hi there. i have a problem with fortigate IPSEC actually i'm not using the fortigate products thats why im posted my problem.
So...
i have 2 tunnels VPN between
fortigate and zywall - successful installed no problem but between cisco and fortigate c300 i have the error message from VPN LOGs (scn attached below) i dont now what it is mean. i asked from google whats going on whats the problem...? ok this's my [style="background-color: #ff9900;"]diag debug[style="background-color: #ffffff;"] from ssh[/style][/style]
DYU-T1-FF-MIT-FW-01 $ ike 0:IPSEC_AMADEUS: auto-negotiate connection ike 0:IPSEC_AMADEUS: created connection: 0xa5230e8 2 10.10.10.1->10.10.10.2:500. ike 0:IPSEC_AMADEUS:IPSEC_AMADEUS: chosen to populate IKE_SA traffic-selectors ike 0:IPSEC_AMADEUS: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation ike 0:IPSEC_AMADEUS:702734: out 354748B3240D3BDD00000000000000002120220800000000000000EC220000300000002C010100040300000C0100000C800E01000300000802000007030000080300000E00000008040000152800008C0015000000513BEDC13A1C605504A645F6AFCE19B0729F508263B8C5E1D692DBB37DCC347ADDFE0927E683766B175C2F8F14D048AF3719F63C952E21C3C2268F5ABF67EB189D01F77BE99FF14408E73C9A85C0529825E6FC309305A633C8575F02113B8911A8BDB6F345989D235B1D6B1A43F0C89C7EF265BCAC6DDC5A866952FEEB33DD3BA2F59F0000001477EBCD7B8A1CC2BA97F88912856038AD ike 0:IPSEC_AMADEUS:702734: sent IKE msg (SA_INIT): 10.10.10.1->10.10.10.2:500, len=236, id=354748b3240d3bdd/0000000000000000 ike 0: comes 10.10.10.1->10.10.10.2:500,ifindex=2.... ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=354748b3240d3bdd/86c7b0e3733f722d len=405 ike 0: in 354748B3240D3BDD86C7B0E3733F722D212022200000000000000195220000300000002C010100040300000C0100000C800E01000300000802000007030000080300000E00000008040000152800008C0015000001AFFB3D929DA70A43866698F8966510922D9EB5E7FB4DF74FBF0BD8B8A85D7F113B4E10375668EB950B824A3EFC94D27FD93AAE5FE02E172A0FCBFC12C84CE3DB7201451B7FA9C72EC23DF9AC911D3B17601BAD0A9497E51E89BC19AF65FB74A5CFAE4757B61530621AE18D90D89A5AFB242F6D48E14283C151D4ADC068D4D01ED72D5C2B000044CD10FD89438A363CE61F485AF3B20FB88E172620584D856C1F7123D9411ECE9F3375510A022730C0DCB657B7EE8AAFDD3EB7904B150E0E6608CE0446C087089A2B000017434953434F2D44454C4554452D524541534F4E2B00003B434953434F28434F505952494748542926436F7079726967687420286329203230303920436973636F2053797374656D732C20496E632E2B000013434953434F2D4752452D4D4F444502000000144048B7D56EBCE88525E7DE7F00D6C2D3 ike 0:IPSEC_AMADEUS:702734: initiator received SA_INIT response ike 0:IPSEC_AMADEUS:702734: incoming proposal: ike 0:IPSEC_AMADEUS:702734: proposal id = 1: ike 0:IPSEC_AMADEUS:702734: protocol = IKEv2: ike 0:IPSEC_AMADEUS:702734: encapsulation = IKEv2/none ike 0:IPSEC_AMADEUS:702734: type=ENCR, val=AES_CBC (key_len = 256) ike 0:IPSEC_AMADEUS:702734: type=INTEGR, val=AUTH_HMAC_SHA2_512_256 ike 0:IPSEC_AMADEUS:702734: type=PRF, val=PRF_HMAC_SHA2_512 ike 0:IPSEC_AMADEUS:702734: type=DH_GROUP, val=ECP521. ike 0:IPSEC_AMADEUS:702734: matched proposal id 1 ike 0:IPSEC_AMADEUS:702734: proposal id = 1: ike 0:IPSEC_AMADEUS:702734: protocol = IKEv2: ike 0:IPSEC_AMADEUS:702734: encapsulation = IKEv2/none ike 0:IPSEC_AMADEUS:702734: type=ENCR, val=AES_CBC (key_len = 256) ike 0:IPSEC_AMADEUS:702734: type=INTEGR, val=AUTH_HMAC_SHA2_512_256 ike 0:IPSEC_AMADEUS:702734: type=PRF, val=PRF_HMAC_SHA2_512 ike 0:IPSEC_AMADEUS:702734: type=DH_GROUP, val=ECP521. ike 0:IPSEC_AMADEUS:702734: lifetime=86400 ike 0:IPSEC_AMADEUS:702734: IKE SA 354748b3240d3bdd/86c7b0e3733f722d SK_ei 32:EDFAFCCC6E41616A64568D5AD4D537E7EE84D3498DDF189B7D74B8EBC203785B ike 0:IPSEC_AMADEUS:702734: IKE SA 354748b3240d3bdd/86c7b0e3733f722d SK_er 32:82A2688D8CC64C80A7FACAED2A1DFD6A26F2AF7BCC3F4BD79F810A9BBD136108 ike 0:IPSEC_AMADEUS:702734: IKE SA 354748b3240d3bdd/86c7b0e3733f722d SK_ai 64:1160304CDBD5A43DD648FBA98AE5FEC16F199D28E79246AF34E94697DC49EF59A7FA647BA2D098D543E8EED618A0B6304AF49282A7A0FA945C881C2111AADB7B ike 0:IPSEC_AMADEUS:702734: IKE SA 354748b3240d3bdd/86c7b0e3733f722d SK_ar 64:5833C49F18FDE89EDDC3E02FFE9BA868D719F1B88FADC7109DE4A7EC863A8C31F652AF757CA61844B53610576A3A9EB49CA8A4E38722EB8250F2DEE25A0923E6 ike 0:IPSEC_AMADEUS:702734: initiator preparing AUTH msg ike 0:IPSEC_AMADEUS:702734: sending INITIAL-CONTACT ike 0:IPSEC_AMADEUS:702734: enc 2900000C010000005BDAA3AC270000080000400029000048020000002EF1B55DAEA59AABB9C99158EB48611D24038804010EA0A4B0BC03E36440655A57BF1CB18B24F56C22C4DA27186FF31625EA184D27FF785628C5825C4B446EE621000008000040242C00002C0000002801030403286AD0E30300000C0100000C800E0100030000080300000E00000008050000002D00001801000000070000100000FFFF00000000FFFFFFFF000000A80A000000070000100000FFFFAB1124BFAB1124BF070000100000FFFFAB1126BFAB1126BF070000100000FFFFAB112602AB112602070000100000FFFFC29CAACFC29CAACF070000100000FFFFC24CA621C24CA621070000100000FFFFAB1125BFAB1125BF070000100000FFFFAB1127BFAB1127BF070000100000FFFFAB112702AB112702070000100000FFFFC29CAAD0C29CAAD0070000100000FFFFC24CA622C24CA6220F0E0D0C0B0A0908070605040302010F ike 0:IPSEC_AMADEUS:702734: out 354748B3240D3BDD86C7B0E3733F722D2E20230800000001000001B02300019421CD20EB5E9C4BAF8D3555A3DED9720C5F5E17FF617748C8B5414BF9CC1C5A6FDCB25CC7335074D4A28E46D083EA12107E39C439FD297D5176D2451AFDCF65648076658EC16C0BE816196DBBCAC59CA8976D0A99A0A829C003879C86CAF4887E8A91060E07440988E99596E298C3651BE7FA040C4352FAF8328AF5559D37C2030CE856F10E1ACEF626C2AEDEC44E63BFC7FC166A280B6F5A4CEEA2BC707B7E83CE18B8F7D38F70DF848A48129F3D359A77AB06A0973B67B052BE7565CC6663884D99EB15F5D7356EC10FAAF27A9FD96667BE4D5F1E6FB025485A9F6D5F0C9E808C9E29B2611B5CB2BB07FDFF5294E9DBE3EBEB5B92D882D932F0D7AD14FFC7B569E96D4D06D5E423DD849B0B45602F327D6CF087572F70EB050ECADB5A595F3160337B29851E8A30B8C66A8CFD9468FF990A801DA5E732CB142E6B5C284B66FF545BB9E74C7F766294A4EC6979D60E4BE1169283C3D33FD03C7FB036E405373D85096C7966604E8371D953F6F1D8B8C2B906DAE404A543BD6711263BBFA32325EA1CF0805D720EBAD9AFD8467F35CCCF ike 0:IPSEC_AMADEUS:702734: sent IKE msg (AUTH): 10.10.10.1->10.10.10.2:500, len=432, id=354748b3240d3bdd/86c7b0e3733f722d:00000001 ike 0: comes 10.10.10.1->10.10.10.2:500,ifindex=2.... ike 0: IKEv2 exchange=AUTH_RESPONSE id=354748b3240d3bdd/86c7b0e3733f722d:00000001 len=208 ike 0: in 354748B3240D3BDD86C7B0E3733F722D2E20232000000001000000D02B0000B46428EA1F9531F0A9C750F82A506BF3C64A1126113EA90D1F271015A3DDD906B9B32A14EE9D946037C4A2954A9A7F3D7E6739A80429009604FF40E16B5B2DB54D29875122ACE579038B4F5408255A45F33575BB9003E69F1F7564CEC7F7B10BCBD2C532CD9FD30703252CB3500B738282008CD1DFCDCC5D9C26D704114E69B5291CCE62B5E4FF7217A5F979D5CF26F821D893464DE1F743BB99D65C6D19C36DD5ED517E8B63701E65B69C11826EDBBA84 ike 0:IPSEC_AMADEUS:702734: dec 354748B3240D3BDD86C7B0E3733F722D2E20232000000001000000902B0000042400001484C7B1E36008816A19C952DE3FD4393E2700000C01000000AB1190CF2900004802000000B72126FEE8DB6C380AE8EEF5B675E4491B1DFF7311EAA6B72C204CFBF5465C33E593E7C8D938DC807FE8208DCA9DF0AEC76762C52965E294FD7A1745A6F3C4720000000801000026 ike 0:IPSEC_AMADEUS:702734: initiator received AUTH msg ike 0:IPSEC_AMADEUS:702734: peer identifier IPV4_ADDR 10.10.10.2 ike 0:IPSEC_AMADEUS:702734: auth verify done ike 0:IPSEC_AMADEUS:702734: initiator AUTH continuation ike 0:IPSEC_AMADEUS:702734: authentication succeeded ike 0:IPSEC_AMADEUS:702734: received notify type TS_UNACCEPTABLE ike 0:IPSEC_AMADEUS:702734: processing child notify type TS_UNACCEPTABLE ike 0:IPSEC_AMADEUS:702734: malformed message ike 0:IPSEC_AMADEUS:702734: schedule delete of IKE SA 354748b3240d3bdd/86c7b0e3733f722d ike 0:IPSEC_AMADEUS:702734: scheduled delete of IKE SA 354748b3240d3bdd/86c7b0e3733f722d ike 0:IPSEC_AMADEUS: [style="background-color: #ff0000;"]connection expiring due to phase1 down WHAT IS MEAN[/style] ike 0:IPSEC_AMADEUS: deleting ike 0:IPSEC_AMADEUS: flushing ike 0:IPSEC_AMADEUS: flushed ike 0:IPSEC_AMADEUS: deleted ike 0:IPSEC_AMADEUS: schedule auto-negotiate
Thanks for helping...
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
hi,
as it seems the Quick Mode selectors in phase2 do not match. Please check this.
Let me clarify what Ede stated, your caught up on the message you highlighted in RED but the real message you need to look at was before that
ike 0:IPSEC_AMADEUS:702734: received notify type TS_UNACCEPTABLE ike 0:IPSEC_AMADEUS:702734: processing child notify type TS_UNACCEPTABLE
TS= traffic selector aka proxy-ids or quickmode selectors
You need to validate the SRC/DST subnets matches on both sides for this session and the proposals are the same.
[ul]
Ken
PCNSE
NSE
StrongSwan
hi there
I attched links with the my settings
Remote VPN settings: https://photos.app.goo.gl/8JdmLfuFVpvNvX072
My settings: https://photos.app.goo.gl/4pNNR8cI13GvD4iG2
thanks a lot for ur helping...
The images don't help. The Fortigate side shows Phase1. We need to see phase 2. The Amadeus side cuts off the subnets (on the left of the second one, I believe).
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Thanks Ken for giving the full context. Sometimes there's just not enough time at hand...
ok guys...
i have running config from ASA connected by VPN tunnel to the same gateway ass you will see below. I think the configurations for phase 1 and phase are same.
protocol esp encryption aes-256
protocol esp integrity sha-512
and PFS groups 21
: Saved
: : Serial Number: JAD21490A6V : Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores) : ASA Version 9.8(2) !
! interface GigabitEthernet1/1 nameif outside_primary security-level 0 ip address 91.218.163.173 255.255.255.248 ! interface GigabitEthernet1/2 no nameif no security-level no ip address ! interface GigabitEthernet1/3 nameif inside security-level 100 ip address 57.1.255.237 255.255.255.248 ! interface GigabitEthernet1/4 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/5 shutdown nameif inside_test security-level 100 ip address 192.168.0.1 255.255.255.0 ! interface GigabitEthernet1/6 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/7 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/8 shutdown no nameif no security-level no ip address ! interface Management1/1 management-only nameif mn_inside security-level 100 ip address 192.168.10.1 255.255.255.0 ! boot system disk0:/asa982-lfbff-k8.SPA ftp mode passive clock timezone TJT 5 object network NAT_VLAN_123 subnet 57.1.255.0 255.255.255.248 object network 171.17.36.191 host 171.17.36.191 object network 171.17.37.191 host 171.17.37.191 object network 171.17.38.191 host 171.17.38.191 object network 171.17.38.2 host 171.17.38.2 object network 171.17.39.191 host 171.17.39.191 object network 171.17.39.2 host 171.17.39.2 object network 194.156.170.207 host 194.156.170.207 object network 194.156.170.208 host 194.156.170.208 object network 194.76.166.33 host 194.76.166.33 object network 194.76.166.34 host 194.76.166.34 object network 57.1.254.0 subnet 57.1.254.0 255.255.255.0 object network 172.16.16.0 subnet 172.16.16.0 255.255.255.0 object network outside_primary_backup host 91.218.163.172 object network inside_test_nat subnet 192.168.0.0 255.255.255.0 object network inside_nat subnet 57.1.255.232 255.255.255.248 object-group network AMDEUS_HOSTS network-object object 171.17.37.191 network-object object 171.17.39.191 network-object object 171.17.39.2 network-object object 194.156.170.208 network-object object 194.76.166.34 network-object object 171.17.36.191 network-object object 171.17.38.191 network-object object 171.17.38.2 network-object object 194.156.170.207 network-object object 194.76.166.33 object-group network AMDEUS_HOSTS_BACKUP network-object object 171.17.36.191 network-object object 171.17.38.191 network-object object 171.17.38.2 network-object object 194.156.170.207 network-object object 194.76.166.33 object-group network AMADEUS_HOSTS network-object object 171.17.36.191 network-object object 171.17.37.191 network-object object 171.17.38.191 network-object object 171.17.38.2 network-object object 171.17.39.191 network-object object 171.17.39.2 network-object object 194.156.170.207 network-object object 194.156.170.208 network-object object 194.76.166.33 network-object object 194.76.166.34 access-list outside_primary_cryptomap_1 extended permit ip object outside_primary_backup object-group AMADEUS_HOSTS access-list outside_primary_cryptomap_3 extended permit ip interface outside_primary object-group AMADEUS_HOSTS pager lines 24 logging enable logging timestamp logging trap notifications logging asdm informational logging host outside_primary 62.122.138.167 mtu outside_primary 1500 mtu inside 1500 mtu inside_test 1500 mtu mn_inside 1500 no failover no monitor-interface service-module icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-782.bin no asdm history enable arp timeout 14400 no arp permit-nonconnected arp rate-limit 16384 ! object network NAT_VLAN_123 nat (any,outside_primary) dynamic interface object network 57.1.254.0 nat (any,outside_primary) dynamic interface object network 172.16.16.0 nat (any,outside_primary) dynamic interface object network inside_test_nat nat (any,outside_primary) dynamic interface object network inside_nat nat (any,outside_primary) dynamic interface route outside_primary 0.0.0.0 0.0.0.0 91.218.163.169 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 timeout conn-holddown 0:00:15 timeout igp stale-route 0:01:10 user-identity default-domain LOCAL aaa authentication ssh console LOCAL aaa authentication login-history http server enable http 192.168.10.0 255.255.255.0 mn_inside http 0.0.0.0 0.0.0.0 outside_primary no snmp-server location no snmp-server contact service sw-reset-button crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport crypto ipsec ikev2 ipsec-proposal AES256 protocol esp encryption aes-256 protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES192 protocol esp encryption aes-192 protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES protocol esp encryption aes protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal 3DES protocol esp encryption 3des protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal DES protocol esp encryption des protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES-256 protocol esp encryption aes-256 protocol esp integrity sha-512 crypto ipsec security-association pmtu-aging infinite crypto map outside_primary_map 1 match address outside_primary_cryptomap_3 crypto map outside_primary_map 1 set pfs group21 crypto map outside_primary_map 1 set peer 171.17.132.77 crypto map outside_primary_map 1 set ikev2 ipsec-proposal AES-256 crypto map outside_primary_map 2 match address outside_primary_cryptomap_1 crypto map outside_primary_map 2 set pfs group21 crypto map outside_primary_map 2 set peer 171.17.144.207 [style="background-color: #ff0000;"]crypto map outside_primary_map 2 set ikev2 ipsec-proposal AES-256[/style] crypto map outside_primary_map interface outside_primary crypto ca trustpool policy [style="background-color: #ff0000;"]crypto ikev2 policy 1[/style] [style="background-color: #ff0000;"] encryption aes-256[/style] [style="background-color: #ff0000;"] integrity sha512[/style] [style="background-color: #ff0000;"] group 21[/style] [style="background-color: #ff0000;"] prf sha512[/style] [style="background-color: #ff0000;"]lifetime seconds 28800[/style] crypto ikev2 enable outside_primary crypto ikev1 policy 10 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400 crypto ikev1 policy 20 authentication rsa-sig encryption aes-256 hash sha group 2 lifetime 86400 crypto ikev1 policy 40 authentication pre-share encryption aes-192 hash sha group 2 lifetime 86400 crypto ikev1 policy 50 authentication rsa-sig encryption aes-192 hash sha group 2 lifetime 86400 crypto ikev1 policy 70 authentication pre-share encryption aes hash sha group 2 lifetime 86400 crypto ikev1 policy 80 authentication rsa-sig encryption aes hash sha group 2 lifetime 86400 crypto ikev1 policy 100 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto ikev1 policy 110 authentication rsa-sig encryption 3des hash sha group 2 lifetime 86400 crypto ikev1 policy 130 authentication pre-share encryption des hash sha group 2 lifetime 86400 crypto ikev1 policy 140 authentication rsa-sig encryption des hash sha group 2 lifetime 86400 telnet timeout 5 no ssh stricthostkeycheck ssh 0.0.0.0 0.0.0.0 outside_primary ssh 91.218.163.172 255.255.255.255 outside_primary ssh timeout 5 ssh version 2 ssh key-exchange group dh-group1-sha1 console timeout 0
dhcpd auto_config outside_primary ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept ntp server 128.138.140.44 source outside_primary ntp server 216.239.35.0 source outside_primary prefer group-policy GroupPolicy_171.17.132.77 internal group-policy GroupPolicy_171.17.132.77 attributes vpn-tunnel-protocol ikev2 group-policy GroupPolicy_171.17.144.207 internal group-policy GroupPolicy_171.17.144.207 attributes vpn-tunnel-protocol l2tp-ipsec dynamic-access-policy-record DfltAccessPolicy tunnel-group 171.17.132.77 type ipsec-l2l tunnel-group 171.17.132.77 general-attributes default-group-policy GroupPolicy_171.17.132.77 tunnel-group 171.17.132.77 ipsec-attributes ikev1 pre-shared-key ***** ikev2 remote-authentication pre-shared-key ***** ikev2 local-authentication pre-shared-key ***** tunnel-group 171.17.144.207 type ipsec-l2l tunnel-group 171.17.144.207 general-attributes default-group-policy GroupPolicy_171.17.144.207 tunnel-group 171.17.144.207 ipsec-attributes ikev2 remote-authentication pre-shared-key ***** ikev2 local-authentication pre-shared-key ***** ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 no tcp-inspection policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options inspect icmp ! service-policy global_policy global prompt hostname context no call-home reporting anonymous Cryptochecksum:bd127cdef052e224f2549d8c463b613b : end asdm image disk0:/asdm-782.bin no asdm history enable
Ok brilliant
here's a summary of what you need todo
config vpn phase2-interface edit PH2-171.17.36.191 set src 171.17.36.191/32 set dst 91.218.163.172/32
set phase1-name <whatever your PHASE1 name here > end
repeat again for ALL amadeus hosts
(you only need todo this once )
comfig route static edit 0 set dst 91.218.163.172/32 set dev <AMADEUS PHASE1 NAME HERE> end
Now you could reduce the number of phase2 src subnets if you would use the 171.17.36.0/24 scope but that would require changes on the ASA also.
try that 1st host and see if it work out and if your are 100% success roll out the other phase2s
;)
Ken
PCNSE
NSE
StrongSwan
hi there
we found the problem!!!
The problem was in LOCAL_ADRRESS. I chenged my local_address to my public IP. Thats all.
One more thing about routing i can't ping hosts
i went Policy-IPv4
Created a rule
From "IPSEC_AMADEUS" to Internal_network, sourse "Amamedus_IPs" destination "ALL", Services "ALL", Action "ACCEPT", NAT "Disable"
is it OK or i missed somethings?
As a rule: you need to have a static route on the FGT for each source IP (or subnet) that you ping from, in this case from the subnet which includes AMADEUS_HOSTS (I hope this is what you mean by "Amadeus_IPs"). Otherwise, the FGT will drop the traffic as "unknown" or "spoofing".
If such a route is missing the reply traffic is sent to the WAN interface instead of the VPN due to the default route. You can check/see that with "diag debug sniffer any 'icmp' 4 0 l" (last char is a lowercase "L" to give you a timestamp; enabel debug output first 'diag deb ena', stop with Ctrl-C).
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1645 | |
1070 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.