Site to Site FortiGate to Cisco - Cannot connect due to public IP?

Author
acellgipit@gmail.com
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2021/06/09 20:17:33
  • Status: offline
2021/06/09 20:28:22 (permalink)
0

Site to Site FortiGate to Cisco - Cannot connect due to public IP?

Hi guys, can you help me? I am having trouble connecting to a remote VPN via IPsec. They are using public IP addresses for their terminals (see image attached). I have set up the static routes, IPv4 policies and IPsec tunnels. I've done this a couple of times, but this is the first time that I am connecting our local PRIVATE IP ADDRESSES (10.10.0.0 and 10.10.70.0) to remote public IP addresses (216.242.170.0/26).
Do I need to do something? Our phase 1 and phase 2 settings are the same, even our preshared keys.
These IPs are just examples.


#1
emnoc
Expert Member
  • Total Posts : 6137
  • Scores: 422
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: Site to Site FortiGate to Cisco - Cannot connect due to public IP? 2021/06/10 02:27:42 (permalink) (marked helpful by acellgipit@gmail.com 2021/06/10 07:30:43)
0
What diagnostics did you do, if any?
 
> I would start by double checking phase1 and 2 are up,
 
  diag vpn ike gateway list
  diag vpn tunnel list
 
> next I would verify your route table
 
  get router info routing all | grep  216.242.170.0
 
> if all of these are positive, check your policy/objects are correct (e.g. no typos)
 
> and then a "diag debug flow"
 
 
Ken Felix

PCNSE 
NSE 
StrongSwan  
#2
acellgipit@gmail.com
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2021/06/09 20:17:33
  • Status: offline
Re: Site to Site FortiGate to Cisco - Cannot connect due to public IP? 2021/06/10 07:16:12 (permalink)
0
Hi, Emnoc,
Sorry for the late reply. Thank you for your advice. I'm still new to FortiGate, so bear with me. Here are the results:
 
diag vpn ike gateway list
vd: root/0
name: Imagine-IPsec
version: 1
interface: port2 10
addr: 27.110.219.186:500 -> 216.240.169.50:500
created: 4s ago
IKE SA: created 1/1
IPsec SA: created 1/1

id/spi: 1176320 dca29d3afb5e81d0/0000000000000000
direction: responder
status: connecting, state 3, started 4s ago
 
  diag vpn tunnel list
 
name=Imagine-IPsec ver=1 serial=4b2 27.110.219.186:0->216.240.169.50:0
bound_if=10 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=10 ilast=23 olast=23 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=Imagine-IPsec proto=0 sa=0 ref=2 serial=15 auto-negotiate
src: 0:10.10.0.0/255.255.248.0:0 0:10.70.0.0/255.255.248.0:0
dst: 0:216.240.172.0/255.255.255.192:0
 
get router info routing al
 
S 216.240.172.0/26 [1/0] via 203.177.24.241, port1
[1/0] via 27.110.219.185, port2

I also attached the real IPs and so on. I really need some help, hehe.
 
Image link : https://ibb.co/XpTjDMw
#3
emnoc
Expert Member
  • Total Posts : 6137
  • Scores: 422
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: Site to Site FortiGate to Cisco - Cannot connect due to public IP? 2021/06/10 08:26:42 (permalink)
5 (1)
So this is going to need deep diagnostics.
 
1> you are responding to the Cisco (that's good to some degree)
 
2> phase1 is NOT up
 
3> vpn Imagine-IPsec needs to be analyzed as to why it is not negotiating IKE
 
4> the route for the destination should point to interface "Imagine-IPsec"
 
Can you dump the following cfgs?
 
show vpn ipsec phase1-interface Imagine-IPsec
show vpn ipsec phase2-interface  
show router < route #>
show firewall policy <policy number>
 
Let's double check your cfg. Once you have confirmed the cfg, we need to run "diag debug application ike -1" to see what debug details are present.
 
Ken Felix
 

PCNSE 
NSE 
StrongSwan  
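The checks emnoc lists above (is phase1 established, does the phase2 proxy ID have an SA, and how many source selectors one proxy ID carries) can be scripted against the raw CLI text. The following is an added example, not code from the thread or from Fortinet; it parses the `diag vpn ike gateway list` and `diag vpn tunnel list` output that was posted in reply #2 (embedded here as sample input) and prints the findings in the order emnoc checks them. The status strings `connecting` and `established` are the ones FortiOS prints in the gateway list; everything else is plain text handling.

```python
"""Triage helpers for the FortiGate IPsec diagnostics emnoc asks for.

Added example, not code from the thread or from Fortinet. It parses the text
of 'diag vpn ike gateway list' and 'diag vpn tunnel list' and reports the
checks emnoc walks through: is phase1 established, does each phase2 proxy ID
carry an IPsec SA, and does one proxy ID bundle several source selectors
(which a Cisco peer may expect as separate IPsec SAs).
"""

# Sample output copied from post #2 of the thread, trimmed to the relevant lines.
IKE_GATEWAY_SAMPLE = """\
vd: root/0
name: Imagine-IPsec
version: 1
interface: port2 10
addr: 27.110.219.186:500 -> 216.240.169.50:500
created: 4s ago
IKE SA: created 1/1
IPsec SA: created 1/1
id/spi: 1176320 dca29d3afb5e81d0/0000000000000000
direction: responder
status: connecting, state 3, started 4s ago
"""

TUNNEL_LIST_SAMPLE = """\
name=Imagine-IPsec ver=1 serial=4b2 27.110.219.186:0->216.240.169.50:0
bound_if=10 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=10 ilast=23 olast=23 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=Imagine-IPsec proto=0 sa=0 ref=2 serial=15 auto-negotiate
src: 0:10.10.0.0/255.255.248.0:0 0:10.70.0.0/255.255.248.0:0
dst: 0:216.240.172.0/255.255.255.192:0
"""


def parse_ike_gateway(text):
    """Pick name, direction and negotiation status out of one gateway block."""
    gw = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in ("name", "direction"):
            gw[key] = value
        elif key == "status":
            gw["status"] = value.split(",")[0].strip()   # 'connecting' / 'established'
    return gw


def parse_tunnel_list(text):
    """Return one dict per proxy ID: name, SA count and the src/dst selectors."""
    proxies, current = [], None
    for line in text.splitlines():
        if line.startswith("proxyid="):
            fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
            current = {"name": fields["proxyid"], "sa": int(fields["sa"]),
                       "src": [], "dst": []}
            proxies.append(current)
        elif current is not None and line.startswith(("src:", "dst:")):
            key, _, rest = line.partition(":")
            # selectors look like 0:10.10.0.0/255.255.248.0:0 -> keep the addr/mask part
            current[key].extend(sel.split(":")[1] for sel in rest.split())
    return proxies


def assess(gateway, proxies):
    """Findings in the order emnoc checks them: phase1 first, then each phase2."""
    findings = []
    if gateway.get("status") != "established":
        findings.append(
            "phase1 %s: status '%s', so IKE never completed; compare proposal, "
            "dhgrp, ikeversion and PSK with the peer and run "
            "'diag debug application ike -1'" % (gateway.get("name"), gateway.get("status")))
    for p in proxies:
        if p["sa"] == 0:
            findings.append("phase2 %s: no IPsec SA (sa=0)" % p["name"])
        if len(p["src"]) > 1:
            findings.append(
                "phase2 %s: %d source selectors in one proxy ID (%s); a Cisco peer "
                "usually wants one IPsec SA per local/remote pair, so split it into "
                "one phase2-interface per subnet" % (p["name"], len(p["src"]), ", ".join(p["src"])))
    return findings


if __name__ == "__main__":
    for finding in assess(parse_ike_gateway(IKE_GATEWAY_SAMPLE),
                          parse_tunnel_list(TUNNEL_LIST_SAMPLE)):
        print("-", finding)
```

Run against the thread's output it reports all three problems: phase1 stuck in `connecting`, the proxy ID with `sa=0`, and two source selectors bundled into one proxy ID, which is the same observation emnoc makes in reply #5.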
#4
acellgipit@gmail.com
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2021/06/09 20:17:33
  • Status: offline
Re: Site to Site FortiGate to Cisco - Cannot connect due to public IP? 2021/06/10 09:06:29 (permalink)
0
show vpn ipsec phase1-interface Imagine-IPsec
config vpn ipsec phase1-interface
edit "Imagine-IPsec"
set interface "port2"
set peertype any
set proposal aes256-sha1
set comments "VPN: Imagine-IPsec (Created by VPN wizard)"
set dhgrp 5
set remote-gw 216.240.169.50
set psksecret ENC Gp+DtgAlu2qttsi9IBQDkJ/zIEzB2ewPl2XrBCINxPY/SU6Vzahu7C+Bju2V5S4nvJoln+iK5Oa0hS/W7Sb/LXRsB3EQ68+BwJB/7DRH2DZs3iUXTM/GXQNL0VCy6ftOZCk7eGZirUEZlD4O2e/yTKBo90bqbu/cNU1+uIcMH4vGvA6CUI7fF1R8Gzs9PvfkdA3H5w==
next
end
 
show vpn ipsec phase2-interface
edit "Imagine-IPsec"
set phase1name "Imagine-IPsec"
set proposal aes256-sha1
set pfs disable
set auto-negotiate enable
set comments "VPN: Imagine-IPsec (Created by VPN wizard)"
set src-addr-type name
set dst-addr-type name
set keylifeseconds 28800
set src-name "Imagine-IPsec_local"
set dst-name "Imagine-IPRemote"
next

Show router static
set device "Imagine-IPsec"
set comment "VPN: Imagine-IPsec (Created by VPN wizard)"
set dstaddr "Imagine-IPRemote"
next
edit 16
set distance 254
set comment "VPN: Imagine-IPsec (Created by VPN wizard)"
set blackhole enable
set dstaddr "Imagine-IPRemote"

show firewall policy 53
set name "vpn_Imagine-IPsec_remote"
set uuid 7f379932-c96c-51eb-b230-b58778cee77e
set srcintf "Imagine-IPsec"
set dstintf "port5"
set srcaddr "Imagine-IPRemote"
set dstaddr "Imagine-IPsec_local"
set action accept
set schedule "always"
set service "ALL"
set fsso disable
set comments "VPN: Imagine-IPsec (Created by VPN wizard)"

show firewall policy 52
set name "vpn_Imagine-IPsec_local"
set uuid 7f1f2e2e-c96c-51eb-a09c-085314461e30
set srcintf "port5"
set dstintf "Imagine-IPsec"
set srcaddr "Imagine-IPsec_local"
set dstaddr "Imagine-IPRemote"
set action accept
set schedule "always"
set service "ALL"
set fsso disable
set comments "VPN: Imagine-IPsec (Created by VPN wizard)"
 
 
Imagine-IPRemote is 216.240.172.0/26
 
Imagine-IPsec_local is an address group of 10.10.0.0/21 and 10.70.0.0/21
I also just pointed the static route for 216.240.172.0/26 to interface Imagine-IPsec.
 
Thank you for walking me through.
#5
emnoc
Expert Member
  • Total Posts : 6137
  • Scores: 422
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: Site to Site FortiGate to Cisco - Cannot connect due to public IP? 2021/06/10 09:57:28 (permalink)
5 (1)
Okay, your cfg looks not too bad. Observations:
 
show vpn ipsec phase2-interface
edit "Imagine-IPsec"
set phase1name "Imagine-IPsec"
set proposal aes256-sha1
set pfs disable
set auto-negotiate enable
set comments "VPN: Imagine-IPsec (Created by VPN wizard)"
set src-addr-type name
set dst-addr-type name
set keylifeseconds 28800
set src-name "Imagine-IPsec_local"
set dst-name "Imagine-IPRemote"
 
I do not trust src-names in phase2-interfaces. Is the Cisco side expecting two IPsec SAs?
 
and on phase1
 
Are we sure of the settings for the proposal? ikeversion, dhgrp, .....
 
Basically, what was configured on the remote device?
 
Ken Felix
 
 
 

PCNSE 
NSE 
StrongSwan  
#6
acellgipit@gmail.com
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2021/06/09 20:17:33
  • Status: offline
Re: Site to Site FortiGate to Cisco - Cannot connect due to public IP? 2021/06/10 10:11:54 (permalink)
0
Yup, they are expecting two subnets from us: one from local, which is 10.10.0.0/21, and one from work-from-home employees via SSL VPN, 10.70.0.0/21. Should I not group them, and create another phase 2 for the 10.70?
 
Here's the image link for the proposals. 
 
https://ibb.co/m635jvJ
#7
emnoc
Expert Member
  • Total Posts : 6137
  • Scores: 422
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: Site to Site FortiGate to Cisco - Cannot connect due to public IP? 2021/06/10 14:30:31 (permalink) (marked best answer by acellgipit@gmail.com 2021/06/10 16:20:00)
5 (1)
Just build 2,
 
e.g.
 
config vpn ipsec phase2-interface
edit "Imagine-IPsec-subnet1"
set phase1name "Imagine-IPsec"
set proposal aes256-sha1
set pfs disable
set auto-negotiate enable
set comments "VPN: Imagine-IPsec (Created by VPN wizard)"
set src-addr-type name
set dst-addr-type name
set keylifeseconds 28800
set src-name "Imagine-IPsec_local-subnet1"
set dst-name "Imagine-IPRemote"
next
edit "Imagine-IPsec-subnet2"
set phase1name "Imagine-IPsec"
set proposal aes256-sha1
set pfs disable
set auto-negotiate enable
set comments "VPN: Imagine-IPsec (Created by VPN wizard)"
set src-addr-type name
set dst-addr-type name
set keylifeseconds 28800
set src-name "Imagine-IPsec_local-subnet2"
set dst-name "Imagine-IPRemote"
end
 
Just create 2 address objects, one per subnet, and use them in the src-name.
 
Ken Felix
 
 

PCNSE 
NSE 
StrongSwan  
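The recommendation above, one phase2-interface per local subnet with its own address object, is easy to get subtly wrong by hand (two entries with the same edit name, a subnet with host bits set, overlapping selectors). The following is an added example, not code from the thread or from Fortinet: a small generator that takes the phase1 name, the local subnets and the remote subnet and emits the address objects plus one phase2-interface per local/remote pair in FortiOS CLI syntax, refusing overlapping or malformed prefixes. The object naming (`<phase1>_local_subnet_<n>`, `<phase1>_remote`) and the `-subnet<n>` suffix on the phase2 names are a hypothetical convention chosen here, not something the thread or FortiOS prescribes.

```python
"""Emit one phase2-interface per local subnet, as emnoc recommends in post #7.

Added example, not code from the thread or from Fortinet. Given the phase1
name, the remote subnet and the local subnets, it writes the address objects
and one phase2-interface per local/remote pair, so the peer sees one IPsec SA
per pair instead of one proxy ID carrying two source selectors. The object
naming (<phase1>_local_subnet_<n>, <phase1>_remote) is a hypothetical
convention chosen here; adjust to your own.
"""
import ipaddress


def address_entry(name, cidr):
    """Lines for one 'config firewall address' entry; rejects host bits set in the prefix."""
    net = ipaddress.ip_network(cidr, strict=True)     # ValueError on e.g. 10.10.1.0/21
    return ['    edit "%s"' % name,
            '        set subnet %s %s' % (net.network_address, net.netmask),
            '    next']


def check_disjoint(subnets):
    """Overlapping local selectors would be ambiguous to the peer; refuse them."""
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError("local subnets overlap: %s and %s" % (a, b))
    return nets


def build_phase2_config(phase1, local_subnets, remote_subnet,
                        proposal="aes256-sha1", keylife=28800, pfs=False):
    """Return the FortiOS CLI text for the address objects and the phase2 entries."""
    check_disjoint(local_subnets)
    remote_name = "%s_remote" % phase1
    local_names = ["%s_local_subnet_%d" % (phase1, i)
                   for i in range(1, len(local_subnets) + 1)]

    lines = ["config firewall address"]
    lines += address_entry(remote_name, remote_subnet)
    for name, cidr in zip(local_names, local_subnets):
        lines += address_entry(name, cidr)
    lines.append("end")

    lines.append("config vpn ipsec phase2-interface")
    for i, name in enumerate(local_names, 1):
        # one entry per local subnet; the edit names must differ, otherwise a
        # second 'edit' with the same name just reopens the first entry
        lines += [
            '    edit "%s-subnet%d"' % (phase1, i),
            '        set phase1name "%s"' % phase1,
            '        set proposal %s' % proposal,
            '        set pfs %s' % ("enable" if pfs else "disable"),
            '        set auto-negotiate enable',
            '        set src-addr-type name',
            '        set dst-addr-type name',
            '        set keylifeseconds %d' % keylife,
            '        set src-name "%s"' % name,
            '        set dst-name "%s"' % remote_name,
            '    next',
        ]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_phase2_config("Imagine-IPsec",
                              ["10.10.0.0/21", "10.70.0.0/21"],
                              "216.240.172.0/26"))
```

The defaults (`aes256-sha1`, `pfs disable`, `keylifeseconds 28800`) mirror the thread's wizard-generated phase2 so the output drops in next to the existing phase1; whether PFS should stay disabled is a question for the Cisco side's crypto map, not something this script decides.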
#8
acellgipit@gmail.com
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2021/06/09 20:17:33
  • Status: offline
Re: Site to Site FortiGate to Cisco - Cannot connect due to public IP? 2021/06/10 15:19:56 (permalink)
0
Hi, Emnoc,
 
Already got it up on 10.70.0.0/21 (Imagine-IPsec_local-subnet_2).
 
Thank you. Still having trouble with 10.10.0.0/21.
 
config vpn ipsec phase2-interface
edit "Imagine-IPsec"
set phase1name "Imagine-IPsec"
set proposal aes256-sha1
set pfs disable
set auto-negotiate enable
set comments "VPN: Imagine-IPsec (Created by VPN wizard)"
set src-addr-type name
set dst-addr-type name
set keylifeseconds 28800
set src-name "Imagine-IPsec_local_subnet_1"
set dst-name "Imagine-IPRemote"
next
end

config vpn ipsec phase2-interface
edit "Imagine-IPsec2"
set phase1name "Imagine-IPsec"
set proposal aes256-sha1
set pfs disable
set auto-negotiate enable
set comments "VPN: Imagine-IPsec (Created by VPN wizard)"
set src-addr-type name
set dst-addr-type name
set keylifeseconds 28800
set src-name "Imagine-IPsec_local_subnet_2"
set dst-name "Imagine-IPRemote"
next
end
 
#9
acellgipit@gmail.com
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2021/06/09 20:17:33
  • Status: offline
Re: Site to Site FortiGate to Cisco - Cannot connect due to public IP? 2021/06/10 16:19:46 (permalink)
0
Hi, Emnoc,
 
Thank you for all your help. I just talked with the people running the Cisco router, and they are still checking 10.10.0.0/21; they prioritized 10.70.0.0/21.
 
Thank you!
 