cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
jjensen86
jjensen86
Level 7
Report Inappropriate Content
Message 1 of 6
‎09-08-2015 09:34 AM

firewall ACL and VPN setup question

Jump to solution

We are using a McAfee Firewall Enterprise Admin Console for our firewall and Fortinet's Fortigate 60D for our VPN device.

I'm trying to get some Chromebooks to connect.  I've added an Access Control Rule that I thought would allow the external to internal access to the VPN.  Yet I'm not seeing anything on the forigate's logs showing that the Chrombook is attempting to connect to it.  So to me i'd think its being stopped at the firewall.

On the Firewall under Audit Viewing - VPN - I'm seeing an [error] AGGRESSIVE_MODE exchange processing failed [error] Received exchange type (AGGRESSIVE_MODE)|not supported by policy, packet dropped.

I want to point out that we have two VPN Definitions for a remote site.  These two settings use Main ID as the IKE v1 exchange type.  So to me it would appear as if the Chromebook is using the VPN Definitions instead of the Access Control Rule i had setup for it.

Any ideas?

0 Kudos
Reply
1 Solution

Accepted Solutions
sliedl
sliedl
Level 14
Report Inappropriate Content
Message 2 of 6
‎09-08-2015 12:38 PM

Re: firewall ACL and VPN setup question

Jump to solution

You need a second external IP address on the firewall (an alias address) to pass VPN traffic through the firewall while VPN traffic to the firewall will use the original IP address.  Then, you create a rule that has ESP-protocol 50 and UDP 500/4500 as the Applications, set the Destination of the rule to be an IP address object for the alias address on the firewall and then set a Redirect to the IP address of your Fortigate device.  Put this rule above your ISAKMP Server rule.

Reply
5 Replies
sliedl
sliedl
Level 14
Report Inappropriate Content
Message 2 of 6
‎09-08-2015 12:38 PM

Re: firewall ACL and VPN setup question

Jump to solution

You need a second external IP address on the firewall (an alias address) to pass VPN traffic through the firewall while VPN traffic to the firewall will use the original IP address.  Then, you create a rule that has ESP-protocol 50 and UDP 500/4500 as the Applications, set the Destination of the rule to be an IP address object for the alias address on the firewall and then set a Redirect to the IP address of your Fortigate device.  Put this rule above your ISAKMP Server rule.

Reply
jjensen86
jjensen86
Level 7
Report Inappropriate Content
Message 3 of 6
‎09-11-2015 06:46 AM

Re: firewall ACL and VPN setup question

Jump to solution

I believe what you're referring to for a 2nd external ip address we already have implemented.  We already have an external ip address setup that the firewall forwards to the fortigate device.  I just want to verify that i don't in fact need another external ip address pointing to the same device again.

0 Kudos
Reply
sliedl
sliedl
Level 14
Report Inappropriate Content
Message 4 of 6
‎09-11-2015 10:56 AM

Re: firewall ACL and VPN setup question

Jump to solution

You need one IP address for VPNs TO the firewall and a different IP address for VPNs THROUGH the firewall.  The Access Control Rule for VPNs through the firewall must be above the ISAKMP Server rule (which is for VPNs to the firewall).

0 Kudos
Reply
PhilM
PhilM
Level 14
Report Inappropriate Content
Message 5 of 6
‎09-13-2015 03:29 AM

Re: firewall ACL and VPN setup question

Jump to solution

What sliedl is saying is correct.

So if it isn't working as expected, check to make sure the existing rule for the site to site VPN service is explicitly referencing the Firewall's primary IP address. If the destination is set to "Any" or "Any IPv4", the isakmp service will be listening on all configured external IP addresses and if this rule is sitting above the rule you have created for your Fortinet VPN device it will be intercepting these connections and trying to process them as if they are also site-to-site VPN connections.

-Phil.

0 Kudos
Reply
Highlighted
jjensen86
jjensen86
Level 7
Report Inappropriate Content
Message 6 of 6
‎09-14-2015 08:14 AM

Re: firewall ACL and VPN setup question

Jump to solution

Thanks for the help guys... I triple checked my settings and then it caught me.  I didn't have the Redirect setting set... Once I put the redirect destination it worked flawlessly

~Jeremy

Reply
More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator

    • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community


    Corporate Headquarters
    2821 Mission College Blvd.
    Santa Clara, CA 95054 USA

    Consumer Support   |   Enterprise Support   |   McAfee.com

    Legal   |   Privacy   |   Copyright © 2019 McAfee, LLC