGo_1-1646329870666.png

SoGo_2-1646329894354.png

 

SoGo_3-1646329916145.png

SoGo_4-1646330046121.png

SoGo_5-1646330094147.png

 

 

1 Solution
Toshi_Esumi
Esteemed Contributor III

What I can see in this IKE debug output is, despite what you showed on Teltonika side config, the router is initiating IKEv2 IPSec and the negotiation is successful all the way to the point the FGT side accepted and came up, then sent the reply back to the router. Then the router rejected.

 

I think the reason is you're using LAN side IP for identifier on the router's config. The FGT wouldn't check the received identifier unless you configured "peer ID" on the FGT side. But FGT doesn't send the identifier you configured on the router side unless you configure "local ID" on the FGT side.

 

First option I would try is to disable identification checking on the router side by like setting FQDN, and leave the FQDN config box empty, which I saw at Teltonika's KB.
https://wiki.teltonika-networks.com/view/IPsec_configuration_examples

Since this seems to be site-to-site, it wouldn't break anything without identification checking.

If you have to do it for security reason, you can try configuring peer ID/local ID on the FGT side to match the router side. There should be some FTNT KBs for that part of config but mostly for dialup IPSec situations.

 

Toshi

View solution in original post

9 REPLIES 9
Vando_Pereira

Hello,

 

Do you get any phase up ? 1 or 2 ?

 

First we need to try to get phase 1 up, can both devices ping each other ? 

Are they behind a NAT ?

In the second image in the network part, you have "Dialup" selected, is the other device supposed to initiate the vpn tunnel creation process ?

 

You can use the command: diagnose debug application ike -1 , and diag debug enable. To see the IKE messages, and see if there is any incompatibility in phase 1.

 

Then you can use the commands to check phase2:

  • get vpn ipsec tunnel details --> info for active ipsec tunnels
  • get vpn ipsec stats tunnel --> some tunnel stats

 

One of the key points must be, to see what IKE parameters does the Fortigate recieve and try to make them equal in the fortigate.

 

Best regards.

As you think, so shall you become.
SoGo
New Contributor II

i check the status of ike negotiation I can see that the tunnel rises and the negotiations are successful, until at a certain point it falls 

 

SoGo
New Contributor II

The scenario is a Fortigate device with a public IP and a Teltonik cellular network device, which does not have a public IP, so I chose the dial up option. In the debug messages, I can see that ike negotiations begin and these are successful, dynamic tunnels are created, routes are added, until. ike 3:Teltonika_0:167: dec D8E1C348F9957B6BD40C8667F56292282E20250800000002000000282900000040000000800000018 ike 3:Teltonika_0:167: received informational request ike 3:Teltonika_0:167: processing notify type AUTHENTICATION_FAILED ike 3:Teltonika_0:167: AUTH rejected by initiator ike 3:Teltonika_0:167: schedule delete of IKE SA d8e1c348f9957b6b/d40c8667f5629228 ike 3:Teltonika_0:167: scheduled delete of IKE SA d8e1c348f9957b6b/d40c8667f5629228 ike 3:Teltonika_0: deleting IPsec SA with SPI c31d7597 ike 3:Teltonika_0:Teltonika: deleted IPsec SA with SPI c31d7597, SA count: 0 ike 3:Teltonika:25: del route 30.0.10.0/255.255.255.0 oif Teltonika(47) metric 15 priority 0 ike 3:Teltonika_0: sending SNMP tunnel DOWN trap for Teltonika ike 3:Teltonika_0:Teltonika: delete

 

Toshi_Esumi
Esteemed Contributor III

Did you remove the ike debug output at your "FW-LAB" after posting once? I saw it in email update but don't see it here. 
But that output was for a different VPN coming from different IP with IKEv2.

You need to specify the peer IP when you run IKE debug with "diag vpn ike log-filter src-addr4 <peer_IP>".

 

Toshi

Toshi_Esumi
Esteemed Contributor III

Ok, now much better.
AUTH rejected means either identity or prehsare key is not matching.

SoGo
New Contributor II

If I deleted some entries because it wouldn't let me upload the whole thing, I'm attaching the full output if you'd like to take a look, the device is one that I have to carry out the test before putting it in a productive environment, it is the only existing tunnel. It is worth mentioning that the device has multiple vdom enabled

 

https://mega.nz/file/ok1jWA6A#7JgoBUkfBqFL_myEW0ug_O_89btNGKkERjXCOuPH9Qo

Toshi_Esumi
Esteemed Contributor III

What I can see in this IKE debug output is, despite what you showed on Teltonika side config, the router is initiating IKEv2 IPSec and the negotiation is successful all the way to the point the FGT side accepted and came up, then sent the reply back to the router. Then the router rejected.

 

I think the reason is you're using LAN side IP for identifier on the router's config. The FGT wouldn't check the received identifier unless you configured "peer ID" on the FGT side. But FGT doesn't send the identifier you configured on the router side unless you configure "local ID" on the FGT side.

 

First option I would try is to disable identification checking on the router side by like setting FQDN, and leave the FQDN config box empty, which I saw at Teltonika's KB.
https://wiki.teltonika-networks.com/view/IPsec_configuration_examples

Since this seems to be site-to-site, it wouldn't break anything without identification checking.

If you have to do it for security reason, you can try configuring peer ID/local ID on the FGT side to match the router side. There should be some FTNT KBs for that part of config but mostly for dialup IPSec situations.

 

Toshi

SoGo
New Contributor II

thanks Toshi, now is working

diego_S_Tecnetik

diego_S_Tecnetik_0-1677001120595.png

i cant see this option, add vertion firmware in picture. you can help me?

Labels
Top Kudoed Authors