Monday, August 2, 2010

Site to site VPN Cisco and Fortinet

This may save someone some time...

I was setting up a Cisco <-> Fortinet VPN using interface mode on the Fortinet, which is an IPsec-protected GRE tunnel in Cisco's world.

I could not get it to fully come up. Phase 1 was fine, but no luck with phase 2. The Cisco debug showed that the proposal did not match, but it did! I promise :-)

Turns out my mistake was using AES and SHA. Well, in fact, after more trials, anything but 3DES and MD5 will fail. Even DES and MD5! So there seems to be something screwy in the phase 2 exchange. I think this may be on the Cisco side, as it does complain about proposals not matching even though the profile clearly does match.

OK, so I was using v3 MR7 of the Fortinet software and 12.3 of the Cisco IOS, so it wasn't the newest, but that is just crazy talk.

Later: got it. The tunnel protection profile command doesn't seem to choose the transform set like you'd expect. So it was falling back to the transform set in the last IPsec policy, which was the one for the VPN client users, and this was 3DES/MD5.
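As an added example (not from the original post or either vendor's documentation), here is the shape of a Cisco IOS configuration that pins an explicit AES/SHA transform set to the IPsec profile used by the GRE tunnel, so phase 2 does not fall back to whatever transform set the crypto map for the VPN client users happens to carry. Peer addresses, the pre-shared key and the tunnel addressing are placeholders; the Fortinet side must offer the same AES/SHA phase 2 proposal.

```cisco
! Phase 1: ISAKMP policy offered to the Fortinet peer (placeholders in <...>)
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <PRE-SHARED-KEY> address <FORTINET-PEER-IP>
!
! Phase 2: a transform set dedicated to the GRE-over-IPsec tunnel
crypto ipsec transform-set GRE-AES-SHA esp-aes esp-sha-hmac
!
! Bind that transform set to the profile explicitly. Without a
! "set transform-set" line here, the tunnel may end up negotiating
! with a transform set defined elsewhere (the fallback described above).
crypto ipsec profile GRE-PROFILE
 set transform-set GRE-AES-SHA
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source <CISCO-WAN-IP>
 tunnel destination <FORTINET-PEER-IP>
 tunnel protection ipsec profile GRE-PROFILE
```

After the tunnel comes up, `show crypto ipsec sa` on the IOS side shows which transform was actually negotiated for the Tunnel0 SA; if it still reports 3DES/MD5, the profile is not the one being applied to the tunnel.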
