VPN IPsec Down (between fortinet and pfsense)

Author
aurelio.malheiros
New Member
  • Total Posts : 3
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/10/28 09:41:40
  • Status: offline
2020/10/28 10:56:16 (permalink)
0

VPN IPsec Down (between fortinet and pfsense)

I'm trying to set up a VPN between a Fortinet and a pfSense.
However, in pfSense the following errors appear:

Pfsense:
IDir 'dmz' does not match to 'ip_public'
vici client 1343 disconnected

Fortinet
proposal id = 0:
ike 0:c92ff0a45a5633a6/0000000000000000:442363:   protocol id = ISAKMP:
ike 0:c92ff0a45a5633a6/0000000000000000:442363:      trans_id = KEY_IKE.
ike 0:c92ff0a45a5633a6/0000000000000000:442363:      encapsulation = IKE/none
ike 0:c92ff0a45a5633a6/0000000000000000:442363:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:c92ff0a45a5633a6/0000000000000000:442363:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:c92ff0a45a5633a6/0000000000000000:442363:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:c92ff0a45a5633a6/0000000000000000:442363:         type=OAKLEY_GROUP, val=MODP1024.
ike 0:c92ff0a45a5633a6/0000000000000000:442363: ISAKMP SA lifetime=28800
ike 0:c92ff0a45a5633a6/0000000000000000:442363: negotiation failure

I changed the DH group and it still has a problem.
#1


    emnoc
    Expert Member
    • Total Posts : 5860
    • Scores: 387
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: online
    Re: VPN IPsec Down (between fortinet and pfsense) 2020/10/28 14:20:52 (permalink)
    0
    How are you?
     
    So in your pfSense, did you match the settings exactly? Also, depending on what version of pfSense you have, you might need to allow ISAKMP and ESP. What I would do is look to see if you are getting data from the pfSense instance,
     
    e.g.
     
       diag sniffer packet wan1 "port 500 or 4500 and udp"
     
    Can you do that and report back whether the pfSense instance is responding to the FGT?
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    #2
    aurelio.malheiros
    New Member
    • Total Posts : 3
    • Scores: 0
    • Reward points: 0
    • Joined: 2020/10/28 09:41:40
    • Status: offline
    Re: VPN IPsec Down (between fortinet and pfsense) 2020/10/29 05:03:41 (permalink)
    0
    Good morning.
    The VPN looks like this on both sides:
     
    Fortinet
    Phase 1
    Enable DPD Delay 10
    Ikev1
    Seconds: 3600
     
     

    The
    hostname # diagnose sniffer packet any "host IP_PUBLIC_PFSENSE"
    interfaces=[any]
    filters=[host IP_PUBLIC_PFSENSE]
    1.228707 IP_PUBLIC_DMZ_FORTINET.4500 -> IP_PUBLIC_PFSENSE.4500: udp 104
    13.228702 IP_PUBLIC_DMZ_FORTINET.4500 -> IP_PUBLIC_PFSENSE.4500: udp 104
    22.968984 IP_PUBLIC_DMZ_FORTINET.500 -> IP_PUBLIC_PFSENSE.500: udp 304
    23.412013 IP_PUBLIC_PFSENSE.500 -> IP_PUBLIC_DMZ_FORTINET.500: udp 156
     
    I will try this procedure: allow ISAKMP and ESP.
    #3
    emnoc
    Expert Member
    • Total Posts : 5860
    • Scores: 387
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: online
    Re: VPN IPsec Down (between fortinet and pfsense) 2020/10/29 08:28:33 (permalink)
    0
    Hello, there is a problem ;)
     
    So it looks like NAT-T is required. Have you confirmed NAT-T is enabled? It should be on in FortiOS by default, but on pfSense you might have to enable the checkbox for NAT-T, iirc.
     
     
    Ken Felix
     

    PCNSE 
    NSE 
    StrongSwan  
    #4
    aurelio.malheiros
    New Member
    • Total Posts : 3
    • Scores: 0
    • Reward points: 0
    • Joined: 2020/10/28 09:41:40
    • Status: offline
    Re: VPN IPsec Down (between fortinet and pfsense) 2020/10/29 10:05:11 (permalink)
    0
    Hi,
    Thanks a lot for the help.
    You are referring to this here:

    post edited by aurelio.malheiros - 2020/10/29 10:07:57


    #5
    emnoc
    Expert Member
    • Total Posts : 5860
    • Scores: 387
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: online
    Re: VPN IPsec Down (between fortinet and pfsense) 2020/10/29 11:13:30 (permalink)
    0
    Yes, so can you set it from auto and reset the IPsec VPN? Re-monitor the traffic with the earlier diag sniffer packet command.
     
    Another command that you can and should execute after you get a response:
     
    diag debug reset 
    diag debug enable
    diag debug application ike -1
     
    Dump the debug output that you received from the pfSense. Also, I believe you need a rule in pfSense to allow IKE/ISAKMP and ESP, so you might want to look at dropped packets on pfSense.
     
    Ken Felix
     

    PCNSE 
    NSE 
    StrongSwan  
    #6
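Added example, not from this thread or from either vendor: a small Python helper for the `diag debug application ike -1` proposal lines quoted in the first post. It parses the FortiGate attributes into a dict, compares them field by field against a pfSense phase-1 setting (the pfSense values here are assumed for illustration, so the MODP1024 vs MODP2048 mismatch it reports is a constructed case, not a finding about the original setup), and pulls the two identifiers out of strongSwan's "IDir ... does not match" message so the peer-identifier mismatch on the pfSense side is explicit.

```python
import re

# Constructed sample input: the FortiGate IKE debug lines quoted in the first
# post (SPI copied from the post) and the strongSwan error shown by pfSense.
FGT_DEBUG = """\
ike 0:c92ff0a45a5633a6/0000000000000000:442363:   protocol id = ISAKMP:
ike 0:c92ff0a45a5633a6/0000000000000000:442363:      trans_id = KEY_IKE.
ike 0:c92ff0a45a5633a6/0000000000000000:442363:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:c92ff0a45a5633a6/0000000000000000:442363:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:c92ff0a45a5633a6/0000000000000000:442363:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:c92ff0a45a5633a6/0000000000000000:442363:         type=OAKLEY_GROUP, val=MODP1024.
ike 0:c92ff0a45a5633a6/0000000000000000:442363: ISAKMP SA lifetime=28800
ike 0:c92ff0a45a5633a6/0000000000000000:442363: negotiation failure
"""
PFSENSE_LOG = "IDir 'dmz' does not match to 'ip_public'"

# Assumed pfSense phase-1 settings, written in the FortiGate attribute
# vocabulary so both sides can be compared field by field (constructed values).
PFSENSE_PHASE1 = {"OAKLEY_ENCRYPT_ALG": "AES_CBC-256", "OAKLEY_HASH_ALG": "SHA",
                  "AUTH_METHOD": "PRESHARED_KEY", "OAKLEY_GROUP": "MODP2048",
                  "LIFETIME": "28800"}

ATTR_RE = re.compile(r"type=(\w+), val=(\w+)(?:, key-len=(\d+))?")
IDIR_RE = re.compile(r"IDir '([^']+)' does not match to '([^']+)'")

def parse_fgt_proposal(text):
    """Collect the type=/val= attributes of one FortiGate proposal dump into a
    dict such as {'OAKLEY_ENCRYPT_ALG': 'AES_CBC-256', 'OAKLEY_GROUP': 'MODP1024'}."""
    proposal = {}
    for attr, val, keylen in ATTR_RE.findall(text):
        proposal[attr] = f"{val}-{keylen}" if keylen else val
    lifetime = re.search(r"ISAKMP SA lifetime=(\d+)", text)
    if lifetime:
        proposal["LIFETIME"] = lifetime.group(1)
    return proposal

def compare_phase1(fgt, pfsense):
    """Return {attribute: (fortigate_value, pfsense_value)} for each field that
    differs; an empty dict means the two phase-1 proposals agree."""
    return {k: (fgt.get(k), pfsense.get(k))
            for k in sorted(set(fgt) | set(pfsense)) if fgt.get(k) != pfsense.get(k)}

def peer_id_mismatch(line):
    """For strongSwan's 'IDir ... does not match' message, return (identifier
    received from the peer, identifier pfSense is configured to expect), else None."""
    m = IDIR_RE.search(line)
    return (m.group(1), m.group(2)) if m else None
```

Running `compare_phase1(parse_fgt_proposal(FGT_DEBUG), PFSENSE_PHASE1)` on the sample reports only the DH group, and `peer_id_mismatch(PFSENSE_LOG)` returns `('dmz', 'ip_public')`, i.e. the FortiGate sent the identifier `dmz` while pfSense expects `ip_public`.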