Jalero
New Contributor

Failure with site-to-site VPN, FortiGate to SonicWall

I have encountered an issue. I've set up a VPN site-to-site connection between a FortiGate and a SonicWall, but I'm having trouble getting the service to work.
Here is the scenario:

 

[image: vpn site-to-site.png]

 

FortiGate Device Setting

Go to VPN > IPSec > Phase 1.
Gateway Name: ToSonicWall
Remote Gateway: SonicWall Static Public IP Address: 10.2.2.2

Local Interface: 192.168.1.254
Mode: IKEv2
Authentication Method: Preshared Key
Preshared Key: preshared key

Advanced:

Encryption: AES256
Authentication: SHA512
DH Group: 2
Keylife: 28800

Dead Peer Detection: Disabled

The other settings are left at their defaults.

 

The Phase 2 settings

 

Remote Gateway: 10.2.2.2
Select Advanced:

Encryption: AES256
Authentication: SHA512
Enable replay detection: Unchecked
DH group: 5
Keylife: 28800
Autokey Keep Alive: Checked
Quick Mode Selector
Source address: 192.168.0.0
Destination address: 192.168.1.0

To add the addresses

Go to Firewall > Address.
Select Create New to create the FortiGate address.
Enter a name for the address, for example FortiGate_network.
Enter the FortiGate IP address and subnet ("Internal LAN Subnet"): 192.168.0.0/24
Select Create New again to create the SonicWALL address.
Enter the name for the address, for example SonicWALL_network.
Enter the SonicWall IP address and subnet ("Remote LAN Subnet"): 192.168.1.0/24

To create a firewall policy for the VPN traffic going from the SonicWALL device to the FortiGate unit

Go to Firewall > Policy.

Source Interface: Internal
Source IP address: 192.168.0.0
Destination Interface: WAN1 (or external)
Destination Address Name: 10.2.2.2
Schedule: always
Service: ANY
Action: Encrypt
VPN Tunnel: ToSonicWall
Select Allow inbound
Select Allow outbound

 

My Internet Service Provider (ISP) on side 1 has provided me with a public IP address, 10.1.1.1/32. I need to manage this address in my FortiGate. Additionally, the ISP has assigned me an IP in the DMZ, 192.168.10.254, which I've placed on my WAN interface in my FortiGate. All the necessary settings have been configured for this interface. On the SonicWall, I've created the VPN connection to the public address, 10.1.1.1/32, as my destination.

When I check the FortiGate, the IPsec section shows traffic both on the outside and inside, but when I review the SonicWall, the site-to-site VPN doesn't establish a connection. In the SonicWall logs, I see the following message: 

 

 

ID    Category  Event                                   Priority  Message                                        Source          Destination     Protocol
953   VPN       Payload Processing Error                Warning   IKEv2 Payload processing error                 10.1.1.1, 500   10.2.2.2, 500   udp
974   VPN       Initiator: Received IKE_AUTH Response   Inform    IKEv2 Initiator: Received IKE_AUTH response    10.1.1.1, 500   10.2.2.2, 500   udp
959   VPN       Unable to Find IKE SA                   Warning   IKEv2 Unable to find IKE SA                    10.1.1.1, 500   10.2.2.2, 500   udp
940   VPN       Initiator: Send IKE_AUTH Request        Inform    IKEv2 Initiator: Send IKE_AUTH Request         10.2.2.2, 500   10.1.1.1, 500   udp
943   VPN       Accept IKE SA Proposal                  Inform    IKEv2 Accept IKE SA Proposal                   10.1.1.1, 500   10.2.2.2, 500   udp
973   VPN       Initiator: Received IKE_SA_INT Response Inform    IKEv2 Initiator: Received IKE_SA_INT response  10.1.1.1, 500   10.2.2.2, 500   udp
938   VPN       Initiator: Send IKE_SA_INIT Request     Inform    IKEv2 Initiator: Send IKE_SA_INIT Request      10.2.2.2, 500   10.1.1.1, 500   udp
1052  VPN       VPN Policy Modified                     Inform    VPN policy CENTRAL is modified.                -               -               -

(newest entry first)

 

I'd appreciate a helping hand.

 

5 REPLIES
abarushka
Staff

Hello,

 

The error is probably generated due to a phase1/2 mismatch. You may consider collecting an IKE debug on the FortiGate side and checking the phase1/2 proposals.
xshkurti
Staff

@Jalero 

In this scenario I see some issues.
1. SonicWall has 192.168.1.0 in its routing table (directly connected).
2. FortiGate is behind NAT, and is using the 192.168.1.0 subnet as its outside interface (DMZ).
3. You should enable NAT-T and also force NAT-T on the FortiGate so they use port 4500 and not 500.
4. You should reconsider changing the internal LAN for the SonicWall from 192.168.1.0 to something else.
5. Also, since the FortiGate is behind NAT, you may want to use a local ID under phase1-interface:
set localid-type address
set localid 10.1.1.1

But as I stated, the main problem is the LAN assignment, where the SonicWall will see packets from the 192.168.1.0 subnet and also send that subnet as the phase2 traffic selector.

The FortiGate on the other side has the 192.168.1.0 subnet directly configured on the DMZ and will also see the same subnet coming from the VPN tunnel interface. So the design and settings are wrong in this case.

Please check this article on how to properly set it up:
Technical Tip: List of articles about FortiGate I... - Fortinet Community
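To make the recommendations above concrete, here is the same tunnel expressed as FortiOS CLI. This is an added example for this thread, not configuration from the original post or from Fortinet. It mirrors the Phase 1 / Phase 2 values Jalero listed and adds the two changes xshkurti recommends (forced NAT-T and a local ID of 10.1.1.1, the public address the SonicWall peers with). The interface names (wan1, internal), the phase2 and policy names, and the pre-shared-key placeholder are assumptions. Because phase1-interface creates a route-based (interface-mode) tunnel, it needs a static route and a pair of accept policies on the tunnel interface instead of the policy-based "Action: Encrypt" rule in the post.

```fortios
# Phase 1: values from the post, plus forced NAT-T and an explicit local ID.
# "wan1" is an assumed interface name; replace the PSK placeholder.
config vpn ipsec phase1-interface
    edit "ToSonicWall"
        set interface "wan1"
        set ike-version 2
        set type static
        set remote-gw 10.2.2.2
        set peertype any
        set proposal aes256-sha512
        set dhgrp 2
        set keylife 28800
        set dpd disable
        set nattraversal forced
        set localid-type address
        set localid "10.1.1.1"
        set psksecret "REPLACE-WITH-SHARED-SECRET"
    next
end

# Phase 2: same proposal, PFS group 5, replay detection off and keepalive on,
# as listed in the post; the selectors are written with their /24 masks.
config vpn ipsec phase2-interface
    edit "ToSonicWall-P2"
        set phase1name "ToSonicWall"
        set proposal aes256-sha512
        set pfs enable
        set dhgrp 5
        set replay disable
        set keepalive enable
        set auto-negotiate enable
        set keylifeseconds 28800
        set src-subnet 192.168.0.0 255.255.255.0
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end

# Address objects named as in the post.
config firewall address
    edit "FortiGate_network"
        set subnet 192.168.0.0 255.255.255.0
    next
    edit "SonicWALL_network"
        set subnet 192.168.1.0 255.255.255.0
    next
end

# Route-based tunnel: point the remote LAN at the tunnel interface.
config router static
    edit 0
        set dst 192.168.1.0 255.255.255.0
        set device "ToSonicWall"
    next
end

# Two accept policies replace the policy-based "Action: Encrypt" rule.
config firewall policy
    edit 0
        set name "LAN-to-SonicWall"
        set srcintf "internal"
        set dstintf "ToSonicWall"
        set srcaddr "FortiGate_network"
        set dstaddr "SonicWALL_network"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "SonicWall-to-LAN"
        set srcintf "ToSonicWall"
        set dstintf "internal"
        set srcaddr "SonicWALL_network"
        set dstaddr "FortiGate_network"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

After applying it, `diagnose vpn ike gateway list` shows the IKE SA state and `diagnose vpn tunnel list` the phase 2 selectors actually negotiated. Three of the post's choices are kept here only so that the two sides match: DH group 2 (1024-bit MODP) is weak and group 14 or higher should be used on any new tunnel; replay detection disabled removes IPsec anti-replay protection; and DPD disabled means a dead peer is never noticed, so `set dpd on-idle` is the usual production setting. Whatever values are chosen must be identical on the SonicWall, including the phase 2 PFS group. None of this addresses the overlap xshkurti describes: if the remote LAN subnet is also configured locally on either box, renumber it, because no IPsec setting makes overlapping selectors route.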

hbac
Staff

Hi @Jalero,

 

Can you run ike debugs on the FortiGate side by following this article: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPSEC-Tunnel-debugging-IKE/ta-p/1900...

 

# diagnose vpn ike log-filter dst-addr4 10.2.2.2
# diagnose debug console timestamp enable
# diagnose debug application ike -1
# diagnose debug enable

 

Regards, 

bazme82
New Contributor

I would only log UTM where needed. Double-check your logs to make sure that this is what happened and, if it is, adjust your conserve mode threshold to be a little higher while you navigate your options, to prevent more disruption. It wouldn't hurt to enable fail-open on IPS as well.
mle2802
Staff

Hi @Jalero,

Can you please run the following commands and see if there is any mismatch in the P1/P2 config:

diag debug reset 
diagnose vpn ike log filter rem-addr4 X.X.X.X (remote peer IP)
diagnose debug application ike  -1 
diag debug enable 

Regards,
Minh
