Fortinet 1000D IPSEC With ASA 5512

Author
Lsousa
New Member
2018/10/29 03:58:29 (permalink)
0

I have a configuration done for an IPsec VPN between a Cisco ASA 10.0.100.110 and a Fortinet 10.0.100.114 in a network 10.0.100.109/29.
 
The information I received is:
 
Encryption Scheme: IKE v1
Authentication Method: Pre-shared key: to be sent out-of-band (phone, SMS, IM)
Diffie-Hellman Group: Group 2
Encryption Algorithm: AES-256
Hashing Algorithm: SHA-1
Main or Aggressive Mode: Main Mode
IKE Lifetime (for renegotiation): 1440 minutes (86400 seconds)
NAT Traversal: Enabled
Keepalive Interval: 10 seconds / Retry interval: 2 seconds
Encapsulation Mode: tunnel
Encryption Algorithm: ESP AES-256
Authentication Algorithm: SHA-1
Perfect Forward Secrecy: Group 2
IPSEC Lifetime (for renegotiation): 480 minutes (28800 seconds)
Lifesize in KB (for renegotiation): Unlimited
 
I have already done that configuration and I can not reach a public IP linked to their private IP. The services I need to reach via the public IP 197.500.86.15 are TCP:80 and 4001.
 
Can someone tell me how I can permit this configuration on the FortiGate? Is something missing in this information?
#1

    Toshi Esumi
    Expert Member
    Re: Fortinet 1000D IPSEC With ASA 5512 2018/10/29 08:50:36 (permalink)
    5 (1)
    I assume Phase 2 selectors are 0/0<->0/0 on both sides and the tunnel is up. Then make sure you have a route into the tunnel on the FGT for the public IP you need to reach. From there you need to sniff packets to see if they're going into the tunnel. If they do, the problem is on the ASA side.
    #2
    Lsousa
    New Member
    Re: Fortinet 1000D IPSEC With ASA 5512 2018/10/29 09:51:08 (permalink)
    0
    How can I see if the route is OK, and how can I sniff the packets?
    #3
    Toshi Esumi
    Expert Member
    Re: Fortinet 1000D IPSEC With ASA 5512 2018/10/29 11:04:33 (permalink)
    5 (1)
    "get router info routing-t details 197.500.86.15" would show you the route it follows.
    "diag sniffer packet VPN_INTERFACE 'host 197.500.86.15'" would show you the packets. But you have to disable ASIC offloading at the policies to see them in sniffing ("set auto-asic-offload disable").
    #4
    Lsousa
    New Member
    Re: Fortinet 1000D IPSEC With ASA 5512 2018/10/30 01:02:34 (permalink)
    0
    I already ran the command and the output is "Network not in table". Is there something I need to do to put the public IP in the routing table?
    #5
    zhunissov4
    Gold Member
    Re: Fortinet 1000D IPSEC With ASA 5512 2018/10/30 01:20:30 (permalink)
    0
    Hello, 
     
    1) Can you ping the public IP address of the Cisco ASA?
    2) Could you share the configuration of the IPsec VPN, routing and IPv4 policies for the IPsec VPN in the FG?
     
    Also get the output of the following commands:
     
    get  router  info routing-table all
    get route info routing-table database
    diagnose  vpn  ike  gateway  list 
    diagnose  vpn  tunnel  list 
     
    #6
    Lsousa
    New Member
    Re: Fortinet 1000D IPSEC With ASA 5512 2018/10/30 03:37:15 (permalink)
    0
    Yes, I can ping the public IP.
     
    I would like to first get the best way to create the IPsec VPN.
     
    My scenario is: I have a tunnel network range with 3 IPs, e.g. 10.1.100.152/29, with 10.1.100.153 on my network and 10.1.100.158 on the ASA network.
     
    I want to reach services (http, https, 5400, 5401) on the public IP 194.234.117.147.
     
    I created an IPsec tunnel with remote gateway 10.1.100.158 and did Phase 2 with the local address 10.1.100.153 and the remote IP 194.234.117.147.
     
    Then I created a policy to get to the public IP on port 80.
     
    I have a static route with gateway 10.1.100.158 and destination 194.234.117.147.
     
    I can not get the http service.
     
    So my question is: what is the correct way to do this job?
     
    I can not bring up the VPN.
    #7
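    The two checks the thread keeps circling back to (Toshi's "route into the tunnel" plus Phase 2 selectors in #2, and the proposal parameters from the original post that must match on both ends before the tunnel in #7 can come up), written out as an added, stand-alone Python example that is not from this thread or from Fortinet. The FortiGate-side values and the route table are constructed samples; only the ASA-side parameters and the 194.234.117.147 target come from the posts.

```python
import ipaddress

# Parameters the ASA side sent, as listed in the original post.
ASA_SIDE = {
    "ike_version": 1, "mode": "main", "dh_group": 2, "encryption": "aes256",
    "hash": "sha1", "ike_lifetime": 86400, "nat_traversal": True,
    "esp_encryption": "aes256", "esp_auth": "sha1", "pfs_group": 2,
    "ipsec_lifetime": 28800,
}
# Constructed FortiGate side with two deliberate mismatches (hypothetical values).
FGT_SIDE = dict(ASA_SIDE, dh_group=14, ipsec_lifetime=3600)

# Settings that still negotiate but sit below current guidance; worth flagging
# when you are asked to mirror a peer's proposal verbatim.
WEAK = {"dh_group": {1, 2, 5}, "hash": {"md5", "sha1"}, "esp_auth": {"md5", "sha1"}}


def proposal_mismatches(local, remote):
    """Names of parameters that differ between the two ends. Any hit is a
    likely reason the tunnel stays down before routing even matters."""
    return sorted(k for k in remote if local.get(k) != remote[k])


def weak_parameters(cfg):
    """Parameters whose chosen value is in the WEAK table."""
    return sorted(k for k, bad in WEAK.items() if cfg.get(k) in bad)


def path_into_tunnel(dest, routes, remote_selectors, vpn_iface):
    """Longest-prefix match dest against (prefix, interface) routes and check
    whether the winning route points at the tunnel interface; independently
    check that dest falls inside a Phase 2 remote selector.
    Returns (route_ok, selector_ok). No matching route at all gives
    route_ok=False, which is what 'Network not in table' means."""
    d = ipaddress.ip_address(dest)
    nets = [(ipaddress.ip_network(p, strict=False), i) for p, i in routes]
    hits = [(n, i) for n, i in nets if d in n]
    route_ok = bool(hits) and max(hits, key=lambda h: h[0].prefixlen)[1] == vpn_iface
    sel_ok = any(d in ipaddress.ip_network(s, strict=False) for s in remote_selectors)
    return (route_ok, sel_ok)


if __name__ == "__main__":
    print("mismatches:", proposal_mismatches(FGT_SIDE, ASA_SIDE))
    print("weak on ASA proposal:", weak_parameters(ASA_SIDE))
    routes = [("0.0.0.0/0", "wan1"), ("194.234.117.147/32", "to_asa")]
    print(path_into_tunnel("194.234.117.147", routes, ["194.234.117.147/32"], "to_asa"))
```

    A route whose best match is the WAN interface instead of the tunnel interface returns (False, True): the selector is fine but traffic never enters the tunnel, which is the case Toshi's sniffer check would expose.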
    zhunissov4
    Gold Member
    Re: Fortinet 1000D IPSEC With ASA 5512 2018/10/30 03:46:11 (permalink)
    0
    Lsousa, 
     
    Firstly, I highly recommend you configure the IPsec VPN with all services allowed in the IPv4 policy.
     
    Here are examples: https://docs.fortinet.com/uploaded/files/1691/configuring-IPsec-VPN-with-a-FortiGate-and-a-Cisco-ASA.pdf
    https://cookbook.fortinet.com/ipsec-fortigate-cisco/
     
    #8
    Lsousa
    New Member
    Re: Fortinet 1000D IPSEC With ASA 5512 2018/10/30 04:01:46 (permalink)
    0
    I have already done this but I can not bring up the tunnel; it is still down.
    #9
    zhunissov4
    Gold Member
    Re: Fortinet 1000D IPSEC With ASA 5512 2018/10/30 04:20:55 (permalink)
    0
    Without the configuration settings I can't advise you on anything.
    #10
    zhunissov4
    Gold Member
    Re: Fortinet 1000D IPSEC With ASA 5512 2018/10/30 04:24:55 (permalink)
    0
    You can also try to run the real-time debug:
     
    diagnose debug reset
    diagnose  debug  application  ike -1 
    diag debug enable
    #11
    Lsousa
    New Member
    Re: Fortinet 1000D IPSEC With ASA 5512 2018/10/30 04:43:00 (permalink)
    0
    I tried it, but it keeps showing too many VPNs; I have 8.
     
    Do you have a command so that I can see the debug of only one VPN?
    #12
    zhunissov4
    Gold Member
    Re: Fortinet 1000D IPSEC With ASA 5512 2018/10/30 04:50:36 (permalink)
    0
    diag vpn ike log filter --- try to set the destination IP address or phase-1 name, etc.

    diag debug app ike -1
    diag debug enable
    #13
    Lsousa
    New Member
    Re: Fortinet 1000D IPSEC With ASA 5512 2018/10/30 05:21:28 (permalink)
    0
    Once the VPN is created, what are the next steps to reach the services on the public IP?
    #14