Question : IPSec woes

Hi all,

I'm in the process of attempting to set up an IPSec tunnel between two LANs.

Here's an ASCII diagram (IPs changed):

(Lan1: 192.168.0.0/24)
     |
[D-Link NetDefend
DFL-800 Firewall]
     |
(Public IP1: 111.111.111.111)
    |/|
    |/|
    |/| <-IPSec Tunnel
    |/|
    |/|
(Public IP2: 222.222.222.222)
     |
[Fortinet Fortigate
Firewall]
(Lan2: 10.0.0.0/24)


I've configured both firewalls according to their respective manuals. This has been tricky because both vendors have varied terminology and default settings. There are also some minor variations in what extra options you have at each end.

I've added rules to both firewalls to allow traffic to pass both directions between the LAN and the IPSec interface and I've added routes to both firewalls to direct traffic intended for the remote LAN over the IPSec interface.

Here's a rough list of settings:
Authentication: Pre-shared key
IKE Encryption/Auth proposals: AES256/SHA1
IKE Life Time: 28800 sec
IKE Mode: Main, DH Group 2
IPSec Encryption/Auth proposals: AES256/SHA1
IPSec Life Time: 3600 sec
XAuth: Disabled
Perfect Forward Secrecy: Disabled
Keep-alive: On (sends pings regularly to keep the tunnel up)
Dead Peer Detection: Disabled
Peer ID (used on both firewalls): 111.111.111.111

At the moment, I can see active IKE security authorities (SAs) coming up. For some reason though, the IPSec interface isn't coming up on the firewall IPSec status.

When I attempt to ping a machine on Lan2 from a machine on Lan2, I get 100% packet loss. The firewall logs show a connection but no traffic.

I'm getting "Quick Mode" errors at both ends.

I'm also getting this message when I apply changes to the D-Link firewall:
----- START -----
Attempting to use new configuration data...
IPSec SA [Initiator] negotiation failed:
  Local Proxy ID  192.168.0.0/24 any
  Remote Proxy ID 10.0.0.0/24 any
License file successfully loaded.

Configuration done

Configuration (v193) verified for bi-directional communication
----- END -----

Not sure what the "Proxy IDs" are about - they clearly match the subnets for Lan1 and Lan2, but I don't know what they do.

Also getting some "xauth" errors at the Fortigate end, which doesn't make any sense to me, because it's disabled...

Any help would be appreciated - cheers,

Chris
Perth, Australia

Answer : IPSec woes

For anyone interested or who runs into the same issue:

It was indeed a "Quick Mode" problem - the Fortigate firewall (LAN2 firewall) required Quick Mode selectors.

The Fortigate settings required based on the example are (0 indicates any/default):

Source Address: 10.0.0.0/24
Source port: 0
Destination address: 192.168.0.0/24
Destination port: 0
Protocol: 0


I also read some people have had problems with Dead Peer Detection. For the record, it is enabled in my case and not causing any issues.

The tunnel's up, firewall hardened and everything working now, so I'm happy.

Hope this relieves someone of the headache I had.

Chris Fry
Perth, Australia
www.chris-fry.com
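The Proxy IDs the question asks about are the Phase 2 (Quick Mode) traffic selectors: each firewall's local selector must be the mirror image of the peer's remote selector, and the protocol and ports must agree, or Quick Mode fails exactly as in the log above. The checker below is an added example, not code from the original post or from either vendor; the selector values are constructed from the thread, and the pre-fix FortiGate selector of 0.0.0.0/0 is an assumption about that firewall's "any" default.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Selector:
    """One Phase 2 proxy ID / Quick Mode selector as configured on a firewall."""
    local: str        # subnet behind this firewall (its "source")
    remote: str       # subnet behind the peer (its "destination")
    proto: int = 0    # 0 = any, as in the FortiGate settings above
    lport: int = 0    # 0 = any
    rport: int = 0    # 0 = any


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def quick_mode_mismatches(a: Selector, b: Selector) -> list:
    """Return the reasons Quick Mode would fail between peers a and b.

    A's local must equal B's remote and vice versa, protocol must match, and
    A's local port must be B's remote port (and vice versa). An empty list
    means the proxy IDs line up and Phase 2 can complete.
    """
    problems = []
    if _net(a.local) != _net(b.remote):
        problems.append(f"A local {a.local} != B remote {b.remote}")
    if _net(a.remote) != _net(b.local):
        problems.append(f"A remote {a.remote} != B local {b.local}")
    if a.proto != b.proto:
        problems.append(f"protocol {a.proto} != {b.proto}")
    if a.lport != b.rport or a.rport != b.lport:
        problems.append("port selectors are not mirrored")
    return problems


# Constructed from the thread: the D-Link end, the FortiGate before the fix
# (assumed 0.0.0.0/0 "any" selectors), and the FortiGate after the fix.
DLINK = Selector(local="192.168.0.0/24", remote="10.0.0.0/24")
FORTIGATE_DEFAULT = Selector(local="0.0.0.0/0", remote="0.0.0.0/0")
FORTIGATE_FIXED = Selector(local="10.0.0.0/24", remote="192.168.0.0/24")

if __name__ == "__main__":
    print("before fix:", quick_mode_mismatches(DLINK, FORTIGATE_DEFAULT))
    print("after fix: ", quick_mode_mismatches(DLINK, FORTIGATE_FIXED))
```

Running the check against both ends' configured selectors before bringing the tunnel up turns the "IPSec SA negotiation failed" log line into a concrete pointer at which subnet or port does not mirror.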