Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
acellgipit
New Contributor

Site to Site FortiGate to Cisco - Cannot connect due to public IP?

Hi, guys, can you help me? I am having troubles with connecting to a remote vpn via IPsec. They are using public IP addresses for their terminals. (See image attached). I am done with static routes, ipv4 policies, ipsec tunnels. I've done it a couple of times but this is the first time that I am connecting our local PRIVATE IP ADDRESSES (10.10.0.0 and 10.10.70.0) to remote Public ip addresses (216.242.170.0/26) Do I need to do something? Our phase 1 and phase 2 are the same even our preshared keys These IPs are just examples.

2 Solutions
emnoc
Esteemed Contributor III

What diagnostic did you do if any ?

 

> I would start by double checking phase1 and 2 is up, 

 

  diag vpn ike gateway list

  diag vpn tunnel list

 

> next I would verify your route table

 

  get router info routing all | grep  216.242.170.0

 

> if all of these are a positive, check our policy/objects are correct ( e.g no typos ) 

 

>  and then a "diag debug flow"

 

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

View solution in original post

PCNSE NSE StrongSwan
emnoc
Esteemed Contributor III

Just build 2

 

e.

 

config vpn ipsec phase2-interface edit "Imagine-IPsec-subnet1" set phase1name "Imagine-IPsec" set proposal aes256-sha1 set pfs disable set auto-negotiate enable set comments "VPN: Imagine-IPsec (Created by VPN wizard)" set src-addr-type name set dst-addr-type name set keylifeseconds 28800 set src-name "Imagine-IPsec_local-subnet1" set dst-name "Imagine-IPRemote

next

edit "Imagine-IPsec-subnet1" set phase1name "Imagine-IPsec" set proposal aes256-sha1 set pfs disable set auto-negotiate enable set comments "VPN: Imagine-IPsec (Created by VPN wizard)" set src-addr-type name set dst-addr-type name set keylifeseconds 28800 set src-name "Imagine-IPsec_local-subnet2" set dst-name "Imagine-IPRemote

end

 

Just name 2 objects for the subnet and use them in the src-name 

 

Ken Felix

 

 

PCNSE 

NSE 

StrongSwan  

View solution in original post

PCNSE NSE StrongSwan
9 REPLIES 9
emnoc
Esteemed Contributor III

What diagnostic did you do if any ?

 

> I would start by double checking phase1 and 2 is up, 

 

  diag vpn ike gateway list

  diag vpn tunnel list

 

> next I would verify your route table

 

  get router info routing all | grep  216.242.170.0

 

> if all of these are a positive, check our policy/objects are correct ( e.g no typos ) 

 

>  and then a "diag debug flow"

 

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
acellgipit

Hi, Emnoc,

Sorry for the late reply. Thank you for your advise. Im still new to Fortigate so bear with me. Here are the results:

 

diag vpn ike gateway list

vd: root/0 name: Imagine-IPsec version: 1 interface: port2 10 addr: 27.110.219.186:500 -> 216.240.169.50:500 created: 4s ago IKE SA: created 1/1 IPsec SA: created 1/1 id/spi: 1176320 dca29d3afb5e81d0/0000000000000000 direction: responder status: connecting, state 3, started 4s ago

 

  diag vpn tunnel list

 

name=Imagine-IPsec ver=1 serial=4b2 27.110.219.186:0->216.240.169.50:0 bound_if=10 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu proxyid_num=1 child_num=0 refcnt=10 ilast=23 olast=23 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0 dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=Imagine-IPsec proto=0 sa=0 ref=2 serial=15 auto-negotiate src: 0:10.10.0.0/255.255.248.0:0 0:10.70.0.0/255.255.248.0:0 dst: 0:216.240.172.0/255.255.255.192:0

 

get router info routing al

 

S 216.240.172.0/26 [1/0] via 203.177.24.241, port1 [1/0] via 27.110.219.185, port2

Also attached the real ip and stuff. I really need some help. hehe

 

Image link : [link]https://ibb.co/XpTjDMw[/link]

emnoc
Esteemed Contributor III

So this is going to need deep diagnostics

 

1> you are responding to the cisco (that good in some degree)

 

2> phase1 is NOT up 

 

3> vpn Imagine-IPsec needs to be analyze as to why not negotiating IKE

 

4> that route for the destination should be pointed to interface "Imagine-IPsec"

 

Can you dump your following cfgs

 

show vpn ipsec phase1-interface Imagine-IPsec

show vpn ipsec phase2-interface  

show router < route #>

show firewall policy <policy number>

 

Let's double check your cfg. Once you have confirm the cfg we need to run "diag debug application ike -1" to see what debug details are present.

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
acellgipit

show vpn ipsec phase1-interface Imagine-IPsec config vpn ipsec phase1-interface edit "Imagine-IPsec" set interface "port2" set peertype any set proposal aes256-sha1 set comments "VPN: Imagine-IPsec (Created by VPN wizard)" set dhgrp 5 set remote-gw 216.240.169.50 set psksecret ENC Gp+DtgAlu2qttsi9IBQDkJ/zIEzB2ewPl2XrBCINxPY/SU6Vzahu7C+Bju2V5S4nvJoln+iK5Oa0hS/W7Sb/LXRsB3EQ68+BwJB/7DRH2DZs3iUXTM/GXQNL0VCy6ftOZCk7eGZirUEZlD4O2e/yTKBo90bqbu/cNU1+uIcMH4vGvA6CUI7fF1R8Gzs9PvfkdA3H5w== next end

 

show vpn ipsec phase2-interface edit "Imagine-IPsec" set phase1name "Imagine-IPsec" set proposal aes256-sha1 set pfs disable set auto-negotiate enable set comments "VPN: Imagine-IPsec (Created by VPN wizard)" set src-addr-type name set dst-addr-type name set keylifeseconds 28800 set src-name "Imagine-IPsec_local" set dst-name "Imagine-IPRemote" next

Show router static

set device "Imagine-IPsec" set comment "VPN: Imagine-IPsec (Created by VPN wizard)" set dstaddr "Imagine-IPRemote" next edit 16 set distance 254 set comment "VPN: Imagine-IPsec (Created by VPN wizard)" set blackhole enable set dstaddr "Imagine-IPRemote"

show firewall policy 53

set name "vpn_Imagine-IPsec_remote" set uuid 7f379932-c96c-51eb-b230-b58778cee77e set srcintf "Imagine-IPsec" set dstintf "port5" set srcaddr "Imagine-IPRemote" set dstaddr "Imagine-IPsec_local" set action accept set schedule "always" set service "ALL" set fsso disable set comments "VPN: Imagine-IPsec (Created by VPN wizard)"

show firewall policy 52

set name "vpn_Imagine-IPsec_local" set uuid 7f1f2e2e-c96c-51eb-a09c-085314461e30 set srcintf "port5" set dstintf "Imagine-IPsec" set srcaddr "Imagine-IPsec_local" set dstaddr "Imagine-IPRemote" set action accept set schedule "always" set service "ALL" set fsso disable set comments "VPN: Imagine-IPsec (Created by VPN wizard)"

 

 

Imagine-IPRemote is 216.240.172.0/26

 

Imagine-IPsec_local is an address group of 10.10.0.0/21 and 10.70.0.0/21

I also just used the static route from 216.240.172.0/26 to interface Imagine-IPsec

 

Thank you for walking me through.

emnoc
Esteemed Contributor III

Okay your cfg looks not to bad observations

 

show vpn ipsec phase2-interface edit "Imagine-IPsec" set phase1name "Imagine-IPsec" set proposal aes256-sha1 set pfs disable set auto-negotiate enable set comments "VPN: Imagine-IPsec (Created by VPN wizard)" set src-addr-type name set dst-addr-type name set keylifeseconds 28800 set src-name "Imagine-IPsec_local" set dst-name "Imagine-IPRemote

 

I do not trust src-names in phase2-interfaces is the cisco side expecting two IPSEC-SA ?

 

and on phase1

 

Are we sure of the settings for the proposal? ikeversion, dhgrp, .....

 

Basically what was cfg on the remote-device?

 

Ken Felix

 

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
acellgipit

Yup they are expecting two subnets from us. One from local which is 10.10.0.0/21 and one from work from home employees via sslvpn 10.70.0.0/21. Should I not group them? and create another Phase two for the 10.70?

 

Here's the image link for the proposals. 

 

[link]https://ibb.co/m635jvJ[/link]

emnoc
Esteemed Contributor III

Just build 2

 

e.

 

config vpn ipsec phase2-interface edit "Imagine-IPsec-subnet1" set phase1name "Imagine-IPsec" set proposal aes256-sha1 set pfs disable set auto-negotiate enable set comments "VPN: Imagine-IPsec (Created by VPN wizard)" set src-addr-type name set dst-addr-type name set keylifeseconds 28800 set src-name "Imagine-IPsec_local-subnet1" set dst-name "Imagine-IPRemote

next

edit "Imagine-IPsec-subnet1" set phase1name "Imagine-IPsec" set proposal aes256-sha1 set pfs disable set auto-negotiate enable set comments "VPN: Imagine-IPsec (Created by VPN wizard)" set src-addr-type name set dst-addr-type name set keylifeseconds 28800 set src-name "Imagine-IPsec_local-subnet2" set dst-name "Imagine-IPRemote

end

 

Just name 2 objects for the subnet and use them in the src-name 

 

Ken Felix

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
acellgipit

Hi, Emnoc,

 

Already got an up on 10.70.0.0/21 - Imagine-IPsec_local-subnet_2

 

Thank you, Still having troubles with 10.10.0.0/21

 

config vpn ipsec phase2-interface edit "Imagine-IPsec" set phase1name "Imagine-IPsec" set proposal aes256-sha1 set pfs disable set auto-negotiate enable set comments "VPN: Imagine-IPsec (Created by VPN wizard)" set src-addr-type name set dst-addr-type name set keylifeseconds 28800 set src-name "Imagine-IPsec_local_subnet_1" set dst-name "Imagine-IPRemote" next end config vpn ipsec phase2-interface edit "Imagine-IPsec2" set phase1name "Imagine-IPsec" set proposal aes256-sha1 set pfs disable set auto-negotiate enable set comments "VPN: Imagine-IPsec (Created by VPN wizard)" set src-addr-type name set dst-addr-type name set keylifeseconds 28800 set src-name "Imagine-IPsec_local_subnet_2" set dst-name "Imagine-IPRemote" next end

 

acellgipit

Hi, Emnoc,

 

Thank you for all your help. I just talked with the people from the cisco router and they are still checking with 10.10.0.0/21, they prioritized 10.70.0.0/21

 

Thank you!

 

Labels
Top Kudoed Authors