
VPN Tunnel Fortigate 60B to Cisco ASA 5505

Hi All,

I have a problem as per the subject line.

I'm trying to configure a VPN tunnel between two offices. One side has a Cisco ASA 5505 (London); the other one is configured with a Fortigate 60B (Hong Kong).

I followed a few instructions and managed to get the tunnel up and running. I can ping any PC/server in Hong Kong from London but not the other way around. I've done a traceroute test and it looks like the Fortigate is trying to send the data through the public network rather than as encrypted traffic. The first hop that I can see goes to the public gateway.

I followed this: http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&externalId=13574 

and

http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=fortigate-ipsec-40-mr1pdf&sliceId=&docTypeID=DT_PRODUCTDOCUMENTATION_1_1&dialogID=36589260&stateId=0%200%2036591086

to configure the Fortigate. I have tried both policy-based and route-based VPN configuration. No luck either way.

I have attached Fortigate configuration:

Phase 1: [image: Phase 1]

Phase 2: [image: Phase 2]

Firewall: [image: Firewall]

and Cisco:

access-list outside_1_cryptomap extended permit ip 192.168.16.0 255.255.255.0 10.168.20.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip 192.168.16.0 255.255.255.0 10.168.20.0 255.255.252.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer Hong Kong IP
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group Hong Kong IP type ipsec-l2l
tunnel-group Hong Kong IP ipsec-attributes
 pre-shared-key *

Is my assumption right that it is the Fortigate that is missing some extra line of code somewhere?

Can anyone help please?
Asked by: adispiric
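The Cisco configuration quoted in the question fixes what the FortiGate side has to mirror. The following is an added example, not part of the original post: it parses those ASA lines and lists the matching peer settings, with the traffic selectors reversed. The helper names `_find` and `peer_requirements` are hypothetical.

```python
import ipaddress
import re

# Cisco ASA lines copied from the question above (the peer address is not needed here).
ASA_CONFIG = """\
access-list outside_1_cryptomap extended permit ip 192.168.16.0 255.255.255.0 10.168.20.0 255.255.252.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

def _find(pattern, cfg):
    """Return the regex match for pattern, or fail naming the missing line."""
    match = re.search(pattern, cfg, re.M)
    if match is None:
        raise ValueError(f"config has no line matching: {pattern}")
    return match

def peer_requirements(cfg):
    """Hypothetical helper: settings the remote peer must mirror for this crypto map."""
    acl = _find(r"^crypto map \S+ \d+ match address (\S+)", cfg)[1]
    sel = _find(rf"^access-list {re.escape(acl)} extended permit ip (\S+) (\S+) (\S+) (\S+)", cfg)
    asa_local = ipaddress.ip_network(f"{sel[1]}/{sel[2]}")   # netmask form is accepted
    asa_remote = ipaddress.ip_network(f"{sel[3]}/{sel[4]}")
    tset = _find(r"^crypto map \S+ \d+ set transform-set (\S+)", cfg)[1]
    esp = _find(rf"^crypto ipsec transform-set {re.escape(tset)} (\S+) (\S+)", cfg)
    # Indented lines under "crypto isakmp policy N" are "keyword value" pairs.
    block = _find(r"^crypto isakmp policy \d+\n((?: .+\n?)+)", cfg)[1]
    ike = dict(line.split(None, 1) for line in block.splitlines())
    return {
        "phase1": {"encryption": ike["encryption"], "hash": ike["hash"],
                   "dh_group": int(ike["group"]), "keylife": int(ike["lifetime"])},
        "phase2": {"transforms": (esp[1], esp[2]),
                   "pfs_group": int(_find(r"set pfs group(\d+)", cfg)[1]),
                   "keylife": int(_find(r"lifetime seconds (\d+)", cfg)[1]),
                   # The peer sees the ASA's selectors reversed.
                   "local_subnet": str(asa_remote), "remote_subnet": str(asa_local)},
    }
```

For this configuration the result shows DH group 2 for Phase 1 but PFS group 1 for Phase 2, so the two group settings on the peer differ.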
 
adispiric (Author) Commented:
To add to the above... The Fortigate is a dual-WAN router and I have configured the VPN to use the WAN 1 interface. When I try to ping the LAN in London, the first hop goes through WAN 2. How can this be changed?
 
myramu Commented:
Hi,

Move the encrypt policy to the top of all policies. I would suggest using an interface (route) based VPN, so that you will have control over the routing.

Good luck!
 
adispiric (Author) Commented:
I changed the VPN to route based last night and it's still the same. I can confirm that both firewall policies are at the top (VPN->Internal and Internal->VPN).

I have also put a static rule on the Fortigate to route all traffic to 192.168.16.x through the VPN interface.

IP access did not change, though; I can still only ping one way.

Any other ideas please?
 
Jakob Digranes (Senior Consultant) Commented:
By VPN interface, do you mean WAN1?
Are both WAN1 and WAN 2 connected to the internet? To different connections?
Does the Fortigate connect directly to the internet with a public IP?