Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
In my opinion, I would change the tunnel type from policy based to interface based. At this point you could simply use the VIP as the destination.I setup interface mode VPN between the cisco and Fortigate. (used the Gre over IPsec Guide) The VPN comes up. I can see the SPIs being set and tunnel shows up. Put I cannot ping the Tunnel ip addresses. When i do so i get these traffic logs on fortigate 10: 2011-11-20 14:05:37 log_id=0038000007 type=traffic subtype=other pri=warning status=deny vd=" root" src=208.x.x.x8 srcname=208.x.x.x8 src_port=0 dst=208.x.x.x7 dstname=208.x.x.x7 dst_country=" United States" dst_port=0 service=other proto=47 app_type=N/A duration=0 rule=0 policyid=0 identidx=0 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name=" N/A" shaper_rcvd_name=" N/A" perip_name=" N/A" vpn=" N/A" vpn_type=UNKNOWN(65535) vpn_tunnel=" N/A" src_int=" root" dst_int=" N/A" SN=97151 app=" N/A" app_cat=" N/A" user=" N/A" group=" N/A" msg=" iprope_in_check() check failed, drop" carrier_ep=" N/A" profilegroup=" N/A" This is when I issue a Ping 2: 2011-11-20 14:05:58 log_id=0038000006 type=traffic subtype=other pri=warning status=deny vd=" root" src=208.x.x.x7 srcname=208.x.x.x7 src_port=0 dst=208.x.x.x8 dstname=208.x.x.x8 dst_country=" United States" dst_port=770 service=3/2/icmp proto=1 app_type=N/A duration=0 rule=0 policyid=0 identidx=0 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name=" N/A" shaper_rcvd_name=" N/A" perip_name=" N/A" vpn=" N/A" vpn_type=UNKNOWN(65535) vpn_tunnel=" N/A" src_int=" N/A" dst_int=" N/A" SN=4294967295 app=" N/A" app_cat=" N/A" user=" N/A" group=" N/A" msg=" no protocol tuple found, drop." carrier_ep=" N/A" profilegroup=" N/A" These are the firewall rules edit 10 set srcintf " DMZ" set dstintf " gre1" //gre1 is the gre interface set srcaddr " all" //tocisco is the ipsec interface. set dstaddr " all" set action accept set schedule " always" set service " ANY" next edit 20 set srcintf " gre1" set dstintf " DMZ" set srcaddr " all" set dstaddr " all" set action accept set schedule " always" set service " ANY" next edit 30 set srcintf " gre1" set dstintf " tocisco" set srcaddr " all" set dstaddr " all" set action accept set schedule " always" set service " ANY" next edit 40 set srcintf " tocisco" set dstintf " gre1" set srcaddr " all" set dstaddr " all" set action accept set schedule " always" set service " ANY" Please advise if you would like the entire configs
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1641 | |
1069 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.