Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
whanson
New Contributor

Created on ‎02-21-2012 06:41 AM

VPN encryption domain on VIP

Had this setup with a PIX515 fairly easily, just can' t seem to get it to translate to my Fortigate 60C. Here is the VPN setup from our customer. (IPs have been randomized, sort of) Parameter - Customer - Us VPN Gateway - 135.4.4.51 - 107.2.2.125 Ecryption Domain - 19.0.0.0/8 - 107.2.2.117 Support key exchanged for subnets is - ON - ON Encryption - IKE:AES256:SHA - IKE:AES256:SHA IKE phase1 timeout - 1440 min - 1440 min IPSEC (phase 2) timeout - 3600 sec - 3600 sec DH group for P1 - 2 - 2 PFS - Disabled - Disabled Keepalive - Disabled Disabled I' ve tried both policy VPN and interface VPN setups, they just wont seem to connect. is what extra info can I post to help figure this mess out. I' m about to setup the PIX just to get this tunnel working again. config vpn ipsec phase1 edit " vpnCUSTpol" set interface " wan1" set nattraversal disable set dhgrp 2 set keylife 86400 set proposal aes256-sha1 set dpd disable set remote-gw 135.4.4.51 set psksecret ENC 7nV0BleK7zZepNi8NLPE6wMIGlpFOGIAbcYNTuiLyq+mTwhJvob8yjughpyZmcJcpILwAu8r5Hx8z0Xa3Jl6v8XVrhAiEX8qqvQLs4VolQkhJBiH set auto-negotiate disable next end config vpn ipsec phase2 edit " p2CUSTpol" set dst-addr-type name set pfs disable set phase1name " vpnCUSTpol" set proposal des-md5 set replay disable set src-addr-type ip set dst-name " VPN-Cust" set keylifeseconds 3600 set src-start-ip 107.2.2.117 next end
Thanks, Wes
Thanks, Wes
Preview file
18 KB
11204
0 Kudos
8 REPLIES 8
emnoc
Esteemed Contributor III

Created on ‎02-21-2012 09:27 AM

Are you 100% sure that your clients are being NAT' d behind the VIP address 107.2.2.117? Can you show us the associated fwpolicies?

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
6211
0 Kudos
rwpatterson
Valued Contributor III
In response to emnoc

Created on ‎02-21-2012 11:17 AM

config vpn ipsec phase2 edit " p2CUSTpol" set dst-addr-type name set pfs disable set phase1name " vpnCUSTpol" set proposal des-md5 set replay disable set src-addr-type ip set dst-name " VPN-Cust" set keylifeseconds 3600 set src-start-ip 107.2.2.117 next end
In the past, The ' set dst-addr-type name' didn' t always work between FGTs and other vendors. Try using the IP address instead.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
6211
0 Kudos
whanson
New Contributor

Created on ‎02-21-2012 12:47 PM

Are you 100% sure that your clients are being NAT' d behind the VIP address 107.2.2.117?
No, I' m not... And it should only be one client, the rest of the network is NAT' d out the WAN1 interface.
Try using the IP address instead.
Did that, VPN still won' t come up. NO-PROPOSAL-CHOSEN is what the log says. I' m mostly interested in getting the VPN up, then working on traffic flow. That should be possible shouldn' t it?
Thanks, Wes
Thanks, Wes
6211
0 Kudos
rwpatterson
Valued Contributor III
In response to whanson

Created on ‎02-21-2012 12:56 PM

If your policy is in place, check to make sure the quick mode selectors match what the Cisco has, and check that both have the same PFS settings in phase 2.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
6211
0 Kudos
whanson
New Contributor

Created on ‎02-21-2012 12:59 PM

Just got the tunnel to come up. It should have been AES256-SHA in P1 and P2. I saw somewhere else here that Interface mode with a NAT Pool for a single address, would be the way to go. Give that a try next. Can' t set destination Address in P2 interface mode. ??
Thanks, Wes
Thanks, Wes
6211
0 Kudos
whanson
New Contributor

Created on ‎02-22-2012 05:57 AM

What I really need to do is outlined in the first 3 posts here. But I seem to be unable to get the tunnel to come up in Interface mode. I assume this is because I cannot set the Destination Address in the Phase2 configuration, when in Interface mode. Which seems to be killing me since I' m trying to connect to a Cisco ASA.
Thanks, Wes
Thanks, Wes
6211
0 Kudos
asbeck
New Contributor

Created on ‎02-22-2012 06:56 AM

Whanson, To resolved your problem try with information below: Phase 2: Add command set use-natip disable In Firewall Policy: Add command set natip 107.2.2.117 255.255.255.255 Your configuration in Firewall Policy, that igual this: config firewall policy edit XX set srcintf " port1" set dstintf " wan1" set srcaddr " 192.168.100.73" set dstaddr " VPN-Cust" set action ipsec set schedule " always" set service " ANY" set logtraffic enable set logtraffic-app disable set natip 107.2.2.117 255.255.255.255 set inbound enable set outbound enable set natinbound enable set natoutbound enable set vpntunnel " vpnCUSTpol" next end
6211
0 Kudos
whanson
New Contributor

Created on ‎02-22-2012 07:18 AM

That got it in Policy mode! Thank you!
Thanks, Wes
Thanks, Wes
6211
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.