VMX100 in AWS to Fortigate in AWS Ipsec

Solved
Netwow
Building a reputation


We have a need to build an IPsec tunnel from a Fortigate in AWS to a VMX100 in AWS. When initially configured we were able to establish Phase 1. Phase 2 on the Fortigate always showed as failed. We involved Meraki support to verify Phase 2 because the dashboard stated the tunnel was up. Phase 2 was never established. After troubleshooting (changing the PSK, bouncing the tunnel, etc.) Phase 1 will not establish. Has anyone had any luck with similar cloud security appliances?


2 Replies 2
JimmyPhelan
Getting noticed

What version of IKE are you expecting to use on your tunnel? Is there any chance the Fortigate is looking for IKEv2 by default, and Meraki is only capable of IKEv1?

Are the two locations separate sites / clients?

This is likely due to a difference in the encryption handling. Something like AES is showing, but it's 128 on one side and 256 on the other.

Netwow
Building a reputation

After spending time with Fortigate and Meraki today we were able to achieve tunnel connectivity. There were multiple issues, so I thought it would be a good idea to post them in case anyone else ever comes across this same issue.

First, when establishing a tunnel to a non-Fortigate VPN peer, object groups/names are advised against. Using the subnet is the way to go.

Second, the Fortigate side had to turn off NAT Traversal (I found this odd, but it worked).

Third, MTU had to be adjusted due to the Fortigate sending jumbo frames.
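As an added illustration of the three fixes in the accepted answer (not configuration posted by the author, Fortinet or Meraki), here is what the Fortigate side of such a tunnel looks like in FortiOS CLI: explicit subnets in phase 2 instead of address objects, NAT traversal disabled in phase 1, and an MTU override on the tunnel interface. The tunnel name, WAN interface, peer address, subnets, proposals and the 1400-byte MTU are assumed placeholders, and the vMX side must be configured with matching PSK, proposals and subnets.

```fortios
# Added example, not the poster's configuration. Fortigate side of an
# IKEv1 route-based IPsec tunnel to a Meraki vMX. Every name, address,
# proposal and the MTU value below is an assumed placeholder.

config vpn ipsec phase1-interface
    edit "to-vmx"
        # assumed WAN interface and placeholder vMX public address
        set interface "port1"
        set remote-gw 203.0.113.10
        set ike-version 1
        set peertype any
        # assumed proposal; must match the Meraki side exactly
        set proposal aes256-sha256
        set dhgrp 14
        # fix 2 from the thread: NAT traversal off on the Fortigate
        set nattraversal disable
        # placeholder; use the PSK configured on the vMX
        set psksecret PSK-PLACEHOLDER
    next
end

config vpn ipsec phase2-interface
    edit "to-vmx-p2"
        set phase1name "to-vmx"
        # assumed proposal; must match the Meraki side exactly
        set proposal aes256-sha256
        set dhgrp 14
        # fix 1 from the thread: plain subnets, not src-name/dst-name
        # address objects or groups (placeholder VPC subnets)
        set src-subnet 10.0.1.0 255.255.255.0
        set dst-subnet 10.0.2.0 255.255.255.0
    next
end

config system interface
    edit "to-vmx"
        # fix 3 from the thread: cap the tunnel MTU so ESP packets are not
        # fragmented or dropped on the path (assumed value; tune to the path)
        set mtu-override enable
        set mtu 1400
    next
end
```

The static route toward the remote subnet via the "to-vmx" interface and the firewall policies permitting traffic through it are not shown.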
