02-02-2018 06:26 PM - edited 02-02-2018 09:42 PM
Hello,
I'm using this resource to configure a Site-to-Site IPSec VPN in Layer 2 with a PA-200.
Of course, it's not working, which is why I'm here with a lot of questions.
edit: it's working now
1/ I'm assuming the left part of the diagram is considered the client and the right part the IPSEC server.
So in Network Profiles/IKE Gateways, L2side object, I checked "Enable NAT Traversal".
edit: it seems I didn't need this checked, so let's take the default
2/ Is there a public web site I can check to make sure the client router is VPN passthrough?
There is no option in it to enable or disable this.
3/ On the client router, should I forward ports UDP/500 and UDP/4500?
I don't have an option to forward ESP or AH.
edit: I didn't forward any ports
4/ I suppose devices on the client LAN 172.16.101.0/24 must have a route to reach 172.16.100.0/24 pointing to 172.16.101.200.
edit: correct
5/ I'm trying to ping 172.16.101.200 but it's not working, either from L2trust or L2untrust.
When I'm connected to the PA-200 over SSH, I can ping it.
edit: I added a management profile with ping permitted on interface vlan.1 and now it's OK.
6/ Let's talk about the rules I have to set up:
Currently I have these:
From L2trust/Any to L2untrust/Any : ACCEPT
From L2untrust/Any to L2trust/Any : ACCEPT
From untrust/172.16.101.0/24 to VPN/172.16.100.0/24 : ACCEPT
From VPN/172.16.100.0/24 to untrust/172.16.101.0/24 : ACCEPT
No NAT rules.
7/ I don't understand the tunnel.1 IP address 1.1.2.141/32
What is it and how is it related to the IPSEC server?
edit: there is an error in the document; I used 172.16.100.200/32
8/ My IPSEC server is a Fortigate.
It currently has another IPSEC tunnel which is working.
I made a static route for 172.16.101.0/24
I have rules to permit all.
On the Fortigate, the IPSec tunnel is down and on the PA-200, L2sideipsec is in a red state.
I can provide screenshots of the Fortigate configuration; I tried main and aggressive configuration, IKE 1 and 2.
edit: I used aggressive mode
Had to use Peer Identification on L2side
9/ When I do a "show network vlan test", I don't have l3-forwarding enabled.
How could I do that from the GUI or CLI?
edit: didn't use this part
10/ It seems that these 2 zones, vlan and trust, have no use, so I deleted these.
I'm currently still searching but could take any help and answer any question.
edit: useful commands:
close tunnel:
clear vpn ike-sa gateway L2side
clear vpn ipsec-sa tunnel L2sideipsec
test phase 1: test vpn ike-sa gateway L2side
test phase 2: test vpn ipsec-sa tunnel L2sideipsec
in Monitor/Logs/System, make a filter for vpn errors: (subtype eq vpn)
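As an added example (not code from the post or from Palo Alto Networks), here is a small first-match evaluator for the four security rules listed in item 6, using the PAN-OS default behaviour of allowing unmatched intrazone traffic and denying unmatched interzone traffic. The zone membership of the sample hosts and the omission of application/service matching are assumptions made for the example.

```python
# Added example (not from the original post): first-match evaluator for the
# security rules listed in item 6, with PAN-OS-style default rules
# (intrazone allow, interzone deny). Application/service matching is omitted.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src_zone: str
    src_net: str   # "any" or a CIDR prefix
    dst_zone: str
    dst_net: str
    action: str    # "allow" or "deny"


# The rulebase from the post, in order (first match wins).
RULES = [
    Rule("L2trust", "any", "L2untrust", "any", "allow"),
    Rule("L2untrust", "any", "L2trust", "any", "allow"),
    Rule("untrust", "172.16.101.0/24", "VPN", "172.16.100.0/24", "allow"),
    Rule("VPN", "172.16.100.0/24", "untrust", "172.16.101.0/24", "allow"),
]


def _matches(spec: str, addr: str) -> bool:
    """True if addr falls inside spec ("any" matches every address)."""
    return spec == "any" or ip_address(addr) in ip_network(spec)


def evaluate(src_zone, src_ip, dst_zone, dst_ip, rules=RULES):
    """Return (action, rule_index); rule_index is None when a default rule applies."""
    for i, r in enumerate(rules):
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and _matches(r.src_net, src_ip) and _matches(r.dst_net, dst_ip)):
            return r.action, i
    if src_zone == dst_zone:
        return "allow", None   # PAN-OS default intrazone rule
    return "deny", None        # PAN-OS default interzone rule


if __name__ == "__main__":
    # Constructed sample flows: a client-LAN host to a host behind the
    # Fortigate, the return direction, and a destination outside the rule.
    for flow in [("untrust", "172.16.101.50", "VPN", "172.16.100.10"),
                 ("VPN", "172.16.100.10", "untrust", "172.16.101.50"),
                 ("untrust", "172.16.101.50", "VPN", "10.0.0.1")]:
        print(flow, "->", evaluate(*flow))
```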