Fortigate VPN with Stormshield VTI Virtual Tunneling Interface

Author: AhmedT (New Member)
2020/09/14 06:28:09


Hello,

I'm trying to create a VTI VPN tunnel between Stormshield and Fortigate.

My VPN is up, but I can send other traffic than my traffic selectors.

I have attached a schema which explains the architecture, and network traffic captures on the Forti's port1 and on the IPsec VPN tunnel.

I see the echo request and echo reply in the tunnel, but the echo reply doesn't appear in the outgoing ESP traffic.

Thank you for your help!

AhmedT

Attached Image(s)

#1

5 Replies

    AhmedT (New Member)
    Re: Fortigate VPN with Stormshield VTI Virtual Tunneling Interface 2020/09/14 06:32:45
    VPN Capture

    Attached Image(s)

    #2
    AhmedT (New Member)
    Re: Fortigate VPN with Stormshield VTI Virtual Tunneling Interface 2020/09/14 06:33:20
    Port 1
    #3
    Toshi Esumi (Expert Member)
    Re: Fortigate VPN with Stormshield VTI Virtual Tunneling Interface 2020/09/14 11:12:46
    If you run a packet capture on a FGT specifying a tunnel interface, I think it captures packets before ESP encryption/after ESP decryption. If you want to capture ESP-encrypted packets, you need to insert a switch with port mirroring and hook up a laptop to it to see the packets between the two FWs.
    Based on the diagram, I think the problem is that the unwanted destinations are reachable without the tunnel. Since this seems to be a test/lab environment, just make sure the unwanted destinations' routes don't exist, including the default route to the other side. Then set routes only for the desired destinations INTO the tunnel on both ends.
    #4
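    To make the advice in the reply above concrete, here is an added FortiOS CLI example; it is not from this thread or from either poster. It pins only the remote subnet (10.83.1.0/24, the destination named later in the thread) into the route-based tunnel, adds a blackhole route so that traffic for that subnet is dropped rather than leaking in clear via the default route when the tunnel is down, and shows the two sniffer commands that capture on either side of the encryption boundary. The tunnel name `to-stormshield` and the LAN interface `port2` are assumptions; `port1` is the WAN-side interface from the original capture. Lines starting with `#` are explanatory comments, not commands.

```fortios
# Assumed names: VTI/phase1-interface "to-stormshield", LAN on port2, WAN on port1.

# Route only the desired destination into the tunnel.
config router static
    edit 0
        set dst 10.83.1.0 255.255.255.0
        set device "to-stormshield"
    next
    # Blackhole with a worse distance: active only while the tunnel route is
    # absent (tunnel down), so the remote subnet never falls back to the
    # default route and leaves port1 unencrypted.
    edit 0
        set dst 10.83.1.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end

# Policy from the LAN to the tunnel interface; no NAT, so the reply path
# stays symmetric. Tighten srcaddr/dstaddr/service to real objects in
# production instead of "all"/"ALL".
config firewall policy
    edit 0
        set name "lan-to-stormshield"
        set srcintf "port2"
        set dstintf "to-stormshield"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Check which route a host in the remote subnet actually matches.
get router info routing-table details 10.83.1.10

# Cleartext as seen on the tunnel interface (before encryption / after decryption).
diagnose sniffer packet to-stormshield 'icmp' 4

# Encrypted packets as they leave on the WAN side; the echo reply should
# appear here as ESP, not as plain ICMP.
diagnose sniffer packet port1 'esp' 4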
    AhmedT (New Member)
    Re: Fortigate VPN with Stormshield VTI Virtual Tunneling Interface 2020/09/15 00:43:03
    Hi Toshi,

    Thank you for your help!

    I created a static route; I have attached a screenshot.

    AhmedT

    Attached Image(s)

    #5
    Toshi Esumi (Expert Member)
    Re: Fortigate VPN with Stormshield VTI Virtual Tunneling Interface 2020/09/15 08:19:16
    Then what did you mean by "I can send other traffic"? Nothing else other than the traffic destined to 10.83.1.0/24 shouldn't go out of the FGT.
    #6