firewall ACL and VPN setup question

We are using a McAfee Firewall Enterprise Admin Console for our firewall and Fortinet's Fortigate 60D for our VPN device.

I'm trying to get some Chromebooks to connect.  I've added an Access Control Rule that I thought would allow external-to-internal access to the VPN.  Yet I'm not seeing anything in the Fortigate's logs showing that the Chromebook is attempting to connect to it.  So to me I'd think it's being stopped at the firewall.

On the firewall, under Audit Viewing > VPN, I'm seeing: [error] AGGRESSIVE_MODE exchange processing failed [error] Received exchange type (AGGRESSIVE_MODE)|not supported by policy, packet dropped.

I want to point out that we have two VPN Definitions for a remote site.  These two settings use Main ID as the IKE v1 exchange type.  So to me it would appear as if the Chromebook is using the VPN Definitions instead of the Access Control Rule I had set up for it.

Any ideas?

Accepted Solutions
sliedl
Level 14
Message 2 of 6

Re: firewall ACL and VPN setup question

You need a second external IP address on the firewall (an alias address) to pass VPN traffic through the firewall while VPN traffic to the firewall will use the original IP address.  Then, you create a rule that has ESP-protocol 50 and UDP 500/4500 as the Applications, set the Destination of the rule to be an IP address object for the alias address on the firewall and then set a Redirect to the IP address of your Fortigate device.  Put this rule above your ISAKMP Server rule.

5 Replies

Re: firewall ACL and VPN setup question

I believe we already have implemented what you're referring to as a 2nd external IP address.  We already have an external IP address set up that the firewall forwards to the Fortigate device.  I just want to verify that I don't in fact need another external IP address pointing to the same device again.

sliedl
Level 14
Message 4 of 6

Re: firewall ACL and VPN setup question

You need one IP address for VPNs TO the firewall and a different IP address for VPNs THROUGH the firewall.  The Access Control Rule for VPNs through the firewall must be above the ISAKMP Server rule (which is for VPNs to the firewall).

PhilM
Level 14
Message 5 of 6

Re: firewall ACL and VPN setup question

What sliedl is saying is correct.

So if it isn't working as expected, check to make sure the existing rule for the site-to-site VPN service is explicitly referencing the firewall's primary IP address. If the destination is set to "Any" or "Any IPv4", the isakmp service will be listening on all configured external IP addresses, and if this rule is sitting above the rule you have created for your Fortinet VPN device, it will be intercepting these connections and trying to process them as if they are also site-to-site VPN connections.

-Phil.

Re: firewall ACL and VPN setup question

Thanks for the help, guys... I triple-checked my settings and then it caught me.  I didn't have the Redirect setting set... Once I put in the redirect destination it worked flawlessly.

~Jeremy
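The three points made in this thread (a separate IP for VPNs through the firewall, the passthrough rule above the ISAKMP Server rule or the ISAKMP rule scoped to the primary address, and a Redirect on the passthrough rule) modelled as a first-match policy evaluator. This is an added example, not McAfee Firewall Enterprise or Fortinet code: the addresses 198.51.100.10/.11 and 10.0.0.5, the rule names and the packets are constructed, and treating a rule with no Redirect as delivering the packet to the firewall's own address is a modelling assumption, not a documented product behaviour.

```python
"""First-match model of the IKE/IPsec rule ordering discussed in the thread.
Added example; addresses, rule names and packets are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PRIMARY_IP = "198.51.100.10"  # assumed: firewall's primary external address (VPNs TO it)
ALIAS_IP = "198.51.100.11"    # assumed: alias external address (VPNs THROUGH it)
FORTIGATE = "10.0.0.5"        # assumed: inside address of the Fortigate 60D

# Applications a VPN rule must carry: IKE (UDP/500), NAT-T (UDP/4500), ESP (IP proto 50).
VPN_APPS = frozenset({("udp", 500), ("udp", 4500), ("esp", None)})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    apps: frozenset                 # (proto, dport) pairs; dport None = any port
    dst: str                        # destination IP object, or "Any"
    redirect: Optional[str] = None  # Redirect (destination NAT) target, if any

    def matches(self, pkt: Packet) -> bool:
        app_ok = (pkt.proto, pkt.dport) in self.apps or (pkt.proto, None) in self.apps
        dst_ok = self.dst == "Any" or self.dst == pkt.dst
        return app_ok and dst_ok


def evaluate(policy: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """(rule name, address the packet is delivered to) for the first match.
    Modelling assumption: no Redirect means the packet stays at its own
    destination, i.e. on the firewall when that is one of its addresses."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.name, rule.redirect or pkt.dst
    return "implicit deny", None


def shadowed(policy: List[Rule]) -> List[str]:
    """Rules that can never fire: an earlier rule matches every packet they
    would match (same or wider apps, same destination or Any)."""
    hidden = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            if later.apps <= earlier.apps and earlier.dst in ("Any", later.dst):
                hidden.append(later.name)
                break
    return hidden


def isakmp_server(dst: str) -> Rule:
    # VPNs terminating on the firewall itself: no Redirect.
    return Rule("ISAKMP Server", VPN_APPS, dst)


def passthrough(redirect: Optional[str] = FORTIGATE) -> Rule:
    # VPNs through the firewall: destination is the alias, traffic redirected.
    return Rule("VPN to Fortigate", VPN_APPS, ALIAS_IP, redirect)


# Constructed packets: a Chromebook's first IKE message to the alias address,
# and a remote site's IKE message to the firewall's primary address.
CHROMEBOOK_IKE = Packet("203.0.113.7", ALIAS_IP, "udp", 500)
SITE_IKE = Packet("192.0.2.20", PRIMARY_IP, "udp", 500)


def isakmp_any_on_top():
    """ISAKMP Server with dst Any above the passthrough rule: the firewall
    takes the Chromebook's exchange itself and the passthrough rule is dead."""
    policy = [isakmp_server("Any"), passthrough()]
    return evaluate(policy, CHROMEBOOK_IKE), shadowed(policy)


def passthrough_on_top():
    """Passthrough above ISAKMP Server: Chromebook traffic reaches the
    Fortigate while site-to-site traffic still terminates on the firewall."""
    policy = [passthrough(), isakmp_server("Any")]
    return evaluate(policy, CHROMEBOOK_IKE), evaluate(policy, SITE_IKE), shadowed(policy)


def isakmp_scoped_to_primary():
    """ISAKMP Server scoped to the primary address: order no longer matters."""
    policy = [isakmp_server(PRIMARY_IP), passthrough()]
    return evaluate(policy, CHROMEBOOK_IKE), shadowed(policy)


def passthrough_without_redirect():
    """The rule matches, but with no Redirect the packet stays on the alias
    address of the firewall and never reaches the Fortigate."""
    policy = [passthrough(redirect=None), isakmp_server(PRIMARY_IP)]
    return evaluate(policy, CHROMEBOOK_IKE)


if __name__ == "__main__":
    for fn in (isakmp_any_on_top, passthrough_on_top,
               isakmp_scoped_to_primary, passthrough_without_redirect):
        print(f"{fn.__name__:28s} {fn()}")
```

Running the script prints one line per scenario; the shadowed() check is the part worth keeping around, since a passthrough rule that sits below an Any-destination ISAKMP Server rule produces no firewall error at all, only the silent AGGRESSIVE_MODE drop seen in the original post.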
