Fortigate - Cisco router IKEv2 VPN - route-base

Showing page 1 of 2
Author
Toshi Esumi
Expert Member
  • Total Posts : 1747
  • Scores: 143
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
2018/03/09 17:31:05 (permalink)
0

Fortigate - Cisco router IKEv2 VPN - route-base

Just FYI in case you might encounter this situation in the future; I didn't find anything about it in the forum.
 
I've been testing IKEv2 IPSec VPN between an FG1500D and a Cisco 1941 but couldn't bring it up when the 1941 was placed behind a NAT device (meaning Cisco is the initiator). In addition to NAT-T, the problem comes with Cisco's static-VTI/route-based IPSec (Tunnel0 interface). If I use crypto-map (policy-based) it comes up with FG's route/interface-based IPSec.
Today, I got both Cisco TAC and Fortinet TAC on a call w/ remote access to my PC, and we concluded that Cisco sends out all Configuration Payload request options regardless of whether they're relevant to the setup or not, and FG tries to process them, like IP/DNS requests, although those are relevant only for "dial-up" VPN, and then drops the request because "mode-cfg" is not enabled (not needed for site-to-site static VPN). Based on the original RFC, the recipient is supposed to return an error reply if it's not relevant instead of dropping the request.
 
In addition to the crypto map solution above, another workaround is to just enable mode-cfg on the FG side to reply to Cisco with some info, which would eventually be dropped by Cisco because it's not expecting to receive any return values.
 
FTNT TAC said he would go back to the RFCs and discuss the matter with the developers. We tested only with 5.4.8 but I'm assuming 5.6.3 has the same behavior. I'll post an update when he gets back to me.
#1
Toshi Esumi
Re: Fortigate - Cisco router IKEv2 VPN - route-base 2018/03/12 18:04:16 (permalink)
0
We (me and the FTNT TAC guy) concluded enabling "mode-cfg" is the only option to terminate an IKEv2 IPSec VPN from a Cisco router w/ static VTI (SVTI). This would allow the FortiGate to reply with "0.0.0.0" to those IP requests, and the negotiation would succeed since Cisco would ignore that part. With this setup, the traffic selector is always the default one, 0/0<->0/0. Then you need to take care of routing by static routes or one of the routing protocols.
 
I forwarded this case to our FTNT SE group. Also opened a new case at Cisco TAC to find out why they do that in the first place. But it's beyond this forum's scope.
#2
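The CFG_REQUEST/CFG_REPLY exchange that posts #1 and #2 describe, as an added example (this is not code from the posts, from Cisco IOS or from FortiOS): a minimal encoder/decoder for the IKEv2 Configuration payload (wire layout and attribute numbers from RFC 7296 section 3.15) plus a responder model with the two FortiGate behaviours the thread reports, dropping the request with mode-cfg disabled and answering INTERNAL_IP4_ADDRESS with 0.0.0.0 when it is enabled. The attribute list in cisco_style_request() is constructed, not taken from a capture, and all function names are my own.

```python
import struct

CFG_REQUEST, CFG_REPLY = 1, 2  # CFG types; CFG_SET/CFG_ACK (3, 4) are not modelled

# Configuration attribute types, RFC 7296 section 3.15.1 (5, 9 and 11 are reserved).
ATTR_NAMES = {
    1: "INTERNAL_IP4_ADDRESS", 2: "INTERNAL_IP4_NETMASK", 3: "INTERNAL_IP4_DNS",
    4: "INTERNAL_IP4_NBNS", 6: "INTERNAL_IP4_DHCP", 7: "APPLICATION_VERSION",
    8: "INTERNAL_IP6_ADDRESS", 10: "INTERNAL_IP6_DNS", 12: "INTERNAL_IP6_DHCP",
    13: "INTERNAL_IP4_SUBNET", 14: "SUPPORTED_ATTRIBUTES", 15: "INTERNAL_IP6_SUBNET",
}


def encode_cp(cfg_type, attrs, next_payload=0):
    """Generic payload header (next payload, C|reserved, length) + CFG type + attributes."""
    body = b""
    for atype, value in attrs:
        # R bit is reserved (zero), the type is 15 bits, the length counts the value only
        body += struct.pack("!HH", atype & 0x7FFF, len(value)) + value
    length = 8 + len(body)
    return struct.pack("!BBH", next_payload, 0, length) + struct.pack("!B3x", cfg_type) + body


def decode_cp(data):
    """Parse one CP payload; returns (cfg_type, [(attr_type, value_bytes), ...])."""
    if len(data) < 8:
        raise ValueError("CP payload too short")
    _next, _flags, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("CP payload length field does not match the data")
    cfg_type = data[4]
    attrs, off = [], 8
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!HH", data[off:off + 4])
        off += 4
        if off + alen > length:
            raise ValueError("attribute value overruns the payload")
        attrs.append((atype & 0x7FFF, data[off:off + alen]))
        off += alen
    return cfg_type, attrs


def describe(payload):
    """Names of the attributes the peer is asking for (what TAC saw IOS sending)."""
    _, attrs = decode_cp(payload)
    return [ATTR_NAMES.get(t, f"UNKNOWN({t})") for t, _ in attrs]


def cisco_style_request():
    """Constructed CFG_REQUEST: every IPv4 dial-up attribute with an empty value."""
    return encode_cp(CFG_REQUEST, [(t, b"") for t in (1, 2, 3, 4, 6, 7, 13)])


def respond_to_cfg_request(request, mode_cfg_enabled):
    """Model the two FortiGate behaviours from posts #1 and #2.

    mode-cfg disabled: the request is dropped (None) and the tunnel never comes up.
    mode-cfg enabled: reply with INTERNAL_IP4_ADDRESS 0.0.0.0 and omit the rest;
    the thread reports that IOS ignores the returned values on an SVTI tunnel.
    """
    cfg_type, attrs = decode_cp(request)
    if cfg_type != CFG_REQUEST:
        raise ValueError("not a CFG_REQUEST")
    if not mode_cfg_enabled:
        return None
    reply = [(1, bytes(4)) for atype, _ in attrs if atype == 1]
    return encode_cp(CFG_REPLY, reply)


if __name__ == "__main__":
    req = cisco_style_request()
    print("requested:", describe(req))
    print("mode-cfg off ->", respond_to_cfg_request(req, False))
    print("mode-cfg on  ->", respond_to_cfg_request(req, True).hex())
```

The attribute values in a request are zero-length, so the whole constructed request is 8 header bytes plus 4 bytes per attribute; decode_cp() refuses payloads whose length field disagrees with the data or whose attributes run past the end, which is the check a real IKE daemon has to make before looking at any attribute.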
emnoc
Expert Member
  • Total Posts : 5366
  • Scores: 351
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: Fortigate - Cisco router IKEv2 VPN - route-base 2018/03/12 19:25:34 (permalink)
0
Interesting, since IKEv2 has been supported in FortiOS for quite a few years, if not close to a decade now.
 
Is this a problem in v5.4.x only? Since numerous IKEv2 VPNs have been built to Cisco, Linux, Juniper devices or others using IKEv2.
 
Ken
 

PCNSE, NSE, Forcepoint, StrongSwan Specialist
#3
Toshi Esumi
Re: Fortigate - Cisco router IKEv2 VPN - route-base 2018/03/13 08:55:55 (permalink)
0
The TAC person tested 5.6 himself with his Cisco as well. I believe it's been like this from the beginning on both the Cisco and FortiGate sides for their own behaviors. I used 15.5.2 for Cisco IOS, which is relatively new. My guess is IKEv2 is not so popular in the field, especially in mixed-vendor environments. In my experience, none of our customers and other service providers so far have asked us to connect another vendor's routers/FWs to our FortiGate w/ IKEv2 specifically. Always IKEv1.
#4
emnoc
Re: Fortigate - Cisco router IKEv2 VPN - route-base 2018/03/13 10:49:52 (permalink)
0
I've used IKEv2 on various vendors' platforms for many years now (openswan, Cisco (ASA, IOS, IOS-XE, IOS-XR), Juniper, FortiGate, Forcepoint, pfSense, etc.).
 
So widely supported I would say yes.
 
 
Widely used depends on business needs and the remote capabilities of the peer ;) .
 
I saw in your config you're defining local and remote PSKs.
 
 
Here are IKEv2 examples for Cisco/FGT, Juniper and Cisco ASA:
http://socpuppet.blogspot.com/2014/05/howto-asr-ios-xe-to-fortigate-ikev2.html
http://socpuppet.blogspot.com/2013/09/vpn-ikev2-juniper-to-fortigate-routevpn.html
http://socpuppet.blogspot.com/2012/10/cisco-asa-ikev2-setup.html
 
 

#5
Toshi Esumi
Re: Fortigate - Cisco router IKEv2 VPN - route-base 2018/03/13 11:05:38 (permalink)
0
In your IOS-XE config, you're using crypto-map, which is policy-based IPSec. We verified that if we configure the Cisco side with crypto-map, it doesn't send any IP address requests w/ CFG_REQUEST because there isn't any interface. The problem happens when we use the Tunnel0 static-VTI config on the Cisco side and route traffic toward the interface.
#6
emnoc
Re: Fortigate - Cisco router IKEv2 VPN - route-base 2018/03/13 13:08:03 (permalink)
0
Can you post your IOS cfg again?
 
Ken

#7
Toshi Esumi
Re: Fortigate - Cisco router IKEv2 VPN - route-base 2018/03/13 13:23:24 (permalink)
0
Below is the Cisco 1941 config:
 
! IKE SA proposal: AES-256-CBC, HMAC-SHA-256, ECDH group 19
crypto ikev2 proposal ikev2prop-1
 encryption aes-cbc-256
 integrity sha256
 group 19
!
crypto ikev2 policy ikev2pol
 proposal ikev2prop-1
!
! PSK keyed on the FortiGate's public address
crypto ikev2 keyring ikev2keyring
 peer xxx-fg
  address PEER-GW-IP
  pre-shared-key toshi-test
 !
! The router sits behind NAT, so its IKE identity is the NAT device's outside address
crypto ikev2 profile ikev2prof
 description xxx-fg at vdom xxxxxx
 match identity remote address PEER-GW-IP 255.255.255.255
 identity local address LOCAL-NAT-OUTSIDE-IP
 authentication local pre-share
 authentication remote pre-share
 keyring local ikev2keyring
 dpd 15 5 periodic
 nat keepalive 180
!
crypto ipsec transform-set trans esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile ipsecprof
 set transform-set trans
 set ikev2-profile ikev2prof
!
! Static VTI: whatever is routed to Tunnel0 is protected under ipsecprof
interface Tunnel0
 ip address TUNNEL-IF-IP 255.255.255.252
 tunnel source OUTGOING-IF-IP
 tunnel mode ipsec ipv4
 tunnel destination PEER-GW-IP
 tunnel protection ipsec profile ipsecprof



#8
Toshi Esumi
Re: Fortigate - Cisco router IKEv2 VPN - route-base 2018/03/16 14:24:32 (permalink)
Marked helpful by daayala@findeter.gov.co 2018/08/30 14:34:53
5 (1)
I know it's beyond this forum, but at least one person was interested in this situation. So I want to update how my pursuit ended up on the Cisco side.
 
It turned out that Cisco had thought this out much more thoroughly and implemented various options for how to negotiate IKEv2 with a peer. For my case, it just needed disabling the Configuration Request by adding:
    no config-exchange request
at the end of the IKEv2 profile ikev2prof above. It's enabled by default for both FlexVPN (dial-up endpoint) and even static VTI tunnels.
Now it works without "mode-cfg" enabled on the FG side.
 
#9
emnoc
Re: Fortigate - Cisco router IKEv2 VPN - route-base 2018/03/16 15:08:50 (permalink)
0
Good thanks for the update.
 
Ken
 

#10
daayala@findeter.gov.co
New Member
  • Total Posts : 1
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/08/30 14:33:57
  • Status: offline
Re: Fortigate - Cisco router IKEv2 VPN - route-base 2018/08/30 14:41:27 (permalink)
0
Hi Toshi,
 
I'm getting the same problem setting up a Cisco ASA 5515 with an FG200D; in IKEv2 bringing up the tunnel has been impossible, only IKEv1 works fine for me, but the Cisco supports IKEv2. Could you please share a Cisco configuration or template that works for you with IKEv2 and FG? Thank you.
#11
Toshi Esumi
Re: Fortigate - Cisco router IKEv2 VPN - route-base 2018/08/30 15:16:01 (permalink)
0
It's in my post before the last. You just need to add "no config-exchange request" to it. But I know the ASA config is different, and I don't have much experience with it. You might want to ask this at the Cisco Community (they dropped "Support" from the community name and split it into multiple sub-communities).
#12
ajimenez
New Member
  • Total Posts : 8
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/06/22 23:29:31
  • Status: offline
Re: Fortigate - Cisco router IKEv2 VPN - route-base 2019/06/22 23:35:00 (permalink)
0
Toshi, your post on this subject is very interesting; if it is not too much trouble, would it be possible for you to share the configuration of the FortiGate?
 
Thanks in advance
#13
Toshi Esumi
Re: Fortigate - Cisco router IKEv2 VPN - route-base 2019/06/24 08:47:08 (permalink)
0
After I posted the Cisco config last year, we discovered a problem. IPsec's DH group & PFS setting is independent from IKEv2's DH group. It was dropping the tunnel when the lifetime expired and then re-establishing. So we added the line below:
crypto ipsec profile ipsecprof
 set transform-set trans
 set pfs group19     <--- added
 set ikev2-profile ikev2prof
 
The FortiGate side doesn't change much for IKEv2. You just need to declare it's IKEv2. Below is our example:
config vpn ipsec phase1-interface
    edit "IKEv2test1"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dpd on-idle
        set dhgrp 19
        set remote-gw <GW_IP>
        set psksecret <ENCRYPTED_PASSWORD>
    next
end
config vpn ipsec phase2-interface
    edit "IKEv2test1-1"
        set phase1name "IKEv2test1"
        set proposal aes256-sha256
        set keepalive enable
        set dhgrp 19
    next
end
#14
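A consistency check over the two sides' configs, as an added example (this is not the thread authors', Cisco's or Fortinet's code): it parses an IOS snippet and a FortiGate phase1/phase2-interface snippet and flags the three mismatches this thread turned up, the IKE proposal and DH group, the PFS group that only shows at rekey (this post), and Cisco's config-exchange request against a FortiGate with mode-cfg disabled (posts #1 and #9). The sample configs are constructed from the thread's own snippets; the IOS-to-FortiOS name mapping, the assumed FortiOS phase2 defaults (pfs enable, dhgrp 14) and all function names are my own assumptions.

```python
import re

# IOS proposal / transform-set names -> FortiOS proposal names (assumed mapping; CBC/HMAC only)
ENC = {"aes-cbc-128": "aes128", "aes-cbc-192": "aes192", "aes-cbc-256": "aes256"}
ESP_HASH = {"sha": "sha1", "sha256": "sha256", "sha384": "sha384", "sha512": "sha512", "md5": "md5"}


def parse_ios(text):
    """Pull the IKEv2/IPsec parameters out of an IOS snippet (first match of each wins)."""
    c = {"ike": None, "ike_dh": None, "esp": None, "pfs": None, "config_exchange": True}
    enc = re.search(r"^\s*encryption (\S+)", text, re.M)
    integ = re.search(r"^\s*integrity (\S+)", text, re.M)
    if enc and integ:
        c["ike"] = f"{ENC.get(enc.group(1), enc.group(1))}-{integ.group(1)}"
    grp = re.search(r"^\s*group (\d+)", text, re.M)
    if grp: c["ike_dh"] = int(grp.group(1))
    ts = re.search(r"transform-set \S+ esp-aes (\d+) esp-(\w+?)-hmac", text)
    if ts: c["esp"] = f"aes{ts.group(1)}-{ESP_HASH.get(ts.group(2), ts.group(2))}"
    pfs = re.search(r"^\s*set pfs group(\d+)", text, re.M)
    if pfs: c["pfs"] = int(pfs.group(1))
    # An IKEv2 profile sends config-exchange requests unless told not to (post #9)
    if re.search(r"^\s*no config-exchange request", text, re.M):
        c["config_exchange"] = False
    return c


def parse_fgt(text):
    """Walk FortiOS CLI lines, tracking whether we are inside phase1- or phase2-interface."""
    c = {"ike_version": 1, "ike": None, "ike_dh": None, "mode_cfg": False,
         "esp": None, "pfs_enabled": True, "pfs_dh": 14}  # assumed FortiOS defaults
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config vpn ipsec phase1-interface"): section = "p1"
        elif line.startswith("config vpn ipsec phase2-interface"): section = "p2"
        elif line == "end": section = None
        parts = line.split(None, 2)
        if section is None or len(parts) < 3 or parts[0] != "set":
            continue
        key, val = parts[1], (parts[2].strip('"').split() or [""])[0]  # first value only
        if section == "p1":
            if key == "ike-version": c["ike_version"] = int(val)
            elif key == "proposal": c["ike"] = val
            elif key == "dhgrp": c["ike_dh"] = int(val)
            elif key == "mode-cfg": c["mode_cfg"] = val == "enable"
        elif key == "proposal": c["esp"] = val
        elif key == "pfs": c["pfs_enabled"] = val == "enable"
        elif key == "dhgrp": c["pfs_dh"] = int(val)
    return c


def check(ios, fgt):
    """Return findings as strings; an empty list means the two sides agree."""
    f = []
    if fgt["ike_version"] != 2:
        f.append("FortiGate phase1 needs 'set ike-version 2'")
    if ios["ike"] != fgt["ike"]:
        f.append(f"IKE proposal mismatch: IOS {ios['ike']} vs FGT phase1 {fgt['ike']}")
    if ios["ike_dh"] != fgt["ike_dh"]:
        f.append(f"IKE DH group mismatch: IOS group {ios['ike_dh']} vs FGT phase1 dhgrp {fgt['ike_dh']}")
    if ios["esp"] != fgt["esp"]:
        f.append(f"ESP proposal mismatch: IOS {ios['esp']} vs FGT phase2 {fgt['esp']}")
    # The first Child SA reuses the IKE SA's DH exchange; the PFS group is only exercised in
    # CREATE_CHILD_SA, which is why post #14 saw the tunnel drop at lifetime expiry.
    if fgt["pfs_enabled"] and ios["pfs"] != fgt["pfs_dh"]:
        f.append(f"PFS mismatch (bites at rekey): IOS pfs group {ios['pfs']} vs FGT phase2 dhgrp {fgt['pfs_dh']}")
    # Posts #1 and #9: IOS sends CFG_REQUEST and a FortiGate without mode-cfg drops it.
    if ios["config_exchange"] and not fgt["mode_cfg"]:
        f.append("IOS will send CFG_REQUEST and FGT mode-cfg is disabled: "
                 "add 'no config-exchange request' on IOS or enable mode-cfg on FGT")
    return f


# Constructed samples: the IOS side as in post #8, then with the two lines added in posts #9 and #14
IOS_BEFORE = """\
crypto ikev2 proposal ikev2prop-1
 encryption aes-cbc-256
 integrity sha256
 group 19
crypto ikev2 profile ikev2prof
 keyring local ikev2keyring
crypto ipsec transform-set trans esp-aes 256 esp-sha256-hmac
crypto ipsec profile ipsecprof
 set transform-set trans
 set ikev2-profile ikev2prof
"""
IOS_AFTER = (IOS_BEFORE
             .replace(" keyring local ikev2keyring\n", " keyring local ikev2keyring\n no config-exchange request\n")
             .replace(" set ikev2-profile", " set pfs group19\n set ikev2-profile"))
FGT = """\
config vpn ipsec phase1-interface
    edit "IKEv2test1"
        set ike-version 2
        set proposal aes256-sha256
        set dhgrp 19
    next
end
config vpn ipsec phase2-interface
    edit "IKEv2test1-1"
        set proposal aes256-sha256
        set dhgrp 19
    next
end
"""

if __name__ == "__main__":
    print("before:", check(parse_ios(IOS_BEFORE), parse_fgt(FGT)))
    print("after: ", check(parse_ios(IOS_AFTER), parse_fgt(FGT)))
```

Run it on the two pasted configs before opening a TAC case: the "before" IOS config produces the PFS and CFG_REQUEST findings, the "after" config produces none. The parser deliberately only understands the CBC/HMAC proposal names used in this thread; anything else shows up as a raw mismatch string rather than a silent pass.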
ajimenez
Re: Fortigate - Cisco router IKEv2 VPN - route-base 2019/06/24 09:50:38 (permalink)
0
Hello Toshi, thank you for your fast response.
 
In my case, the configuration phases work very well; the problem is that even though the VTI tunnel is "up", it would seem to be "closed" and does not let communication through.
 
The topology that I have is:
Fortigate <> Internet <> ADSL ISP Router <> Cisco Router
 
The intention is to achieve the VPN connection through NAT-T and use OSPF.
 
I see the VPN tunnel up by means of the configuration that you kindly shared, but it does not let traffic through: OSPF does not pass, and neither does traffic through a static route.
 
Is any configuration command missing from the VTI interface to allow full connectivity?
 
Attached are the full configuration of the FortiGate side, and the Cisco configuration.
 
Thanks in advance for your advice and for sharing your knowledge.
post edited by ajimenez - 2019/06/24 10:01:29
#15
ajimenez
Re: Fortigate - Cisco router IKEv2 VPN - route-base 2019/06/24 09:52:42 (permalink)
0
FortiGate Side:
 
config system interface
    edit "VPN-Cisco"
        set vdom "root"
        set vrf 0
        set distance 5
        set dhcp-relay-service disable
        set ip 172.16.0.25 255.255.255.255
        set allowaccess ping
        set arpforward enable
        set broadcast-forward disable
        set bfd global
        set icmp-send-redirect enable
        set icmp-accept-redirect enable
        set ips-sniffer-mode disable
        set ident-accept disable
        set ipmac disable
        set status up
        set netbios-forward disable
        set wins-ip 0.0.0.0
        set type tunnel
        set netflow-sampler disable
        set sflow-sampler disable
        set scan-botnet-connections disable
        set src-check enable
        set sample-rate 2000
        set polling-interval 20
        set sample-direction both
        set explicit-web-proxy disable
        set explicit-ftp-proxy disable
        set proxy-captive-portal disable
        set tcp-mss 0
        set inbandwidth 0
        set outbandwidth 0
        set egress-shaping-profile ''
        set spillover-threshold 0
        set ingress-spillover-threshold 0
        set weight 0
        set external disable
        set remote-ip 172.16.0.26 255.255.255.255
        set description ''
        set alias ''
        set l2tp-client disable
        set security-mode none
        set captive-portal 0
        set fortiheartbeat disable
        set estimated-upstream-bandwidth 0
        set estimated-downstream-bandwidth 0
        set role undefined
        set snmp-index 7
        set preserve-session-route disable
        set auto-auth-extension-device disable
        set ap-discover enable
        config ipv6
            set ip6-mode static
            set nd-mode basic
            set ip6-address ::/0
            unset ip6-allowaccess
            set ip6-reachable-time 0
            set ip6-retrans-time 0
            set ip6-hop-limit 0
            set dhcp6-prefix-delegation disable
            set dhcp6-information-request disable
            set ip6-send-adv disable
            set autoconf disable
            set dhcp6-relay-service disable
        end
        set wccp disable
        set interface "port4"
    next
end

config vpn ipsec phase1-interface
    edit "VPN-Cisco"
        set type dynamic
        set interface "port4"
        set ip-version 4
        set ike-version 2
        set local-gw 0.0.0.0
        set keylife 3600
        set authmethod psk
        unset authmethod-remote
        set peertype any
        set exchange-interface-ip disable
        set mode-cfg disable
        set proposal aes256-sha256
        set add-route enable
        set localid ''
        set localid-type auto
        set negotiate-timeout 30
        set fragmentation enable
        set dpd on-idle
        set forticlient-enforcement disable
        set comments ''
        set dhgrp 19
        set suite-b disable
        set eap disable
        set ppk disable
        set wizard-type custom
        set reauth disable
        set group-authentication disable
        set idle-timeout disable
        set ha-sync-esp-seqno enable
        set auto-discovery-sender disable
        set auto-discovery-receiver disable
        set auto-discovery-forwarder disable
        set nattraversal enable
        set fragmentation-mtu 1200
        set childless-ike disable
        set rekey enable
        set enforce-unique-id disable
        set default-gw 0.0.0.0
        set default-gw-priority 0
        set net-device disable
        set tunnel-search selectors
        set psksecret ENC <PRE SHARED KEY>
        set keepalive 10
        set distance 15
        set priority 0
        set dpd-retrycount 3
        set dpd-retryinterval 60
    next
end
 
config vpn ipsec phase2-interface
    edit "VPN-Cisco-Ph2"
        set phase1name "VPN-Cisco"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 19
        set replay disable
        set keepalive disable
        set add-route phase1
        set auto-discovery-sender phase1
        set auto-discovery-forwarder phase1
        set keylife-type seconds
        set single-source disable
        set route-overlap use-new
        set encapsulation tunnel-mode
        set comments ''
        set protocol 0
        set src-addr-type subnet
        set src-port 0
        set dst-addr-type subnet
        set dst-port 0
        set dhcp-ipsec disable
        set keylifeseconds 3600
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
 
config firewall policy
    edit 0
        set name ''
        set srcintf "port1"
        set dstintf "VPN-Cisco"
        set srcaddr <LOCAL_LAN>
        set dstaddr <REMOTE_LAN>
        set internet-service disable
        set internet-service-src disable
        set rtp-nat disable
        set learning-mode disable
        set action accept
        set status enable
        set schedule "always"
        set schedule-timeout disable
        set service "ALL"
        set dscp-match disable
        set utm-status disable
        set logtraffic utm
        set logtraffic-start disable
        set capture-packet disable
        set wanopt disable
        set webcache disable
        set session-ttl 0
        set vlan-cos-fwd 255
        set vlan-cos-rev 255
        set wccp disable
        set fsso disable
        set disclaimer disable
        set natip 0.0.0.0 0.0.0.0
        set diffserv-forward disable
        set diffserv-reverse disable
        set tcp-mss-sender 0
        set tcp-mss-receiver 0
        set comments ''
        set label ''
        set global-label ''
        set block-notification disable
        set replacemsg-override-group ''
        set srcaddr-negate disable
        set dstaddr-negate disable
        set service-negate disable
        set timeout-send-rst disable
        set captive-portal-exempt disable
        set ssl-mirror disable
        set scan-botnet-connections disable
        set dsri disable
        set radius-mac-auth-bypass disable
        set delay-tcp-npu-session disable
        unset vlan-filter
        set profile-protocol-options "default"
        set traffic-shaper ''
        set traffic-shaper-reverse ''
        set per-ip-shaper ''
        set nat disable
        set match-vip disable
    next
 
    edit 0
        set name ''
        set srcintf "VPN-Cisco"
        set dstintf "port1"
        set srcaddr <REMOTE_LAN>
        set dstaddr <LOCAL_LAN>
        set internet-service disable
        set internet-service-src disable
        set rtp-nat disable
        set learning-mode disable
        set action accept
        set status enable
        set schedule "always"
        set schedule-timeout disable
        set service "ALL"
        set dscp-match disable
        set utm-status disable
        set logtraffic utm
        set logtraffic-start disable
        set capture-packet disable
        set wanopt disable
        set webcache disable
        set session-ttl 0
        set vlan-cos-fwd 255
        set vlan-cos-rev 255
        set wccp disable
        set fsso disable
        set disclaimer disable
        set natip 0.0.0.0 0.0.0.0
        set diffserv-forward disable
        set diffserv-reverse disable
        set tcp-mss-sender 0
        set tcp-mss-receiver 0
        set comments ''
        set label ''
        set global-label ''
        set block-notification disable
        set replacemsg-override-group ''
        set srcaddr-negate disable
        set dstaddr-negate disable
        set service-negate disable
        set timeout-send-rst disable
        set captive-portal-exempt disable
        set ssl-mirror disable
        set scan-botnet-connections disable
        set dsri disable
        set radius-mac-auth-bypass disable
        set delay-tcp-npu-session disable
        unset vlan-filter
        set profile-protocol-options "default"
        set traffic-shaper ''
        set traffic-shaper-reverse ''
        set per-ip-shaper ''
        set nat disable
        set match-vip disable
    next
end

config router ospf
    set abr-type standard
    set auto-cost-ref-bandwidth 1000
    set distance-external 110
    set distance-inter-area 110
    set distance-intra-area 110
    set database-overflow disable
    set database-overflow-max-lsas 10000
    set database-overflow-time-to-recover 300
    set default-information-originate disable
    set default-information-metric 10
    set default-information-metric-type 2
    set default-information-route-map ''
    set default-metric 10
    set distance 110
    set rfc1583-compatible disable
    set router-id <W.X.Y.Z ROUTER ID>
    set spf-timers 5 10
    set bfd disable
    set log-neighbour-changes enable
    set distribute-list-in ''
    set distribute-route-map-in ''
    set restart-mode none
    set restart-period 120
    config area
        edit 0.0.0.0
            set shortcut disable
            set authentication none
        next
    end
    config ospf-interface
        edit "OSPF-CISCO-NAT-T"
            set interface "VPN-Cisco"
            set ip 0.0.0.0
            set authentication none
            set prefix-length 0
            set retransmit-interval 5
            set transmit-delay 1
            set cost 0
            set priority 1
            set dead-interval 40
            set hello-interval 10
            set hello-multiplier 0
            set database-filter-out disable
            set mtu 0
            set mtu-ignore enable
            set network-type point-to-point
            set bfd global
            set status enable
            set resync-timeout 40
        next
    end
    config network
        edit 1
            set prefix 172.16.0.24 255.255.255.252
            set area 0.0.0.0
        next
        edit 2
            set prefix <LAN_LOCAL> 255.255.255.0
            set area 0.0.0.0
        next
    end
    config redistribute "connected"
        set status disable
        set metric 0
        set routemap ''
        set metric-type 2
        set tag 0
    end
    config redistribute "static"
        set status disable
        set metric 0
        set routemap ''
        set metric-type 2
        set tag 0
    end
    config redistribute "rip"
        set status disable
        set metric 0
        set routemap ''
        set metric-type 2
        set tag 0
    end
    config redistribute "bgp"
        set status disable
        set metric 0
        set routemap ''
        set metric-type 2
        set tag 0
    end
    config redistribute "isis"
        set status disable
        set metric 0
        set routemap ''
        set metric-type 2
        set tag 0
    end
end
#16
ajimenez
Re: Fortigate - Cisco router IKEv2 VPN - route-base 2019/06/24 09:54:31 (permalink)
0
CISCO SIDE
 
crypto ikev2 proposal ikev2prop-1
 encryption aes-cbc-256
 integrity sha256
 group 19
!
crypto ikev2 policy ikev2pol
 proposal ikev2prop-1
!
crypto ikev2 keyring ikev2keyring
 peer <CENTRAL-FG>
  address <PUBLIC IP ADDRESS>
  pre-shared-key <PRE SHARED KEY>
!
crypto ikev2 profile ikev2prof
 match identity remote address <PUBLIC IP ADDRESS> 255.255.255.255
 identity local address <CISCO IP ADDRESS AT LAN SIDE OF ISP ROUTER>
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2keyring
 lifetime 3600
 dpd 15 5 periodic
 nat keepalive 180
 no config-exchange request
!
crypto ipsec transform-set trans esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile ipsecprof
 set transform-set trans
 set pfs group19
 set ikev2-profile ikev2prof
!
interface Tunnel0
 ip address 172.16.0.26 255.255.255.252
 ip ospf network point-to-point
 ip ospf mtu-ignore
 tunnel source <WAN INTERFACE>
 tunnel mode ipsec ipv4
 tunnel destination <PUBLIC IP ADDRESS>
 tunnel protection ipsec profile ipsecprof
!
router ospf 1
 router-id <W.X.Y.Z IP REMOTE ROUTER ID>
 network 172.16.0.24 0.0.0.3 area 0.0.0.0
 network <REMOTE LAN> 0.0.0.255 area 0.0.0.0
!
#17
ajimenez
Re: Fortigate - Cisco router IKEv2 VPN - route-base 2019/06/24 09:59:57 (permalink)
0
Some show commands:
 
Cisco#sh int tun0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 172.16.0.26/30
 
Cisco#ping
Protocol [ip]:
Target IP address: 172.16.0.25  ### Fortigate Side VTI Address ###
Repeat count [5]: 10
Datagram size [100]: 36
Timeout in seconds [2]: 1
Extended commands [n]: y
Source address or interface: Tunnel 0
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 10, 36-byte ICMP Echos to 172.16.0.25, timeout is 1 seconds:
Packet sent with a source address of 172.16.0.26
..........
Success rate is 0 percent (0/10)
#18
Toshi Esumi
Re: Fortigate - Cisco router IKEv2 VPN - route-base 2019/06/24 16:08:48 (permalink)
0
What do you see in "sh cry ses" on the cisco?
#19
ajimenez
Re: Fortigate - Cisco router IKEv2 VPN - route-base 2019/06/24 16:13:31 (permalink)
0
This is the output:
 
Cisco#show crypto session
Crypto session current status
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: <Fortigate Public IP> port 4500
IKEv2 SA: local <Cisco IP Address at LAN side of ISP router>/4500 remote <Fortigate Public IP>/4500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
#20