Fortigate60D IPSec Tunnel Configuration:
Fortigate100D IPSec Tunnel Configuration:
Unfortunately, the tunnel between the 60D and the 100D failed to come up after the upgrade process rebooted the 100D. Using the following troubleshooting commands on the 100D, we found that the 100D ignored the IKE request from the 60D because it had no Phase 2 proposal configured.
diag debug reset
diag vpn ike log-filter clear
diag vpn ike log-filter dst-addr4 10.94.32.8
diag debug console timestamp enable
diag debug application ike -1
diag debug enable
I tried to put a phase 2 on the 60D firewall. It shows there is already a phase 2 auto-configured from phase 1.
FW-60D (p2) # get
name                : p2
phase1name          :
use-natip           : enable
selector-match      : auto
proposal            : aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
pfs                 : enable
dhgrp               : 14 5
replay              : enable
keepalive           : disable
auto-negotiate      : disable
keylife-type        : seconds
encapsulation       : tunnel-mode
comments            :
keylifeseconds      : 43200

FW-60D (p2) # set phase1name
<string>    please input string value
f1-f2       phase1

FW-60D (p2) # set phase1name f1-f2

FW-60D (p2) # set selector-match
exact     Match selectors exactly.
subset    Match selectors by subset.
auto      Use subset or exact match depending on selector address type.

FW-60D (p2) # end
For autoconf-enabled phase1, a phase2 is already generated internally.
object set operator error, -5
discard the setting
Command fail. Return code -5
It seems the 60D, on firmware version 5.2.5, is still using the auto-configured IPSec Phase 2, but the 100D no longer had that configuration after the upgrade to 5.4.1. As soon as I manually put a phase 2 configuration on the 100D, the tunnel came up right away.
It seems that with the newer firmware version, FortiOS changed its default handling of IPSec Phase 2: the auto-generated phase 2 is no longer created for you, so you will have to put the phase 2 configuration into the VPN manually.
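The manual phase 2 that fixed the 100D is not shown above, so here is an added example of what such an entry looks like (not the author's own configuration). It mirrors the proposal, PFS, DH group and key lifetime values from the 60D's auto-generated phase 2 so both sides still agree; the phase 1 name on the 100D, the phase 2 name and the 0.0.0.0/0 selectors are assumptions, and `phase2-interface` is used on the assumption that this is a route-based (interface-mode) tunnel.

```text
# Added example for the 100D on FortiOS 5.4.1, assuming a route-based tunnel.
# "PHASE1-TO-60D" stands for the 100D's existing phase 1 name (placeholder).
config vpn ipsec phase2-interface
    edit "p2-to-60d"
        set phase1name "PHASE1-TO-60D"
        # Same list the 60D's auto-generated phase 2 offers. The 3des/sha1
        # entries are legacy; keep them only while the peer still needs them.
        set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
        set pfs enable
        set dhgrp 14 5
        set replay enable
        set keylife-type seconds
        set keylifeseconds 43200
        # Bring the SA up without waiting for traffic (the 60D's auto phase 2
        # shows auto-negotiate disabled; enabling it here only speeds re-keying).
        set auto-negotiate enable
        # Wide selectors so the 100D accepts whatever the 60D's auto phase 2 proposes.
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
```

After `end`, `diagnose vpn ike gateway list` and `diagnose vpn tunnel list` on the 100D should show the phase 1 and the new phase 2 SA; if the IKE debug from the earlier filter still reports a proposal mismatch, compare this list against the 60D's `get` output line by line.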