Fortigate - Cisco router IKEv2 VPN - route-base

Page: < 12 Showing page 2 of 2
Author
Toshi Esumi
Expert Member
  • Total Posts : 1751
  • Scores: 143
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
Re: Fortigate - Cisco router IKEv2 VPN - route-base 2019/06/25 15:13:38 (permalink)
0
So the Cisco side sees it up. How about the FGT side in "get vpn ipsec tun sum"? It should show something like below:
sea5601-fg1 # get vpn ipsec tun sum
'VPN_NAME' GW_IP:4500  selectors(total,up): 1/1  rx(pkt,err): 596097  /0  tx(pkt,err): 1089563/2


#21
Toshi Esumi
Expert Member
  • Total Posts : 1751
  • Scores: 143
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
Re: Fortigate - Cisco router IKEv2 VPN - route-base 2019/06/25 15:41:31 (permalink)
0
If the FGT side also shows it up, the only thing I can think of is that trusthosts are configured and the Cisco's tunnel interface IP is not included in the trusthosts.
Also I noticed your Cisco's IOS is quite old, since it doesn't show the source IP in the ping options. We only tested with relatively new IOS, like 15.4 and 15.7. If it's very old, like 12.4 or even older, I would imagine some behaviors with IKEv2/VTI might be different or it might require a different config.
#22
ajimenez
New Member
  • Total Posts : 8
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/06/22 23:29:31
  • Status: offline
Re: Fortigate - Cisco router IKEv2 VPN - route-base 2019/06/25 20:56:09 (permalink)
0
Hi Toshi, 
 
This is the output of "get vpn ipsec tun sum":
 
CENTRAL-FG # get vpn ipsec tun sum
 
'VPNFortiGateNAT-T_0' W.X.Y.Z:4500 selectors(total,up): 1/1 rx(pkt,err): 175998/0 tx(pkt,err): 152436/0
'VPNCiscoNAT-T_0' W.X.Y.Z:64916 selectors(total,up): 1/1 rx(pkt,err): 0/0 tx(pkt,err): 7/1
'VPNCiscoNoNAT-T_01' W.X.Y.Z:0 selectors(total,up): 1/1 rx(pkt,err): 574039/0 tx(pkt,err): 479250/4
'VPNCiscoNoNAT-T_02' W.X.Y.Z:0 selectors(total,up): 1/1 rx(pkt,err): 86941/0 tx(pkt,err): 99429/0
'VPNCiscoNoNAT-T_03' W.X.Y.Z:0 selectors(total,up): 1/1 rx(pkt,err): 160555/0 tx(pkt,err): 171331/2
'VPNCiscoNoNAT-T_04' W.X.Y.Z:0 selectors(total,up): 1/1 rx(pkt,err): 112830/0 tx(pkt,err): 108451/0
'VPNCiscoNoNAT-T_05' W.X.Y.Z:0 selectors(total,up): 1/1 rx(pkt,err): 178400/0 tx(pkt,err): 132468/2
'VPNCiscoNoNAT-T_06' W.X.Y.Z:0 selectors(total,up): 1/1 rx(pkt,err): 429732/0 tx(pkt,err): 407938/2
 
In the first row you see a VPN between the central Fortigate and a remote Fortigate behind NAT, which works perfectly.
The second row is that of the Cisco behind NAT, the one this post is about.
And the next six lines are VPNs from remote Ciscos to the central Fortigate; these are not behind NAT, and they also work perfectly.
Just as a comment, I made the same configuration in another Fortigate that has the role of the "hub", without any VPN configuration, and the behavior is the same as in this case; this was to be sure that the rest of the tunnels are causing the problem.
 
Something that catches my attention is the port in the case of the Cisco-NAT-T Tunnel, 64916, it should be 4500, right?
 
I also mentioned that I started the configuration with a FortiGate as the router in front of the remote Cisco; however, to rule out that the Fortigate's security was preventing communication, I put a "less secure" router in front of the Cisco behind NAT, and the behavior is the same.
 
=(
#23
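The "get vpn ipsec tun sum" output above is the first thing to read when a tunnel is "up" but carries nothing, and the Cisco NAT-T row already tells the story: selectors 1/1, tx 7 packets with 1 error, rx 0. Two things are worth knowing when reading it. First, a non-4500 port such as 64916 is not a fault: with NAT-T the FortiGate records the peer's UDP source port as it arrives after the NAT device has translated it, so only a peer that is not behind NAT (or that the NAT device leaves alone) shows 4500. Second, a port of 0 is what the NoNAT-T rows show, i.e. no UDP encapsulation. The script below is an added example by the editor, not from the thread or from Fortinet: it parses the summary lines (tolerating the variable spacing seen in both outputs on this page) and flags the patterns that matter, in particular the one-way "we encrypt out, nothing comes back" case. The sample input is constructed from the lines in the post, plus one made-up tunnel named VPN-HYPOTHETICAL with a selector down so that every check is exercised.

```python
import re
from dataclasses import dataclass

# Constructed sample: the rows from the post above (peer masked as W.X.Y.Z, as there),
# one row in the spacing of the earlier "sea5601-fg1" output, and one hypothetical
# row with a selector down so every branch of triage() is exercised.
SAMPLE = """\
'VPNFortiGateNAT-T_0' W.X.Y.Z:4500 selectors(total,up): 1/1 rx(pkt,err): 175998/0 tx(pkt,err): 152436/0
'VPNCiscoNAT-T_0' W.X.Y.Z:64916 selectors(total,up): 1/1 rx(pkt,err): 0/0 tx(pkt,err): 7/1
'VPNCiscoNoNAT-T_01' W.X.Y.Z:0 selectors(total,up): 1/1 rx(pkt,err): 574039/0 tx(pkt,err): 479250/4
'VPN_NAME' GW_IP:4500  selectors(total,up): 1/1  rx(pkt,err): 596097  /0  tx(pkt,err): 1089563/2
'VPN-HYPOTHETICAL' W.X.Y.Z:4500 selectors(total,up): 2/1 rx(pkt,err): 10/0 tx(pkt,err): 10/0
"""

# One summary row. Whitespace around the "/" separators varies between FortiOS builds,
# so every separator is matched with \s* rather than a literal.
LINE_RE = re.compile(
    r"'(?P<name>[^']+)'\s+(?P<gw>\S+):(?P<port>\d+)\s+"
    r"selectors\(total,up\):\s*(?P<sel_total>\d+)\s*/\s*(?P<sel_up>\d+)\s+"
    r"rx\(pkt,err\):\s*(?P<rx_pkt>\d+)\s*/\s*(?P<rx_err>\d+)\s+"
    r"tx\(pkt,err\):\s*(?P<tx_pkt>\d+)\s*/\s*(?P<tx_err>\d+)"
)
INT_FIELDS = ("port", "sel_total", "sel_up", "rx_pkt", "rx_err", "tx_pkt", "tx_err")


@dataclass
class Tunnel:
    name: str
    gw: str
    port: int
    sel_total: int
    sel_up: int
    rx_pkt: int
    rx_err: int
    tx_pkt: int
    tx_err: int


def parse_tun_sum(text):
    """Parse 'get vpn ipsec tunnel summary' output into Tunnel records; unknown lines are skipped."""
    tunnels = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            tunnels.append(Tunnel(name=m["name"], gw=m["gw"],
                                  **{k: int(m[k]) for k in INT_FIELDS}))
    return tunnels


def triage(t):
    """Return human-readable findings for one tunnel; an empty list means nothing suspicious."""
    findings = []
    if t.sel_up < t.sel_total:
        findings.append(f"selectors down: only {t.sel_up} of {t.sel_total} phase2 selectors are up")
    if t.port == 0:
        findings.append("port 0: no UDP encapsulation (native ESP), as on the NoNAT-T tunnels")
    elif t.port != 4500:
        findings.append(f"NAT-T on translated port {t.port}: the peer sits behind NAT, "
                        "which is expected for NAT traversal, not an error by itself")
    if t.tx_pkt > 0 and t.rx_pkt == 0:
        findings.append("one-way: packets are encrypted out but nothing is decrypted in; "
                        "check the peer's return route, its inbound filtering and the NAT device")
    if t.tx_err > 0:
        findings.append(f"tx errors: {t.tx_err} of {t.tx_pkt} encapsulation attempts failed")
    return findings


def report(text):
    """Map tunnel name -> findings for a whole summary dump."""
    return {t.name: triage(t) for t in parse_tun_sum(text)}


if __name__ == "__main__":
    for name, findings in report(SAMPLE).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

Run it against the output of "get vpn ipsec tunnel summary" pasted into SAMPLE (or read from a file). The one-way check is the one that matches the Cisco NAT-T row in the post; a tunnel with a healthy SA but rx 0 is almost never a crypto problem, it is the return path.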
ajimenez
New Member
  • Total Posts : 8
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/06/22 23:29:31
  • Status: offline
Re: Fortigate - Cisco router IKEv2 VPN - route-base 2019/06/25 21:13:16 (permalink)
0
About trusthost, there is no such configuration in either the Fortigate or the Cisco.
 
The Cisco has the following IOS:
Cisco # sh ver
Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.2 (4) M5, RELEASE SOFTWARE (fc2)
 
And the Fortigate has 6.0.5
 
This is an output of extended ping in the Cisco:
 
Cisco#ping
Protocol [ip]:
Target IP address: 172.16.0.25
Repeat count [5]: 10
Datagram size [100]: 36
Timeout in seconds [2]: 1
Extended commands [n]: y
Source address or interface: 172.16.0.26    ###Do you refer to this option? ###
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 10, 36-byte ICMP Echos to 172.16.0.25, timeout is 1 seconds:
Packet sent with a source address of 172.16.0.26
..........
 
I think the IOS is not so old, but let me upgrade to a newer one and try; I will post the results.
 
Again, thanks a lot!
 
Best regards
 
#24
Toshi Esumi
Expert Member
  • Total Posts : 1751
  • Scores: 143
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
Re: Fortigate - Cisco router IKEv2 VPN - route-base 2019/06/25 21:26:15 (permalink)
0
Ah, it's an 88x, on which I couldn't make this IKEv2 tunnel to the FGT work. I tested 881, 891, 1941, and 4421 (IOS XE). Only the 881 never worked, while the rest worked fine.
You probably need to open a Cisco TAC case like I did, or if that's not possible post your question at Cisco Community. Since we were trying to get rid of all 881s in the field, I declared "881 is not supported" for this Cisco-FGT IKEv2 setup inside our org.
#25
sagipael
New Member
  • Total Posts : 4
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/06/25 22:21:11
  • Status: offline
Re: Fortigate - Cisco router IKEv2 VPN - route-base 2019/06/25 23:39:00 (permalink)
0
Hi,
 
I'm trying to set up an IPsec tunnel with IKEv2 between a Fortigate and a Cisco ASA.
 
I set all the needed settings, static routes, policies, etc.
The tunnel is up on both sides,
but traffic fails to go back from the FG to the Cisco through the tunnel.
 
the error i got:
 
id=20085 trace_id=1265 func=print_pkt_detail line=5347 msg="vd-Global_Net received a packet(proto=1, 192.XXX.XXX.XXX:55068->10.200.YYY.YYY:2048) from MGNT. type=8, code=0, id=55068, seq=7."
id=20085 trace_id=1265 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-22e14d58, original direction"
id=20085 trace_id=1265 func=npu_handle_session44 line=1100 msg="Trying to offloading session from LAN_Interface to Tunnel_Interface, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x01000000"
id=20085 trace_id=1265 func=ipsecdev_hard_start_xmit line=640 msg="enter IPsec interface-Tunnel_Interface"
id=20085 trace_id=1265 func=esp_output4 line=694 msg="no route to 85.Z.Z.Z, drop"
 
Any ideas?
 
Thanks
Sagi
 
#26
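The "diag debug flow" trace in the post above is more informative than it looks, because the drop happens after the packet has already entered the IPsec interface. The func= column records where in the forwarding path each message was emitted: the packet enters Tunnel_Interface in ipsecdev_hard_start_xmit (so the inner route towards 10.200.YYY.YYY into the tunnel is fine), and it is only esp_output4, which builds the encapsulated ESP packet, that reports "no route to 85.Z.Z.Z, drop". That address is the remote gateway, so what is missing is the outer route: the VDOM named in the first line (vd-Global_Net) has no route to the IPsec peer's public address. As an added example by the editor (not from the thread or from Fortinet), the script below parses the key=value trace lines, groups them per trace_id and distinguishes a pre-tunnel drop from this outer-route drop. The sample input is the five lines from the post, copied as constructed test data.

```python
import re
from collections import defaultdict

# Constructed sample: the five "diag debug flow" lines from the post above, addresses masked as there.
TRACE = """\
id=20085 trace_id=1265 func=print_pkt_detail line=5347 msg="vd-Global_Net received a packet(proto=1, 192.XXX.XXX.XXX:55068->10.200.YYY.YYY:2048) from MGNT. type=8, code=0, id=55068, seq=7."
id=20085 trace_id=1265 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-22e14d58, original direction"
id=20085 trace_id=1265 func=npu_handle_session44 line=1100 msg="Trying to offloading session from LAN_Interface to Tunnel_Interface, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x01000000"
id=20085 trace_id=1265 func=ipsecdev_hard_start_xmit line=640 msg="enter IPsec interface-Tunnel_Interface"
id=20085 trace_id=1265 func=esp_output4 line=694 msg="no route to 85.Z.Z.Z, drop"
"""

# key=value tokens; the value is either a double-quoted string (msg=...) or a bare word.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
NO_ROUTE_RE = re.compile(r"no route to (\S+), drop")
VDOM_RE = re.compile(r"vd-(\S+) received")
ENTER_IPSEC_RE = re.compile(r"enter IPsec interface-(\S+)")


def parse_flow(text):
    """Group trace records by trace_id; one trace_id is one packet's walk through the unit."""
    traces = defaultdict(list)
    for line in text.splitlines():
        rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if "trace_id" in rec:
            traces[rec["trace_id"]].append(rec)
    return dict(traces)


def diagnose(records):
    """Walk one trace and say where (and why) the packet was dropped."""
    v = {"vdom": None, "entered_tunnel": None, "drop_func": None,
         "drop_msg": None, "peer": None, "stage": None}
    for r in records:
        func, msg = r.get("func", ""), r.get("msg", "")
        m = VDOM_RE.match(msg)
        if m:
            v["vdom"] = m.group(1)
        m = ENTER_IPSEC_RE.search(msg)
        if m:
            v["entered_tunnel"] = m.group(1)
        if re.search(r"\bdrop\b", msg):
            v["drop_func"], v["drop_msg"] = func, msg
            m = NO_ROUTE_RE.search(msg)
            if m:
                v["peer"] = m.group(1)
    if v["drop_func"] is None:
        v["stage"] = "forwarded"            # no drop message in this trace
    elif v["entered_tunnel"] and v["drop_func"].startswith("esp_output"):
        v["stage"] = "outer_esp_route"      # dropped while routing the encapsulated packet
    elif v["entered_tunnel"] is None:
        v["stage"] = "pre_tunnel"           # dropped before reaching the IPsec interface
    else:
        v["stage"] = "other"
    return v


def explain(v):
    """One-sentence reading of a diagnose() verdict."""
    if v["stage"] == "outer_esp_route":
        return (f"Packet entered {v['entered_tunnel']} in VDOM {v['vdom']}, so the inner route into "
                f"the tunnel is fine; the ESP packet then had no route to the peer gateway "
                f"{v['peer']} in that VDOM's routing table.")
    if v["stage"] == "pre_tunnel":
        return f"Dropped in {v['drop_func']} before any tunnel was entered: {v['drop_msg']}"
    return f"stage={v['stage']}: {v['drop_msg']}"


if __name__ == "__main__":
    for tid, recs in parse_flow(TRACE).items():
        print(tid, explain(diagnose(recs)))
```

The check that follows from the verdict is "get router info routing-table details 85.Z.Z.Z" in the VDOM that owns the tunnel: the FortiGate needs a route to the peer's public address out of the WAN interface, independent of the route for the remote private subnet that points into the tunnel interface.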
p.kreouzis
New Member
  • Total Posts : 1
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/10/21 07:22:24
  • Status: offline
Re: Fortigate - Cisco router IKEv2 VPN - route-base 2019/10/22 04:12:18 (permalink)
0
ajimenez
About trusthost, there is nothing configuration neither in the Fortigate nor in the Cisco.
 
The Cisco has the following IOS:
Cisco # sh ver
Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.2 (4) M5, RELEASE SOFTWARE (fc2)
 
And the Fortigate has 6.0.5
 
This is an output of extended ping in the Cisco:
 
Cisco#ping
Protocol [ip]:
Target IP address: 172.16.0.25
Repeat count [5]: 10
Datagram size [100]: 36
Timeout in seconds [2]: 1
Extended commands [n]: y
Source address or interface: 172.16.0.26    ###Do you refer to this option? ###
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 10, 36-byte ICMP Echos to 172.16.0.25, timeout is 1 seconds:
Packet sent with a source address of 172.16.0.26
..........
 
I think the IOs is not so old, let me upgrade to newer and try, I will post the results
 
Again, thanks a lot!
 
Best regards
 
Hi All,
I had the exact same problem, trying to create an IKEv2 GRE tunnel between a Cisco 886VA with a 15.2-something IOS and a Fortigate on version 6.0.x.
The tunnel was UP but no traffic was passing through. After many days and Red Bulls, I changed the integrity in phase one, or the proposal (call it whatever you like), from sha256 to sha1 and BAM, everything worked!!!
 
Try the following config on the Cisco:
 
crypto ikev2 proposal AES-256
 encryption aes-cbc-256
 integrity sha1   ! <- this made the difference
 group 19 20 21


Change the Fortigate's side accordingly.
I am more than curious whether it will work or not!
BR,
Panos
post edited by p.kreouzis - 2019/10/22 04:15:22
#27
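Whatever the reason the 886VA only passed traffic with sha1, the general lesson of the post above is that an IKEv2 SA is only negotiable if the two proposal lists share at least one encryption/integrity pair and at least one DH group, and that comparison is easy to get wrong by hand because the two vendors spell the same algorithms differently (Cisco "aes-cbc-256" plus "integrity sha1" is the FortiOS proposal token "aes256-sha1", and Cisco "group" is FortiOS "dhgrp"). The script below is an added example by the editor, not from the thread, Cisco or Fortinet: it parses the Cisco "crypto ikev2 proposal" block from the post and an assumed FortiGate phase1-interface counterpart (the tunnel name "to-cisco" and the whole FortiGate block are the editor's assumption, written in standard FortiOS CLI syntax) and reports what the two sides have in common. GCM/PRF-style tokens are out of scope. On the crypto side: HMAC-SHA1 is not broken by the known SHA-1 collision attacks, but it is deprecated in most baselines, so if sha1 turns out to be necessary for a given IOS image, keep sha256 in the list as well rather than replacing it outright.

```python
# Constructed sample: the Cisco proposal from the post above.
CISCO = """\
crypto ikev2 proposal AES-256
 encryption aes-cbc-256
 integrity sha1
 group 19 20 21
"""

# Assumed FortiGate counterpart (editor's example, not from the thread). The tunnel name
# "to-cisco" is made up; the syntax is standard FortiOS phase1-interface CLI.
FORTI_MATCHING = """\
config vpn ipsec phase1-interface
    edit "to-cisco"
        set ike-version 2
        set proposal aes256-sha256 aes256-sha1
        set dhgrp 19 20 21
    next
end
"""

# Same, but with only sha256 and a different DH group: nothing in common with the Cisco side.
FORTI_MISMATCH = """\
config vpn ipsec phase1-interface
    edit "to-cisco"
        set ike-version 2
        set proposal aes256-sha256
        set dhgrp 14
    next
end
"""

# Cisco IOS encryption keywords -> the spelling FortiOS uses inside a proposal token.
CISCO_ENC = {"aes-cbc-128": "aes128", "aes-cbc-192": "aes192", "aes-cbc-256": "aes256", "3des": "3des"}


def parse_cisco(text):
    """Read 'encryption', 'integrity' and 'group' lines of a crypto ikev2 proposal block."""
    enc, integ, groups = [], [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "encryption":
            enc += [CISCO_ENC.get(p, p) for p in parts[1:]]
        elif parts[0] == "integrity":
            integ += parts[1:]
        elif parts[0] == "group":
            groups += [int(g) for g in parts[1:]]
    # IOS offers every listed encryption with every listed integrity, so the suite set is the product.
    return {"suites": {(e, i) for e in enc for i in integ}, "groups": set(groups)}


def parse_forti(text):
    """Read 'set proposal' and 'set dhgrp' lines of a FortiOS phase1-interface block."""
    suites, groups = set(), set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "set":
            continue
        if parts[1] == "proposal":
            for tok in parts[2:]:
                enc, _, integ = tok.partition("-")   # "aes256-sha1" -> ("aes256", "sha1")
                suites.add((enc, integ))
        elif parts[1] == "dhgrp":
            groups |= {int(g) for g in parts[2:]}
    return {"suites": suites, "groups": groups}


def compare(cisco, forti):
    """IKE_SA_INIT can only succeed if both a suite and a DH group are shared."""
    suites = sorted(cisco["suites"] & forti["suites"])
    groups = sorted(cisco["groups"] & forti["groups"])
    return {"common_suites": suites, "common_groups": groups,
            "negotiable": bool(suites) and bool(groups)}


if __name__ == "__main__":
    c = parse_cisco(CISCO)
    for label, forti in (("matching", FORTI_MATCHING), ("mismatch", FORTI_MISMATCH)):
        print(label, compare(c, parse_forti(forti)))
```

Which of several common suites is actually chosen is up to the responder's implementation, so this tells you whether IKE can come up, not which algorithms it will end up using; confirm that on the box with "diag vpn ike gateway list" on the FortiGate or "show crypto ikev2 sa detail" on the Cisco.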