Hello everyone,
I might need some help here, as I think there might be some sort of bug.
So I was doing an Interface mode IPsec VPN connection to a Cisco ASA. Everything was fine: the VPN came up, policies are set both ways to the tunnel interface, static routes are there.
If I try to initiate the connection from my end (ping from one host to another host on both encryption domains), I see the packets going through the policy, and the other end sees the packet, but the Cisco firewall reports a mismatch of some sort, so the packets are getting encrypted and sent over the tunnel but it stops there.
Now if the connection is initiated from the Cisco side, and then I try that ping again, everything works, so there isn't any routing issue or policy issue; otherwise it would not work just by having the Cisco establish the encryption domain between those specific subnets.
So now the strange part: this VPN is done with a Local and Remote Subnet set on the Phase2 of the VPN config as an Address Group, as there are 4 subnets on each side that need to use the VPN.
Now if I remove the group, and just add 1 subnet from each side by typing the IP address (10.10.10.0/24, as an example) on both the local and remote section of the Phase2 VPN connection, I bring the tunnel down, I bring it back up and it works fine.
So the problem seems to be that I cannot use Group objects, but there isn't any way for me to add 4 different subnets by actually typing the address instead of using an Address object.
Does anyone have any solutions for this?
Many Thanks
Hmmm, I have just seen the Phase2 selectors. Does that mean if I have 4 local subnets and 4 remote subnets I will need 16 Phase2 selections?
That surely can't be right.
No, you can add 4x ph2 selectors. Try with the "ip address" first and then work to address-group. I have seen the exact same issues in v5.6.3 where fw.addr.obj gave issues, but if you set an actual address it works.
e.g.
config vpn ipsec phase2-interface
    edit ph2_1
        set phase1name blahblah
        set src-subnet 10.10.0.0/24
        set dst-subnet 1.1.1.0/24
    next
    edit ph2_2
        set phase1name blahblah
        set src-subnet 10.10.0.0/24
        set dst-subnet 1.1.2.0/24
    next
and so on...
Ken
PCNSE
NSE
StrongSwan
This is good news, at least there is a fix, but because I have 4 subnets on one side that need to be able to communicate with the other 4, this originates 16 different combinations where it goes:
Local1 -- Remote1
Local1 -- Remote2
Local1 -- Remote3
Local1 -- Remote4
Local2 -- Remote1
Local2 -- Remote2
Local2 -- Remote3
Local2 -- Remote4
and so on. I mean, it's not a problem; it just seems too much clutter on the config to get around a problem that shouldn't be there.
Many Thanks
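Since the workaround from the reply above is one phase2 selector per local/remote subnet pair (4 x 4 = 16 entries here), a small generator keeps that clutter out of hand-typed config and catches a mistyped subnet before it becomes a selector the peer never matches. This is an added example, not code from the thread or from Fortinet; the phase1 name and the subnets below are placeholders, and the selector naming (ph2_N) is my own convention.

```python
"""Generate one FortiOS phase2-interface selector per local/remote subnet pair."""
import ipaddress
from itertools import product


def invalid_subnets(subnets):
    """Return the entries that are not valid networks (e.g. host bits set)."""
    bad = []
    for s in subnets:
        try:
            ipaddress.ip_network(s, strict=True)
        except ValueError:
            bad.append(s)
    return bad


def make_phase2_selectors(phase1_name, local_subnets, remote_subnets, prefix="ph2"):
    """Return (entries, cli_text) for every local x remote combination.

    entries is a list of (selector_name, local_subnet, remote_subnet) tuples;
    cli_text is the matching 'config vpn ipsec phase2-interface' block.
    """
    bad = invalid_subnets(list(local_subnets) + list(remote_subnets))
    if bad:
        raise ValueError(f"not valid subnets: {bad}")
    locals_ = [ipaddress.ip_network(s, strict=True) for s in local_subnets]
    remotes = [ipaddress.ip_network(s, strict=True) for s in remote_subnets]
    entries = []
    lines = ["config vpn ipsec phase2-interface"]
    for n, (src, dst) in enumerate(product(locals_, remotes), start=1):
        name = f"{prefix}_{n}"
        entries.append((name, str(src), str(dst)))
        lines += [
            f"    edit {name}",
            f"        set phase1name {phase1_name}",
            f"        set src-subnet {src}",
            f"        set dst-subnet {dst}",
            "    next",
        ]
    lines.append("end")
    return entries, "\n".join(lines)


if __name__ == "__main__":
    # Placeholder subnets: replace with the real local and remote networks.
    local = ["10.10.10.0/24", "10.10.11.0/24", "10.10.12.0/24", "10.10.13.0/24"]
    remote = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24"]
    _, cli = make_phase2_selectors("to-asa", local, remote)
    print(cli)
```

Each generated selector must correspond to one crypto ACL entry on the ASA side; the mismatch reported when the FortiGate initiates is exactly what a pair the peer does not have looks like.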