
VPN remote phone and Fortigate FG60

Status
Not open for further replies.

jcosgrove (Vendor, joined Feb 10, 2004, 163 messages, US)
Has anybody set up a VPN remote phone using this type of VPN router? I've set one up on a Netgear FVX538 with no issues. This Fortigate is giving me a really hard time. Anybody have any experience with this model?
 
No, and it is not supported.
Don't spend a day trying; use the Netgear again.


ACA - Implement IP Office
ACS - Implement IP Office
ACA - Voice Services Management
______________
Women and cats can do as they please and men and dogs should relax and get used to the idea!
 
Joe, just for reference and for the benefit of others, here is the configuration I used to set up the 5610 SW with the Fortigate FG60:

VPN Profile Generic PSK
Server XXX.XXX.XXX.XXX
IKE ID [I used "vpn", but you can set this as "any" in the Fortigate and then put anything you like]
PSK – (Pre Shared Key) ********

IKE Parameters
IKE ID Type FQDN
Diffie Hellman Group 2
Encryption ALG Any
Authentication ALG Any
IKE Xchange Mode Aggressive
IKE Config Mode Disabled
XAUTH Disable
Cert Expiry Check Disabled
Cert DN Check Disabled

IPSEC Parameters
Encryption ALG 3DES
Authentication ALG Sha1
Diffie Hellman Group 2

VPN Start Mode Boot
Password Type Save in Flash
Encapsulation 4500 – 4500
Protected Nets
Virtual IP 192.168.0.210
Remote Net #1 192.168.0.0/24
Remote Net #2
Remote Net #3
Copy TOS No
Connectivity Check Always
QTEST Disabled

I configured a dialup Auto IKE VPN tunnel within the Fortigate with the settings above. As a point of reference, it appears the 5610 doesn't like using Diffie Hellman Group 5. As with other firewalls, changing to DH Group 2 fixed things right up.

 
Here are the settings for the Fortigate FG60, although this should work on any Fortigate unit:

On the FG60:

Phase 1

config vpn ipsec phase1
    edit "VPNPHONE"
        set type dynamic
        set interface "wan1"
        set local-gw 0.0.0.0
        set localid ''
        set dpd enable
        set nattraversal enable
        set dhgrp 2
        set proposal 3des-sha1 3des-md5
        set keylife 28800
        set authmethod psk
        set peertype any
        set xauthtype disable
        set mode aggressive
        set add-gw-route disable
        set distance 1
        set priority 0
        set psksecret ENC ****************************************
        set dpd-retrycount 3
        set dpd-retryinterval 5
        set keepalive 10
    next
end

Phase 2

config vpn ipsec phase2
    edit "VPNPHONE"
        set auto-negotiate enable
        set dhgrp 2
        set dst-addr-type subnet
        set dst-port 0
        set keepalive enable
        set keylife-type seconds
        set pfs enable
        set phase1name "VPNPHONE"
        set proposal 3des-sha1 3des-md5
        set protocol 0
        set replay enable
        set route-overlap use-new
        set single-source disable
        set src-addr-type subnet
        set src-port 0
        set use-natip enable
        set dhcp-ipsec enable
        set dst-subnet 0.0.0.0 0.0.0.0
        set keylifeseconds 1800
        set src-subnet 0.0.0.0 0.0.0.0
    next
end

As a point of reference, it appears the 5610 doesn't like using Diffie Hellman Group 5. As with other firewalls and the 5610, changing to DH Group 2 fixed things right up. Hope this helps some folks!
 
As a further follow-up, although DHCP-IPSEC is enabled on the Fortigate, I was not able to obtain a DHCP lease on the 5610 from the Fortigate. I know DHCP-IPSEC works on the Fortigate, because my Forticlient VPN clients are able to obtain addresses, so I think it has something to do with the IPSEC negotiation. Setting a static VIP on the phone within the range of the VPN IP Pool worked just fine.
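The DH Group 5 failure described in the posts above is a plain proposal mismatch between the phone profile and the FortiGate phase1/phase2 settings. The following is an added example, not code from the thread: it parses an abridged copy of the FortiOS CLI posted above, compares it against a dictionary of the phone-side values, and reports which settings the FortiGate tunnel would reject (the CLI text and phone profile are constructed from the thread's values; the key names in PHONE_PROFILE are assumptions).

```python
import re

# Constructed input: the FortiGate phase1/phase2 settings quoted in this thread, abridged.
FORTIGATE_CLI = """
config vpn ipsec phase1
    edit "VPNPHONE"
        set dhgrp 2
        set proposal 3des-sha1 3des-md5
        set mode aggressive
    next
end
config vpn ipsec phase2
    edit "VPNPHONE"
        set dhgrp 2
        set pfs enable
        set proposal 3des-sha1 3des-md5
    next
end
"""

# Phone-side profile (constructed), keyed roughly the way the 5610 menu labels the fields.
PHONE_PROFILE = {"IKE DH": 2, "IKE Xchange Mode": "Aggressive",
                 "IPSEC Encryption ALG": "3DES", "IPSEC Authentication ALG": "Sha1", "IPSEC DH": 2}

def parse_fortios(text):
    """Collect 'set key value...' lines under each 'config vpn ipsec phaseN' block."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"config vpn ipsec (phase[12])$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and line.startswith("set "):
            key, *vals = line[4:].split()
            current[key] = vals          # keep all values: proposals are a list
    return sections

def check_compat(phone, fgt):
    """Return the phone settings the FortiGate tunnel would reject (empty list = compatible)."""
    p1, p2, problems = fgt["phase1"], fgt["phase2"], []
    if str(phone["IKE DH"]) not in p1.get("dhgrp", []):
        problems.append("IKE DH group")                  # the Group 5 vs Group 2 case
    if phone["IKE Xchange Mode"].lower() != p1.get("mode", ["main"])[0]:
        problems.append("IKE exchange mode")
    proposal = f"{phone['IPSEC Encryption ALG']}-{phone['IPSEC Authentication ALG']}".lower()
    if proposal not in p2.get("proposal", []):
        problems.append("IPsec proposal")
    # With PFS enabled, phase2 also needs a DH group both sides accept
    if p2.get("pfs", ["disable"])[0] == "enable" and str(phone["IPSEC DH"]) not in p2.get("dhgrp", []):
        problems.append("PFS DH group")
    return problems
```

Running check_compat with the phone's DH groups changed to 5 reproduces the mismatch the thread hit; with the posted values it returns an empty list.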
 