VPN issues - Cisco router to Fortinet

Gents,

I have one main Cisco router 2921 and many Fortinet routers that need to connect via VPN (please see below).

I have programmed it as much as I can, but the tunnels do not seem to come up. I've used the following resources:

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/936-cisco-router-vpn-dynamic-endpoint.html (this for the Cisco router)

http://ciscofortigatevpn.blogspot.ca/2013/04/fortigate-two-phases-cisco-router.html (this for the Fortinet)

But no luck. Where am I going wrong?

=====================================

MAIN ROUTER CONFIG

=====================================

!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable password **********
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization network vpn_group_ml_1 local
!
!
aaa session-id common
!
!
clock timezone gmt 0
!
no ipv6 cef
ip source-route
ip cef
!
!
ip dhcp excluded-address 192.168.100.1 192.168.100.49
!
ip dhcp pool TechNet
   network 192.168.100.0 255.255.255.0
   default-router 192.168.100.1
   dns-server 192.168.100.1
   domain-name ********
   option 150 ip 192.168.100.1
!
!
multilink bundle-name authenticated
!
!
username ********* privilege 15 secret 5 **********
!
redundancy
!
!
crypto isakmp policy 1                                                      <------ Shared by both VPN types (mobile users and Fortinets)
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ********* address 0.0.0.0 0.0.0.0           <----- for remote fortinet
!
crypto isakmp client configuration group ********               <------this is for the mobile laptop users who vpn in (working correctly)
 key ************
 dns 192.168.100.1
 pool VPN-Pool
 acl 120
 max-users 10
crypto isakmp profile vpn-ike-profile-1                                <------this is for the mobile laptop users who vpn in (working correctly)
   description This VPN connection is for Tech User Laptops
   match identity group **********
   client authentication list vpn_xauth_ml_1
   isakmp authorization list vpn_group_ml_1
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac     <------shared by both VPN types (mobile users and Fortinets)
!
crypto ipsec profile VPN-Profile-1                                        <------this is for the mobile laptop users who vpn in (working correctly)
 description This is for Tech User Laptops
 set transform-set encrypt-method-1
!
!
crypto dynamic-map hq-vpn 10                                                    <----- for remote fortinet  #1
 description This is for remote Fortinet 1 router
 set security-association lifetime seconds 86400
 set transform-set encrypt-method-1
 match address VPN1-Fortinet
crypto dynamic-map hq-vpn 11                                                    <----- for remote fortinet # 2
 description This is for remote Fortinet 2 router
 set security-association lifetime seconds 86400
 set transform-set encrypt-method-1
 match address VPN2-Fortinet
!
!
crypto map VPN-FORTINET 1 ipsec-isakmp dynamic hq-vpn        <----- for remote fortinet
!
!
interface GigabitEthernet0/0
 description DSL Interface to ISP
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 !
!
interface GigabitEthernet0/1
 description Inside Interface
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
!
interface Virtual-Template2 type tunnel                               <------this is for the mobile laptop users who vpn in (working correctly)
 description This is for Tech User Laptops
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-Profile-1
 !
!
interface Dialer0
  ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 ppp pap sent-username ****** password 0 *******
 crypto map VPN-FORTINET                                              <----- for remote fortinet
 !
!
ip local pool VPN-Pool 192.168.110.20 192.168.110.50     <------this is for the mobile laptop users who vpn in (working correctly)
ip forward-protocol nd
!
ip nat inside source list 10 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended VPN1-Fortinet                                  <----- for remote fortinet #1
 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended VPN2-Fortinet                                  <----- for remote fortinet #2
 permit ip 192.168.100.0 0.0.0.255 192.168.2.0 0.0.0.255
!
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 110 permit ip any any
access-list 120 permit ip 192.168.100.0 0.0.0.255 192.168.110.0 0.0.0.255   <------this is for the mobile laptop users who vpn in (working correctly)
access-list 120 permit ip 192.168.110.0 0.0.0.255 192.168.100.0 0.0.0.255   <------this is for the mobile laptop users who vpn in (working correctly)
!
!
control-plane
 !
!
end
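Added check, not from the poster, from Cisco or from either linked guide: one thing a reviewer would look at in the config above is the interaction between `ip nat inside source list 10 interface Dialer0 overload` and the two crypto ACLs. List 10 permits every 192.168.0.0/16 source regardless of destination, and on IOS inside-to-outside NAT is applied before the crypto map is consulted, so LAN traffic for 192.168.1.0/24 and 192.168.2.0/24 is translated to the Dialer0 address and then no longer matches VPN1-Fortinet or VPN2-Fortinet. That does not by itself explain why IKE never negotiates, but it would break the tunnels' traffic once they did. The script below parses the relevant lines (constructed excerpt of the posted config) and reports which crypto ACL entries the NAT list would translate; the second configuration is a constructed NAT-exemption variant (the list number 101 is a hypothetical choice) that shows the check passing. It handles standard and extended numbered ACLs and named extended ACLs, with the `ip` protocol keyword only.

```python
# Config lint: flag crypto-ACL traffic that the inside NAT list would translate.
# IOS applies inside-to-outside NAT before the crypto map, so any flow the NAT
# list permits is translated and then fails to match the crypto ACL.
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")
DOTTED = re.compile(r"\d+\.\d+\.\d+\.\d+")

# Constructed excerpt of the posted config: only the lines this check reads.
POSTED = """\
crypto dynamic-map hq-vpn 10
 match address VPN1-Fortinet
crypto dynamic-map hq-vpn 11
 match address VPN2-Fortinet
ip nat inside source list 10 interface Dialer0 overload
ip access-list extended VPN1-Fortinet
 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended VPN2-Fortinet
 permit ip 192.168.100.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 10 permit 192.168.0.0 0.0.255.255
"""

# Constructed variant with NAT exemption: deny the tunnel traffic before the
# overload permit.  List 101 is a hypothetical number, not from the post.
EXEMPTED = POSTED.replace("source list 10 ", "source list 101 ").replace(
    "access-list 10 permit 192.168.0.0 0.0.255.255",
    "access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255\n"
    "access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.2.0 0.0.0.255\n"
    "access-list 101 permit ip 192.168.0.0 0.0.255.255 any")


def is_standard(number):
    """IOS numbered ACL ranges that carry only a source address."""
    n = int(number)
    return 1 <= n <= 99 or 1300 <= n <= 1999


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into an IPv4Network (wildcard is inverted)."""
    netmask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD | A); return (net, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if len(tokens) > 1 and DOTTED.fullmatch(tokens[1]):
        return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]
    return ipaddress.ip_network(tokens[0] + "/32"), tokens[1:]


def parse_entry(tokens, standard):
    """Parse 'permit|deny [ip] SRC [DST]' into (action, src_net, dst_net)."""
    action, rest = tokens[0], tokens[1:]
    if standard:
        return action, parse_addr(rest)[0], ANY
    src, rest = parse_addr(rest[1:])  # rest[0] is the protocol keyword ('ip')
    return action, src, parse_addr(rest)[0]


def parse_config(text):
    """Return (nat_list, crypto_acl_names, acls); acls maps a name or number to entries."""
    nat_list, crypto_acls, acls, current = None, [], {}, None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["match", "address"]:
            crypto_acls.append(t[2])
        elif t[:5] == ["ip", "nat", "inside", "source", "list"]:
            nat_list, current = t[5], None
        elif t[:3] == ["ip", "access-list", "extended"]:
            current = acls.setdefault(t[3], [])
        elif t[0] == "access-list":
            acls.setdefault(t[1], []).append(parse_entry(t[2:], is_standard(t[1])))
            current = None
        elif raw.startswith(" ") and current is not None and t[0] in ("permit", "deny"):
            current.append(parse_entry(t, standard=False))
        else:
            current = None
    return nat_list, crypto_acls, acls


def first_match(entries, src_ip, dst_ip):
    """IOS ACL semantics: first matching entry wins, implicit deny at the end."""
    for action, src, dst in entries:
        if src_ip in src and dst_ip in dst:
            return action
    return "deny"


def representative(net):
    """One host inside net, used to probe the NAT list."""
    return net.network_address + (1 if net.prefixlen < 31 else 0)


def find_nat_leaks(text):
    """(crypto_acl, src, dst) for each permit entry whose traffic NAT would translate first."""
    nat_list, crypto_acls, acls = parse_config(text)
    nat_entries = acls.get(nat_list, [])
    leaks = []
    for name in crypto_acls:
        for action, src, dst in acls.get(name, []):
            if action == "permit" and first_match(
                    nat_entries, representative(src), representative(dst)) == "permit":
                leaks.append((name, str(src), str(dst)))
    return leaks


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("with NAT exemption", EXEMPTED)):
        leaks = find_nat_leaks(cfg)
        print(f"{label}: {len(leaks)} crypto ACL entries translated by NAT")
        for name, src, dst in leaks:
            print(f"  {name}: {src} -> {dst}")
```

Run against the posted excerpt it reports both crypto ACL entries; against the exemption variant it reports none. The probe uses one representative host per network, so it catches a NAT list that covers a crypto entry but not one that only partially overlaps it.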
