I was recently turning up a VPN with a new outside party and have been running into some issues (as you do). The tunnel would not come up on phase 2 between Cisco IOS and a Fortigate device. I didn't have PFS configured on my side, but it was configured on the remote side. My fault, whatever. However, this is where the weirdness starts.
They could initiate a ping and successfully ping a device (echo, echo reply) on my network, but I could not initiate phase 2 and send any traffic from the same interface on the same device. I would only get "send errors" on my phase 2 SA. This is with PFS enabled on their side, but not enabled on mine, which I would expect given the way it was configured. I verified they sent ping packets from their side to ours and saw the encaps and decaps on that specific SA.
Why is this?? What kind of black magic mess am I dealing with here?
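The one-way behavior matches how IOS documents `set pfs`: a crypto map without it does not propose PFS when IOS initiates (so a peer that requires PFS rejects the proposal), but it accepts a PFS group offered by the peer when the peer initiates, which is why the remote ping works and the local one does not. The config below is an added example, not the original post's configuration; the peer address, ACL name, transform set and DH group 14 are assumptions.

```cisco
! Added example, not the author's config. The peer address 203.0.113.10,
! the names and DH group 14 are placeholders/assumptions.
!
! --- Before: phase 2 on the IOS side with no PFS ---
! IOS initiates without PFS (peer rejects), but accepts the peer's PFS
! offer when the peer initiates: traffic works in one direction only.
crypto ipsec transform-set TS-REMOTE esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map CM-OUTSIDE 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-REMOTE
 match address ACL-REMOTE-VPN
!
! --- After: PFS required, matching the group the peer requires ---
crypto map CM-OUTSIDE 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-REMOTE
 set pfs group14
 match address ACL-REMOTE-VPN
!
! Verify from the IOS side after forcing a fresh phase 2 negotiation:
!   clear crypto sa peer 203.0.113.10
!   show crypto ipsec sa peer 203.0.113.10
! Check that the SA shows "PFS (Y/N): Y, DH group: group14" and that the
! "#send errors" counter stays at zero while locally initiated traffic flows.
```

Both sides must agree on the DH group as well as on PFS itself, so the group set here has to match the phase 2 DH group configured on the Fortigate.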