Posts Tagged ‘Fortinet’

The following changes were made:

  • Added TCP 5060 for SIP (SIP sometimes uses TCP as well as UDP) on all WAN interfaces
  • Added the RTP port range 6200–6214 inbound on all WAN interfaces
  • Allowed the SIP provider's domains inbound on all WAN interfaces
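As an added example (not part of the original post), this is what those three changes look like in the FortiOS CLI, written the way a defender would want them: the SIP and RTP services are defined explicitly, and the inbound rule accepts traffic only from the provider's hosts, only for those services, only to the PBX's VIP, and logs it. The provider FQDNs, the VIP external address 203.0.113.10, the PBX address 192.168.1.20 and the interface names are assumed placeholders. Repeat the VIP and policy once per WAN interface.

```fortios
# Added example: services, provider addresses and one inbound policy for the
# SIP changes listed above. Names, FQDNs and IPs are assumed placeholders.
config firewall service custom
    edit "SIP-5060"
        set tcp-portrange 5060
        set udp-portrange 5060
    next
    edit "RTP-6200-6214"
        set udp-portrange 6200-6214
    next
end
# Provider hosts as FQDN objects, grouped so the policy stays readable
config firewall address
    edit "sip-provider-signalling"
        set type fqdn
        set fqdn "sip.provider.example"
    next
    edit "sip-provider-media"
        set type fqdn
        set fqdn "media.provider.example"
    next
end
config firewall addrgrp
    edit "SIP-Provider"
        set member "sip-provider-signalling" "sip-provider-media"
    next
end
# VIP for the PBX: external 203.0.113.10 on wan1 maps to 192.168.1.20 (assumed)
config firewall vip
    edit "PBX-VIP-wan1"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "192.168.1.20"
    next
end
# Inbound policy: provider hosts only, SIP and RTP only, logged. Repeat for wan2.
config firewall policy
    edit 0
        set name "Inbound-SIP-wan1"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "SIP-Provider"
        set dstaddr "PBX-VIP-wan1"
        set action accept
        set schedule "always"
        set service "SIP-5060" "RTP-6200-6214"
        set logtraffic all
    next
end
```

Limiting the source to the provider's addresses is what keeps the Internet's constant SIP scanning away from the PBX; opening 5060 and the RTP range to "all" would let any host register attempts straight at it.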

Turning off the SIP ALG: run the commands below if it is still required. It is best to test the phones after the changes above first.

Open the FortiGate CLI from the dashboard and enter the following commands:

  • config system settings
  • set sip-helper disable
  • set sip-nat-trace disable
  • end
  • reboot the device

Re-open the CLI and enter the following commands:

  • config system session-helper
  • show    (locate the SIP entry, usually 12, but this can vary)
  • delete 12    (or the number identified from the previous command)
  • end

Disable RTP processing as follows:

  • config voip profile
  • edit default
  • config sip
  • set rtp disable
  • end
  • end

config system settings
set default-voip-alg-mode kernel-helper-based
end

Important: this must be configured on every VDOM.
A reboot is not necessary; clearing the sessions worked for us:

diagnose sys session filter
diagnose sys session filter dport 5060
diagnose sys session clear
diagnose sys session filter dport 2000
diagnose sys session clear


A VPN for a new site had been working fine, but then it disconnected and would not stay active.

Enable debug:

diagnose debug application ike -1
diagnose debug enable

Disable debug:

diagnose debug reset
diagnose debug disable

The debug output contained errors of the following sort:

ike 0:VPN TTN:16877: ignoring unencrypted PAYLOAD-MALFORMED message from 41.224.14.131:500.
 ike 0:VPN TTN:VPN TTN P2: IPsec SA connect 50 41.224.244.77->41.224.14.131:0
 ike 0:VPN TTN:VPN TTN P2: using existing connection
 ike 0:VPN TTN:VPN TTN P2: config found
 ike 0:VPN TTN:VPN TTN P2: IPsec SA connect 50 41.224.244.77->41.224.14.131:500 negotiating
 ike 0:VPN TTN:16877:VPN TTN P2:17015: ISAKMP SA still negotiating, queuing quick-mode request
 ike 0:VPN TTN:16877: out 474981673AAFACE9D0216ED361A1081D05100201000000000000006C338C4B9F667E7DC90860B2541F716F185CF7E6B42813D02B34C11EFD6B7530644B6D91E5685CA6D1609DFDE30FEE4108D130782677BC3B12A27E544C7E11D2EA89BB51401C1919352C6A93D5CBEB590B
 ike 0:VPN TTN:16877: sent IKE msg (P1_RETRANSMIT): 41.224.244.77:500->41.224.14.131:500, len=108, id=474981673aaface9/d0216ed361a1081d
 ike 0: comes 41.224.14.131:500->41.224.244.77:500,ifindex=50....
 ike 0: IKEv1 exchange=Identity Protection id=474981673aaface9/d0216ed361a1081d len=256
 ike 0: in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
 ike 0:VPN TTN:16877: retransmission, re-send last message
EBDC7AF274255283369206E877CA0EBB0A62257AF229F0600D85C90BF266C8852B2336E9CAFE8F0E7EF63E57CD1E28647A049BF6D1DFCD45C6C23B3F92A95B1EC29A0F9992FC4D78EB018DC54C903339121BCD535F9C9246BD2E62A787466485D980D000018C30B61834BB43EBC5839BC3F53695599BF7DCA4C0D00001412F5F28C457168A9702D9FE274CC01000D00000C09002689DFD6B7120D00001425E6C9CE61A0081DB8BA401A26766C19000000141F07F70EAA6514D3B0FA96542A500100
 ike 0:VPN TTN:16877: retransmission, re-send last message


It turned out that the remote site did not have a static IP address from its ISP. This needs to be arranged with the ISP; until then the peer IP has to be changed each time.

Users who SSL-VPN into the office need to reach a different subnet that is connected via an IPsec VPN.

You should already have an address object set up for your SSL VPN users and one for the remote site.

Add the policies below.

Policy 1 (remote site to SSL VPN users):

Incoming Interface: <VPN interface to Remote Site>
Source Address: all
Outgoing Interface: ssl.root
Destination Address: SSLVPN_TUNNEL_ADDR1
Schedule: always
Service: ALL
Action: ACCEPT

Policy 2 (SSL VPN users to remote site):

Incoming Interface: ssl.root
Source Address: SSLVPN_TUNNEL_ADDR1
Outgoing Interface: <VPN interface to Remote Site>
Destination Address: all
Schedule: always
Service: ALL
Action: ACCEPT
NAT: enabled, using a dynamic IP pool created as <IP of FortiGate>-<IP of FortiGate>.
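The same two policies in CLI form, as an added example rather than the author's own configuration. The tunnel interface name "VPN", the remote-site address object "Remote_Site_Subnet" (192.168.18.0/24), the SSL VPN user group "SSLVPN-Users" and the FortiGate LAN address 192.168.1.1 used for the NAT pool are all assumed. Both policies are narrowed to the remote-site subnet instead of "all", and a static route for that subnet via the tunnel is included, since ssl.root traffic only reaches the tunnel interface if the FortiGate has a route for it.

```fortios
# Added example: CLI equivalent of the two SSL VPN <-> IPsec policies.
# Assumed names: tunnel interface "VPN", address object "Remote_Site_Subnet",
# user group "SSLVPN-Users", FortiGate LAN address 192.168.1.1.
config firewall ippool
    edit "SSLVPN-to-IPsec-NAT"
        set type overload
        set startip 192.168.1.1
        set endip 192.168.1.1
    next
end
config firewall policy
    edit 0
        set name "RemoteSite-to-SSLVPN"
        set srcintf "VPN"
        set dstintf "ssl.root"
        set srcaddr "Remote_Site_Subnet"
        set dstaddr "SSLVPN_TUNNEL_ADDR1"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "SSLVPN-to-RemoteSite"
        set srcintf "ssl.root"
        set dstintf "VPN"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "Remote_Site_Subnet"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "SSLVPN-Users"
        set nat enable
        set ippool enable
        set poolname "SSLVPN-to-IPsec-NAT"
        set logtraffic all
    next
end
# Route the remote subnet (assumed 192.168.18.0/24) into the tunnel interface
config router static
    edit 0
        set dst 192.168.18.0 255.255.255.0
        set device "VPN"
    next
end
```

Source-NATing the SSL VPN clients to the FortiGate's own address is what makes the remote site see a source it already has a phase2 selector and return route for, without touching the remote end's configuration.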


Users who had been able to connect were no longer able to connect to our FortiGate.

If using VDOMs, first enter the global context:

#config global

#diagnose sys top

Check memory usage (it should not be over 80%).

Enable debug for the SSL VPN:

#diagnose debug enable
#diagnose debug reset
#diagnose debug application sslvpn -1

Then connect the VPN and check the debug output for that user.

Found in the debug output:

 "no more addresses"

#diagnose debug disable

If using VDOMs, enter the VDOM before the next command:

#config vdom

#edit <VDOM name>

#execute vpn sslvpn list

Users were each getting 4 addresses in the SSL VPN session list instead of one, which was filling up the DHCP list.

#fnsysctl ps

Find the PID of sslvpnd.

#diagnose sys kill 11 <pid>

The VPN service will restart automatically.


Compatibility of 3G/4G USB modems can be found here:

Configuring Modems on the FortiGate

There is always a time when an ISP does not deliver Internet to the premises and the office is left without Internet. Thanks to 4G connections you can route Internet out through one, but most VPNs need static IPs, which you do not get with 4G/3G cards. Fortinet provides a DDNS service for this problem (see http://video.fortinet.com/video/99/site-to-site-ipsec-vpn-setup-with-dynamic-interface). However, some providers (Telstra) assign IPs on their private network, so you need to put the VPN in aggressive mode and authenticate with a pre-shared key.

Here is the config to get the VPN working on a Fortinet firewall.

See here for how to get the modem working: http://pariswells.com/blog/fixes/fortinet-60d-model-with-telstra-sierra-wireless-320u

Remote Office VPN Config

config vpn ipsec phase1
    edit "VPN"
        set interface "modem"
        set dhgrp 2
        set proposal aes128-sha1
        set remote-gw **IP-Address of remote-gw**
        set psksecret ENC ***PASSKEY***
    next
end
config vpn ipsec phase2
    edit "192.168.10.0-192.168.11.0"
        set phase1name "VPN"
        set proposal aes128-sha1
        set keepalive enable
        set dhgrp 2
        set keylifeseconds 3600
        set src-subnet 192.168.16.0 255.255.255.0
        set dst-subnet 192.168.18.0 255.255.255.0
    next
end

Remote Office Firewall Config

config firewall policy
    edit 8
        set srcintf "wan1"
        set dstintf "modem"
        set srcaddr "192.168.16.0/24"
        set dstaddr "192.168.18.0/24"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set inbound enable
        set outbound enable
        set vpntunnel "VPN"
    next
    edit 4
        set srcintf "wan1"
        set dstintf "modem"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
    edit 5
        set srcintf "switch"
        set dstintf "modem"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
    edit 6
        set srcintf "switch"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 7
        set srcintf "wan1"
        set dstintf "switch"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

Main Office

config system interface
    edit "VPN"
        set vdom "root"
        set type tunnel
        set snmp-index 25
        set interface "*INTERNET**"
    next
end

config vpn ipsec phase1-interface
    edit "VPN"
        set type dynamic
        set interface "*INTERNET**"
        set keylife 28800
        set proposal aes128-sha1
        set comments "VPN"
        set dhgrp 2
        set psksecret ENC **passphrase**
    next
end

config vpn ipsec phase2-interface
    edit "192.168.16.0-192.168.18.0"
        set phase1name "VPN"
        set proposal aes128-sha1
        set dhgrp 14 2
        set keepalive enable
        set keylifeseconds 3600
        set src-subnet 192.168.18.0 255.255.255.0
        set dst-subnet 192.168.16.0 255.255.255.0
    next
end
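The post says the tunnel has to be in aggressive mode for a peer sitting on a carrier-private address. As an added example (not the author's configuration), here are the two phase1 entries with aggressive mode and an explicit peer ID, so that the main office accepts only the dialup peer that presents that ID, rather than any host that has learned the pre-shared key. The ID string "remote-office" is assumed; the interface names, proposals and placeholders are those from the post, and the table names mirror the post (policy-based phase1 at the remote office, phase1-interface at the main office).

```fortios
# Added example: aggressive-mode dialup tunnel with peer ID checking.
# Remote office (modem side, dynamic address) identifies itself by localid.
config vpn ipsec phase1
    edit "VPN"
        set interface "modem"
        set mode aggressive
        set localid "remote-office"
        set dhgrp 2
        set proposal aes128-sha1
        set remote-gw **IP-Address of remote-gw**
        set psksecret ENC ***PASSKEY***
    next
end

# Main office (static address): dialup phase1 that only accepts that one ID.
# "remote-office" is an assumed ID string; change both sides together.
config vpn ipsec phase1-interface
    edit "VPN"
        set type dynamic
        set interface "*INTERNET**"
        set mode aggressive
        set peertype one
        set peerid "remote-office"
        set keylife 28800
        set proposal aes128-sha1
        set dhgrp 2
        set psksecret ENC **passphrase**
    next
end
```

With `peertype one` the main office rejects an aggressive-mode proposal from any peer whose ID does not match, which is the check you want once the accepting side is a dynamic tunnel reachable from the whole Internet. Remember that in aggressive mode the ID travels in the clear, so it is an identifier, not a secret; the pre-shared key remains the credential.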

USB compatibility can be found here: http://docs.fortinet.com/uploaded/files/2440/fortigate-modem-compatibility-matrix.pdf

A Fortinet device does not recognise the Sierra Wireless 320U IMEI; you will need the following config:

config system lte-modem
    set status enable
    set apn "Telstra.internet"
end

config system modem
    set status enable
    set auto-dial enable
    set connect-timeout 30
    set wireless-port 4
    set phone1 "*99#"
    set extra-init1 "at+cgdcont=1,\"IP\",\"telstra.internet\""
    set extra-init2 "at+cgdcont=1,\"IP\",\"telstra.internet\""
    set altmode disable
end

config system 3g-modem custom
    edit 1
        set vendor "Sierra Wireless"
        set model "320U"
        set vendor-id 1199
        set product-id 68aa
    next
end

Enable 4G/LTE:

#config system global
#set usb-lte enable
#end

Troubleshooting:

#diagnose sys modem detect wireless
#diagnose sys modem external-modem

Create a policy allowing outbound traffic through the modem.

Change the default static route (0.0.0.0/0) to go via the modem.

Make sure DNS is set on the DHCP server.
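The last three steps in CLI form, as an added example that is not from the post. The default route is assumed to be static route entry 1; it is pointed at the modem device and needs no gateway address because the modem is a PPP link. The LAN is assumed to be 192.168.16.0/24 on the "switch" interface (matching the remote-office config above), and the DHCP server hands out the FortiGate's own DNS settings. The outbound policy itself is the same as policy 5 in the remote-office firewall config above (switch to modem, NAT enabled), so it is not repeated here.

```fortios
# Added example: default route via the modem and DHCP with DNS for the LAN.
# Assumed: existing default route is entry 1, LAN is 192.168.16.0/24 on "switch".
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set device "modem"
    next
end

# DHCP on the LAN side; dns-service default hands out the FortiGate's DNS servers
config system dhcp server
    edit 1
        set interface "switch"
        set dns-service default
        set default-gateway 192.168.16.1
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 192.168.16.100
                set end-ip 192.168.16.200
            next
        end
    next
end
```

If the old default route via wan1 is left in place alongside this one, the FortiGate will still prefer whichever has the lower distance, so either delete it or give the modem route the lower distance while the ISP link is down.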
