IPSec CSR1000v Fortigate600D

Security problems (VPN, firewall, IDS/IPS, etc.)
lukis
member
Posts: 46
Joined: 30 Jul 2014, 12:27

IPSec CSR1000v Fortigate600D

#1 Post by lukis »

Hello,

I have a problem bringing up a tunnel between our Fortigate and a customer's device (CSR1000v). Unfortunately, contact with the customer is difficult, not to say non-existent. I have neither logs nor debug output from the other side, and I won't be getting any. In my opinion the problem is a wrong PSK, although the customer claims it is correct. I don't know the CSR, so I can't verify its configuration to that extent, hence the request for help.
Below are the configs from the Cisco and the Forti:

Cisco CSR
crypto isakmp policy 110
encr aes 256
hash sha256
group 14
====================================================================
crypto ipsec transform-set aes_sha_256 esp-aes 256 esp-sha256-hmac
=====================================================================
crypto map csrmap 44 ipsec-isakmp
description xxx
set peer 195.x.x.x
set security-association lifetime seconds 28800
set transform-set aes_sha_256
set pfs group14
match address xxxACL
=====================================================================
ip access-list extended xxxACL
permit ip host 52.x.x.x host 192.168.40.50
permit ip host 192.168.40.50 host 52.x.x.x
=====================================================================
crypto isakmp key 921cc54c99cf3a76db5ec804f2477864907400c7ee2c1cae24ed33800391032e address 195.x.x.x
Fortigate
show full vpn ipsec phase1-interface xxx
config vpn ipsec phase1-interface
edit "xxx"
set type static
set interface "port10"
set ip-version 4
set ike-version 1
set local-gw 0.0.0.0
set keylife 86400
set authmethod psk
set mode main
set peertype any
set mode-cfg disable
set proposal aes256-sha256 aes128-sha256 aes256-sha1 aes128-sha1
set exchange-interface-ip disable
set localid ''
set localid-type keyid
set negotiate-timeout 30
set fragmentation enable
set dpd disable
set forticlient-enforcement disable
set comments ''
set npu-offload enable
set dhgrp 14
set suite-b disable
set wizard-type custom
set xauthtype disable
set mesh-selector-type disable
set idle-timeout disable
set ha-sync-esp-seqno enable
set auto-discovery-sender disable
set auto-discovery-receiver disable
set auto-discovery-forwarder disable
set encapsulation none
set nattraversal disable
set remote-gw 54.x.x.x
set monitor ''
set add-gw-route disable
set psksecret ENC XOPE8REqrbp+sCP7/dR7KA9+WkiPQNRPb7/ADmlCEaEMgisrGJ0/XkAQEGXwXAiHtLdwIV39GXcql+30ZJTO9OWV8zlsrdpgTqermQWitIWm3mmXOMHYf05q4vLj7OMkGsdPmCvPDnTE6+IYuooX1I85thzkoXt0pcDDyKaum6G6o2nYumb5WuEd4A/yAbq0Demlkw==
set auto-negotiate enable
next
end
show full vpn ipsec phase2-interface xxx1
config vpn ipsec phase2-interface
edit "Gasco1"
set phase1name "xxx"
set proposal aes256-sha256
set pfs enable
set dhgrp 14
set replay enable
set keepalive disable
set auto-negotiate disable
set auto-discovery-sender phase1
set auto-discovery-forwarder phase1
set keylife-type seconds
set encapsulation tunnel-mode
set comments ''
set protocol 0
set src-addr-type ip
set src-port 0
set dst-addr-type ip
set dst-port 0
set keylifeseconds 43200
set src-start-ip 192.168.40.50
set dst-start-ip 52.x.x.x
next
end
On the Forti side it looks like this:
Gxxx: schedule auto-negotiate
ike 0:Gxxx:792912: initiator: main mode is sending 1st message...
ike 0:Gxxx:792912: cookie 4e54b8c55cb37b6d/0000000000000000
ike 0:Gxxx:792912: out 4E54B8C55CB37B6D00000000000000000110020000000000000000BC0D00003800000001000000010000002C010100010000002401010000800B0001800C708080010007800E010080030001800200048004000E0D000014AFCAD71368A1F1C96B8696FC775701000D00001412F5F28C457168A9702D9FE274CC02040D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE0005045D
ike 0:Gxxx:792912: sent IKE msg (ident_i1send): 195.x.x.x:500->54.x.x.x:500, len=188, id=4e54b8c55cb37b6d/0000000000000000
ike 0:Gxxx:792912: ignoring unsupported INFORMATIONAL message 0.
ike 0:Gxxx:792912: out 4E54B8C55CB37B6D00000000000000000110020000000000000000BC0D00003800000001000000010000002C010100010000002401010000800B0001800C708080010007800E010080030001800200048004000E0D000014AFCAD71368A1F1C96B8696FC775701000D00001412F5F28C457168A9702D9FE274CC02040D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE0005045D
ike 0:Gxxx:792912: sent IKE msg (P1_RETRANSMIT): 195.x.x.x:500->54.x.x.x:500, len=188, id=4e54b8c55cb37b6d/0000000000000000
ike 0:Gxxx:792912: out 4E54B8C55CB37B6D00000000000000000110020000000000000000BC0D00003800000001000000010000002C010100010000002401010000800B0001800C708080010007800E010080030001800200048004000E0D000014AFCAD71368A1F1C96B8696FC775701000D00001412F5F28C457168A9702D9FE274CC02040D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE0005045D
ike 0:Gxxx:792912: sent IKE msg (P1_RETRANSMIT): 195.x.x.x:500->54.x.x.x:500, len=188, id=4e54b8c55cb37b6d/0000000000000000
ike 0:Gxxx:792912: negotiation timeout, deleting
ike 0:Gxxx: connection expiring due to phase1 down
Shouldn't there also be "authentication pre-share" in "crypto isakmp policy 110" on the Cisco side?


Thanks in advance for your interest in the topic.

Maciek_JG
member
Posts: 48
Joined: 14 Jan 2011, 16:57
Location: WRO

Re: IPSec CSR1000v Fortigate600D

#2 Post by Maciek_JG »

At first glance it looks like what you wrote about is indeed missing :)

Correctly establishing an ISAKMP tunnel (otherwise known as Phase 1 / Main Mode) requires configuring the following parameters, and they must match on both sides (the only exception, I think, is a mismatch of the L - lifetime parameter):

H - hashing
A - authentication
G - group (DH)
L - lifetime
E - encryption
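
What the FortiGate actually proposes can be read straight out of the "out 4E54B8C5..." hex dump in the first post, which makes the HAGLE comparison above concrete. The Python decoder below is an added example, not code from either post: it parses the ISAKMP header, the SA/proposal/transform payloads and the vendor ID payloads of that packet (attribute numbers per RFC 2409 Appendix A), then checks the decoded transform against a dictionary modelling `crypto isakmp policy 110` as posted (IOS defaults `authentication` to rsa-sig when the line is absent) and against the same policy with `authentication pre-share` added. The policy dictionaries and the `policy_accepts` helper are my own simplification of a responder's policy match, not Cisco's code.

```python
# Added example (not from the original thread): decode the IKEv1 Main Mode first
# message logged by the FortiGate and match it against a Cisco-style ISAKMP policy.
# Attribute/value numbers follow RFC 2409 Appendix A and the IANA ISAKMP registry.
import struct

# Constructed input: the "out ..." hex dump copied from the FortiGate ike debug.
FORTI_MM1_HEX = (
    "4E54B8C55CB37B6D00000000000000000110020000000000000000BC"
    "0D00003800000001000000010000002C010100010000002401010000"
    "800B0001800C708080010007800E010080030001800200048004000E"
    "0D000014AFCAD71368A1F1C96B8696FC77570100"
    "0D00001412F5F28C457168A9702D9FE274CC0204"
    "0D0000144048B7D56EBCE88525E7DE7F00D6C2D3"
    "0D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000"
    "000000148299031757A36082C6A621DE0005045D"
)

EXCHANGE_TYPES = {2: "Identity Protection (Main Mode)", 4: "Aggressive", 5: "Informational"}
PAYLOAD_SA, PAYLOAD_VID = 1, 13

# IKEv1 SA attribute types and the values most commonly seen on the wire.
ATTR_NAMES = {1: "encryption", 2: "hash", 3: "authentication", 4: "group",
              11: "life_type", 12: "life_duration", 14: "key_length"}
ATTR_VALUES = {
    "encryption": {3: "3des-cbc", 7: "aes-cbc"},
    "hash": {1: "md5", 2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"},
    "authentication": {1: "pre-share", 3: "rsa-sig"},
    "life_type": {1: "seconds", 2: "kilobytes"},
}

def parse_sa_attributes(data):
    """Decode a transform's attribute list; handles both TV (bit 15 set) and TLV forms."""
    attrs, off = {}, 0
    while off < len(data):
        atype, = struct.unpack_from("!H", data, off)
        if atype & 0x8000:                       # TV: a 2-byte value follows the type
            value, = struct.unpack_from("!H", data, off + 2)
            off += 4
        else:                                    # TLV: 2-byte length, then the value
            length, = struct.unpack_from("!H", data, off + 2)
            value = int.from_bytes(data[off + 4:off + 4 + length], "big")
            off += 4 + length
        name = ATTR_NAMES.get(atype & 0x7FFF, f"attr_{atype & 0x7FFF}")
        attrs[name] = ATTR_VALUES.get(name, {}).get(value, value)
    return attrs

def parse_isakmp(packet):
    """Walk the ISAKMP header and payload chain; collect transforms and vendor IDs."""
    icookie, _rcookie, np, _ver, xchg, _flags, _msgid, length = struct.unpack_from(
        "!8s8sBBBBII", packet, 0)
    if length != len(packet):
        raise ValueError(f"length field {length} != packet size {len(packet)}")
    msg = {"icookie": icookie.hex(), "exchange": EXCHANGE_TYPES.get(xchg, xchg),
           "length": length, "transforms": [], "vendor_ids": []}
    off = 28                                     # fixed ISAKMP header size
    while np != 0:
        nxt, _, plen = struct.unpack_from("!BBH", packet, off)
        body = packet[off + 4:off + plen]
        if np == PAYLOAD_SA:
            poff = 8                             # skip DOI and situation
            while poff < len(body):
                _, _, plen2, pnum, _proto, spisz, ntrans = struct.unpack_from("!BBHBBBB", body, poff)
                toff = poff + 8 + spisz
                for _ in range(ntrans):
                    _, _, tlen, tnum, _tid, _ = struct.unpack_from("!BBHBBH", body, toff)
                    attrs = parse_sa_attributes(body[toff + 8:toff + tlen])
                    attrs.update(proposal=pnum, transform=tnum)
                    msg["transforms"].append(attrs)
                    toff += tlen
                poff += plen2
        elif np == PAYLOAD_VID:
            msg["vendor_ids"].append(body.hex())
        np, off = nxt, off + plen
    return msg

def policy_accepts(transform, policy):
    """Simplified responder check: H, A, G and E must agree; lifetime is ignored
    (peers settle on the shorter value, as the post above notes)."""
    keys = ("encryption", "key_length", "hash", "authentication", "group")
    return all(transform.get(k) == policy.get(k) for k in keys)

# Model of 'crypto isakmp policy 110' as posted. Assumption stated in the lead-in:
# with no 'authentication' line, IOS defaults the method to rsa-sig.
CISCO_POLICY_110 = {"encryption": "aes-cbc", "key_length": 256, "hash": "sha256",
                    "authentication": "rsa-sig", "group": 14}
CISCO_POLICY_110_FIXED = dict(CISCO_POLICY_110, authentication="pre-share")

def analyse():
    msg = parse_isakmp(bytes.fromhex(FORTI_MM1_HEX))
    proposal = msg["transforms"][0]
    return (msg, proposal, policy_accepts(proposal, CISCO_POLICY_110),
            policy_accepts(proposal, CISCO_POLICY_110_FIXED))

if __name__ == "__main__":
    msg, proposal, before, after = analyse()
    print(msg["exchange"], msg["length"], "bytes,", len(msg["vendor_ids"]), "vendor IDs")
    print("FortiGate proposes:", proposal)
    print("policy 110 as posted accepts it:", before)
    print("policy 110 + 'authentication pre-share' accepts it:", after)
```

Running it shows the FortiGate offering a single transform (aes-cbc/256, sha256, pre-share, group 14, lifetime 28800 seconds) plus five vendor ID payloads, with the posted policy rejecting the transform on the A parameter and the corrected policy accepting it. The same decoder can be pointed at any other `out`/`in` hex line from the FortiGate ike debug.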

lukis
member
Posts: 46
Joined: 30 Jul 2014, 12:27

Re: IPSec CSR1000v Fortigate600D

#3 Post by lukis »

Yes, that was what was missing; somehow I forced that change on them... but this morning they went back to the old configuration :) Thanks!
