Fortigate and PFSENSE...



  • Hello everyone!

    We are trying to create an IPsec tunnel between a pfSense box (latest version) and a Fortigate product.
    We have tried a lot of settings, with no luck; we have never got the P1 up.

    On the pfSense side, nothing really complicated: a pfSense in HA / CARP. We have 5 other IPsec tunnels up with other clients where we had no particular issue.
    On the Fortigate side, they have:

    • a first gateway in a first datacenter. I connect my IPsec to this IP (called IP-FORTI-P1A).
    • They have a NAT from the first IP, IP-FORTI-P1A, to a second datacenter IP: IP-FORTI-P1B.
    • On this second datacenter IP, IP-FORTI-P1B, we have the VPN tunnel, where I actually connect through NAT.

    We tried:

    • Multi-checked the PSK, using something small and easy... 1234 and so on...
    • Changing IKE to v2, both sides
    • Changing to any encryption settings, both sides
    • Changing the « LocalId » to set their IP-FORTI-P1A as ID, Forti side
    • Disabling P2, pfSense side
    • With or without NAT traversal on the Forti side
    • Main or aggressive mode on both sides
    • DPD on / off...
      With no luck.

    On IKEv2 we get a MAC mismatch, with any ID settings.

    You will find attached:

    Does anyone have some directions to point me to?

    Thanks in advance...

    olivier

    5_1532526472136_topology.JPG



  • I see your log and I think that the problem is a Phase 1 Pre-Shared Key mismatch.

    Can you check the pre-shared key?

    Look at this:

    https://www.netgate.com/docs/pfsense/vpn/ipsec/ipsec-troubleshooting.html



  • Hello, and thanks for your answer.

    In fact, we saw some posts on the net with this log, pointing to a PSK mismatch.
    We made a lot (LOT) of tests with a lot of different PSKs; the P1 never got up.

    We tried some PSKs like '1234', 'test', and so on...
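The "MAC mismatch" reported in the first post and the PSK-mismatch diagnosis in the reply both come down to the IKEv2 AUTH payload, so here is an added example (not from the thread, pfSense or Fortinet) modelling the shared-key AUTH computation of RFC 7296 section 2.15 together with a simplified ID-based secret lookup. It shows that the same PSK still fails verification when the peer presents a different identity than the one the secret is stored under, which matters when the Fortigate sits behind a NAT between IP-FORTI-P1A and IP-FORTI-P1B. All byte values and addresses are constructed placeholders, and the secret lookup is a simplification of how a responder selects its PSK.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    # PRF_HMAC_SHA2_256, one of the PRFs the two peers can negotiate in P1
    return hmac.new(key, data, hashlib.sha256).digest()

def id_ipv4(addr: str) -> bytes:
    # ID payload body: ID_IPV4_ADDR (type 1), 3 reserved bytes, 4 address octets
    return bytes([1, 0, 0, 0]) + bytes(int(o) for o in addr.split("."))

def ikev2_psk_auth(psk: bytes, sk_p: bytes, first_msg: bytes,
                   peer_nonce: bytes, id_body: bytes) -> bytes:
    """AUTH data for shared-key authentication (RFC 7296, 2.15):
    prf(prf(PSK, "Key Pad for IKEv2"), RealMessage1 | NonceRData | prf(SK_pi, IDi'))"""
    signed_octets = first_msg + peer_nonce + prf(sk_p, id_body)
    return prf(prf(psk, b"Key Pad for IKEv2"), signed_octets)

# Constructed sample values standing in for the real IKE_SA_INIT exchange;
# the addresses are placeholders for IP-FORTI-P1A (NAT'd) and IP-FORTI-P1B.
MSG1 = bytes.fromhex("0011223344556677" * 4)
NONCE_R = bytes.fromhex("a1b2c3d4" * 8)
SK_PI = hashlib.sha256(b"sample SK_pi from the key material").digest()
FORTI_P1A = "198.51.100.10"
FORTI_P1B = "203.0.113.10"

def initiator_auth(psk: bytes, idi: str) -> bytes:
    # What the initiator puts in its AUTH payload for the identity it presents
    return ikev2_psk_auth(psk, SK_PI, MSG1, NONCE_R, id_ipv4(idi))

def responder_accepts(secrets: dict, received_idi: str, received_auth: bytes) -> bool:
    """Simplified responder: pick the PSK by the presented identity ("%any" as
    fallback), recompute AUTH and compare; a difference is the 'MAC mismatch'."""
    psk = secrets.get(received_idi, secrets.get("%any"))
    if psk is None:
        return False
    expected = ikev2_psk_auth(psk, SK_PI, MSG1, NONCE_R, id_ipv4(received_idi))
    return hmac.compare_digest(expected, received_auth)

if __name__ == "__main__":
    secrets = {FORTI_P1A: b"1234", "%any": b"psk-of-another-tunnel"}
    # Peer identifies as the address the PSK was configured for: accepted
    print(responder_accepts(secrets, FORTI_P1A, initiator_auth(b"1234", FORTI_P1A)))
    # Same PSK, but the peer identifies with its own interface address behind
    # the NAT: a different secret is selected and AUTH fails
    print(responder_accepts(secrets, FORTI_P1B, initiator_auth(b"1234", FORTI_P1B)))
    # Right identity, PSK differs by one character on one side: fails too
    print(responder_accepts(secrets, FORTI_P1A, initiator_auth(b"12345", FORTI_P1A)))
```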