This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSec between ASL v7.405 & Fortinet Fortigate 60

Greetings, all...

I'm having a Dickens of a time getting this working. On the far side, I have a Fortigate 60, which I do not manage. I have provided the admin there with a PSK and my IP data. I have requested we set up for AES256 with PFS.

Upon enabling the tunnel in WebAdmin, I get the following in the log:

[FONT=monospace]2009:08:17-16:16:49 secmgr-va pluto[3575]: | *received 356 bytes from ***.***.***.***:500 on eth0 [/FONT]
[FONT=monospace]2009:08:17-16:16:49 secmgr-va pluto[3575]: packet from ***.***.***.***:500: received Vendor ID payload [RFC 3947] [/FONT]
[FONT=monospace]2009:08:17-16:16:49 secmgr-va pluto[3575]: packet from ***.***.***.***:500: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8] [/FONT]
[FONT=monospace]2009:08:17-16:16:49 secmgr-va pluto[3575]: packet from ***.***.***.***:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582] [/FONT]
[FONT=monospace]2009:08:17-16:16:49 secmgr-va pluto[3575]: packet from ***.***.***.***:500: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285] [/FONT]
[FONT=monospace]2009:08:17-16:16:49 secmgr-va pluto[3575]: packet from ***.***.***.***:500: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee] [/FONT]
[FONT=monospace]2009:08:17-16:16:49 secmgr-va pluto[3575]: packet from ***.***.***.***:500: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b] [/FONT]
[FONT=monospace]2009:08:17-16:16:49 secmgr-va pluto[3575]: packet from ***.***.***.***:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] [/FONT]
[FONT=monospace]2009:08:17-16:16:49 secmgr-va pluto[3575]: packet from ***.***.***.***:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] [/FONT]
[FONT=monospace]2009:08:17-16:16:49 secmgr-va pluto[3575]: packet from ***.***.***.***:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] [/FONT]
[FONT=monospace]2009:08:17-16:16:49 secmgr-va pluto[3575]: packet from ***.***.***.***:500: ignoring Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862] [/FONT]
[FONT=monospace]2009:08:17-16:16:49 secmgr-va pluto[3575]: packet from ***.***.***.***:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] [/FONT]
[FONT=monospace]2009:08:17-16:16:49 secmgr-va pluto[3575]: packet from ***.***.***.***:500: received Vendor ID payload [Dead Peer Detection] [/FONT]
[FONT=monospace]2009:08:17-16:16:49 secmgr-va pluto[3575]: | preparse_isakmp_policy: peer requests PSK authentication [/FONT]
[FONT=monospace]2009:08:17-16:16:49 secmgr-va pluto[3575]: packet from ***.***.***.***:500: initial Main Mode message received on yyy.yyy.yyy.yyy:500 but no connection has been authorized with policy=PSK [/FONT]
[FONT=monospace]2009:08:17-16:16:49 secmgr-va pluto[3575]: | next event EVENT_DPD in 2 seconds for #52500 [/FONT]

I have no indication as to the level of knowledge the other admin has about either IPSec or about the Fortinet device, so I am taking him at his word when he says that he has entered all the data correctly (twice). Any suggestions for how to make this a bit easier (back off on the PFS? something other than IPSec?) would be greatly appreciated.

Thanks!

This thread was automatically locked due to age.

0 LewisRosenthal over 15 years ago in reply to anuff

Thanks so much for the config info! I'll look over what we've got, and will follow-up with our results.

A quick follow-up, if I may:

Astaro Settings:

Remote Gateway Settings:

  Gateway Type: Initiate Connection
  Gateway: WAN1 Address of FG 60B
  Authentication Type: Preshared Key
  Remote Networks: Entire network on Internal Interface of FG 60B

Policies Settings:

  Policy Name: Fortigate
  IKE encryption algorithm: 3DES
  IKE authentication algorithm: MD5
  IKE SA lifetime: 7800
  IKE DH group: Group5: MODP 1536

Connections Settings:

  Remote Gateway: As defined above
  Local Interface: External (WAN1)
  Policy: Fortigate
  Local Networks: Internal

You've given me the IKE configuration, but not the IPSec (phase 2) data. Looking at the Fortigate side, I'm guessing that it should be set in the Astaro as you have outlined there (3DES / MD5 / 7800 / Group 5). Correct?

Thanks again.

Cheers.
Cancel
Vote Up 0 Vote Down

Cancel
0 franciscofossa over 15 years ago

Fortinet and Astaro don't like each other... no help from Astaro, no help from Forti people...
I've never seen such a thing, ever...
I manage both fw, and have been all over this problem all weekend.
As a matter of fact I am pretty sure we will lose the client... will have to remove the Astaro. Too many hours, no easy fix.
Cancel
Vote Up 0 Vote Down

Cancel
0 robbes over 15 years ago in reply to franciscofossa

Phase2, Extended:

Use only the fields "Source Address" (forti network) and "Destination Address" (astaro network), ports und protocol shoueld stay with "0"!

3DES and MD5 working now.

One succesfull connection in Phase 1: Entry is locked, you can only delete before changes.

Forti is like my English...
Cancel
Vote Up 0 Vote Down

Cancel