mikkopel
join:2002-10-25
Haverstraw, NY

mikkopel

Member

VPN between two Fortigates

I have two Fortigates, 100A and WiFi50B. I'm trying to create a VPN tunnel between them. But my success is limited.

Right now, I have both of the WAN ports plugged in the same switch, the WAN IP addresses are in the same netblock. And indeed, I can ping both of the devices. So far so good.

I can also create a working VPN tunnel, if I select Static IP address in the settings. So that works, but that's not what I need. The WiFi50B is going to be behind a consumer cable modem. So I can't use a static IP address. I need to configure dialup user.

So, I use the same settings, except on the server end in the Phase 1 settings I change the Remote Gateway to Dialup User. In the client end, nothing changes since the other end still has a static IP. Also, in the firewall rules, at the client end, I select "Allow outbound", and nothing else. In the server end I select "Allow inbound" and nothing else.

But the link doesn't work.

Any ideas? So far Fortinet's own support has been less than helpful, which is unfortunate since I kind of like the devices otherwise. Actually, I had to point out to the support the exact page on the VPN guide that had the very configuration I was trying to set up, yet the person thought the setup was impossible.
fox77
join:2001-02-12
Culver City, CA

fox77

Member

When this is failing, are you still just plugged into the 'same switch' with both devices, or have you deployed? If you are behind that 'consumer modem', make sure it is only acting as a modem and not a router also, i.e. NAT.

There should be logging in the devices. Can you get any clues from there? There should be error messages in the log.

fox7
mikkopel
join:2002-10-25
Haverstraw, NY

mikkopel

Member

No, I haven't deployed the device yet, since I never got the dialup VPN working. They're still plugged in exactly the same way.

The logging isn't terribly helpful either.

Here's the legend for the log messages:

First on the client side I see this:
2010-08-19 07:43:55 notice ipsec 37129 root progressIPSec phase2 negotiate 500 wan1 500 845648dd985a4c3c/2feb642f331972d3 N/A N/A N/A N/A success remote-dialup 1 outbound local quick initiator ok

But then on the server side:

2010-08-19 07:44:25 error ipsec 37130 root progressIPsec Phase2negotiate 500 wan1 500 845648dd985a4c3c/2feb642f331972d3 N/A N/A N/A N/A failure remote-dialup_0 1 inbound remote quick responder error

So as far as I can tell, the phase 1 completes OK, that's what the first message is, but then phase 2 fails...

And it's not like phase 2 has that many settings. I have the same settings on both ends:

1- Encryption AES256 Authentication MD5
2- Encryption 3DES Authentication SHA1
X Enable Replay detection
X Enable perfect forward secrecy (PFS)
DH Group 5
Keylife 1800 Seconds 5120 KBytes
X Autokey Keep Alive

Quick Mode Selector
Source Address 0.0.0.0/0
Source Port 0
Destination Address 0.0.0.0/0
Destination port 0
Protocol 0

The only thing that catches my eye is that on the client side the VPN name is "remote-dialup" but on the server side it is "remote-dialup_0". The name that I gave in both devices' Phase 1 settings is "remote-dialup". I don't know if this means anything, though.

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

Anav to mikkopel

Premium Member

to mikkopel
What does fortigate support say?
fox77
join:2001-02-12
Culver City, CA

2 edits

fox77 to mikkopel

Member

to mikkopel
mikkopel:
Everything is so sensitive on doing a VPN IPSEC with regard to settings, and if it is not EXACTLY seeing what it expects to see, it won't work. I would try and match the names just for a test and see if that is the hiccup.

What jumps out at me is the source and destination address being the same in Quick Mode. I would use 0.0.0.0/0 for the address of the dial-up part, but use the real WAN address for the static part. You can 'not' make a VPN between two dynamic IPs, as a general rule, and with most devices using 0.0.0.0 means it is a dynamic IP. This is if I am understanding the purpose of those settings in Quick Mode.

Thanks for the info!!!!!

fox7

Edit:
I re-read your input... Having the same settings on both ends is very cool for Phase 2, but give my suggestion a shot, and also turn off the 'perfect forward security' on the setup where you are using the 'dial up' scenario.

fox7

Edit:
Yea, it's me again. When you are using one dynamic IP, the VPN can only be established from that dynamic IP to the static IP. The static end cannot make contact with the dynamic end first. The static end is responsive, not proactive. Whereas if both are static, it can be initiated from either end. Think about the settings and fields to make settings with that in mind. I haven't looked at the Fortigate manual yet, because you seem to know your way around in the settings.

fox7
mikkopel
join:2002-10-25
Haverstraw, NY

mikkopel

Member

Thanks for all the suggestions. So far Fortigate's only suggestion has been to enter 0.0.0.0/0 for all quick mode options. Which it is already, so that didn't take me anywhere. I also tried putting in the Static IP address in the quick mode fields, but that didn't help either.

And yeah, I know my way around the settings by now, I've recreated the VPN so many times by now! In the server, I don't even have a "Bring Up" button for this VPN. In the client end, I do, so that's what I keep pressing and hoping for green.

Do firewall rules come into play at this stage? I wonder if I should pay more attention to those. I do have firewall rules in place, allowing all traffic between the internal ranges of each end, but maybe something is amiss there... But then again, if it works with static IPs, that doesn't seem to be the problem.
fox77
join:2001-02-12
Culver City, CA

fox77 to mikkopel

Member

to mikkopel
mikkopel:
Yea, when I checked the thread I was hoping you had her working.

Firewall rules would not by default inhibit a VPN, and the device should internally handle the settings so as to not inhibit a VPN. I have never had a firewall in the device which I was configuring the VPN inhibit the working of the VPN.

I have set up many VPNs with many manufacturers of hardware, but never Fortigates. But I recall they are not the cheapie on the market, so it should work and work well.

I can really only encourage you to try different settings, and generally it is always some small thing you laugh about later.

I will check back, and think about it over the weekend.

fox7
fox77

fox77 to mikkopel

Member

to mikkopel
mikkopel:
Ok, I broke down and started reading your manual. For the Quick Mode when doing a dial-up, the manual says:

the FortiGate unit connects as a dialup client to another FortiGate unit, in which case you must specify a source IP address, IP address range or subnet

I think I mentioned to try this... not to be a told ya so.

This is on page... sorry, your manual does not have page numbers, but it is under 'Phase 2 parameters', 'Advanced Phase 2 settings', 'Quick Mode selectors'.

Give that a try and get back if that is your solution.

fox7
mikkopel
join:2002-10-25
Haverstraw, NY

mikkopel

Member

Wow six days already passed...? Time goes quickly, when you're having fun, right! Thanks for reading the manual, or maybe you had some trouble falling asleep at night?

Fortigate support told me to keep the quick mode settings at all zeros. I did try entering the remote IP address in there too, and leaving everything else to 0, but it didn't make a difference.

At the same time though, wouldn't configuring Quick Mode settings be more restrictive? And since the tunnel is not working, it would seem to make sense to have as few restrictions as possible to the tunnel.

The last thing they suggested was that I should not have the two devices in the same netblock. Which really doesn't make sense, since I could imagine someone wanting to VPN between two devices in the same netblock.

So I took the "remote" or client Fortigate home. The results were exactly the same. To recap: the VPN link works if I select static IP address, and enter all the settings. These are all the settings I change for the dialup:

server:
- in Phase 1 change remote gateway from Static IP to Dialup User
- in Firewall rules clear "Allow Outbound"
client:
- in Firewall rules clear "Allow Inbound"

That is all I change. But the link does not work this way. The two last firewall settings were as per manual. I think it said as an explanation that this prevents the unit from trying to recreate the already existing VPN tunnel, when it receives traffic from remote end.
mikkopel

mikkopel

Member

Ok, FINALLY I got it working. There were two things... First, the technician changed a setting in the firewall rule. (Allow Outbound/Inbound) Which was the opposite to what the manual said to do.

Second, he configured the Quick Mode settings using LAN, not WAN addresses. And that was it...

So you guys were on the right track with it...
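As an added example (not from the thread, and not Fortinet's own code): a Python check that parses the two FortiGate IPsec progress log lines quoted earlier in the thread, pairs the client's and server's records by ISAKMP cookie pair to flag a Phase 2 that the responder rejected, and verifies that the two ends' Quick Mode selectors mirror each other, which is the LAN-address fix the last post reports. The log field layout, the handling of the `_0` instance suffix, and the sample subnets are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the client and server lines quoted in the thread.
SAMPLE_LOG = """\
2010-08-19 07:43:55 notice ipsec 37129 root progressIPSec phase2 negotiate 500 wan1 500 845648dd985a4c3c/2feb642f331972d3 N/A N/A N/A N/A success remote-dialup 1 outbound local quick initiator ok
2010-08-19 07:44:25 error ipsec 37130 root progressIPsec Phase2negotiate 500 wan1 500 845648dd985a4c3c/2feb642f331972d3 N/A N/A N/A N/A failure remote-dialup_0 1 inbound remote quick responder error
"""

# Token positions differ between the two lines ("phase2 negotiate" vs
# "Phase2negotiate"), so anchor on distinctive fields rather than on indices.
LINE_RE = re.compile(
    r"(?P<date>\S+) (?P<time>\S+) (?P<level>\S+) ipsec (?P<logid>\d+) (?P<vd>\S+) .*?"
    r"(?P<cookies>[0-9a-f]{16}/[0-9a-f]{16}) .*?"
    r"(?P<status>success|failure) (?P<vpn>\S+) \d+ (?P<dir>inbound|outbound) "
    r"\S+ quick (?P<role>initiator|responder)"
)

def parse_ipsec_log(text):
    """One dict per parsable line; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def base_vpn_name(name):
    # Assumption: a dialup Phase 1 instantiates tunnels as <name>_<n>; the
    # server log in the thread shows "remote-dialup_0" for "remote-dialup".
    return re.sub(r"_\d+$", "", name)

def find_rejected_phase2(records):
    """Pair records by ISAKMP cookie pair and return (cookies, tunnel) for
    each exchange where the initiator logged success but the responder logged
    failure: Phase 1 is up, the Phase 2 proposal/selectors were refused."""
    by_cookie = defaultdict(dict)
    for r in records:
        by_cookie[r["cookies"]][r["role"]] = r
    return [
        (cookies, base_vpn_name(roles["responder"]["vpn"]))
        for cookies, roles in by_cookie.items()
        if "initiator" in roles and "responder" in roles
        and roles["initiator"]["status"] == "success"
        and roles["responder"]["status"] == "failure"
    ]

def selectors_mirror(client_sel, server_sel):
    """True when each end's (src, dst) Quick Mode selector is the other end's
    (dst, src). The thread's fix was to put the LAN subnets here, not WAN IPs."""
    c_src, c_dst = (ipaddress.ip_network(s) for s in client_sel)
    s_src, s_dst = (ipaddress.ip_network(s) for s in server_sel)
    return c_src == s_dst and c_dst == s_src
```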