Wednesday, 12 November 2014

IPSEC VPN Fortigate to ISA 2006

We had to set one of these up today and it was a bit odd.

The easiest way is to say what settings worked :-)

Stick with SHA and 3DES.  Group2 for DH, supposedly 14 will work but it didn't for us.

Use proxies, this was our final stumbling block.  ISA wanted proxies in phase 2 or came up with INVALID-ID-INFORMATION in the Fortigate debugs.

Otherwise it's defaults for times, DPD etc.

Edit later:

ISA summarises multiple networks rather than creating a second phase 2. dumb..

ie we had 10.0.1.0/24 at the remote site and 10.0.2.0/24 at the head office end.  They want to add 10.0.3.0/24 so debugging (you can't set this or see it in ISA by the looks of it) the HO end proxy goes from 10.0.2.0/24 to 10.0.0.0/16. So what happens when you add a second network to the remote office end?

No comments:

Gentoo grub-probe not working

 I have a bunch of history commands I run when I d a new kernel etc and one stopped working. grub-mkconfig would fail with grub-probe for /....