Hi,
I have the following issue I am trying to solve: set up a static site-to-site VPN tunnel between a Fortigate 100E (local) and a Cisco ASA (remote). Configuration of phase 1 and phase 2 parameters is OK and checked, but the tunnel doesn't come up due to a local subnet issue.
Fortigate 100E, v5.6.6 with physical interfaces as follows:
Lan (Switch): P1-P13, P1 connected, subnet 192.168.0.x/22
P16: 172.16.10.0/24
The VPN tunnel comes up correctly if my peer configures the local (100E) subnet to 192.168.0.x. But I would like to use the tunnel from port16 with the 172.16.10.0 subnet. If my peer changes the configuration to 172.16.10.0, phase 1 comes up but phase 2 never starts. So it is an issue with the correct interface/subnet configuration on my (local) side.
How do I configure the 100E to use port16 / subnet 172.16.10.0 as the local IP? Trying to set the tunnel interface address doesn't allow me to use a 172.16.10.0 IP address, failing with "conflicts with port 16 subnet". So where do you specify which interface/subnet a VPN tunnel should use as the local side?
thx,
Christian
add: already tried to set src-subnet and dst-subnet (dst-start-ip) in phase2 definition. Didn't change anything.
edit "vpn-JZ"
    set phase1name "vpn-JZ"
    set proposal aes256-sha1 aes128-sha1
    set dhgrp 5
    set dst-addr-type ip
    set keylifeseconds 28800
    set src-subnet 172.16.10.0 255.255.255.0
    set dst-start-ip 10.65.11.10
next
In the Cisco ASA crypto map, what did they define in the ACL? Your src/dst has to match the remote dst/src subnets.
ken Felix
PCNSE
NSE
StrongSwan
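A small checker for the mirror-image rule Ken describes, added here as an example; it is not part of the thread and not a Fortinet or Cisco tool. It parses the phase2 block posted above and an ASA crypto-map ACL line, and reports which selector pair does not mirror. The thread never shows the real ASA ACL, so both ACL lines below are constructed: one mirrored correctly, one still pointing at the old 192.168.0.0/22 subnet, which reproduces the "phase 1 up, phase 2 never starts" symptom at the selector level.

```python
import ipaddress
import re

# Constructed sample input: the phase2 block pasted in the thread, plus two
# hypothetical ASA crypto-map ACL lines (the thread does not show the real one).
FORTIGATE_PHASE2 = """\
edit "vpn-JZ"
    set phase1name "vpn-JZ"
    set proposal aes256-sha1 aes128-sha1
    set dhgrp 5
    set dst-addr-type ip
    set keylifeseconds 28800
    set src-subnet 172.16.10.0 255.255.255.0
    set dst-start-ip 10.65.11.10
next
"""
ASA_ACL_MIRRORED = "access-list VPN-JZ extended permit ip host 10.65.11.10 172.16.10.0 255.255.255.0"
ASA_ACL_STALE = "access-list VPN-JZ extended permit ip host 10.65.11.10 192.168.0.0 255.255.252.0"

ANY = ipaddress.ip_network("0.0.0.0/0")


def fortigate_selectors(block):
    """Return (local, remote) networks from a FortiOS phase2 block.

    Handles the 'subnet' address type (src-subnet / dst-subnet) and the
    single-host 'ip' type (src-start-ip / dst-start-ip taken as /32).
    A side that is not set defaults to 0.0.0.0/0, as FortiOS does.
    """
    local, remote = ANY, ANY
    for raw in block.splitlines():
        line = raw.strip()
        m = re.match(r"set (src|dst)-subnet (\S+) (\S+)$", line)
        if m:
            net = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
        else:
            m = re.match(r"set (src|dst)-start-ip (\S+)$", line)
            if not m:
                continue
            net = ipaddress.ip_network(f"{m[2]}/32")
        if m[1] == "src":
            local = net
        else:
            remote = net
    return local, remote


def _asa_addr(tokens, i):
    """Parse one ACL address ('any', 'host A.B.C.D', or 'A.B.C.D MASK') at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def asa_selectors(acl_line):
    """Return (src, dst) networks from an ASA 'permit ip ...' crypto ACL line."""
    tokens = acl_line.split()
    i = tokens.index("permit") + 2  # skip the protocol keyword after 'permit'
    src, i = _asa_addr(tokens, i)
    dst, _ = _asa_addr(tokens, i)
    return src, dst


def selector_mismatches(block, acl_line):
    """List the selector pairs that are not mirror images.

    The FortiGate local side must equal the ASA ACL destination and the
    FortiGate remote side must equal the ASA ACL source. An empty list means
    the two phase2 identities can match.
    """
    local, remote = fortigate_selectors(block)
    asa_src, asa_dst = asa_selectors(acl_line)
    problems = []
    if local != asa_dst:
        problems.append(f"FortiGate local {local} != ASA destination {asa_dst}")
    if remote != asa_src:
        problems.append(f"FortiGate remote {remote} != ASA source {asa_src}")
    return problems


if __name__ == "__main__":
    for name, acl in (("mirrored", ASA_ACL_MIRRORED), ("stale", ASA_ACL_STALE)):
        issues = selector_mismatches(FORTIGATE_PHASE2, acl)
        print(name, "OK" if not issues else issues)
```

A clean result from this check only rules out the selectors. For the FortiGate to actually send 172.16.10.0/24 traffic into the tunnel it also needs a firewall policy between port16 and the tunnel interface and a route for the remote host via that interface; a selector that still disagrees shows up in the phase 2 negotiation as the peer proposing a subnet the local phase2 definition does not contain.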
src/dst on my side (Fortinet) matches dst/src on the remote side (ASA). I have been talking to the remote side admin to debug the issue. As soon as he changed the subnet on his side to match 192.168.0.0/22 (which is the default subnet on the Fortigate side), phase 2 comes up. src (ASA) / dst (Fortinet) was unchanged (single host 10.65.11.10); only dst (ASA) / src (Fortinet) has been modified.
So the issue has to be somewhat related to the Fortinet config - which is my side :(