Hello, I'm not reading security logs, I'm using an LDAP profile. Group mapping is really something difficult to configure, but it's working now. Is there a document comparing LDAP vs Kerberos vs User-ID agent?
Hello, I'm using this resource to configure a Site-to-Site IPSec VPN in Layer 2 with a PA-200. Of course, it's not working, which is why I'm here with a lot of questions. edit: it's working now

1/ I'm assuming the left part of the diagram is considered the client and the right part the IPSec server. So in Network Profiles/IKE Gateways, L2side object, I checked "Enable NAT Traversal". edit: it seems I didn't need this checked, so let's take the default

2/ Is there a public web site I can check to make sure the client router is VPN passthrough? There is no option in it to enable or disable this.

3/ On the client router, should I forward ports UDP/500 and UDP/4500? I don't have an option to forward ESP or AH. edit: I didn't forward any ports

4/ I suppose devices on the client LAN 172.16.101.0/24 must have a route to reach 172.16.100.0/24 pointing to 172.16.101.200. edit: correct

5/ I'm trying to ping 172.16.101.200 but it's not working, either from L2trust or L2untrust. When I'm connected to the PA-200 via SSH, I can ping it. edit: I added a management profile with ping permitted on interface vlan.1 and now it's OK.

6/ Let's talk about the rules I have to set up. Currently I have these:
From L2trust/Any to L2untrust/Any : ACCEPT
From L2untrust/Any to L2trust/Any : ACCEPT
From untrust/172.16.101.0/24 to VPN/172.16.100.0/24 : ACCEPT
From VPN/172.16.100.0/24 to untrust/172.16.101.0/24 : ACCEPT
No NAT rules.

7/ I don't understand the tunnel.1 IP address 188.8.131.52/32. What is it and how is it related to the IPSec server? edit: there is an error in the document, I used 172.16.100.200/32

8/ My IPSec server is a Fortigate. It currently has another IPSec tunnel which is working. I made a static route for 172.16.101.0/24. I have rules to permit all. On the Fortigate, the IPSec tunnel is down and on the PA-200, L2sideipsec is in red state. I can provide screenshots of the Fortigate configuration; I tried main and aggressive configuration, IKE 1 and 2. edit: I used aggressive mode and had to use Peer Identification on L2side

9/ When I do a "show network vlan test", I don't have l3-forwarding enabled. How could I do that from the GUI or CLI? edit: didn't use this part

10/ It seems that these 2 zones, vlan and trust, have no use, so I deleted them.

I'm currently still searching but could take any help and answer any question.

edit: useful commands:
close tunnel:
clear vpn ike-sa gateway L2side
clear vpn ipsec-sa tunnel L2sideipsec
test phase 1:
test vpn ike-sa gateway L2side
test phase 2:
test vpn ipsec-sa tunnel L2sideipsec
In Monitor/Logs/System, make a filter for VPN errors: (subtype eq vpn)
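The (subtype eq vpn) filter and the phase-1 / phase-2 test commands at the end of the post above are the usual triage loop for a tunnel that stays red. The script below is an added example, not code from the original post or from Palo Alto Networks: it applies the same subtype filter to a system-log CSV export, counts phase-1 and phase-2 failures per IKE gateway or tunnel object, and maps the most recent failure to the CLI test the poster listed. The column order (Type, Subtype, Event ID, Object, Severity, Description at the indices used) is assumed from a PAN-OS system-log export and must be checked against your own export; the log lines and event IDs in SAMPLE_EXPORT are constructed for the example.

```python
"""Triage a PAN-OS system-log CSV export for VPN (IKE/IPsec) failures.

Added example for this thread, not code from the original post or from
Palo Alto Networks. Column indices assume a PAN-OS system-log export laid
out as: FUTURE_USE, Receive Time, Serial, Type, Subtype, FUTURE_USE,
Generated Time, Virtual System, Event ID, Object, FUTURE_USE, FUTURE_USE,
Module, Severity, Description, Sequence Number, Action Flags. Verify the
order against a real export before trusting the indices.
"""
import csv
from collections import Counter, defaultdict
from io import StringIO

# Assumed column positions (see module docstring).
COL_TYPE, COL_SUBTYPE, COL_TIME = 3, 4, 6
COL_EVENT, COL_OBJECT, COL_SEVERITY, COL_DESC = 8, 9, 13, 14

# Constructed sample export (not real device output): one non-VPN line,
# two phase-1 failures on gateway L2side, then phase-1 success, then a
# phase-2 (proxy ID) failure on tunnel L2sideipsec. Lines are in time order.
SAMPLE_EXPORT = """\
1,2020/01/01 10:00:01,001234567890,SYSTEM,general,0,2020/01/01 10:00:01,,general,,0,0,general,informational,"Config commit completed",1001,0x0
1,2020/01/01 10:00:05,001234567890,SYSTEM,vpn,0,2020/01/01 10:00:05,,ike-nego-p1-fail,L2side,0,0,ikemgr,informational,"IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: 203.0.113.10[500]-198.51.100.20[500]",1002,0x0
1,2020/01/01 10:00:15,001234567890,SYSTEM,vpn,0,2020/01/01 10:00:15,,ike-nego-p1-fail,L2side,0,0,ikemgr,informational,"IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: 203.0.113.10[500]-198.51.100.20[500]",1003,0x0
1,2020/01/01 10:01:00,001234567890,SYSTEM,vpn,0,2020/01/01 10:01:00,,ike-nego-p1-succ,L2side,0,0,ikemgr,informational,"IKE phase-1 SA is established as initiator, aggressive mode.",1004,0x0
1,2020/01/01 10:01:02,001234567890,SYSTEM,vpn,0,2020/01/01 10:01:02,,ike-nego-p2-fail,L2sideipsec,0,0,ikemgr,informational,"IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel for received proxy ID.",1005,0x0
"""


def parse_system_log(text):
    """Parse the CSV export into dicts, skipping blank or truncated rows."""
    rows = []
    for fields in csv.reader(StringIO(text)):
        if len(fields) <= COL_DESC:
            continue
        rows.append({
            "time": fields[COL_TIME], "type": fields[COL_TYPE],
            "subtype": fields[COL_SUBTYPE], "event": fields[COL_EVENT],
            "object": fields[COL_OBJECT], "severity": fields[COL_SEVERITY],
            "desc": fields[COL_DESC],
        })
    return rows


def vpn_events(rows):
    """Same selection as the GUI filter (subtype eq vpn) on the system log."""
    return [r for r in rows if r["type"] == "SYSTEM" and r["subtype"] == "vpn"]


def classify(event_id):
    """Map an event ID to (phase, outcome) by its naming convention."""
    if "p1" in event_id:
        phase = "phase1"
    elif "p2" in event_id or event_id.startswith("ipsec"):
        phase = "phase2"
    else:
        phase = "other"
    outcome = "fail" if event_id.endswith("-fail") else "info"
    return phase, outcome


def summarize(rows):
    """Count phase/outcome pairs per gateway or tunnel object."""
    summary = defaultdict(Counter)
    for r in vpn_events(rows):
        phase, outcome = classify(r["event"])
        summary[r["object"]][f"{phase}_{outcome}"] += 1
    return {obj: dict(c) for obj, c in summary.items()}


def latest_state(rows, obj):
    """(phase, outcome, description) of the most recent VPN event for obj."""
    events = [r for r in vpn_events(rows) if r["object"] == obj]
    if not events:
        return None
    last = events[-1]  # export is assumed to be in time order
    return classify(last["event"]) + (last["desc"],)


def next_check(rows, gateway, tunnel):
    """Pick the CLI test from the thread that matches the latest failure."""
    gw, tun = latest_state(rows, gateway), latest_state(rows, tunnel)
    if gw and gw[1] == "fail":
        return f"test vpn ike-sa gateway {gateway}"
    if tun and tun[1] == "fail":
        return f"test vpn ipsec-sa tunnel {tunnel}"
    return "no recent IKE/IPsec failure: check routes and security policy"


if __name__ == "__main__":
    log = parse_system_log(SAMPLE_EXPORT)
    for obj, counts in summarize(log).items():
        print(obj, counts)
    print(next_check(log, "L2side", "L2sideipsec"))
```

Phase-1 failures point at gateway settings (mode, peer identification, pre-shared key, proposals), which is what the poster ended up changing; a phase-2 failure with a proxy ID message, as in the constructed last line, points at the tunnel object and the proxy IDs the Fortigate side expects.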