Netgate Discussion Forum

    Fortigate and PFSENSE...

    IPsec
    3 Posts 2 Posters 1.4k Views
    • aniodon (last edited by aniodon)

      Hello everyone!

      We are trying to create an IPsec tunnel between a pfSense box (latest version) and a Fortigate product.
      We have tried a lot of settings with no luck; we have never got P1 up.

      On the pfSense side, nothing really complicated: a pfSense in HA / CARP. We have 5 other IPsec tunnels up with other clients where we had no particular issue.
      On the Fortigate side, they have:

      • a first gateway in a first datacenter. I connect my IPsec to this IP (called IP-FORTI-P1A).
      • a NAT from the first IP IP-FORTI-P1A to a second datacenter IP: IP-FORTI-P1B.
      • on this second datacenter IP IP-FORTI-P1B, the VPN tunnel, where I actually connect through NAT.

      We tried:

      • Checking the PSK multiple times, using something small and easy... 1234 and so on...
      • Changing IKE to v2, both sides
      • Changing to any encryption settings, both sides
      • Changing the « LocalId » to set their IP-FORTI-P1A as ID, Forti side
      • Disabling P2, pfSense side
      • With or without NAT traversal on the Forti side
      • Main or aggressive mode on both sides
      • DPD on / off…
        With no luck.

      On IKEv2 we get a MAC mismatch, with any ID settings.

      You will find attached:

      • Topology.jpg : a summary of the topology (see below)
      • CONF-PFSENSE-StrongSwan.txt : my settings : 1_1532526472136_CONF-PFSENSE-StrongSwan.txt
      • CONF-FORTIGATE-ON_DCE.txt : their settings : 0_1532526472135_CONF-FORTIGATE-ON_DCE.txt
      • LOGS_FORTI_DTO.txt : their logs on the first datacenter : 3_1532526472136_LOGS_FORTI_DTO.txt
      • LOGS_FORTI_DCE.txt : their logs on the second datacenter : 2_1532526472136_LOGS_FORTI_DCE.txt
      • LOGS_PFSENSE.txt : my logs : 4_1532526472136_LOGS_PFSENSE.txt

      Has anyone some directions to point me to?

      Thanks in advance…

      olivier

      [attachment: 5_1532526472136_topology.JPG]

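      The poster's logs are not reproduced on this page, so here is an added example (not from the poster, and not pfSense or strongSwan code) of the kind of first-pass triage a defender can run over the pfSense side of such a failure. It maps well-known strongSwan charon messages to a likely cause and the check to make next; the log lines embedded below are constructed in the style of charon output (documentation addresses from RFC 5737) and the message fragments are the ones the author of this example knows from strongSwan, so verify them against a real /var/log/ipsec.log before relying on them.

```python
"""Triage helper for pfSense IPsec (strongSwan charon) logs.

Added example; not from the forum thread or the strongSwan project.
Sample log lines are constructed; real output varies by version.
"""
import re
from collections import Counter

# Each entry: (charon message fragment, likely cause, defender-side check).
# The fragments are assumptions drawn from the author's experience with
# strongSwan; check them against the actual log in use.
SIGNATURES = [
    (r"invalid HASH_V1 payload length, decryption failed\?",
     "IKEv1 PSK mismatch (or wrong identifier used to select the PSK)",
     "Re-enter the PSK on both ends; confirm which identifier (IP, FQDN, KeyID) each side uses to look up the key"),
    (r"verification of AUTH payload with pre-shared key failed",
     "IKEv2 PSK mismatch (or identifier mismatch: PSK looked up by the wrong IDi/IDr)",
     "Compare the IDi/IDr charon prints with the peer's configured local/remote identifiers"),
    (r"no IKE config found for .*, sending NO_PROPOSAL_CHOSEN",
     "No Phase 1 configuration matches the peer address or identifier",
     "Check the remote gateway address and identifiers; a NATed peer may arrive from a different source address"),
    (r"received NO_PROPOSAL_CHOSEN notify error",
     "Phase 1/2 proposal mismatch (encryption, hash, DH group or lifetime)",
     "Align ciphers, hash, DH group and lifetimes exactly on both sides"),
    (r"remote host is behind NAT|local host is behind NAT",
     "NAT detected on the path; NAT-T (UDP/4500) must be allowed end to end",
     "Permit UDP 500 and 4500 on every firewall between the gateways"),
    (r"retransmit \d+ of request with message ID",
     "No reply from the peer (filtering, wrong address, or peer not responding)",
     "Verify reachability of the remote gateway and that UDP 500/4500 are not filtered"),
]


def triage(lines):
    """Return a list of (cause, check) for every log line matching a signature."""
    findings = []
    for line in lines:
        for pattern, cause, check in SIGNATURES:
            if re.search(pattern, line):
                findings.append((cause, check))
                break  # one verdict per line
    return findings


def summarize(lines):
    """Count how often each likely cause appears, most frequent first."""
    return Counter(cause for cause, _ in triage(lines)).most_common()


# Constructed sample log, modelled on charon output for a failed IKEv2
# negotiation through NAT (the symptom described in the thread).
SAMPLE_LOG = """\
charon: 14[IKE] <con1000|3> initiating IKE_SA con1000[3] to 203.0.113.10
charon: 14[IKE] <con1000|3> remote host is behind NAT
charon: 14[IKE] <con1000|3> local host is behind NAT
charon: 09[IKE] <con1000|3> verification of AUTH payload with pre-shared key failed
charon: 09[IKE] <con1000|3> IKE_SA con1000[3] state change: CONNECTING => DESTROYING
charon: 11[IKE] <con1000|4> retransmit 1 of request with message ID 0
""".splitlines()

if __name__ == "__main__":
    for cause, count in summarize(SAMPLE_LOG):
        print(f"{count}x {cause}")
    for cause, check in triage(SAMPLE_LOG):
        print(f"- {cause}\n    check: {check}")
```

      Note that an IKEv2 AUTH verification failure is reported the same way whether the PSK text differs or the identifiers differ, which is why changing the PSK alone may not be conclusive: the identifiers both peers actually send are the other half of what selects the key.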
      • gersonofstone

        I see your log and I think the problem is a Phase 1 Pre-Shared Key mismatch.

        Can you check the pre-shared key?

        Look at this:

        https://www.netgate.com/docs/pfsense/vpn/ipsec/ipsec-troubleshooting.html

        Papu!! :V

        • aniodon

          Hello and thanks for your answer.

          In fact, we saw some posts on the net with this log, pointing to a PSK mismatch.
          We made a lot (LOT) of tests with a lot of different PSKs; P1 never came up.

          We tried PSKs such as '1234', 'test', and so on...

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.