Netgate Discussion Forum

Pfsense - Fortigate

vramar2000

We are not able to reach the remote office LAN through the IPsec site-to-site VPN from pfSense to the Fortigate firewall.

Can anyone please help me: what kind of rule do I need to create in pfSense to access the remote network?

Regards,
Ramar V

leandroecomp

I have the same problem. I have a scenario with two pfSense firewalls site-to-site with IPsec, working well. But when I try to configure pfSense-to-Fortigate, I don't have the same luck. If you have done this, please post the solution here.

Thanks.  ;D

m4st3rc1p0

I have the same setup and I was able to connect both Fortigate and pfSense. Can you show your Fortigate VPN config and firewall policy, and the same for your pfSense?

froussy

I'm connected to 9 Fortigates (50b, 60, 110c) and have everything working.

As stated, show your settings :)

Frank

syafiq-mcp

@froussy:

I'm connected to 9 Fortigates (50b, 60, 110c) and have everything working.

As stated, show your settings :)

Frank

Hi Frank, do you have a working tutorial, as you mentioned above?

Syafiq

secfilter

I have two pfSense boxes connected to a Fortigate with IPsec without problems.
(Different proposal used)

Do you need help?

Regards,
Secf'

Wagner Matos

Gentlemen,
For some time now I have not been able to get an IPsec VPN up between a Fortigate 311B and pfSense… I have tried a lot, but without success.
Can anyone help me?

Log
"racoon: [GVT_BBtur]: INFO: IPsec-SA request for y.y.y.y queued due to no phase1 found.
racoon: [GVT_BBtur]: INFO: initiate new phase 1 negotiation: x.x.x.x[500]<=>y.y.y.y[500]
racoon: INFO: begin Identity Protection mode."

Wagner Matos


New log …

The address "yyyy" is my external address.

                    Jan 23 14:46:48 racoon: DEBUG: pk_recv: retry[0] recv()
                    Jan 23 14:46:48 racoon: DEBUG: got pfkey ACQUIRE message
                    Jan 23 14:46:48 racoon: [Unknown Gateway/Dynamic]: DEBUG: suitable outbound SP found: 192.168.1.0/24[0] 10.61.0.0/18[0] proto=any dir=out.
                    Jan 23 14:46:48 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe560: 10.61.0.0/18[0] 192.168.1.0/24[0] proto=any dir=in
                    Jan 23 14:46:48 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447790: 192.168.1.1/32[0] 192.168.1.0/24[0] proto=any dir=out
                    Jan 23 14:46:48 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe560: 10.61.0.0/18[0] 192.168.1.0/24[0] proto=any dir=in
                    Jan 23 14:46:48 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447490: 192.168.1.0/24[0] 192.168.1.1/32[0] proto=any dir=in
                    Jan 23 14:46:48 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe560: 10.61.0.0/18[0] 192.168.1.0/24[0] proto=any dir=in
                    Jan 23 14:46:48 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447910: 192.168.1.0/24[0] 10.61.0.0/18[0] proto=any dir=out
                    Jan 23 14:46:48 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe560: 10.61.0.0/18[0] 192.168.1.0/24[0] proto=any dir=in
                    Jan 23 14:46:48 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447610: 10.61.0.0/18[0] 192.168.1.0/24[0] proto=any dir=in
                    Jan 23 14:46:48 racoon: [Unknown Gateway/Dynamic]: DEBUG: suitable inbound SP found: 10.61.0.0/18[0] 192.168.1.0/24[0] proto=any dir=in.
                    Jan 23 14:46:48 racoon: [Unknown Gateway/Dynamic]: DEBUG: new acquire 192.168.1.0/24[0] 10.61.0.0/18[0] proto=any dir=out
                    Jan 23 14:46:48 racoon: [GVT_BBtur]: [y.y.y.y] DEBUG: configuration "y.y.y.y[500]" selected.
                    Jan 23 14:46:48 racoon: DEBUG: getsainfo params: loc='192.168.1.0/24' rmt='10.61.0.0/18' peer='NULL' client='NULL' id=1
                    Jan 23 14:46:48 racoon: DEBUG: evaluating sainfo: loc='192.168.1.0/24', rmt='10.61.0.0/18', peer='ANY', id=1
                    Jan 23 14:46:48 racoon: DEBUG: check and compare ids : values matched (IPv4_subnet)
                    Jan 23 14:46:48 racoon: DEBUG: cmpid target: '192.168.1.0/24'
                    Jan 23 14:46:48 racoon: DEBUG: cmpid source: '192.168.1.0/24'
                    Jan 23 14:46:48 racoon: DEBUG: check and compare ids : values matched (IPv4_subnet)
                    Jan 23 14:46:48 racoon: DEBUG: cmpid target: '10.61.0.0/18'
                    Jan 23 14:46:48 racoon: DEBUG: cmpid source: '10.61.0.0/18'
                    Jan 23 14:46:48 racoon: DEBUG: selected sainfo: loc='192.168.1.0/24', rmt='10.61.0.0/18', peer='ANY', id=1
                    Jan 23 14:46:48 racoon: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=16410:16409)
                    Jan 23 14:46:48 racoon: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-sha)
                    Jan 23 14:46:48 racoon: DEBUG: in post_acquire
                    Jan 23 14:46:48 racoon: [GVT_BBtur]: [y.y.y.y] DEBUG: configuration "y.y.y.y[500]" selected.
                    Jan 23 14:46:48 racoon: [GVT_BBtur]: INFO: IPsec-SA request for y.y.y.y queued due to no phase1 found.
                    Jan 23 14:46:48 racoon: DEBUG: ===
                    Jan 23 14:46:48 racoon: [GVT_BBtur]: INFO: initiate new phase 1 negotiation: 192.169.1.124[500]<=>y.y.y.y[500]
                    Jan 23 14:46:48 racoon: INFO: begin Identity Protection mode.
                    Jan 23 14:46:48 racoon: DEBUG: new cookie: 5c4d9c936e444373
                    Jan 23 14:46:48 racoon: DEBUG: add payload of len 48, next type 13
                    Jan 23 14:46:48 racoon: DEBUG: add payload of len 20, next type 13
                    Jan 23 14:46:48 racoon: DEBUG: add payload of len 16, next type 0
                    Jan 23 14:46:48 racoon: DEBUG: 124 bytes from 192.169.1.124[500] to y.y.y.y[500]
                    Jan 23 14:46:48 racoon: DEBUG: sockname 192.169.1.124[500]
                    Jan 23 14:46:48 racoon: DEBUG: send packet from 192.169.1.124[500]
                    Jan 23 14:46:48 racoon: DEBUG: send packet to y.y.y.y[500]
                    Jan 23 14:46:48 racoon: DEBUG: 1 times of 124 bytes message will be sent to y.y.y.y[500]
                    Jan 23 14:46:48 racoon: DEBUG: 5c4d9c93 6e444373 00000000 00000000 01100200 00000000 0000007c 0d000034 00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080 80010005 80030001 80020002 80040002 0d000018 4048b7d5 6ebce885 25e7de7f 00d6c2d3 80000000 00000014 afcad713 68a1f1c9 6b8696fc 77570100
                    Jan 23 14:46:48 racoon: DEBUG: resend phase1 packet 5c4d9c936e444373:0000000000000000
                    Jan 23 14:46:58 racoon: DEBUG: 124 bytes from 192.169.1.124[500] to y.y.y.y[500]
                    Jan 23 14:46:58 racoon: DEBUG: sockname 192.169.1.124[500]
                    Jan 23 14:46:58 racoon: DEBUG: send packet from 192.169.1.124[500]
                    Jan 23 14:46:58 racoon: DEBUG: send packet to 177.135.229.129[500]
                    Jan 23 14:46:58 racoon: DEBUG: 1 times of 124 bytes message will be sent to y.y.y.y[500]
                    Jan 23 14:46:58 racoon: DEBUG: 5c4d9c93 6e444373 00000000 00000000 01100200 00000000 0000007c 0d000034 00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080 80010005 80030001 80020002 80040002 0d000018 4048b7d5 6ebce885 25e7de7f 00d6c2d3 80000000 00000014 afcad713 68a1f1c9 6b8696fc 77570100
                    Jan 23 14:46:58 racoon: DEBUG: resend phase1 packet 5c4d9c936e444373:0000000000000000

gerdesj

You don't mention versions of the Fortigate but if it is anything like the ones I have to connect to, you need to also put a route in that links the VPN tunnel to the routing table (the tunnels appear as routing interfaces).

Once the P1/P2 is set up on the Forti, go to the routing section.  Add a route for the remote network(s) and select the name of the tunnel.  On the pfSense side you do not have to do this.

Cheers
Jon

valnar

And also add a firewall rule that allows traffic through that VPN interface.  So 3 things that need to be done on a Fortigate:

VPN
Routes
FW rules

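The three FortiGate-side steps gerdesj and valnar describe (tunnel, route, firewall rules), written out as FortiOS CLI; this is an added example, not configuration posted in the thread or taken from Netgate or Fortinet documentation. The phase 1 is assumed to already exist under the name "to-pfsense", and the LAN port name "internal", the tunnel, object and policy names and the FortiOS 5.x service name "ALL" (named "ANY" on the 4.x firmware of the models mentioned here) are assumptions. The subnets (FortiGate LAN 10.61.0.0/18, pfSense LAN 192.168.1.0/24) and the 3DES/SHA1 proposal are the ones visible in Wagner's racoon log.

```fortios
# Added example, not from the thread. Interface "internal", the object/tunnel
# names and FortiOS 5.x service name "ALL" are assumptions; phase 1 "to-pfsense"
# is assumed to exist already. Subnets and 3DES/SHA1 are from the racoon log.
config vpn ipsec phase2-interface
    edit "to-pfsense-p2"
        set phase1name "to-pfsense"
        set proposal 3des-sha1
        set src-subnet 10.61.0.0 255.255.192.0
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end
# Route (gerdesj): the tunnel is a routing interface; send the pfSense LAN into it.
config router static
    edit 0
        set dst 192.168.1.0 255.255.255.0
        set device "to-pfsense"
    next
end
# Policies (valnar): one per direction, scoped to the two LANs rather than "all".
config firewall address
    edit "net-forti-lan"
        set subnet 10.61.0.0 255.255.192.0
    next
    edit "net-pfsense-lan"
        set subnet 192.168.1.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "to-pfsense"
        set srcaddr "net-forti-lan"
        set dstaddr "net-pfsense-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "to-pfsense"
        set dstintf "internal"
        set srcaddr "net-pfsense-lan"
        set dstaddr "net-forti-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The phase 2 selectors, the static route destination and the policy address objects all have to describe the same pair of subnets, and the phase 2 proposal has to match the pfSense P2 exactly (secfilter's "different proposal" point). On the pfSense side no route is needed, but traffic arriving through the tunnel is filtered by the rules on the IPsec tab, which is the rule vramar2000 asked about.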
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.