Problems configuring a Site-to-Site VPN with FortiGate v5.0 and 5.4.2

wzapata
Posts: 3
Joined: 17 Nov 2016, 14:44

Post by wzapata »

Hello everyone!

I need your help. I am having problems configuring a VPN between a FortiGate 100D running version 5.0 (hub) and a FortiGate 50E running version 5.4.2 (spoke).

I have other FortiGate 40C units with VPNs at other sites and they all work fine. Here is the configuration of the spoke:

FortiGate 50E:
-------------------------------------
ike 0:Suc_Cristobal: schedule auto-negotiate

ike 0:Suc_Cristobal: auto-negotiate connection

ike 0:Suc_Cristobal: created connection: 0x10426188 4 10.5.1.5->190.106.113.195:500.

ike 0:Suc_Cristobal:74: cookie f22c43f10af6a87a/0000000000000000

ike 0:Suc_Cristobal:74: sent IKE msg (agg_i1send): 10.5.1.5:500->190.106.113.195:500, len=518, id=f22c43f10af6a87a/0000000000000000

ike 0: comes 190.106.113.195:500->10.5.1.5:500,ifindex=4....

ike 0: IKEv1 exchange=Aggressive id=f22c43f10af6a87a/b7b0842efa906099 len=472

ike 0:Suc_Cristobal:74: VID RFC 3947 4A131C81070358455C5728F20E95452F

ike 0:Suc_Cristobal:74: VID DPD AFCAD71368A1F1C96B8696FC77570100

ike 0:Suc_Cristobal:74: DPD negotiated

ike 0:Suc_Cristobal:74: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712

ike 0:Suc_Cristobal:74: VID FORTIGATE 8299031757A36082C6A621DE00050124

ike 0:Suc_Cristobal:74: peer is FortiGate/FortiOS (v5 b292)

ike 0:Suc_Cristobal:74: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3

ike 0:Suc_Cristobal:74: peer identifier IPV4_ADDR 190.106.113.195

ike 0:Suc_Cristobal:74: negotiation result

ike 0:Suc_Cristobal:74: proposal id = 1:

ike 0:Suc_Cristobal:74: protocol id = ISAKMP:

ike 0:Suc_Cristobal:74: trans_id = KEY_IKE.

ike 0:Suc_Cristobal:74: encapsulation = IKE/none

ike 0:Suc_Cristobal:74: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.

ike 0:Suc_Cristobal:74: type=OAKLEY_HASH_ALG, val=SHA.

ike 0:Suc_Cristobal:74: type=AUTH_METHOD, val=PRESHARED_KEY.

ike 0:Suc_Cristobal:74: type=OAKLEY_GROUP, val=MODP1536.

ike 0:Suc_Cristobal:74: ISAKMP SA lifetime=28800

ike 0:Suc_Cristobal:74: ISAKMP SA f22c43f10af6a87a/b7b0842efa906099 key 24:60FBBD61AB980A86A9912CC6792E202EBB577741DF44DB37

ike 0:Suc_Cristobal:74: probable pre-shared secret mismatch

ike 0:Suc_Cristobal:74: info_send_n1, type 23

ike 0:Suc_Cristobal:74: sent IKE msg (p1_notify_23): 10.5.1.5:500->190.106.113.195:500, len=64, id=f22c43f10af6a87a/b7b0842efa906099:eae88690

ike 0:Suc_Cristobal:74: sent IKE msg (P1_RETRANSMIT): 10.5.1.5:500->190.106.113.195:500, len=518, id=f22c43f10af6a87a/0000000000000000

ike 0: comes 190.106.113.195:500->10.5.1.5:500,ifindex=4....

ike 0: IKEv1 exchange=Aggressive id=f22c43f10af6a87a/b7b0842efa906099 len=472

ike 0: comes 190.106.113.195:500->10.5.1.5:500,ifindex=4....

ike 0: IKEv1 exchange=Aggressive id=f22c43f10af6a87a/b7b0842efa906099 len=472

ike shrank heap by 126976 bytes
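
Added example (not part of the original posts, and not Fortinet tooling): a small triage script for IKE debug output in the format posted above, which groups lines by tunnel and connection and pulls out the negotiated phase 1 proposal, the messages sent, and the daemon's own diagnostics. The sample lines are copied from the post with the hex dumps left out; the `LEGACY` set and the wording of the findings are assumptions of this example.

```python
import re
from collections import Counter

# Excerpt of the debug lines posted above (hex dumps left out).
SAMPLE = """\
ike 0:Suc_Cristobal:74: sent IKE msg (agg_i1send): 10.5.1.5:500->190.106.113.195:500, len=518, id=f22c43f10af6a87a/0000000000000000
ike 0: IKEv1 exchange=Aggressive id=f22c43f10af6a87a/b7b0842efa906099 len=472
ike 0:Suc_Cristobal:74: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:Suc_Cristobal:74: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:Suc_Cristobal:74: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:Suc_Cristobal:74: type=OAKLEY_GROUP, val=MODP1536.
ike 0:Suc_Cristobal:74: probable pre-shared secret mismatch
ike 0:Suc_Cristobal:74: sent IKE msg (p1_notify_23): 10.5.1.5:500->190.106.113.195:500, len=64, id=f22c43f10af6a87a/b7b0842efa906099:eae88690
ike 0:Suc_Cristobal:74: sent IKE msg (P1_RETRANSMIT): 10.5.1.5:500->190.106.113.195:500, len=518, id=f22c43f10af6a87a/0000000000000000
"""

LINE = re.compile(r"^ike \d+:(?P<tunnel>[^:\s]+):(?P<conn>\d+): (?P<msg>.*)$")
ATTR = re.compile(r"type=(\w+), val=(\w+)")
SENT = re.compile(r"sent IKE msg \((\w+)\)")
# Assumption of this example: values treated as legacy; val=SHA is taken to mean SHA-1.
LEGACY = {"3DES_CBC", "SHA", "MODP1536"}

def triage(text):
    """Summarise phase 1 per (tunnel, connection): proposal, messages sent, findings."""
    report = {}
    for line in map(str.strip, text.splitlines()):
        m = LINE.match(line)
        if not m:  # lines that carry no tunnel name are skipped
            continue
        entry = report.setdefault((m["tunnel"], int(m["conn"])),
                                  {"proposal": {}, "sent": Counter(), "findings": []})
        msg = m["msg"]
        if (a := ATTR.search(msg)):
            entry["proposal"][a[1]] = a[2]
        elif (s := SENT.search(msg)):
            entry["sent"][s[1]] += 1
        elif "pre-shared secret mismatch" in msg:
            entry["findings"].append("daemon reports probable pre-shared secret mismatch")
    for entry in report.values():
        if entry["sent"]["P1_RETRANSMIT"]:
            entry["findings"].append(f"phase 1 retransmitted x{entry['sent']['P1_RETRANSMIT']}")
        weak = sorted(LEGACY & set(entry["proposal"].values()))
        if weak:
            entry["findings"].append("legacy algorithms: " + ", ".join(weak))
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```
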
makco10
Posts: 1345
Joined: 03 Jun 2011, 19:42
Location: Honduras

Re: Problems configuring a Site-to-Site VPN with FortiGate v5.0 and 5.4.2

Post by makco10 »

Good day,

Check this info ([You must log in to view links.]) and let us know if you have everything set up correctly.

Awaiting your reply.
Defend Your Enterprise Network With Fortigate Next Generation Firewall

NSE4
NSE5
wzapata
Post by wzapata »

Thanks for the information, Makco10. One question: in the site-to-site VPN I have configured with Dialup, do I have to use the same pre-shared key with all the spokes?
makco10
Post by makco10 »

Hello,

Not necessarily; in my opinion it is up to you.

Regards.
wzapata
Post by wzapata »

Solved!!!!

Thanks for your material, Makco10. It was very useful to me. The problem was that I had created a VPN Zone and was creating the policy, but was not adding the new VPN to the Zone, so the policy was incomplete. Thanks!!
makco10
Post by makco10 »

Excellent,

Regards.