I am having a VPN issue between an ASA and a Fortigate.
I believe that the issue is on the Fortigate side, but some things on the ASA give me pause.
In my configuration, traffic from the ASA (172.30.8.x) bound for 192.168.1.x or 192.168.2.x goes to the Fortigate via an IPsec VPN.
The inside network for the Fortigate is 192.168.1.x. It has a route to 192.168.2.x.
VPN traffic works as expected when communicating from 172.30.8.x to 192.168.1.x. No problems there. Traffic going to 192.168.2.x is dropped somewhere. I think this is a Fortigate issue, but I have a doubt because when I do a packet-trace the ASA reports a DROP via ACL, but I have no idea what ACL that is, perhaps an implicit one. I am including as much information as I have. Any help or suggestions are greatly appreciated.
Here is the relevant config. I have a remote access VPN to this network that also works fine; I included that information too, just in case it has some effect.
name 192.168.1.0 remote-indiana-int
name 192.168.2.0 remote-ohio-int
name 220.127.116.11 remote-indiana-ext
name 172.30.8.0 remote-colo-int
no ip address
ip address 172.30.8.1 255.255.255.0
object-group network remote-internal
network-object remote-indiana-int 255.255.255.0
network-object remote-ohio-int 255.255.255.0
access-list outside_vlan88_cryptomap extended permit ip remote-colo-int 255.255.255.0 object-group remote-internal
access-list vlan88_nat0_outbound extended permit ip remote-colo-int 255.255.255.0 object-group remote-internal
access-list vlan88_nat0_outbound extended permit ip object-group remote-internal remote-colo-int 255.255.255.0
access-list vlan88_nat0_outbound extended permit ip remote-colo-int 255.255.255.0 172.30.8.96 255.255.255.248
access-list vlan88_tunnel_splitTunnelAcl standard permit remote-colo-int 255.255.255.0
ip local pool vlan88_pool 172.30.8.97-172.30.8.102 mask 255.255.255.248
I have faced a similar issue in the past and was able to find a solution for it.
I had an issue where I had 2 source subnets on the Fortigate end and one on the ASA end.
I created multiple phase 2s on the Fortigate side for a single phase 1. In the quick mode selector in the phase 2 configuration I chose one source subnet (Fortigate side) and destination subnet (ASA side), and another phase 2 for the 2nd source subnet and the same destination.
On the ASA I created 2 different policies: access-list 10 with one source (ASA) and destination 1 (Fortigate),
and a 2nd policy, access-list 20, with one source (ASA) and destination 2 (Fortigate).
Then I added these 2 policies to a single crypto map and called that on the interface, and the VPN worked successfully.
Since then I have deployed this in many other sites and it works perfectly.
So instead of using a single phase 2, use multiple. And the same goes for the security policies on the ASA. Try it and let me know if it doesn't work.
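The two posts above (the original config, whose single crypto ACE uses an object-group of two subnets, and the reply recommending one phase 2 per subnet) both come down to whether every proxy-ID pair the ASA negotiates has a Fortigate quick-mode selector covering it. The following Python script is an added example written for this page, not code from either poster or from Cisco or Fortinet; the subnets are taken from the thread, the Fortigate selector sets are constructed, and the matching rule (a Fortigate phase 2 "covers" an ASA pair when its mirrored selectors contain it) is a simplifying assumption, since real IKEv1 negotiation is stricter about exact matches.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]


def expand_asa_crypto_acl(local: str, remote_members: List[str]) -> List[Pair]:
    """An ASA crypto ACE whose destination is an object-group is negotiated as
    one proxy-ID (traffic selector) pair per group member, not as one wide pair."""
    lnet = ipaddress.ip_network(local)
    return [(lnet, ipaddress.ip_network(r)) for r in remote_members]


def net_pair(local: str, remote: str) -> Pair:
    """Build a (local, remote) selector pair from CIDR strings."""
    return (ipaddress.ip_network(local), ipaddress.ip_network(remote))


def find_phase2(pair: Pair, fgt_phase2: List[Pair]) -> Optional[int]:
    """Return the index of the first Fortigate phase 2 whose quick-mode selectors
    cover the ASA pair, or None. Fortigate selectors are (fgt_local, fgt_remote),
    i.e. the mirror image of the ASA's (asa_local, asa_remote)."""
    asa_local, asa_remote = pair
    for i, (fgt_local, fgt_remote) in enumerate(fgt_phase2):
        if asa_remote.subnet_of(fgt_local) and asa_local.subnet_of(fgt_remote):
            return i
    return None


def audit_selectors(asa_pairs: List[Pair], fgt_phase2: List[Pair]) -> Dict[str, Optional[int]]:
    """Map each ASA pair ('local->remote') to the matching phase-2 index, or None
    when no Fortigate phase 2 would accept that proposal."""
    return {f"{l}->{r}": find_phase2((l, r), fgt_phase2) for l, r in asa_pairs}


def flow_has_sa(src_ip: str, dst_ip: str, asa_pairs: List[Pair], fgt_phase2: List[Pair]) -> bool:
    """Would a packet from src_ip (ASA side) to dst_ip (Fortigate side) end up in a
    negotiated phase-2 SA? False means the ASA either never selects it for the
    tunnel or selects it but cannot bring up a matching SA."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for l, r in asa_pairs:
        if src in l and dst in r:
            return find_phase2((l, r), fgt_phase2) is not None
    return False  # no crypto ACE matches: traffic never enters the tunnel


# Subnets from the thread: ASA side 172.30.8.0/24, remote object-group of two subnets.
ASA_PAIRS = expand_asa_crypto_acl("172.30.8.0/24", ["192.168.1.0/24", "192.168.2.0/24"])

# Constructed: Fortigate with a single phase 2 for its inside network only.
FGT_SINGLE = [net_pair("192.168.1.0/24", "172.30.8.0/24")]

# Constructed: Fortigate with one phase 2 per subnet, as the reply recommends.
FGT_MULTI = [net_pair("192.168.1.0/24", "172.30.8.0/24"),
             net_pair("192.168.2.0/24", "172.30.8.0/24")]

if __name__ == "__main__":
    print("single phase 2:", audit_selectors(ASA_PAIRS, FGT_SINGLE))
    print("two phase 2s:  ", audit_selectors(ASA_PAIRS, FGT_MULTI))
```

With the single-selector set the audit reports the 172.30.8.0/24 to 192.168.2.0/24 pair as unmatched, which is exactly the flow the original post sees dropped while the 192.168.1.x flow works; with a second phase 2 both pairs match. Running the same audit against your own crypto ACL and remote selectors is a quick way to check a proxy-ID mismatch before reading through packet-tracer output.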
As per packet tracer, the encrypt drops because phase 2 of the VPN is not up, and as per the log below the remote end GW (here, the Fortigate) does not have NAT-T enabled. The ASA has this enabled by default, so NAT-T needs to be enabled on the Fortigate to resolve the issue.
6|Jan 23 2014|14:35:26|713172|||||Group = 18.104.22.168, IP = 22.214.171.124, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
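The reply above reads the NAT detection status out of an ASA %ASA-6-713172 syslog line. The script below is an added example for this page, not code from the poster or from Cisco: it parses the pipe-delimited line format shown in the thread, extracts the message ID, group, peer IP and the two NAT-detection booleans, and reports whether NAT-T would actually be put to use. The second sample line, where the remote end is behind NAT, is constructed for illustration; the wording is modelled on the real message but the addresses are placeholders.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in the thread's "sev|date|time|msgid|...|text" layout.
# The first is the line from the reply; the second is constructed with the opposite status.
SAMPLE_LOG = [
    "6|Jan 23 2014|14:35:26|713172|||||Group = 18.104.22.168, IP = 22.214.171.124, "
    "Automatic NAT Detection Status: Remote end is NOT behind a NAT device "
    "This end is NOT behind a NAT device",
    "6|Jan 23 2014|14:40:01|713172|||||Group = 192.0.2.10, IP = 192.0.2.10, "
    "Automatic NAT Detection Status: Remote end is behind a NAT device "
    "This end is NOT behind a NAT device",
    "6|Jan 23 2014|14:40:02|713120|||||Group = 192.0.2.10, IP = 192.0.2.10, PHASE 2 COMPLETED",
]

_REMOTE = re.compile(r"Remote end is (NOT )?behind a NAT device")
_LOCAL = re.compile(r"This end is (NOT )?behind a NAT device")
_PEER = re.compile(r"Group = (?P<group>[^,]+), IP = (?P<ip>[^,]+)")


def parse_nat_detection(line: str) -> Optional[Dict[str, object]]:
    """Parse one pipe-delimited ASA syslog line. Returns a dict for message 713172
    (Automatic NAT Detection Status) and None for any other message ID or a line
    that does not fit the layout."""
    fields = line.split("|")
    if len(fields) < 9 or fields[3] != "713172":
        return None
    text = fields[8]
    remote, local, peer = _REMOTE.search(text), _LOCAL.search(text), _PEER.search(text)
    if not (remote and local and peer):
        return None
    remote_nat = remote.group(1) is None   # the "NOT " capture is absent -> behind NAT
    local_nat = local.group(1) is None
    return {
        "group": peer.group("group"),
        "peer_ip": peer.group("ip"),
        "remote_behind_nat": remote_nat,
        "local_behind_nat": local_nat,
        # NAT-T (UDP 4500 encapsulation) is only negotiated into use when at least
        # one side detected NAT; with neither side behind NAT, ESP runs natively.
        "nat_t_in_use": remote_nat or local_nat,
    }


def nat_detection_report(lines: List[str]) -> List[Dict[str, object]]:
    """Run the parser over a log excerpt and keep only the NAT detection results."""
    results = []
    for line in lines:
        parsed = parse_nat_detection(line)
        if parsed is not None:
            results.append(parsed)
    return results


if __name__ == "__main__":
    for entry in nat_detection_report(SAMPLE_LOG):
        print(entry)
```

For the line quoted in the reply the parser returns both NAT flags as False, so `nat_t_in_use` is False: that message records what the two peers detected, which is worth checking before changing NAT-T settings on either side.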