IPsec/SSL VPN


VPN between 2 Fortigates not establishing

  • 1.  VPN between 2 Fortigates not establishing

    Posted May 12, 2020 08:21 AM
    Hi everyone!
    A simple IPsec site-to-site VPN that I expected to be up after 5 minutes of configuration has been giving me headaches for a week now.

    On one side: a 500E running v6.0.9
    On the other side: a 110C running v5.2.9 (note that 5.2 is a very old branch; it is worth checking whether it still receives security fixes before relying on it for a production tunnel)

    500E config (caveat: the `psksecret ENC ...` strings below are the pre-shared key as encrypted at rest on the box, not a one-way hash — the device has to recover the plaintext to run IKE, so they should be treated as secrets and not pasted publicly; rotate the PSK after posting a config like this)
    500E # show vpn ipsec phase1-interface S2S
    config vpn ipsec phase1-interface
    edit "S2S"
    set interface "port4"
    set keylife 28800
    set peertype any
    set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
    set remote-gw x.x.x.x
    set psksecret ENC tAl7DoFRHysjGiH+Mb6ijjllKtjH42TkHJk80CnLDHVTqTw48xYMGbjTODRkr9lzWJJo6CXd3QupSglXQSA+5Gc4n/rvTu6AYeL81EH1yL2y/EtGNFvay4kGVs2yUnvsVY7mhWoIbqdLP0K0sp1Wkf3hxryCzarHM26GUZosZbt/ktewEOPPDprszWAqZePkUmPyXg==
    next
    end

    500E # show vpn ipsec phase2-interface S2S
    config vpn ipsec phase2-interface
    edit "S2S"
    set phase1name "S2S"
    set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
    set src-addr-type name
    set dst-addr-type name
    set keylifeseconds 3600
    set src-name "N-a.a.a.a"
    set dst-name "N-b.b.b.b"
    next
    end


    110C config
    110C # show vpn ipsec phase1-interface S2S
    config vpn ipsec phase1-interface
    edit "S2S"
    set interface "wan2"
    set keylife 28800
    set remote-gw y.y.y.y
    set psksecret ENC Nv3PWpoe+wi21HgsMXnanygYP9VEknt5egXy4qI2yxGpB26q9+nRjxNMxqmhY2I2IdLAoO6Zt/ttnO51pvgFyOoXXcKne47cr5EYM+juRW7cj8IZ3uCKYN29K0LB5k8JOVuCQH6q69dTndxLRElTsfBrFWcRiEtF3lcSZgwWIEd3AjSkowE/E/ZCLV84zinhOIfN/g==
    next
    end

    110C # show vpn ipsec phase2-interface S2S
    config vpn ipsec phase2-interface
    edit "S2S"
    set phase1name "S2S"
    set src-addr-type name
    set dst-addr-type name
    set keylifeseconds 3600
    set src-name "N-b.b.b.b"
    set dst-name "N-a.a.a.a"
    next
    end

    The 110C does not show the proposals in the CLI and I don't know why. I have not only compared them in the GUI, but also typed them on the CLI exactly as on the 500E, and they are still not shown. (Explanation: plain `show` omits any setting that still equals its firmware default, and on 5.2 the proposal list typed here is the default set, so it is hidden; `show full-configuration` prints it, as the later post confirms.)

    When I try to bring up the tunnel, I get the "progress IPsec phase 2 failure" message and I don't know what else to do. A phase 2 failure after a successful phase 1 normally means the quick-mode selectors (src/dst subnets) or the phase 2 proposal/PFS group do not match on the two sides.
    And even though I assume phase 1 is up, I don't see the tunnel up, nor any phase 1 messages in the log. (Rather than assuming, check the IKE SA state with `diagnose vpn ike gateway list` and the tunnel with `diagnose vpn tunnel list`.)

    All help, welcome. Thanks!

    VPN LOG


  • 2.  RE: VPN between 2 Fortigates not establishing

    Posted May 12, 2020 08:47 AM
    Hi, I noticed that you didn't set the cryptographic proposal on phase 1 and phase 2 of the 110C IPsec config.


  • 3.  RE: VPN between 2 Fortigates not establishing

    Posted May 12, 2020 08:51 AM
    Hi Fernando,
    I put this below the config:

    The 110C does not show the proposals in the CLI and I don't know why. I have not only compared them in the GUI, but also typed them on the CLI exactly as on the 500E, and they are still not shown. (Plain `show` hides settings that equal the firmware default; use `show full-configuration` to see them.)

    If you or anyone has an idea why that can happen... Welcome


  • 4.  RE: VPN between 2 Fortigates not establishing

    Posted May 12, 2020 08:57 AM
    Try this on both FortiGates. It prints the full IPsec configuration including default values, so you can compare every parameter side by side (remember to `end` after each `show full-configuration`):

    # conf vpn ipsec phase1-interface
    # edit S2S
    # show full-configuration
    # end
    # conf vpn ipsec phase2-interface
    # edit S2S
    # show full-configuration



  • 5.  RE: VPN between 2 Fortigates not establishing

    Posted May 12, 2020 09:13 AM
    Excellent, now I have this:

    500E
    500E (S2S) # show full-configuration
    config vpn ipsec phase1-interface
    edit "S2S"
    set type static
    set interface "port4"
    set ip-version 4
    set ike-version 1
    set local-gw 0.0.0.0
    set keylife 28800
    set authmethod psk
    set mode main
    set peertype any
    set passive-mode disable
    set exchange-interface-ip disable
    set mode-cfg disable
    set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
    set localid ''
    set localid-type auto
    set auto-negotiate enable
    set negotiate-timeout 30
    set fragmentation enable
    set dpd on-demand
    set forticlient-enforcement disable
    set npu-offload enable
    set dhgrp 14 5
    set suite-b disable
    set wizard-type custom
    set xauthtype disable
    set mesh-selector-type disable
    set idle-timeout disable
    set ha-sync-esp-seqno enable
    set auto-discovery-sender disable
    set auto-discovery-receiver disable
    set auto-discovery-forwarder disable
    set encapsulation none
    set nattraversal enable
    set rekey enable
    set remote-gw x.x.x.x
    set monitor ''
    set add-gw-route disable
    set psksecret ENC 4LPDyWV2wq+20mOa01RPNusJvqkfHIbkXcaHHybOQZrJlFGlwdIJc9uGvZ6/xGTe+gJGUbC+7bB+otonYGZ2jfdwIvyHNWeyhSSMOdlDQMtPfV/v5xMj3WcovVZRTzOYHhf7gtdKO8LPfBPqcjMmtdAJiIVkyA85XJWi5SEtNDf8PbOUBsjIK73TzEnHb9jH5vvSiw==
    set keepalive 10
    set dpd-retrycount 3
    set dpd-retryinterval 20
    next
    end


    500E (S2S) # show full-configuration
    config vpn ipsec phase2-interface
    edit "S2S"
    set phase1name "S2S"
    set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
    set pfs enable
    set dhgrp 14 5
    set replay enable
    set keepalive disable
    set auto-negotiate disable
    set auto-discovery-sender phase1
    set auto-discovery-forwarder phase1
    set keylife-type seconds
    set encapsulation tunnel-mode
    set protocol 0
    set src-addr-type name
    set src-port 0
    set dst-addr-type name
    set dst-port 0
    set keylifeseconds 3600
    set src-name "N-a.a.a.a"
    set dst-name "N-b.b.b.b"
    next
    end

    110C
    110C (S2S) # show full-configuration
    config vpn ipsec phase1-interface
    edit "S2S"
    set type static
    set interface "wan2"
    set ip-version 4
    set ike-version 1
    set local-gw 0.0.0.0
    set nattraversal enable
    set keylife 28800
    set authmethod psk
    set mode main
    set peertype any
    set mode-cfg disable
    set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
    set localid ''
    set localid-type auto
    set negotiate-timeout 30
    set fragmentation enable
    set dpd enable
    set forticlient-enforcement disable
    set npu-offload enable
    set dhgrp 14 5
    set wizard-type custom
    set xauthtype disable
    set mesh-selector-type disable
    set remote-gw y.y.y.y
    set monitor ''
    set add-gw-route disable
    set psksecret ENC Nv3PWpoe+wi21HgsMXnanygYP9VEknt5egXy4qI2yxGpB26q9+nRjxNMxqmhY2I2IdLAoO6Zt/ttnO51pvgFyOoXXcKne47cr5EYM+juRW7cj8IZ3uCKYN29K0LB5k8JOVuCQH6q69dTndxLRElTsfBrFWcRiEtF3lcSZgwWIEd3AjSkowE/E/ZCLV84zinhOIfN/g==
    set keepalive 10
    set auto-negotiate enable
    set dpd-retrycount 3
    set dpd-retryinterval 5
    next
    end


    110C (S2S) # show full-configuration
    config vpn ipsec phase2-interface
    edit "S2S"
    set phase1name "S2S"
    set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
    set pfs enable
    set dhgrp 14 5
    set replay enable
    set keepalive disable
    set auto-negotiate disable
    set keylife-type seconds
    set encapsulation tunnel-mode
    set protocol 0
    set src-addr-type name
    set src-port 0
    set dst-addr-type name
    set dst-port 0
    set keylifeseconds 3600
    set src-name "N-b.b.b.b"
    set dst-name "N-a.a.a.a"
    next
    end



  • 6.  RE: VPN between 2 Fortigates not establishing

    Posted May 12, 2020 09:27 AM
    Assuming that:
    - the PSK is the same on both FortiGates;
    - the interfaces on which you are establishing the IPsec VPN are correct;
    - the src-addr and dst-addr are correct (remember that they must be mirrored on the other FortiGate);
    - (not the cause of this failure, but worth cleaning up once it works: both proposal lists still include 3des and sha1, and DH group 5 is offered alongside 14. Drop 3DES, SHA1 and group 5 on both ends and, since both peers are FortiGates, consider IKEv2 instead of IKEv1 main mode.)

    Now you need to see what is actually being negotiated: either send the logs to a syslog server, or run the IKE debug on the CLI.
    First check the tunnel state with:
    diagnose vpn tunnel list name <Phase 1 name>

    Then enable the IKE debug. Filter on the peer first so the output only covers this tunnel and stays readable:
    - diagnose vpn ike log-filter dst-addr4 <peer IP>   (the exact filter syntax varies by FortiOS version; check with `diagnose vpn ike log-filter ?`)
    - diagnose debug application ike -1
    - diagnose debug enable
    Bring the tunnel up and look for the first line that says which proposal or selector was rejected.

    To disable the debug afterwards (it is verbose and should not be left running):
    - diagnose debug disable
    - diagnose debug reset
    - - -
    Fernando Patzlaff
    patzlaff@...





  • 7.  RE: VPN between 2 Fortigates not establishing

    Posted May 12, 2020 10:08 AM
    OK, so new information: I need my packets to leave through the tunnel NATed, so the policy has NAT enabled with an IP pool selected.
    Checking with the packet sniffer, the NAT is not happening, so the packets are sent with their real source IP, and therefore the phase 2 selector on the other side does not match them ("incorrect" phase 2).

    What I don't understand is WHY the NAT is not being applied. (Two things to check here: first, the phase 2 selectors must describe the traffic as it looks after SNAT — i.e. the 500E's src-name and the 110C's dst-name should cover the pool 10.200.15.0/24, not the real range, otherwise the tunnel will never accept the NATed packets either. Second, confirm that the sessions really hit policy 79 and not an earlier policy without NAT: `diagnose sys session list` shows the matched `policy_id` for each session.)
    config firewall policy
    edit 79
    set srcintf "any"
    set dstintf "S2S"
    set srcaddr "a.a.a.a"
    set dstaddr "b.b.b.b"
    set rtp-nat disable
    set action accept
    set status enable
    set schedule "always"
    set schedule-timeout disable
    set service "ALL"
    set utm-status disable
    set logtraffic all
    set logtraffic-start disable
    set session-ttl 0
    set vlan-cos-fwd 255
    set vlan-cos-rev 255
    set wccp disable
    set disclaimer disable
    set natip 0.0.0.0 0.0.0.0
    set match-vip disable
    set diffserv-forward disable
    set diffserv-reverse disable
    set tcp-mss-sender 0
    set tcp-mss-receiver 0
    set label ''
    set global-label ''
    set block-notification disable
    set replacemsg-override-group ''
    set srcaddr-negate disable
    set dstaddr-negate disable
    set service-negate disable
    set timeout-send-rst disable
    set captive-portal-exempt disable
    set delay-tcp-npu-session disable
    set traffic-shaper ''
    set traffic-shaper-reverse ''
    set per-ip-shaper ''
    set nat enable
    set permit-any-host disable
    set permit-stun-host disable
    set fixedport disable
    set ippool enable
    set poolname "POOL_10.200.15.0-24"
    next
    end
    config firewall ippool
    edit "POOL_10.200.15.0-24"
    set type overload
    set startip 10.200.15.1
    set endip 10.200.15.254
    set arp-reply disable
    set comments ''
    next
    end


    Thank you!


  • 8.  RE: VPN between 2 Fortigates not establishing

    Posted May 12, 2020 11:56 AM
    Do you have IPv4 policies and static routes for the traffic of interest?


  • 9.  RE: VPN between 2 Fortigates not establishing

    Posted May 12, 2020 09:22 PM

    Yes, I do. In fact the tunnel comes up, but it is not applying the NAT I need in order to reach the other side as 10.200.15.x (please see my previous post).


    That was my phase 2 issue: instead of reaching the other side with the NATed addresses, the packets are sent with the real ones, which the remote phase 2 selector does not cover.


    Why do I need to NAT? The site was an acquisition, and the former IT staff used public IP addresses for the entire LAN. Until we can renumber it, we need the VPN up with a private segment presented to the other side.