Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
SoGo
New Contributor II

Created on ‎03-03-2022 09:55 AM

VPN IPSEC FORTIGATE - TELTONIKA RUT950

HI, 

I'm trying to perform an ipsec between a fortigate device and a teltonika rut950, and I can't get it, I'm looking for an idea of why or if there is no compatibility

SoGo_0-1646329825758.png

SoGo_1-1646329870666.png

SoGo_2-1646329894354.png

 

SoGo_3-1646329916145.png

SoGo_4-1646330046121.png

SoGo_5-1646330094147.png

 

 

Labels:
8257
0 Kudos
1 Solution
Toshi_Esumi
SuperUser
SuperUser

Created on ‎03-03-2022 12:14 PM Edited on ‎03-03-2022 12:17 PM

What I can see in this IKE debug output is, despite what you showed on Teltonika side config, the router is initiating IKEv2 IPSec and the negotiation is successful all the way to the point the FGT side accepted and came up, then sent the reply back to the router. Then the router rejected.

 

I think the reason is you're using LAN side IP for identifier on the router's config. The FGT wouldn't check the received identifier unless you configured "peer ID" on the FGT side. But FGT doesn't send the identifier you configured on the router side unless you configure "local ID" on the FGT side.

 

First option I would try is to disable identification checking on the router side by like setting FQDN, and leave the FQDN config box empty, which I saw at Teltonika's KB.
https://wiki.teltonika-networks.com/view/IPsec_configuration_examples

Since this seems to be site-to-site, it wouldn't break anything without identification checking.

If you have to do it for security reason, you can try configuring peer ID/local ID on the FGT side to match the router side. There should be some FTNT KBs for that part of config but mostly for dialup IPSec situations.

 

Toshi

View solution in original post

8220
0 Kudos
9 REPLIES 9
Vando_Pereira
Staff
Staff

Created on ‎03-03-2022 10:15 AM Edited on ‎03-03-2022 10:25 AM

Hello,

 

Do you get any phase up ? 1 or 2 ?

 

First we need to try to get phase 1 up, can both devices ping each other ? 

Are they behind a NAT ?

In the second image in the network part, you have "Dialup" selected, is the other device supposed to initiate the vpn tunnel creation process ?

 

You can use the command: diagnose debug application ike -1 , and diag debug enable. To see the IKE messages, and see if there is any incompatibility in phase 1.

 

Then you can use the commands to check phase2:

  • get vpn ipsec tunnel details --> info for active ipsec tunnels
  • get vpn ipsec stats tunnel --> some tunnel stats

 

One of the key points must be, to see what IKE parameters does the Fortigate recieve and try to make them equal in the fortigate.

 

Best regards.

As you think, so shall you become.
8205
0 Kudos
SoGo
New Contributor II
In response to Vando_Pereira

Created on ‎03-03-2022 11:02 AM Edited on ‎03-03-2022 11:03 AM

i check the status of ike negotiation I can see that the tunnel rises and the negotiations are successful, until at a certain point it falls 

 

8201
0 Kudos
SoGo
New Contributor II
In response to SoGo

Created on ‎03-03-2022 11:10 AM

The scenario is a Fortigate device with a public IP and a Teltonik cellular network device, which does not have a public IP, so I chose the dial up option. In the debug messages, I can see that ike negotiations begin and these are successful, dynamic tunnels are created, routes are added, until. ike 3:Teltonika_0:167: dec D8E1C348F9957B6BD40C8667F56292282E20250800000002000000282900000040000000800000018 ike 3:Teltonika_0:167: received informational request ike 3:Teltonika_0:167: processing notify type AUTHENTICATION_FAILED ike 3:Teltonika_0:167: AUTH rejected by initiator ike 3:Teltonika_0:167: schedule delete of IKE SA d8e1c348f9957b6b/d40c8667f5629228 ike 3:Teltonika_0:167: scheduled delete of IKE SA d8e1c348f9957b6b/d40c8667f5629228 ike 3:Teltonika_0: deleting IPsec SA with SPI c31d7597 ike 3:Teltonika_0:Teltonika: deleted IPsec SA with SPI c31d7597, SA count: 0 ike 3:Teltonika:25: del route 30.0.10.0/255.255.255.0 oif Teltonika(47) metric 15 priority 0 ike 3:Teltonika_0: sending SNMP tunnel DOWN trap for Teltonika ike 3:Teltonika_0:Teltonika: delete

 

8197
0 Kudos
Toshi_Esumi
SuperUser
SuperUser

Created on ‎03-03-2022 11:12 AM Edited on ‎03-03-2022 11:13 AM

Did you remove the ike debug output at your "FW-LAB" after posting once? I saw it in email update but don't see it here. 
But that output was for a different VPN coming from different IP with IKEv2.

You need to specify the peer IP when you run IKE debug with "diag vpn ike log-filter src-addr4 <peer_IP>".

 

Toshi

8195
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to Toshi_Esumi

Created on ‎03-03-2022 11:17 AM

Ok, now much better.
AUTH rejected means either identity or prehsare key is not matching.

8192
0 Kudos
SoGo
New Contributor II
In response to Toshi_Esumi

Created on ‎03-03-2022 11:19 AM

If I deleted some entries because it wouldn't let me upload the whole thing, I'm attaching the full output if you'd like to take a look, the device is one that I have to carry out the test before putting it in a productive environment, it is the only existing tunnel. It is worth mentioning that the device has multiple vdom enabled

 

https://mega.nz/file/ok1jWA6A#7JgoBUkfBqFL_myEW0ug_O_89btNGKkERjXCOuPH9Qo

8191
0 Kudos
Toshi_Esumi
SuperUser
SuperUser

Created on ‎03-03-2022 12:14 PM Edited on ‎03-03-2022 12:17 PM

What I can see in this IKE debug output is, despite what you showed on Teltonika side config, the router is initiating IKEv2 IPSec and the negotiation is successful all the way to the point the FGT side accepted and came up, then sent the reply back to the router. Then the router rejected.

 

I think the reason is you're using LAN side IP for identifier on the router's config. The FGT wouldn't check the received identifier unless you configured "peer ID" on the FGT side. But FGT doesn't send the identifier you configured on the router side unless you configure "local ID" on the FGT side.

 

First option I would try is to disable identification checking on the router side by like setting FQDN, and leave the FQDN config box empty, which I saw at Teltonika's KB.
https://wiki.teltonika-networks.com/view/IPsec_configuration_examples

Since this seems to be site-to-site, it wouldn't break anything without identification checking.

If you have to do it for security reason, you can try configuring peer ID/local ID on the FGT side to match the router side. There should be some FTNT KBs for that part of config but mostly for dialup IPSec situations.

 

Toshi

8221
0 Kudos
SoGo
New Contributor II
In response to Toshi_Esumi

Created on ‎03-03-2022 01:46 PM

thanks Toshi, now is working

8169
0 Kudos
diego_S_Tecnetik
New Contributor
In response to Toshi_Esumi

Created on ‎02-21-2023 09:40 AM

diego_S_Tecnetik_0-1677001120595.png

i cant see this option, add vertion firmware in picture. you can help me?

5015
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.