I'm setting up a VPN tunnel for a Fortinet FortiWifi-60B. Their ISP only uses PPPoA so I believe I need to set up an L2TP VPN tunnel (could be wrong, I'm used to static IPs) using an FQDN resolving to a DynDNS host. In Fortinet's doc it says to use the following doc before setting up an L2TP tunnel to their firewall.
Does anyone know if setting the ProhibitIpSec key to 1 causes problems with the standard IPSec tunnels or does it affect only the L2TP tunnels? Is there a better way?
Did you get an IPSEC VPN working with the Fortinet? I have been trying. I get close but am not successful. The Fortinet 60 thinks it has a good VPN connection. The ISA server doesn't. I'm using certificates and the oakley logs look good. I'm not sure why it's not working. Anyone have any suggestions?
No, I have not. The ISP is... "inexperienced", so I have to wait for them to get their Internet working correctly before we can even try getting the connection setup. Once that's done I'm going to try it on a test server so I don't risk breaking the existing IPsec tunnels.
From what I've seen with Fortinet so far they're not very good. I'd go back to Cisco before endorsing them. The one we've been working with at the other end showed the same thing (being connected when it's not) even though it didn't even have the outside address (long story).
I was able to get a site to site IPSEC VPN working with the Fortigate 60 and ISA. I'm still testing but everything seems to be working great.
The sticking point is the phase 2 negotiations. The subnets need to be set up in the Fortigate and it takes some work on the ISA side using the IPSEC Monitor.
Once I got that figured out and got around some really stupid mistakes, everything seems to be working great. Just FYI.
(Note: I had to post this twice. It errored out the first time. Hopefully it only shows up once)
One note: I did not use a pre-shared key. I used certificates. There's another post about enabling a setting to be able to use a pre-shared key in ISA. I didn't use a pre-shared key because I am using certificates for individuals connecting by VPN. I didn't want to make a change to ISA that would affect them.
Another note before I forget. I had a problem because I had some static routes on my ISA server that weren't correct (It's not that they weren't correct, but overlapped the addresses I was using for the local subnet behind the fortigate.) I would get a VPN tunnel but no traffic would cross.
What I had to do on my own: The key was setting up the advanced section of phase 2 configuration. Under Quick Mode Selector you have to enter the Source address and destination address. The ports and protocols can remain 0.
The source address has to be your internal subnet behind your Fortigate, for example 192.168.81.0/24. Your destination address has to be the subnet behind your ISA server, for example 172.16.40.0/22.
You have to make sure these match your auto-created IPSEC policies. You have to open the MMC snap-in, IPsec Monitor, and look at your quick mode policies. If you can't find ones that match what you entered into the Fortigate then you won't be able to connect and you should see that in your oakley log (Google that to see how to turn that on in Windows).
Once I had the source and dest address ranges matching my Windows policies, everything worked. (I also had to have the ISA firewall rules working.) In my case, since I had several internal subnets behind ISA, not in a continuous range (some weren't being used), I had to create a separate phase 2 tunnel for each subnet. I plan to rearrange my internal subnets so that I only need one tunnel, but I haven't done that yet. I hope this helps. Rice
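The checks described in the posts above (quick mode selectors on the Fortigate must match the Windows quick mode filters exactly, one phase 2 entry per non-contiguous subnet behind ISA, and no ISA static route overlapping the subnet behind the Fortigate) can be scripted before touching either box. The following is an added example written for this page, not code from the thread or from Fortinet/Microsoft. It reuses the two subnets the post cites (192.168.81.0/24 and 172.16.40.0/22); the extra ISA subnets, the Windows policy list, the static routes and the phase 1 name `isa` are constructed assumptions. The FortiOS CLI text it emits uses the `config vpn ipsec phase2` / `set src-subnet` / `set dst-subnet` form; verify it against the CLI reference for your firmware before pasting it in.

```python
"""Pre-flight checks for a Fortigate <-> ISA Server site-to-site IPsec tunnel.

Added example for this thread. Sample data below is constructed; only
192.168.81.0/24 and 172.16.40.0/22 come from the post itself.
"""
from ipaddress import IPv4Network, collapse_addresses

# Subnet behind the Fortigate (from the post).
FORTIGATE_LAN = IPv4Network("192.168.81.0/24")

# Subnets behind ISA. 172.16.40.0/22 is from the post; the other two are
# assumed, and deliberately not adjacent to it, to show the "one phase 2
# per subnet" situation the poster describes.
ISA_SUBNETS = [IPv4Network(s) for s in ("172.16.40.0/22",
                                        "172.16.48.0/24",
                                        "172.16.60.0/24")]

# Quick mode filters as the IPsec Monitor snap-in would list them, written
# from the ISA server's point of view (source = subnet behind ISA).
# Assumed: the third ISA subnet was "forgotten" on the Windows side.
WINDOWS_QM_POLICIES = [
    (IPv4Network("172.16.40.0/22"), FORTIGATE_LAN),
    (IPv4Network("172.16.48.0/24"), FORTIGATE_LAN),
]

# Assumed static routes on the ISA box; the /16 overlaps the remote LAN,
# which is the "tunnel comes up but no traffic crosses" pitfall.
ISA_STATIC_ROUTES = [IPv4Network("10.0.0.0/8"), IPv4Network("192.168.0.0/16")]


def phase2_selectors(local, remotes):
    """One (src, dst) quick mode selector per remote subnet.

    A Fortigate phase 2 entry carries a single source/destination pair, so a
    non-contiguous set of remote subnets needs one entry each.
    """
    return [(local, remote) for remote in remotes]


def single_tunnel_possible(remotes):
    """True if the remote subnets merge into exactly one prefix, i.e. one
    phase 2 entry would cover them without widening the selector."""
    return len(list(collapse_addresses(remotes))) == 1


def unmatched_selectors(selectors, windows_policies):
    """Fortigate selectors that have no exactly matching Windows QM filter.

    Windows lists the filter from its own side, so Fortigate (src, dst)
    should show up as (dst, src) in IPsec Monitor; the mirrored form is
    accepted too (assumption: both directions are acceptable).
    """
    known = set(windows_policies)
    return [(s, d) for s, d in selectors
            if (d, s) not in known and (s, d) not in known]


def overlapping_routes(routes, remote_lan):
    """Static routes on ISA that overlap the subnet behind the Fortigate."""
    return [route for route in routes if route.overlaps(remote_lan)]


def fortigate_phase2_cli(phase1_name, selectors):
    """Render the selectors as FortiOS CLI (form assumed; check your firmware)."""
    lines = ["config vpn ipsec phase2"]
    for index, (src, dst) in enumerate(selectors, start=1):
        lines += [
            f'    edit "{phase1_name}-p2-{index}"',
            f'        set phase1name "{phase1_name}"',
            f"        set src-subnet {src.network_address} {src.netmask}",
            f"        set dst-subnet {dst.network_address} {dst.netmask}",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


def preflight(local=FORTIGATE_LAN, remotes=ISA_SUBNETS,
              windows_policies=WINDOWS_QM_POLICIES, routes=ISA_STATIC_ROUTES):
    """Run every check and return the findings as a dict."""
    selectors = phase2_selectors(local, remotes)
    return {
        "phase2_entries_needed": len(selectors),
        "single_tunnel_possible": single_tunnel_possible(remotes),
        "selectors_missing_on_isa": unmatched_selectors(selectors, windows_policies),
        "conflicting_static_routes": overlapping_routes(routes, local),
    }


if __name__ == "__main__":
    for key, value in preflight().items():
        print(f"{key}: {value}")
    print(fortigate_phase2_cli("isa", phase2_selectors(FORTIGATE_LAN, ISA_SUBNETS)))
```

Run as-is it reports three phase 2 entries needed, that no single tunnel can cover them, that the 172.16.60.0/24 selector has no Windows counterpart (so that tunnel would fail in the oakley log), and that 192.168.0.0/16 on ISA swallows the Fortigate LAN. Replace the constructed lists with what IPsec Monitor and `route print` actually show on your ISA server.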