Draytek Vigor and Fortigate - VPN Site to Site

Dear all Folks,
I am stuck configuring a site-to-site (LAN-to-LAN) VPN between a DrayTek Vigor and a FortiGate.
On the DrayTek Vigor:
Dial out
IPSec Tunnel
IKE phase 1: Auto
IKE phase 2: DES_SHA1/DES_MD5
Main mode (ID protection)

On the FortiGate:
Phase 1:
Main mode (ID protection)
3DES_MD5
DH Group 1, 2
Keylife 28800
Phase 2:
DES_MD5
DH Group 1
Keylife 3600

A policy accepting IPsec is already set up.

But I cannot bring this tunnel up.
Please help if you already have experience with these devices.
bmkhoi Asked:
xanandu Commented:
It looks like you have 2 different encryption protocols running: on the DrayTek you have DES_SHA1/DES_MD5, on the FortiGate you have 3DES_MD5.

For VPNs to work, you MUST have the same encryption at both ends. If you can do it, I would suggest running both as AES128 or higher. Depending on the FortiGate model, it may have hardware encryption on it, but I am not sure about the DrayTek.

That is the setting that jumped out at me as different between the 2, but ANYTHING, even so much as having your key refresh time off by 1 second, can cause major VPN issues. Ensure that you have the EXACT same settings at both ends of your VPN tunnel.

If this doesn't work, you may need to include full configs for both of your routers in the post so I, or someone else, can look through the config.
shukalo83 Commented:
Just do 3DES/MD5. It's bulletproof and standard.

xanadu is right.

Phase 1: 3DES/MD5 on both devices, Diffie-Hellman group 2. (Don't put Auto there; put what you want.)
Phase 2: 3DES/MD5 on both, and do not choose any Diffie-Hellman group or anything that is called PFS (perfect forward secrecy).

Let us know how it went.
bmkhoi Author Commented:
Hi there,
I configured it following your instructions, but it still cannot connect.
Please check the attached files and let me know if there is something wrong.

Many thanks
phase1-FG.jpg
phase2-FG.jpg
Vigor1.jpg
Vigor2.jpg
Vigor3.jpg
shukalo83 Commented:
On the FortiGate, on phase 2, I think you should have selected "Quick Mode selector" and entered the local and remote subnets.

For the FortiGate, Local is 192.168.0.0/24 and Remote is 192.168.122.0/24. I've seen that you did this on the Vigor.
bmkhoi Author Commented:
Still cannot bring it up.
shukalo83 Commented:
What distro are you on?
shukalo83 Commented:
Sorry, the last question is not for this thread.
shukalo83 Commented:
Sorry for all this trouble, but you are going to have to send me screenshots again.
bmkhoi Author Commented:
OK, I will take screenshots and upload them tomorrow, but I already changed just the one thing you were concerned about above. I tried with a Cisco router and it was easy to set up, but I don't know why I have a problem with the DrayTek.
bmkhoi Author Commented:
Here are the screenshots; I already changed to use the Quick Mode selector.
Still couldn't bring the VPN up... kindly check!
phase1-FG.jpg
phase2-FG-2.jpg
Vigor1.jpg
Vigor2.jpg
Vigor3.jpg
shukalo83 Commented:
I see DES/MD5 on phase 1 on the FortiGate, and on the Vigor just "3DES with authentication". For sure, DES and 3DES are not the same, and that should be changed. Also, to eliminate any doubt, I would choose DH group 2 (on the FortiGate), and on the Vigor I would go to the advanced tab and use DH group 2 and DES with MD5 (or adjust accordingly, in accordance with the FG device).

Also, if you have a DH group option to choose from, I would put 2 wherever possible because it's the most common. If DH 2 is not available, DH 5 is the next most used.

I'll try to find some other mistakes and get back to you.
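The mismatches the replies above point at (phase 1 proposal, DH group, PFS on one side only, keylife, and Quick Mode selectors that must mirror each other) can be checked mechanically before touching either box. This is a constructed checker added here, not code from the thread or from either vendor; the Vigor's "Auto" DH setting is assumed to offer groups 1 and 2, and PFS on the Vigor's phase 2 is assumed to be off.

```python
"""Constructed example: flag the IKEv1 phase 1 / phase 2 mismatches that the
thread identifies between a DrayTek Vigor and a FortiGate. Not vendor code."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Phase1:
    encryption: str            # "des", "3des", "aes128", ...
    hash: str                  # "md5" or "sha1"
    dh_groups: FrozenSet[int]  # DH groups offered for the IKE SA
    keylife: int               # seconds

@dataclass(frozen=True)
class Phase2:
    encryption: str
    hash: str
    pfs_group: Optional[int]   # None means PFS disabled
    keylife: int
    local_subnet: str          # this peer's protected network
    remote_subnet: str         # the other peer's protected network

def compare_tunnel(a, b):
    """a and b are (Phase1, Phase2) for each end; returns the settings that
    differ and would keep the tunnel from coming up (empty list = consistent)."""
    (a1, a2), (b1, b2) = a, b
    checks = [
        ("phase1 proposal", (a1.encryption, a1.hash), (b1.encryption, b1.hash)),
        ("phase1 keylife", a1.keylife, b1.keylife),
        ("phase2 proposal", (a2.encryption, a2.hash), (b2.encryption, b2.hash)),
        ("phase2 pfs", a2.pfs_group, b2.pfs_group),   # PFS must be on or off on both
        ("phase2 keylife", a2.keylife, b2.keylife),
    ]
    issues = [name for name, x, y in checks if x != y]
    if not (a1.dh_groups & b1.dh_groups):            # at least one group in common
        issues.append("phase1 dh group")
    # Quick Mode selectors must mirror: my local subnet is the peer's remote.
    if (ip_network(a2.local_subnet) != ip_network(b2.remote_subnet)
            or ip_network(a2.remote_subnet) != ip_network(b2.local_subnet)):
        issues.append("phase2 selectors")
    return issues

# Opening-post settings (Vigor DH "Auto" assumed to offer groups 1 and 2; constructed).
VIGOR_START = (Phase1("des", "md5", frozenset({1, 2}), 28800),
               Phase2("des", "md5", None, 3600, "192.168.122.0/24", "192.168.0.0/24"))
FORTI_START = (Phase1("3des", "md5", frozenset({1, 2}), 28800),
               Phase2("des", "md5", 1, 3600, "192.168.0.0/24", "192.168.122.0/24"))
```

With the opening-post values it reports the phase 1 DES-versus-3DES mismatch and PFS enabled on only the FortiGate side; with 3DES/MD5, DH group 2 and no PFS on both ends it reports nothing.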
bmkhoi Author Commented:
Dear shukalo83, please see the third picture for the details.
bmkhoi Author Commented:
I got it; the problem is not what was described above. I will take screenshots and send them to you guys later.
bmkhoi Author Commented:
I changed to use G5 and added more policies to the FortiGate; you have to wait about 2 minutes for it to come up automatically.
bmkhoi Author Commented:
Here is the solution, attached as a Word document.
Vigor---Fortigate-VPN-Site2Site.docx
bmkhoi Author Commented:
Complete, and it has a guide.
sony sony Commented:
Dear bmkhoi,

May I know what additional policy you added on the FortiGate?
Currently I am configuring an IPsec VPN FortiGate --- DrayTek but cannot bring the tunnel up.

Kindly help!
Thanks