A step-by-step guide for setting up an IPsec VPN tunnel between a SonicWall TZ200 and a FortiGate (FortiOS 5.0)
A brief outline:
I worked on building a tunnel this week.
I was configuring the SonicWall at a customer's premises; Christ was configuring the FortiGate on the cloud-host side.
We finally got the VPN showing up as established, but that is where the nightmare began: we couldn't ping each other.
We asked the circuit provider; they said they were not doing any filtering.
I scratched my head and squeezed my brain over the dilemma for a couple of days.
Then I tried troubleshooting the issue again with Christ over the phone.
We changed main mode to aggressive mode, then back again. In aggressive mode, the SonicWall logs showed that the remote peer doesn't support NAT traversal.
Christ ticked the enable NAT option on the FortiGate.
Still no luck.
I asked Christ to put in the peer ID, which is optional on the FortiGate, and to use the local ID of the external interface (this may not matter).
Then lots of messages showed up on the SonicWall complaining "no such policy for FQDN id: xxxx.xxxx.xxxx.xxxx".
Christ reminded me that FQDN means a domain name.
Alas, I seemed to see the light.
The SonicWall local IKE ID / remote IKE ID I had put in as IP address (the default), while the FortiGate sends out the remote ID as an FQDN.
After changing the remote IKE ID on the SonicWall to a domain name, tracert / ping returned 22ms.
Eventually nailed it.
So, in summary:
aggressive mode -- this mode shows more messages about the tunnel, more clues about an issue
local ID or local IKE ID on the FortiGate / SonicWall
remote ID / remote IKE ID on the Fortinet and Dell firewalls - make sure the type is matching
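The summary above boils down to one rule: the identity a peer sends as its local IKE ID must match, in both type and value, what the other peer has configured as its remote (peer) IKE ID. The checker below is an added example, not part of the original post or either vendor's tooling; it encodes that rule, maps vendor type labels (FortiGate "fqdn" vs SonicWall "Domain Name") to canonical kinds before comparing, and reproduces the post's before/after situation with constructed sample configs. The vendor labels in the alias table and all IDs and addresses are assumptions.

```python
"""Added example: cross-vendor IKE identity consistency check.

Models the root cause from the post: the FortiGate identified itself by FQDN
while the SonicWall expected the remote IKE ID as an IP address, so phase 1
found no matching policy. What one peer sends as its local ID must equal, in
type and value, the other peer's configured remote (peer) ID. All values below
are constructed sample data.
"""
from dataclasses import dataclass
from typing import List

# Vendor type labels -> canonical IKE identification kinds. Labels are assumed
# from common FortiGate CLI values and SonicWall UI choices; extend as needed.
ID_TYPE_ALIASES = {
    "address": "ipv4_addr",            # FortiGate localid-type
    "ip address": "ipv4_addr",         # SonicWall
    "fqdn": "fqdn",                    # FortiGate
    "domain name": "fqdn",             # SonicWall
    "user-fqdn": "user_fqdn",          # FortiGate
    "email address": "user_fqdn",      # SonicWall
    "keyid": "key_id",                 # FortiGate
    "sonicwall identifier": "key_id",  # SonicWall
}


def canonical_type(label: str) -> str:
    """Normalise a vendor type label; an unknown label is an error, not a silent match."""
    key = label.strip().lower()
    if key not in ID_TYPE_ALIASES:
        raise ValueError(f"unknown IKE ID type label: {label!r}")
    return ID_TYPE_ALIASES[key]


def normalise_value(kind: str, value: str) -> str:
    """FQDN-style IDs compare case-insensitively and without a trailing dot."""
    value = value.strip()
    if kind in ("fqdn", "user_fqdn"):
        return value.rstrip(".").lower()
    return value


@dataclass
class PeerIkeConfig:
    name: str
    mode: str            # "main" or "aggressive"
    nat_traversal: bool
    local_id_type: str   # how this peer identifies itself
    local_id: str
    remote_id_type: str  # what this peer expects from the other side
    remote_id: str


def check_ike_ids(a: PeerIkeConfig, b: PeerIkeConfig) -> List[str]:
    """Return findings; an empty list means the phase 1 settings and identities agree."""
    findings = []
    if a.mode.lower() != b.mode.lower():
        findings.append(f"exchange mode differs: {a.name}={a.mode}, {b.name}={b.mode}")
    if a.nat_traversal != b.nat_traversal:
        findings.append(f"NAT traversal differs: {a.name}={a.nat_traversal}, {b.name}={b.nat_traversal}")
    # Check each direction independently: sender's local ID vs receiver's remote ID.
    for sender, receiver in ((a, b), (b, a)):
        sent_kind = canonical_type(sender.local_id_type)
        expected_kind = canonical_type(receiver.remote_id_type)
        if sent_kind != expected_kind:
            findings.append(
                f"{receiver.name} expects remote ID type {expected_kind} but "
                f"{sender.name} sends its local ID as {sent_kind} ({sender.local_id!r}); "
                f"expect 'no such policy' style errors on {receiver.name}"
            )
        elif normalise_value(sent_kind, sender.local_id) != normalise_value(expected_kind, receiver.remote_id):
            findings.append(
                f"{receiver.name} expects remote ID {receiver.remote_id!r} but "
                f"{sender.name} sends {sender.local_id!r}"
            )
    return findings


# Constructed: the FortiGate identifies itself by FQDN and expects the SonicWall by address.
FORTIGATE = PeerIkeConfig(
    name="fortigate", mode="aggressive", nat_traversal=True,
    local_id_type="fqdn", local_id="fgt-cloud.example.net",
    remote_id_type="address", remote_id="198.51.100.20",
)

# Constructed: SonicWall as first configured, remote IKE ID left at the default "IP Address".
SONICWALL_BEFORE = PeerIkeConfig(
    name="sonicwall", mode="aggressive", nat_traversal=True,
    local_id_type="IP Address", local_id="198.51.100.20",
    remote_id_type="IP Address", remote_id="203.0.113.10",
)

# Constructed: SonicWall after the fix from the post, remote IKE ID type set to Domain Name.
SONICWALL_AFTER = PeerIkeConfig(
    name="sonicwall", mode="aggressive", nat_traversal=True,
    local_id_type="IP Address", local_id="198.51.100.20",
    remote_id_type="Domain Name", remote_id="FGT-Cloud.example.net.",
)


if __name__ == "__main__":
    for label, sw in (("before", SONICWALL_BEFORE), ("after", SONICWALL_AFTER)):
        print(label, check_ike_ids(FORTIGATE, sw) or ["identities agree"])
```

Run it and the "before" config reports exactly the type mismatch the post hit, while the "after" config reports nothing. Pulling the two sides' settings into one place like this is worth doing before a phone-troubleshooting session, since each firewall's UI only ever shows you half of the pairing.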
Your post was helpful to prepare a complete guide with latest FortiOS and SonicOS, the guide is here, http://www.sysprobs.com/guide-to-setup-vpn-between-sonicwall-and-fortigate-ipsec-site-to-site-vpn