IPsec tunnel between Fortinet and iPad
Posted: 24 Jan 2012, 22:19
Hi Gaby, I'm trying to set up an IPsec tunnel between the Fortinet and an iPad, for which I followed the procedure below from the Fortinet knowledge base. The error the logs show me is in phase 2, saying "no matching gateway for a new request", with error id 37125 and the negotiation status as error. Here is the configuration:
[url]http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&externalId=FD33376[/url]
Description
This article provides a sample IPSec VPN configuration for use with iPhone and iPad. The configuration is for FortiOS v4.0 MR3 and differs from the configuration that is required for previous firmware versions.
The related article provides a configuration guide for earlier firmware versions.
Scope
This example is intended for a dial-up VPN network that requires connections from iPhone or iPad clients.
Solution
This example is intended for a dial-up VPN network that requires connections from iPhone or iPad clients.
The following sample configuration has been tested and works correctly in FortiOS v4.0 MR3.
It should be noted that the VPN is configured as route-based, otherwise known as interface-based. The configuration requires a peer ID ("apple" in this case) as well as a user group. It is best to configure this VPN using the CLI as some of the required settings are not available in the web interface.
Set up a User, User Group, and Firewall Addresses:
config user local
    edit "test"
        set status enable
        set type password
        set passwd <password>
    next
end
config user group
    edit "apple"
        set group-type firewall
        set member "test"
        set authtimeout 0
    next
end
config firewall address
    edit "LAN"
        set associated-interface "switch"
        set type ipmask
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "iPhoneVPNUsers"
        set associated-interface "Any"
        set comment ''
        set type ipmask
        set subnet 172.16.1.0 255.255.255.0
    next
end
Phase 1 Settings:
name : iPhoneP1
type : dynamic
interface : port1
ip-version : 4
local-gw : 0.0.0.0
nattraversal : enable
dhgrp : 2
keylife : 28800
authmethod : psk
peertype : one
xauthtype : auto
mode : aggressive
mode-cfg : enable
proposal : aes256-md5 aes256-sha1
localid : (null)
localid-type : auto
negotiate-timeout : 30
dpd : enable
fcc-enforcement : disable
peerid : apple
authusrgrp : VPNUserGroup
default-gw : 0.0.0.0
default-gw-priority : 0
assign-ip : enable
mode-cfg-ip-version : 4
assign-ip-from : range
add-route : enable
ipv4-start-ip : 172.16.1.1
ipv4-end-ip : 172.16.1.40
ipv4-netmask : 255.255.255.0
dns-mode : auto
ipv4-wins-server1 : 0.0.0.0
ipv4-wins-server2 : 0.0.0.0
ipv4-exclude-range:
ipv4-split-include : (null)
unity-support : enable
psksecret : *
keepalive : 10
distance : 1
priority : 0
dpd-retrycount : 3
dpd-retryinterval : 5
Phase 2 Settings:
name : iPhoneP2
dst-addr-type : subnet
dst-port : 0
encapsulation : tunnel-mode
keepalive : enable
keylife-type : seconds
pfs : disable
phase1name : iPhoneP1
proposal : aes256-md5 aes256-sha1
protocol : 0
replay : enable
route-overlap : use-new
single-source : disable
src-addr-type : subnet
src-port : 0
dst-subnet : 0.0.0.0 0.0.0.0
keylifeseconds : 1800
src-subnet : 0.0.0.0 0.0.0.0
Configure Firewall Policies:
VPN => LAN
config firewall policy
    edit 1
        set srcintf "iPhoneP1"
        set dstintf "switch"
        set srcaddr "iPhoneVPNUsers"
        set dstaddr "LAN"
        set action accept
        set status enable
        set logtraffic enable
        set schedule "always"
        set service "ANY"
        set nat disable
    next
end
LAN => VPN
config firewall policy
    edit 2
        set srcintf "switch"
        set dstintf "iPhoneP1"
        set srcaddr "LAN"
        set dstaddr "iPhoneVPNUsers"
        set action accept
        set status enable
        set logtraffic enable
        set schedule "always"
        set service "ANY"
        set nat disable
    next
end
Configuration required on the iPad/iPhone Cisco VPN Client:
description: FortiGate VPN
server: IP of the FortiGate WAN interface that is configured for VPN (interface : port1 in this case)
account: test (a user account on the FortiGate)
password: test123
Use certificate: off
group name: apple
secret: Pre-shared key for the tunnel
IT SHOULD BE NOTED THAT NONE OF THESE COMMANDS APPEARED IN THE PHASE 1 CLI:
- negotiate-timeout : 30
- fcc-enforcement : disable
- dns-mode : auto
I'm attaching the images of the phases and of the in-out policy; it wouldn't let me upload the out-in one, but it is identical to the one in the guide, and likewise the address and the group.
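Added here as an example (it is not part of the original post nor of Fortinet's KB article): a small Python checker that parses the quoted phase 1 "key : value" output and the config blocks, and flags inconsistencies between them, such as the authusrgrp value not being one of the configured user groups. The sample input is constructed from the settings above; the function names are hypothetical.

```python
import re
# Constructed sample input (hypothetical), taken from the settings quoted in the post.
PHASE1 = """
name : iPhoneP1
peerid : apple
authusrgrp : VPNUserGroup
"""
CONFIG = """
config user group
    edit "apple"
        set member "test"
    next
end
config firewall policy
    edit 1
        set srcintf "iPhoneP1"
        set dstintf "switch"
    next
end
"""
CLIENT_GROUP = "apple"  # "group name" typed into the iPad client, sent as the IKE ID

def parse_kv(text):
    """Parse 'key : value' lines (FortiOS get/show style) into a dict."""
    pairs = (line.partition(":") for line in text.strip().splitlines())
    return {k.strip(): v.strip() for k, _, v in pairs}

def configured_groups(cfg):
    """Names defined with 'edit "..."' inside the 'config user group' block."""
    block = re.search(r"config user group\n(.*?)\nend", cfg, re.S)
    return set(re.findall(r'edit "([^"]+)"', block.group(1))) if block else set()

def check_dialup_vpn(p1, cfg, client_group):
    """Return a list of consistency findings; an empty list means no mismatch."""
    findings = []
    # With peertype one, the client's group name must equal the phase 1 peerid,
    # otherwise the FortiGate cannot select this dial-up gateway for the request.
    if p1.get("peerid") != client_group:
        findings.append("peerid %r != client group name %r" % (p1.get("peerid"), client_group))
    # XAuth users are looked up in authusrgrp, which must be a group that exists.
    groups = configured_groups(cfg)
    if p1.get("authusrgrp") not in groups:
        findings.append("authusrgrp %r is not a configured user group %s"
                        % (p1.get("authusrgrp"), sorted(groups)))
    # Route-based VPN: a policy has to reference the phase 1 tunnel interface by name.
    if p1.get("name") not in re.findall(r'set (?:src|dst)intf "([^"]+)"', cfg):
        findings.append("no firewall policy uses tunnel interface %r" % p1.get("name"))
    return findings

FINDINGS = check_dialup_vpn(parse_kv(PHASE1), CONFIG, CLIENT_GROUP)
```

Run against the quoted settings, the only finding is the authusrgrp/user group mismatch; pasting your own `get vpn ipsec phase1-interface` output in place of the sample makes it a quick sanity check before digging into the IKE debug logs.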