BOVPN problem between XTM 35 and Forti gate 60E

Hello Everybody
I have a problem to mount a BOVPN between WG and Forti

Office 1 (SH)
T35 -> 12.5.2
Router IP : 192.168.11.1
WG IP WAN -> 192.168.11.2
ETH3 IP LAN -> 192.168.1.0 /24

Office 2 (SS)
Fortigate 60E -> 6.2.3
Router IP : 192.168.0.1
FORTI IP WAN -> 192.168.0.254
ETH2 IP LAN -> 192.168.15.0 /24

I follow this KB

https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/General/fortinet.html

But the Phase 1 don't mount

Here the logs about my WG

2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)******** RECV an IKE packet at 192.168.11.2:500(socket=14 ifIndex=8) from Peer IP.OFFICE.2:500 ******** Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)Received IKEv2 "IKE_SA_INIT request" message with message-ID:0 length:440 SPI[i=6145f97d6a9a9e2b r=0000000000000000] Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)"IKE_SA_INIT request" message has 6 payloads [ SA(sz=48) KE(sz=264) NONCE(sz=36) N(sz=28) N(sz=28) N(sz=8)] Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)Found matching IKE policy 'BOVPN SH to SS' for peer 'IP.OFFICE.2:500' Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)ikeSA(0x105c00c8) state change: UNKNOWN ==> CREATED, reason: "Init SA state" Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)use ikePcy(BOVPN SH to SS) to update ikeSA(0x105c00c8) Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)dispatch the received IKE_SA_INIT request message - IkeSA(0x105c00c8)'s state=CREATED Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)ENCR: found the matched ENCR algo:ENCR_AES_CBC with AES-key-length:256 Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)IKE proposal[#1] is matched - ENCR_AES_CBC/AUTH_HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/DH_GROUP14 Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)The peer is behind NAT Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)The local is behind NAT Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)non-supported notify type: 16430(UNKNOWN), ignore it Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)Processed IKE_SA_INIT request message successfully Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)'IKE_SA_INIT response' message created successfully. length:496 Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)Sent out IKE_SA_INIT response message (msgId=0) from 192.168.11.2:500 to IP.OFFICE.2:500 for 'BOVPN SH to SS' gateway endpoint successfully. Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)ikeSA(0x105c00c8) state change: CREATED ==> SA_INIT_R, reason: "IKE_SA_INIT response is Out" Debug
2020-03-26 10:25:56 iked (192.168.11.2<->IP.OFFICE.2)ikeSA(0x105c00c8)'s msgIdRecv is updated: 0 -> 1 Debug

I try a IPSEC VPN between 2 WG from the office 1 to another destination and it's ok

I try a IPSEC VPN between 2 Forti from the office 2 to another destination and it's ok

Thanks you for your help

SH.

Comments

  • No log messages beyond the last one posted?

    Consider opening a support incident on this.

  • edited 1:48PM

    Hello Bruce
    I see with WG engineer and found the problem (in French Sorry)

    En genéral les fortigate envois l'adresse IP de l ínterface WAN comme ID en l'ocurence.

    192.168.0.254

    donc c'est la valeur qu'il faut mettre sur La Firebox comme remote gateway ID. Pour le reste ( Local ID Remote IP) vous utilserez les adresses IP publiques.

    In the remote gateway ID for tunnel authentification I use the IP addresse's router (192.168.0.254) and not the Public IP.
    Now it's ok

Sign In to comment.