IPSEC VPN Fortigate 100F to Multiple Meraki Sites

Jokerrj
Just browsing


We have a new site behind a FortiGate 100F.

It is set up within our organization to connect to 4 different sites.

 

For each site we set up a different VPN in FortiGate.

We got the tunnels up (Phase 1 and Phase 2), but they eventually go down; sometimes they come back up, sometimes they don't.

 

From the Meraki side, I've changed Encryption and Authentication to many combinations.

The outcome is the same.


From the FortiGate side we tried:

  • DPD disabled
  • Autokey Keepalive disabled


This is Phase 1 and 2 on the Meraki side.

[Screenshots: Phase 1 Meraki, Phase 2 Meraki; not reproduced]


This is Phase 1 and 2 on FortiGate.

[Five screenshots dated 2022-12-05; not reproduced]


8 Replies

alemabrahao
Kind of a big deal

Meraki is updating its device-to-cloud connectivity to an architecture that was crafted from the ground up to provide even greater security and simplicity for connectivity. This connectivity is currently available on devices that meet certain firmware requirements, noted below in the section, Supported Firmware/Models.

 

 

Prerequisites for enabling FIPS

In order to enable FIPS mode, please ensure that the settings below in your Dashboard are in compliance with FIPS Standards:

  • Security & SD-WAN -> Configure: Site-to-site VPN -> Non Meraki VPN settings:
    • Preshared secret must be greater than 14 characters
    • Authentication cannot be MD5
    • Diffie-Hellman Group must be 14
    • Phase 2 encryption cannot be NULL
    • PFS can be configured to be either off or 14

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
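As an added example (not code from this thread, and not Meraki or Fortinet code), the Python script below encodes the five FIPS prerequisites listed in the reply above as a checker, and also compares a Meraki non-Meraki VPN peer with its FortiGate counterpart field by field, since the original poster reports cycling through encryption and authentication combinations by hand. The Peer/Phase1/Phase2 classes and all sample values are constructed for the example; they are not taken from the screenshots in the thread.

```python
"""Cross-check a Meraki non-Meraki VPN peer against its FortiGate counterpart.

Added example for this thread; not Meraki or Fortinet code. Peer objects are
hand-typed approximations of the Dashboard / FortiOS fields, and the sample
values at the bottom are constructed, not the poster's real settings.
"""
from dataclasses import dataclass
from typing import List, Union

# Meraki FIPS prerequisites for non-Meraki VPN peers, as listed in the reply.
FIPS_MIN_PSK_LEN = 15            # "greater than 14 characters"
FIPS_DH_GROUPS = {14}            # phase 1 Diffie-Hellman group
FIPS_PFS_OPTIONS = {"off", 14}   # phase 2 PFS: off, or DH group 14


@dataclass(frozen=True)
class Phase1:
    encryption: str        # e.g. "aes256"
    authentication: str    # "sha256", "sha1", "md5", ...
    dh_group: int
    lifetime: int          # seconds


@dataclass(frozen=True)
class Phase2:
    encryption: str        # e.g. "aes256", or "null"
    authentication: str
    pfs: Union[str, int]   # "off" or a DH group number
    lifetime: int          # seconds


@dataclass(frozen=True)
class Peer:
    name: str
    psk: str
    phase1: Phase1
    phase2: Phase2


def _norm_pfs(pfs: Union[str, int]) -> Union[str, int]:
    """Map 14, "14" or "OFF" onto the forms used in FIPS_PFS_OPTIONS."""
    if isinstance(pfs, str):
        return int(pfs) if pfs.isdigit() else pfs.lower()
    return pfs


def fips_violations(peer: Peer) -> List[str]:
    """One message per FIPS prerequisite the peer breaks; empty list = compliant."""
    p1, p2 = peer.phase1, peer.phase2
    problems = []
    if len(peer.psk) < FIPS_MIN_PSK_LEN:
        problems.append(f"{peer.name}: preshared secret must be >14 characters (got {len(peer.psk)})")
    if "md5" in (p1.authentication.lower(), p2.authentication.lower()):
        problems.append(f"{peer.name}: MD5 authentication is not permitted")
    if p1.dh_group not in FIPS_DH_GROUPS:
        problems.append(f"{peer.name}: phase 1 DH group must be 14 (got {p1.dh_group})")
    if p2.encryption.lower() == "null":
        problems.append(f"{peer.name}: phase 2 encryption cannot be NULL")
    if _norm_pfs(p2.pfs) not in FIPS_PFS_OPTIONS:
        problems.append(f"{peer.name}: PFS must be off or group 14 (got {p2.pfs})")
    return problems


def proposal_mismatches(a: Peer, b: Peer) -> List[str]:
    """Compare both ends field by field.

    MISMATCH lines are settings that must agree for the SA to negotiate at all.
    Lifetimes are WARN only: IKEv1 peers rekey on their own timers, but unequal
    values are worth ruling out when a tunnel flaps.
    """
    findings = []

    def check(label: str, x, y, fatal: bool = True) -> None:
        if str(x).lower() != str(y).lower():
            findings.append(f"{'MISMATCH' if fatal else 'WARN'} {label}: {a.name}={x} vs {b.name}={y}")

    if a.psk != b.psk:
        findings.append(f"MISMATCH preshared secret differs between {a.name} and {b.name}")
    check("phase 1 encryption", a.phase1.encryption, b.phase1.encryption)
    check("phase 1 authentication", a.phase1.authentication, b.phase1.authentication)
    check("phase 1 DH group", a.phase1.dh_group, b.phase1.dh_group)
    check("phase 1 lifetime", a.phase1.lifetime, b.phase1.lifetime, fatal=False)
    check("phase 2 encryption", a.phase2.encryption, b.phase2.encryption)
    check("phase 2 authentication", a.phase2.authentication, b.phase2.authentication)
    check("phase 2 PFS", _norm_pfs(a.phase2.pfs), _norm_pfs(b.phase2.pfs))
    check("phase 2 lifetime", a.phase2.lifetime, b.phase2.lifetime, fatal=False)
    return findings


# Constructed sample values (not the thread's real settings).
MERAKI_SITE_A = Peer(
    name="meraki-site-a",
    psk="short",                                   # too short for FIPS
    phase1=Phase1("aes256", "md5", 2, 28800),      # MD5 and DH group 2
    phase2=Phase2("null", "sha1", 5, 3600),        # NULL encryption, PFS group 5
)
FORTIGATE_SITE_A = Peer(
    name="fortigate-site-a",
    psk="CorrectHorseBatteryStaple42",
    phase1=Phase1("aes256", "sha256", 14, 28800),
    phase2=Phase2("aes256", "sha256", 14, 3600),
)
# FIPS-compliant on its own, but phase 2 authentication still differs from the FortiGate.
MERAKI_SITE_A_FIXED = Peer(
    name="meraki-site-a",
    psk="CorrectHorseBatteryStaple42",
    phase1=Phase1("aes256", "sha256", 14, 28800),
    phase2=Phase2("aes256", "sha1", "14", 3600),
)

if __name__ == "__main__":
    for peer in (MERAKI_SITE_A, FORTIGATE_SITE_A, MERAKI_SITE_A_FIXED):
        print(f"{peer.name}: {fips_violations(peer) or 'FIPS prerequisites OK'}")
    for line in proposal_mismatches(MERAKI_SITE_A_FIXED, FORTIGATE_SITE_A):
        print(line)
```

Run it as-is to see the three sample peers scored; to use it on a real pair, type each side's Dashboard and FortiOS phase 1/phase 2 values into two Peer objects. A MISMATCH line means the tunnel cannot negotiate that SA regardless of anything else, so those are worth clearing before looking at DPD or keepalive settings.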
Jokerrj
Just browsing

I'm sorry but... What does it have to do with the Issue?

alemabrahao
Kind of a big deal

Keep in mind that in the future it can be a problem; I had to reconfigure some tunnels because of FIPS mode, so I suggest you change your settings as recommended, maybe it can help. But it's your choice, I'm just trying to help you.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Jokerrj
Just browsing

Got it. Thanks

PhilipDAth
Kind of a big deal

There can often be issues if multiple subnets exist in the encryption domain. Is this the case, and if it is, is there any chance that only one combination of the subnets works at a time?

 

 

Jokerrj
Just browsing

Not really. I often have multiple subnets working at the same time. For example, right now I have an RDP session open to one remote subnet and pings running to others.

PhilipDAth
Kind of a big deal

I don't know if this is your issue - but this article talks about it.

https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/666100/ipsec-vpn-between-a-fortigate-and... 

Jokerrj
Just browsing

It doesn't apply to my issue. Also, the firmware on the FortiGate is 7.2.x.
