Fortigate and PFSENSE...
aniodon last edited by aniodon
We are trying to create an ipsec tunnel between a pfsense box (latest version) and a fortigate product.
We have tried a lot of settings, with no luck, we have never got the P1 up.
On the pfsense side, nothing really complicated : a pfsense in ha / carp. We have 5 other ipsec up with other clients where we had no particular issue.
On the fortigate side, they have :
- a first gateway in a first datacenter. I connect my ipsec to this ip (called : IP-FORTI-P1A).
- They have a NAT form the first ip IP-FORTI-P1A to a second datacenter ip : IP-FORTI-P1B
- on this second datacenter IP-FORTI-P1B , we have the VPN tunnel where i actually connect through nat.
We tried :
- Multi checked the psk, use something small and easy.... 1234 and so on...
- Change ike to V2, both side
- Change to any encryption settings, both side
- Change the « LocalId » to set their IP-FORTI-P1A as id, forti side
- Disable P2, pfsense side
- With or without NAT transversal on forti side
- Main or aggressive mode on both side
- DPD on / off…
With no luck.
On IkeV2 we get a MAC mismatch, with any ID settings.
You will find attached :
- Topology.jpg : a summary of the topology (see below)
- CONF-PFSENSE-StrongSwan.txt : my settings : 1_1532526472136_CONF-PFSENSE-StrongSwan.txt
- CONF-FORTIGATE-ON_DCE.txt : their settings : 0_1532526472135_CONF-FORTIGATE-ON_DCE.txt
- LOGS_FORTI_DTO.txt : their logs on first datacenter : 3_1532526472136_LOGS_FORTI_DTO.txt
- LOGS_FORTI_DCE.txt : their logs on second datacenter : 2_1532526472136_LOGS_FORTI_DCE.txt
- LOGS_PFSENSE.txt : my logs 4_1532526472136_LOGS_PFSENSE.txt
Has anyone some directions to point me to ?
Thanks in advance…
gersonofstone last edited by
i see your log and i think that problem with Phase 1 Pre-Shared Key Mismatch,
Do you can check the pre-shared?
aniodon last edited by
Hello and thanks for your answer.
In fact, we saw some posts on the net with this log, pointing to a psk mismatch.
We made a lot (LOT) of tests with a lot of different PSK, the P1 never got up.
we tried some '1234', 'test', and so on, psk's ...