5 Replies Latest reply on Sep 14, 2015 10:14 AM by jjensen86

    firewall ACL and VPN setup question


      We are using a McAfee Firewall Enterprise Admin Console for our firewall and Fortinet's Fortigate 60D for our VPN device.


      I'm trying to get some Chromebooks to connect.  I've added an Access Control Rule that I thought would allow the external to internal access to the VPN.  Yet I'm not seeing anything on the Fortigate's logs showing that the Chromebook is attempting to connect to it.  So to me I'd think it's being stopped at the firewall.


      On the Firewall under Audit Viewing - VPN - I'm seeing an [error] AGGRESSIVE_MODE exchange processing failed [error] Received exchange type (AGGRESSIVE_MODE)|not supported by policy, packet dropped.


      I want to point out that we have two VPN Definitions for a remote site.  These two settings use Main ID as the IKE v1 exchange type.  So to me it would appear as if the Chromebook is using the VPN Definitions instead of the Access Control Rule I had set up for it.


      Any ideas?

        • 1. Re: firewall ACL and VPN setup question

          You need a second external IP address on the firewall (an alias address) to pass VPN traffic through the firewall while VPN traffic to the firewall will use the original IP address.  Then, you create a rule that has ESP-protocol 50 and UDP 500/4500 as the Applications, set the Destination of the rule to be an IP address object for the alias address on the firewall and then set a Redirect to the IP address of your Fortigate device.  Put this rule above your ISAKMP Server rule.

          • 2. Re: firewall ACL and VPN setup question

            I believe what you're referring to for a 2nd external IP address we already have implemented.  We already have an external IP address set up that the firewall forwards to the Fortigate device.  I just want to verify that I don't in fact need another external IP address pointing to the same device again.

            • 3. Re: firewall ACL and VPN setup question

              You need one IP address for VPNs TO the firewall and a different IP address for VPNs THROUGH the firewall.  The Access Control Rule for VPNs through the firewall must be above the ISAKMP Server rule (which is for VPNs to the firewall).

              • 4. Re: firewall ACL and VPN setup question

                What sliedl is saying is correct.


                So if it isn't working as expected, check to make sure the existing rule for the site to site VPN service is explicitly referencing the Firewall's primary IP address. If the destination is set to "Any" or "Any IPv4", the isakmp service will be listening on all configured external IP addresses and if this rule is sitting above the rule you have created for your Fortinet VPN device it will be intercepting these connections and trying to process them as if they are also site-to-site VPN connections.
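The point made in replies 1, 3 and 4 is really about first-match rule ordering and scope: an ISAKMP Server rule whose destination is "Any" sits above the passthrough rule and swallows IKE/ESP traffic aimed at the alias address, so the firewall tries to terminate the Chromebook's VPN itself instead of redirecting it to the Fortigate. The following is an added example, not code from this thread or from McAfee or Fortinet; it is a toy first-match evaluator with constructed addresses (203.0.113.1 as the firewall's primary IP, 203.0.113.2 as the alias, 192.168.10.5 as the Fortigate) that shows the broken ordering beside the two fixes the replies describe (move the passthrough rule above, or scope the ISAKMP rule to the primary address) and includes a simple shadowed-rule check. It models the ordering logic only, not the real Firewall Enterprise policy engine.

```python
"""Toy first-match ACL model for VPN-to vs VPN-through-the-firewall rules.

Added example with constructed values; it is not McAfee or Fortinet code and
does not reproduce the real Firewall Enterprise engine, only first-match ordering.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

FIREWALL_PRIMARY = "203.0.113.1"     # constructed: address for VPNs terminating ON the firewall
FIREWALL_ALIAS = "203.0.113.2"       # constructed: alias address for VPNs passing THROUGH it
FORTIGATE_INTERNAL = "192.168.10.5"  # constructed: redirect target behind the firewall

# The services reply 1 names: ESP (protocol 50, no port) plus UDP 500/4500.
VPN_SERVICES: FrozenSet[Tuple[str, Optional[int]]] = frozenset(
    {("udp", 500), ("udp", 4500), ("esp", None)}
)


@dataclass(frozen=True)
class Rule:
    name: str
    services: FrozenSet[Tuple[str, Optional[int]]]
    destination: Optional[str]      # None models a destination of "Any"
    action: str                     # "terminate" (firewall handles it) or "redirect"
    redirect_to: Optional[str] = None


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: Optional[int]
    dst: str


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when the service matches and the destination is Any or equal."""
    if (pkt.proto, pkt.dport) not in rule.services:
        return False
    return rule.destination is None or rule.destination == pkt.dst


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """First-match evaluation: the first rule that matches decides."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule
    return None


def outcome(rules: List[Rule], pkt: Packet) -> str:
    """Human-readable result: dropped, terminate, or redirect:<target>."""
    rule = evaluate(rules, pkt)
    if rule is None:
        return "dropped"
    if rule.action == "redirect":
        return f"redirect:{rule.redirect_to}"
    return "terminate"


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (shadowed, shadowing) pairs: a later rule can never match if an
    earlier rule covers all of its services and a destination that is Any or equal."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            covers_services = earlier.services >= later.services
            covers_dst = earlier.destination is None or earlier.destination == later.destination
            if covers_services and covers_dst:
                found.append((later.name, earlier.name))
                break
    return found


# Rules as the replies describe them.
ISAKMP_ANY = Rule("ISAKMP Server (dst Any)", VPN_SERVICES, None, "terminate")
ISAKMP_PRIMARY = Rule("ISAKMP Server (dst primary)", VPN_SERVICES, FIREWALL_PRIMARY, "terminate")
PASSTHROUGH = Rule("VPN passthrough to Fortigate", VPN_SERVICES, FIREWALL_ALIAS,
                   "redirect", FORTIGATE_INTERNAL)

BROKEN_POLICY = [ISAKMP_ANY, PASSTHROUGH]      # passthrough below an Any-destination ISAKMP rule
FIXED_BY_ORDER = [PASSTHROUGH, ISAKMP_ANY]     # reply 3: passthrough rule above ISAKMP Server
FIXED_BY_SCOPE = [ISAKMP_PRIMARY, PASSTHROUGH]  # reply 4: ISAKMP rule bound to the primary IP

# Constructed sample traffic.
CHROMEBOOK_IKE = Packet("udp", 500, FIREWALL_ALIAS)
CHROMEBOOK_ESP = Packet("esp", None, FIREWALL_ALIAS)
SITE_TO_SITE_IKE = Packet("udp", 500, FIREWALL_PRIMARY)

if __name__ == "__main__":
    for label, policy in (("broken", BROKEN_POLICY), ("fixed by order", FIXED_BY_ORDER),
                          ("fixed by scope", FIXED_BY_SCOPE)):
        print(f"{label:15} chromebook IKE -> {outcome(policy, CHROMEBOOK_IKE)}, "
              f"site-to-site IKE -> {outcome(policy, SITE_TO_SITE_IKE)}, "
              f"shadowed: {shadowed_rules(policy)}")
```

Running the block prints that the broken policy terminates the Chromebook's IKE on the firewall (matching the AGGRESSIVE_MODE "not supported by policy" audit entry in the question, since the firewall's own IKE policy is now judging a peer it was never meant to serve), while either fix redirects it to the Fortigate and still terminates the site-to-site traffic on the primary address; the shadow check flags the passthrough rule in the broken policy as unreachable.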



                • 5. Re: firewall ACL and VPN setup question

                  Thanks for the help guys... I triple checked my settings and then it caught me.  I didn't have the Redirect setting set... Once I put in the redirect destination it worked flawlessly.