I'm in the process of attempting to set up an IPSec tunnel between two LANs.
Here's an ASCII diagram (IPs changed):
(Public IP1: 220.127.116.11)
|/| <-IPSec Tunnel
(Public IP2: 18.104.22.168)
I've configured both firewalls according to their respective manuals. This has been tricky because both vendors have varied terminology and default settings. There are also some minor variations in what extra options you have at each end.
I've added rules to both firewalls to allow traffic to pass both directions between the LAN and the IPSec interface and I've added routes to both firewalls to direct traffic intended for the remote LAN over the IPSec interface.
Here's a rough list of settings:
Authentication: Pre-shared key
IKE Encryption/Auth proposals: AES256/SHA1
IKE Life Time: 28800 sec
IKE Mode: Main, DH Group 2
IPSec Encryption/Auth proposals: AES256/SHA1
IPSec Life Time: 3600 sec/5120 KB
Perfect Forward Secrecy: Enabled, DH Group 5
Keep-alive: On (sends pings regularly to keep the tunnel up)
At the moment, I can see the 2 active IKE security authorities (SAs) coming up.
The IPSec tunnel however isn't coming up. The errors I'm getting from the D-Link box are:
2009-07-31 14:42:49 Warning IPSEC 1803020 ipsec_sa_failed no_ipsec_sa statusmsg="Timeout"
2009-07-31 14:42:49 Warning IPSEC 1800109 ike_quickmode_failed local_ip=22.214.171.124 remote_ip=126.96.36.199 cookies=<HEX String Edited Out> reason="Timeout"
Fortigate Errors attached (remove .txt extension).
So the errors look like something to do with IKE, "Quick Mode" failing, but I don't know much else. Any help or suggestions would be highly appreciated.
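As an added example (not part of the question and not either vendor's tooling): Quick Mode is where the IPsec proposal, PFS group and traffic selectors are negotiated, so a side-by-side comparison of what both gateways were given is the usual first diagnostic. Side A below uses the values listed in the question; side B, the subnet values and the vendor spellings are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Phase2:
    encryption: str            # e.g. "AES256" or "aes-256" depending on vendor
    auth: str                  # e.g. "SHA1"
    pfs_group: Optional[int]   # DH group for PFS, None if PFS is disabled
    lifetime_sec: int
    lifetime_kb: Optional[int]
    local_subnet: str          # traffic selector / proxy ID on this gateway
    remote_subnet: str

def normalize(value: str) -> str:
    # Vendors spell the same algorithm differently ("AES-256", "aes256", "AES_256").
    return value.lower().replace("-", "").replace("_", "")

def check_phase2(a: Phase2, b: Phase2) -> Dict[str, List[str]]:
    """Return {'errors': [...], 'warnings': [...]} describing mismatches.
    Errors are parameters both ends must agree on for Quick Mode to complete;
    warnings are lifetimes, which usually only cause earlier rekeys, not failure."""
    errors, warnings = [], []
    if normalize(a.encryption) != normalize(b.encryption):
        errors.append(f"encryption: {a.encryption} vs {b.encryption}")
    if normalize(a.auth) != normalize(b.auth):
        errors.append(f"auth: {a.auth} vs {b.auth}")
    if a.pfs_group != b.pfs_group:
        errors.append(f"PFS group: {a.pfs_group} vs {b.pfs_group}")
    # Selectors must mirror each other: A's local network is B's remote network.
    if a.local_subnet != b.remote_subnet or a.remote_subnet != b.local_subnet:
        errors.append(f"selectors not mirrored: {a.local_subnet}<->{a.remote_subnet} "
                      f"vs {b.local_subnet}<->{b.remote_subnet}")
    if a.lifetime_sec != b.lifetime_sec:
        warnings.append(f"lifetime (sec): {a.lifetime_sec} vs {b.lifetime_sec}")
    if a.lifetime_kb != b.lifetime_kb:
        warnings.append(f"lifetime (KB): {a.lifetime_kb} vs {b.lifetime_kb}")
    return {"errors": errors, "warnings": warnings}

# Constructed sample: side A as listed in the question, side B a counterpart
# whose PFS group was left at 2 instead of 5 (subnets are documentation ranges).
SIDE_A = Phase2("AES256", "SHA1", 5, 3600, 5120, "192.0.2.0/24", "198.51.100.0/24")
SIDE_B = Phase2("aes-256", "sha-1", 2, 3600, 5120, "198.51.100.0/24", "192.0.2.0/24")

if __name__ == "__main__":
    for kind, items in check_phase2(SIDE_A, SIDE_B).items():
        for item in items:
            print(f"{kind}: {item}")
```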