BOVPN problem between XTM 35 and Fortigate 60E
Hello Everybody
I have a problem bringing up a BOVPN between WG and Forti.
Office 1 (SH)
T35 -> 12.5.2
Router IP : 192.168.11.1
WG IP WAN -> 192.168.11.2
ETH3 IP LAN -> 192.168.1.0 /24
Office 2 (SS)
Fortigate 60E -> 6.2.3
Router IP : 192.168.0.1
FORTI IP WAN -> 192.168.0.254
ETH2 IP LAN -> 192.168.15.0 /24
I followed this KB.
But Phase 1 doesn't come up.
Here are the logs from my WG:
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)******** RECV an IKE packet at 192.168.11.2:500(socket=14 ifIndex=8) from Peer IP.OFFICE.2:500 ******** Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)Received IKEv2 "IKE_SA_INIT request" message with message-ID:0 length:440 SPI[i=6145f97d6a9a9e2b r=0000000000000000] Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)"IKE_SA_INIT request" message has 6 payloads [ SA(sz=48) KE(sz=264) NONCE(sz=36) N(sz=28) N(sz=28) N(sz=8)] Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)Found matching IKE policy 'BOVPN SH to SS' for peer 'IP.OFFICE.2:500' Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)ikeSA(0x105c00c8) state change: UNKNOWN ==> CREATED, reason: "Init SA state" Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)use ikePcy(BOVPN SH to SS) to update ikeSA(0x105c00c8) Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)dispatch the received IKE_SA_INIT request message - IkeSA(0x105c00c8)'s state=CREATED Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)ENCR: found the matched ENCR algo:ENCR_AES_CBC with AES-key-length:256 Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)IKE proposal[#1] is matched - ENCR_AES_CBC/AUTH_HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/DH_GROUP14 Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)The peer is behind NAT Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)The local is behind NAT Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)non-supported notify type: 16430(UNKNOWN), ignore it Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)Processed IKE_SA_INIT request message successfully Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)'IKE_SA_INIT response' message created successfully. length:496 Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)Sent out IKE_SA_INIT response message (msgId=0) from 192.168.11.2:500 to IP.OFFICE.2:500 for 'BOVPN SH to SS' gateway endpoint successfully. Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)ikeSA(0x105c00c8) state change: CREATED ==> SA_INIT_R, reason: "IKE_SA_INIT response is Out" Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)ikeSA(0x105c00c8)'s msgIdRecv is updated: 0 -> 1 Debug
I tried an IPsec VPN between 2 WGs from office 1 to another destination and it's OK.
I tried an IPsec VPN between 2 Fortis from office 2 to another destination and it's OK.
Thank you for your help.
SH.
Comments
No log messages beyond the last one posted?
Consider opening a support incident on this.
Hello Bruce
I spoke with a WG engineer and found the problem (in French, sorry):
In general, Fortigates send the IP address of the WAN interface as the ID, in this case
192.168.0.254
so that is the value to set on the Firebox as the remote gateway ID. For the rest (Local ID, Remote IP) you use the public IP addresses.
For the remote gateway ID used in tunnel authentication I use the router's IP address (192.168.0.254) and not the public IP.
Now it's OK.
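The iked lines quoted in the first post already contain the whole story: the proposal matches, both sides are detected behind NAT, the IKE_SA_INIT response goes out, the SA moves to SA_INIT_R, and nothing (no IKE_AUTH request) ever comes back, which is exactly the symptom of the peer presenting an identity the Firebox does not expect. The following script is an added example, not code from WatchGuard, Fortinet or the poster: it parses that log format and turns it into a short diagnosis. The regular expressions are assumptions based on the lines quoted above, LOG is a constructed excerpt of those lines (peer address kept as the poster's IP.OFFICE.2 placeholder), and the notify-type lookup comes from the IANA IKEv2 notify registry.

```python
"""Summarise a WatchGuard iked debug trace for an IKEv2 negotiation that stalls."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the iked format shown in the post (format assumed from it).
LOG = """\
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)Received IKEv2 "IKE_SA_INIT request" message with message-ID:0 length:440 SPI[i=6145f97d6a9a9e2b r=0000000000000000] Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)ikeSA(0x105c00c8) state change: UNKNOWN ==> CREATED, reason: "Init SA state" Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)IKE proposal[#1] is matched - ENCR_AES_CBC/AUTH_HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/DH_GROUP14 Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)The peer is behind NAT Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)The local is behind NAT Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)non-supported notify type: 16430(UNKNOWN), ignore it Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)Sent out IKE_SA_INIT response message (msgId=0) from 192.168.11.2:500 to IP.OFFICE.2:500 for 'BOVPN SH to SS' gateway endpoint successfully. Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)ikeSA(0x105c00c8) state change: CREATED ==> SA_INIT_R, reason: "IKE_SA_INIT response is Out" Debug
"""

# Patterns are assumptions derived from the quoted lines, not a documented format.
STATE_RE = re.compile(r"ikeSA\((0x[0-9a-f]+)\) state change: (\w+) ==> (\w+)")
RECV_RE = re.compile(r'Received IKEv2 "([^"]+)" message with message-ID:(\d+)')
SENT_RE = re.compile(r"Sent out (\S+ \S+) message \(msgId=(\d+)\)")
NOTIFY_RE = re.compile(r"non-supported notify type: (\d+)")
PROPOSAL_RE = re.compile(r"IKE proposal\[#\d+\] is matched - (\S+)")

# IANA IKEv2 notify message types (RFC 7383 assigns 16430).
KNOWN_NOTIFIES = {16430: "IKEV2_FRAGMENTATION_SUPPORTED (RFC 7383); harmless to ignore"}


@dataclass
class IkeTrace:
    states: List[Tuple[str, str, str]] = field(default_factory=list)  # (sa, old, new)
    received: List[Tuple[str, int]] = field(default_factory=list)     # (message, msgId)
    sent: List[Tuple[str, int]] = field(default_factory=list)
    unsupported_notifies: List[int] = field(default_factory=list)
    proposal: Optional[str] = None
    peer_nat: bool = False
    local_nat: bool = False


def parse_iked(text: str) -> IkeTrace:
    """Extract state transitions, exchanged messages and NAT/notify facts."""
    t = IkeTrace()
    for line in text.splitlines():
        if m := STATE_RE.search(line):
            t.states.append((m.group(1), m.group(2), m.group(3)))
        elif m := RECV_RE.search(line):
            t.received.append((m.group(1), int(m.group(2))))
        elif m := SENT_RE.search(line):
            t.sent.append((m.group(1), int(m.group(2))))
        elif m := NOTIFY_RE.search(line):
            t.unsupported_notifies.append(int(m.group(1)))
        elif m := PROPOSAL_RE.search(line):
            t.proposal = m.group(1)
        elif "The peer is behind NAT" in line:
            t.peer_nat = True
        elif "The local is behind NAT" in line:
            t.local_nat = True
    return t


def final_states(trace: IkeTrace) -> Dict[str, str]:
    """Last recorded state of every IKE SA seen in the trace."""
    return {sa: new for sa, _old, new in trace.states}


def diagnose(trace: IkeTrace) -> List[str]:
    """Turn the parsed trace into plain-language findings for the operator."""
    findings = []
    if trace.proposal:
        findings.append(f"Phase 1 proposal agreed: {trace.proposal}")
    for n in trace.unsupported_notifies:
        findings.append(f"Unsupported notify {n}: {KNOWN_NOTIFIES.get(n, 'unknown type')}")
    if trace.peer_nat and trace.local_nat:
        findings.append("NAT detected on both sides: IKE switches to UDP 4500 (NAT-T)")
    got_auth = any(name.startswith("IKE_AUTH") for name, _ in trace.received)
    for sa, state in final_states(trace).items():
        if state == "SA_INIT_R" and not got_auth:
            findings.append(
                f"IKE SA {sa} stalled at SA_INIT_R: the IKE_AUTH request never arrived. "
                "Check that UDP 4500 reaches this side and that the configured remote "
                "gateway ID equals the ID the peer really sends; a peer behind NAT "
                "usually presents its private WAN-interface address, not its public IP."
            )
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_iked(LOG)):
        print("-", finding)
```

Run it against a larger iked capture by replacing LOG with the file contents; any SA that reaches IKE_AUTH will not trigger the stall finding, so the script stays quiet on healthy tunnels.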