Channel: Forefront TMG and ISA Server forum
TMG 2010 IPsec site-to-site tunnel to FortiGate 200D does not connect

OS: Windows Server 2008 R2, all updates installed.
Forefront Threat Management Gateway 2010 (version 7.0.9193.644)
The server is in Canada. Time zone: (UTC-05:00) Eastern Time (US & Canada).
IPsec tunnels have already been set up to 3 different sites and work well.
But we have 1 site where the tunnel is not working.
 
Below is the information about this tunnel:
 
IPsec site-to-site
 
IPsec options
Phase I:
Encryption algorithm: 3DES
Integrity algorithm: SHA1
Diffie-Hellman group: Group 2 (1024 bits)
Authenticate and generate new keys every 7800 seconds.
Phase II:
Encryption algorithm: 3DES
Integrity algorithm: SHA1
Session key parameters: rekey every 3600 seconds.
Use PFS
Diffie-Hellman group: Group 2 (1024 bits)
Authentication:
Shared key: *****
 
The error occurs on the FortiGate 200D (v5.2.2, build642) side during Phase II. If the encryption algorithm is set to AES-256, we get the error during Phase I.
 
The FortiGate 200D side team has already had a discussion with the Fortinet support team; according to them, the firewall on our side is responding to their FortiGate side with "no policy". They said we need to check the issue with the Microsoft support team.
 
Is there anyone who has had a similar problem, or any other information about compatibility between FortiGate and TMG 2010?
 
 
Here are some other details:
 
Local tunnel endpoint: 184.107.xxx.xxx
Remote tunnel endpoint: 83.111.xxx.xx
 
IKE Phase I options:
    Mode: basic mode
    Encryption: 3DES
    Integrity: SHA1
    Diffie-Hellman group: Group 2 (1024 bits)
    Authentication method: Pre-shared secret (******)
    SA lifetime: 7800 seconds
 
 
IKE Phase II options:
    Mode: ESP tunnel
    Encryption: 3DES
    Integrity: SHA256
    Perfect forward secrecy (PFS): ON
    Diffie-Hellman group: Group 2 (1024 bits)
    Rekey by time: ON
    SA lifetime: 3600 seconds
 
    Rekey by volume: OFF
 
IP subnet "Ex_Fortigate" (remote network):
    Network = 83.111.xxx.xx / 255.255.255.255
    Network = 172.12.13.xx / 255.255.255.255
    Network = 172.17.13.xx / 255.255.255.255
 
IP subnet "Internal" network:
    Network = 10.0.0.0/255.255.0.0
    Network = 192.168.xxx.0 / 255.255.255.0
 
Static VPN IP address pool in the server subnet "mysrv":
    Network = 192.168.xxx.1 / 255.255.255.255
    Network = 192.168.xxx.254 / 255.255.255.255
    Network = 192.168.xxx.2 / 255.255.255.254
    Network = 192.168.xxx.252 / 255.255.255.254
    Network = 192.168.xxx.4 / 255.255.255.252
    Network = 192.168.xxx.248 / 255.255.255.252
    Network = 192.168.xxx.8 / 255.255.255.248
    Network = 192.168.xxx.240 / 255.255.255.248
    Network = 192.168.xxx.16 / 255.255.255.240
    Network = 192.168.xxx.224 / 255.255.255.240
    Network = 192.168.xxx.32 / 255.255.255.224
    Network = 192.168.xxx.192 / 255.255.255.224
    Network = 192.168.xxx.64 / 255.255.255.192
    Network = 192.168.xxx.128 / 255.255.255.192
 
Routable local IP addresses:
    Network = 10.0.0.0/255.255.0.0
    Network = 83.111.xxx.xx / 255.255.255.255
    Network = 172.12.13.xx / 255.255.255.255
    Network = 172.17.13.xx / 255.255.255.255
    Network = 192.168.xxx.0 / 255.255.255.0



TMG 2010 logs:
 
Closing connection MYSRV 10/12/2015 1:32:18 PM
Log type: Firewall service
Status: The connection has been completed properly, correctly implemented the process off with a tripartite confirmation, launched FIN.
Rule: [System] Allow VPN traffic such as "site-to-site" on the Forefront TMG server
Source: Local computer (184.107.xxx.xxx:500)
Destination: Ex_Fortigate (83.111.xxx.xx:500)
Protocol: IKE-client
Additional information:
Number of bytes sent: 2048; number of bytes received: 0
Processing time: 134000 ms; original client IP address: 184.107.xxx.xxx
 
 
Started Connect MYSRV 10/12/2015 1:32:18 PM
Log type: Firewall service
Status: The operation completed successfully.
Rule: [System] Allow VPN traffic such as "site-to-site" on the Forefront TMG server
Source: Local computer (184.107.xxx.xxx:500)
Destination: Ex_Fortigate (83.111.xxx.xx:500)
Protocol: IKE-client
Additional information:
Number of bytes sent: 0; number of bytes received: 0
Processing time: 0 ms; original client IP address: 184.107.xxx.xxx


FortiGate 200D v5.2.2, build642 logs:
2015-10-08 01:42:44 ike 0:NAME-NAME:NAME-PHASE2: IPsec SA connect 7 83.111.xxx.xx->184.107.xxx.xxx:0
2015-10-08 01:42:44 ike 0:NAME-NAME: ignoring request to establish IPsec SA, no policy configured
2015-10-08 01:42:46 ike shrank heap by 159744 bytes
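As an added example (not from the original post or from either vendor), here is a small Python script that does the two checks a defender would run first on a tunnel like this one: it compares the Phase 1/Phase 2 proposal parameters configured on the two peers and flags the ones that must match exactly, and it parses FortiGate ike debug lines like the three quoted above to pull out the actionable message. The proposal values are constructed from the numbers in the post (the two Phase II listings in the post disagree on the integrity algorithm, SHA1 vs SHA256, which is exactly the kind of difference the comparison reports); the "no proposal chosen" pattern is an assumed wording, while the other two patterns are taken from the quoted log lines.

```python
"""Added example, not from the forum post: IPsec proposal comparison and IKE-log triage.

Proposal values below are constructed from the numbers in the post. The FortiGate
lines are the three quoted in the post. The triage wording for a proposal mismatch
is an assumption; adjust it to what your device actually logs.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proposal:
    """One IKE (Phase 1) or IPsec (Phase 2) proposal as configured on one peer."""
    encryption: str           # e.g. "3DES", "AES256"
    integrity: str            # e.g. "SHA1", "SHA256"
    dh_group: Optional[int]   # DH group; for Phase 2 this is the PFS group (None = PFS off)
    lifetime_s: int           # SA lifetime in seconds


def _norm(alg: str) -> str:
    """Normalise vendor spellings so AES-256, aes256 and AES256 compare equal."""
    return alg.upper().replace("-", "").replace("_", "")


def compare_proposals(local: Proposal, remote: Proposal) -> dict:
    """Return {"fatal": [...], "warn": [...]} describing how two peers differ.

    Encryption, integrity and the DH/PFS group must match exactly, otherwise the
    responder rejects the proposal and that phase never completes. Lifetimes only
    have to be compatible (IKEv1 peers normally settle on the shorter one), so a
    lifetime difference is reported as a warning only.
    """
    fatal, warn = [], []
    if _norm(local.encryption) != _norm(remote.encryption):
        fatal.append(f"encryption: local={local.encryption} remote={remote.encryption}")
    if _norm(local.integrity) != _norm(remote.integrity):
        fatal.append(f"integrity: local={local.integrity} remote={remote.integrity}")
    if local.dh_group != remote.dh_group:
        fatal.append(f"dh_group/PFS: local={local.dh_group} remote={remote.dh_group}")
    if local.lifetime_s != remote.lifetime_s:
        warn.append(f"lifetime: local={local.lifetime_s}s remote={remote.lifetime_s}s")
    return {"fatal": fatal, "warn": warn}


# FortiGate ike debug line: "<date> <time> ike <vdom>:<phase1>[:<phase2>]: <message>",
# or "<date> <time> ike <message>" for lines that carry no tunnel context.
IKE_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ike "
    r"(?:(?P<vdom>\d+):(?P<tunnel>[^:\s]+)(?::(?P<phase2>[^:\s]+))?: )?"
    r"(?P<msg>.+)$"
)

# (pattern, finding code, what to check on the device that logged the line).
# The second pattern's wording is an assumption; the other two appear in the post.
TRIAGE = [
    (re.compile(r"no policy configured"), "no-policy",
     "the device that logged this found no firewall policy using the tunnel; "
     "fix the policy on that device before comparing proposals"),
    (re.compile(r"no (SA )?proposal chosen", re.I), "proposal-mismatch",
     "compare encryption, integrity and DH/PFS group on both peers"),
    (re.compile(r"IPsec SA connect"), "phase2-initiated",
     "Phase 2 negotiation was attempted for this tunnel"),
]


def triage_ike_log(lines) -> list:
    """Parse FortiGate-style ike debug lines and return the actionable findings."""
    findings = []
    for line in lines:
        m = IKE_LINE.match(line.strip())
        if not m:
            continue
        for pattern, code, advice in TRIAGE:
            if pattern.search(m["msg"]):
                findings.append({"ts": m["ts"], "tunnel": m["tunnel"],
                                 "phase2": m["phase2"], "code": code, "advice": advice})
                break
    return findings


# Constructed from the post: Phase II as given in its first listing vs. its second.
TMG_PHASE2 = Proposal("3DES", "SHA1", 2, 3600)
TMG_PHASE2_SECOND_LISTING = Proposal("3DES", "SHA256", 2, 3600)

# The three FortiGate lines quoted in the post.
FORTIGATE_LOG = [
    "2015-10-08 01:42:44 ike 0:NAME-NAME:NAME-PHASE2: IPsec SA connect 7 83.111.xxx.xx->184.107.xxx.xxx:0",
    "2015-10-08 01:42:44 ike 0:NAME-NAME: ignoring request to establish IPsec SA, no policy configured",
    "2015-10-08 01:42:46 ike shrank heap by 159744 bytes",
]

if __name__ == "__main__":
    print(compare_proposals(TMG_PHASE2, TMG_PHASE2_SECOND_LISTING))
    for f in triage_ike_log(FORTIGATE_LOG):
        print(f["ts"], f["tunnel"], f["code"], "-", f["advice"])
```

Running it reports the integrity mismatch between the two Phase II listings as fatal, and for the quoted FortiGate lines it attributes the "no policy configured" message to the device that wrote it, which is the side whose firewall policy needs to be checked first; the heap message carries no tunnel context and is ignored.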
