Solved

Fortigate IPSEC VPN with NAT to Cisco

Posted on 2010-08-24
Last Modified: 2012-06-22
Hi there,

I am trying to configure my Fortigate 60B to IPsec to a remote VPN site but have failed badly. The remote VPN is managed by an external vendor, and the log provided by them shows

--------Cisco Log--------
%ASA-5-713075: Group = 192.168.10.1, IP = 192.168.10.1, Overriding Initiator's IPSec rekeying duration from 90000 to 28800 seconds
%ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x3204778E) between 165.21.21.21 and 192.168.10.1 (user= 192.168.10.1) has been created.
%ASA-5-713049: Group = 192.168.10.1, IP = 192.168.10.1, Security negotiation complete for LAN-to-LAN Group (192.168.10.1)  Responder, Inbound SPI = 0x282d31a3, Outbound SPI = 0x3204778e
%ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x282D31A3) between 165.21.21.21 and 192.168.10.1 (user= 192.168.10.1) has been created.
%ASA-5-713120: Group = 192.168.10.1, IP = 192.168.10.1, PHASE 2 COMPLETED (msgid=760d9eaf)
%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x282D31A3, sequence number= 0x1) from 192.168.10.1 (user= 192.168.10.1) to 165.21.21.21.  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as APP_SVR_A, its source as 10.65.57.235, and its protocol as 6.  The SA specifies its local proxy as 192.168.123.0/255.255.255.224/0/0 and its remote_proxy as 192.168.10.1/255.255.255.255/0/0.
----------------

The following is a brief description

192.168.10.1 = Local WAN interface
165.21.21.21 = Remote VPN gateway
192.168.123.0 = Remote network behind VPN gateway
10.65.57.224/255.255.255.240 = Outgoing NAT IP
APP_SVR_A = Some remote server
10.65.57.235 = client NAT IP

Basically I need to configure the Fortigate to establish IPsec to the remote Cisco device. The ACL at the remote site specifies that only clients from 10.65.57.224/255.255.255.240 can access the remote network, so NAT is required for all outgoing traffic.

The following is the fortigate 60b config

---- start firewall config ----
set srcintf "internal"
set dstintf "wan1"
set srcaddr "Local Network"
set dstaddr "Remote Network"
set action ipsec
set schedule "always"
set service "ANY"
set natip 10.65.57.224 255.255.255.240
set inbound enable
set outbound enable
set natoutbound enable
set vpntunnel "VPN DR"
---- end firewall config ----

---- start phase1 ----
set interface "wan1"
set nattraversal enable
set dhgrp 2
set proposal 3des-sha1
set keylife 172800
set remote-gw 165.21.21.21
set psksecret ENC <somekey>
set keepalive 900
---- end phase1 ----      

---- start phase2 ----
set dhgrp 2
set keepalive enable
set pfs enable
set phase1name "VPN DR"
set proposal 3des-sha1
set replay enable
set dst-subnet 192.168.123.0 255.255.255.224
set keylifeseconds 90000
---- end phase2 ----

As the remote equipment is controlled by an external party, the Cisco VPN gateway configs were not available, except for the log that was provided.

Can any expert please explain what is meant by the Cisco log, particularly the last line? And how should I configure my Fortigate to work with the remote Cisco device?
Question by:hayami

5 Comments

Assisted Solution

by:rfc1180
rfc1180 earned 250 total points
ID: 33517262
Tell the ASA side to change the ACL from 192.168.10.1 255.255.255.255 to 10.65.57.224 255.255.255.240;

Your config looks fine; the Cisco ASA log shows what is happening:

Phase 2 is completing, but there are no matching Proxy IDs.
You are NATing, so I am not sure what more they want, but really, tell them to change the ACL from 192.168.10.1 255.255.255.255 to 10.65.57.224 255.255.255.240.


Billy
Author Comment

by:hayami
ID: 33517327
Unfortunately that is not going to happen, because the vendor is in charge of the other side and they claim that the Fortigate can be configured to meet their needs. Unless, based on the logs, I can find that their ACL is wrong, there is nothing I can do but try to make it work.

I am particularly curious about this line

The SA specifies its local proxy as 192.168.123.0/255.255.255.224/0/0 and its remote_proxy as 192.168.10.1/255.255.255.255/0/0.

does it mean that the SA is expecting 192.168.10.1 to access instead of 10.65.57.224 255.255.255.240?
Accepted Solution

by:rfc1180
rfc1180 earned 250 total points
ID: 33517381
>does it mean that the SA is expecting 192.168.10.1 to access instead of 10.65.57.224 255.255.255.240?
Yes

Their side is wrong; you cannot NAT to the outside interface if it is the endpoint IP. They probably do not want you to use RFC 1918 space, so if you have any available public space, you can use that instead.

Billy
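The mismatch in that last ASA line, checked mechanically. This is an added example for this thread, not code from the original post or from Cisco: it parses the %ASA-4-402116 message, splits each addr/mask/proto/port selector, and tests the decapsulated packet's source against the SA's remote_proxy and its destination against the local proxy, which is the check the ASA itself performs before dropping the packet. SAMPLE_LINE is a constructed copy of the line quoted in the question; APP_SVR_A is an ASA object name the log does not resolve, so that side is reported as undecidable rather than guessed. The remote_proxy_override parameter is an assumption added for illustration, used here to re-run the check with the 10.65.57.224/28 selector that the answer above says the ASA side should be configured with.

```python
"""Check an ASA %ASA-4-402116 line against the traffic selectors of the SA it names.

Added example for this thread; it is not code from the original post or from Cisco.
SAMPLE_LINE is a copy of the 402116 line quoted in the question. APP_SVR_A is an ASA
object name, not an address, so that side of the check is reported as undecidable.
"""
import ipaddress
import re

# Constructed sample input: the 402116 line from the question, verbatim.
SAMPLE_LINE = (
    "%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x282D31A3, sequence number= 0x1) "
    "from 192.168.10.1 (user= 192.168.10.1) to 165.21.21.21.  The decapsulated inner packet "
    "doesn't match the negotiated policy in the SA.  The packet specifies its destination as "
    "APP_SVR_A, its source as 10.65.57.235, and its protocol as 6.  The SA specifies its "
    "local proxy as 192.168.123.0/255.255.255.224/0/0 and its remote_proxy as "
    "192.168.10.1/255.255.255.255/0/0."
)

LINE_RE = re.compile(
    r"%ASA-4-402116: IPSEC: Received an ESP packet \(SPI= (?P<spi>0x[0-9A-Fa-f]+), "
    r"sequence number= (?P<seq>0x[0-9A-Fa-f]+)\) from (?P<peer>\S+) .*?"
    r"destination as (?P<dst>[^,]+), its source as (?P<src>[^,]+), "
    r"and its protocol as (?P<proto>\d+)\..*?"
    r"local proxy as (?P<lproxy>\S+) and its remote_proxy as (?P<rproxy>\S+)\.$"
)


def parse_proxy(text):
    """Parse the ASA's addr/mask/proto/port selector; proto 0 and port 0 mean any."""
    addr, mask, proto, port = text.split("/")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), int(proto), int(port)


def as_address(token):
    """Return an ip_address for an IP literal, or None for an object name like APP_SVR_A."""
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def selector_allows(net, proto_sel, addr, proto):
    """True/False when the address is known; None when it is an unresolved object name."""
    if addr is None:
        return None
    return addr in net and proto_sel in (0, proto)


def check_line(line, remote_proxy_override=None):
    """Report which SA selector rejects the decapsulated packet, or None for other lines.

    For ESP arriving at the ASA, the inner source must fall inside remote_proxy (the
    peer's selector) and the inner destination inside the local proxy.
    remote_proxy_override is a hypothetical 'what if' selector in the same
    addr/mask/proto/port form; it re-runs the check as if that value had been
    negotiated, and is only an assumption for illustration.
    """
    m = LINE_RE.search(line.strip())
    if m is None:
        return None
    lnet, lproto, _ = parse_proxy(m["lproxy"])
    rnet, rproto, _ = parse_proxy(remote_proxy_override or m["rproxy"])
    proto = int(m["proto"])
    src_ok = selector_allows(rnet, rproto, as_address(m["src"]), proto)
    dst_ok = selector_allows(lnet, lproto, as_address(m["dst"]), proto)
    notes = []
    for label, ok, token, net in (("remote_proxy", src_ok, m["src"], rnet),
                                  ("local proxy", dst_ok, m["dst"], lnet)):
        if ok is None:
            notes.append(f"{token} is an object name; resolve it on the ASA to compare with {label} {net}")
        elif ok:
            notes.append(f"{token} fits {label} {net}")
        else:
            notes.append(f"{token} is outside {label} {net}")
    return {
        "spi": m["spi"], "peer": m["peer"], "src": m["src"], "dst": m["dst"], "proto": proto,
        "local_proxy": str(lnet), "remote_proxy": str(rnet),
        "src_in_remote_proxy": src_ok, "dst_in_local_proxy": dst_ok,
        # A definite False on either side is what causes the 402116 drop.
        "mismatch": src_ok is False or dst_ok is False,
        "notes": notes,
    }


if __name__ == "__main__":
    for override in (None, "10.65.57.224/255.255.255.240/0/0"):
        result = check_line(SAMPLE_LINE, remote_proxy_override=override)
        print("remote_proxy as negotiated" if override is None else f"remote_proxy if {override}")
        for note in result["notes"]:
            print("  " + note)
```

Run stand-alone, it prints both evaluations: as negotiated, the inner source 10.65.57.235 is outside remote_proxy 192.168.10.1/32, which is exactly why the ASA drops the packet even though Phase 2 completed; with the NAT range 10.65.57.224/28 as the remote selector, the source fits, and only the APP_SVR_A destination remains to be confirmed against the local proxy on the ASA.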
Expert Comment

by:Qlemo
ID: 34434134
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.