Friday, July 29, 2011

Fortigate MR3 VPN to Cisco

So I'm doing a lot more Fortigate work in a new job. I've got to grips with most of the Forti foibles, but this is a new one...

We've got a customer with a Fortigate at the head office and Ciscos at the remote sites. The remote sites are construction sites, so the Ciscos get kicked, dropped, spiked etc. but just keep going.

I was adding a new site after recently updating the Fortigate to MR3 PL1 and it would not work. The VPN just would not come up. The Cisco config was identical to the working sites (bar IP addresses) and the HO Forti VPN config looked identical too. Until you get to the CLI...

It seems there is now a mode-cfg setting (IKE mode config) that defaults to enabled, and the Ciscos don't like being told what to do. Turn that off in the CLI and the VPN came up. By the way, the VPNs on the Cisco end are VTIs using routes, as these seem to play better and you don't have to specify and match proxy IDs.
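For reference, here is what the fix looks like on both ends. This is an added example, not the config from the original post: tunnel names, interface names, IP addresses, proposals and the pre-shared key are all placeholders and must match whatever is actually deployed. The FortiOS side uses an interface-mode (route-based) phase1 with mode-cfg disabled; the Cisco side is a plain IPsec VTI with a static route pointing at the tunnel.

```text
# --- FortiGate (head office) CLI, interface-mode VPN ---
config vpn ipsec phase1-interface
    edit "site-placeholder"
        set interface "wan1"
        set peertype any
        set proposal aes256-sha1
        set dhgrp 2
        set mode-cfg disable
        set remote-gw 203.0.113.10
        set psksecret PLACEHOLDER-PSK
    next
end
config vpn ipsec phase2-interface
    edit "site-placeholder-p2"
        set phase1name "site-placeholder"
        set proposal aes256-sha1
    next
end
config router static
    edit 0
        set dst 10.50.0.0 255.255.255.0
        set device "site-placeholder"
    next
end

! --- Cisco IOS (remote site), route-based VTI ---
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.1
crypto ipsec transform-set TS-HO esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile IPSEC-HO
 set transform-set TS-HO
interface Tunnel0
 ip unnumbered GigabitEthernet0/0
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-HO
ip route 10.0.0.0 255.255.0.0 Tunnel0
```

After the change, `diagnose vpn ike gateway list` on the FortiGate and `show crypto isakmp sa` on the Cisco should both show the phase1 as established; if phase1 still fails, compare the proposal and DH group on both sides before looking anywhere else.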
