Cisco ASA to Fortigate VPN (Properly!)
KB ID 0001721 Problem A while ago I did a run through on site to site VPNs from Cisco ASA to Fortigate firewalls. Back then I said that the default settings were a bit ‘shoddy’ and that I’d revisit it once I had more time. What do you mean shoddy? Well, Cisco and Fortinet are both guilty of enabling ‘Everything’ to make the tunnel come up, so people can just use a wizard and not put to much thought into...
Cisco ASA: Received a DELETE PFKey message from IKE
KB ID 0001720 Problem I was debugging a VPN tunnel today. (From a Fortigate to a Cisco ASAv). I was messing around with the encryption and hashing, when the tunnel fell over. Phase 1 was establishing fine but not Phase 2 (IPSEC). I’ve got better skills on the ASA, so that’s where I was debugging; IPSEC: Received a PFKey message from IKE IPSEC: Parsing PFKey GETSPI message IPSEC: Creating IPsec SA IPSEC: Getting the...
AnyConnect Error: Unable To Verify IP Forwarding Table Modifications
KB ID 0001646 Problem While attempting to connect to a clients AnyConnect, this happened; The VPN client was unable to successfully verify the IP forwarding table modifications. A VPN connection will not be established. Or on older clients, you may see; The VPN client was unable to modify the IP forwarding table. A VPN connection will not be established. Please restart your computer or device, then try again. Solution I was trying to...
PDF File: Remove Password Protection
KB ID 0001719 Problem My daughter had a file that was protected by a password, (it had sensitive personal information in it). She wanted to send this file to someone, but wanted to remove the password protection first. I thought this would be easy, open it in Acrobat Reader, find the bit that says ‘password protect’ and untick it right? Well to enable that ‘feature’ (called the “protect feature”),...
Fortigate: Cannot Ping an Interface?
KB ID 0001718 Problem With other firewall vendors (i.e. Cisco) you can ping any interface you are ‘directly connected to’. With Fortigate however you cannot (by default). That’s not the end of the world you can check connectivity using ARP (see below) which is what really cool network techs do instead! But if you want to be able to ping an interface (even for a short period of time). Here’s how to do it....
Fortigate to Cisco ASA Site to Site VPN
KB ID 0001717 Problem Continuing with my ‘Learn some Fortigate’ theme’. One of the basic requirements of any edge firewall is site to site VPN. As the bulk of my knowledge is Cisco ASA it seems sensible for me to work out how to VPN both those firewalls together, like so; Well that’s the pretty picture, I’m building this EVE-NG so here’s what my workbench topology looks like; Disclaimer (Read First!...
Fortigate: One to One (Static NAT)
KB ID 0001716 Problem If you have a host that you want to be able to access from the outside of the firewall e.g. a webserver then this is the process you want to carry out. I didn’t find this process particularly intuitive and it highlighted why I don’t like GUI management interfaces, (in 6.4 the menu names have changed, this rendering a million blog pages inaccurate!) I’m setting this up in EVE-NG on the work bench...
VMware Fusion: Not Enough Physical Memory
KB ID 0001715 Problem I upgraded to macOS Big Sur this week, and was surprised everything still worked! That was until I tried to start up my Windows 1o Virtual machine. “Not enough physical memory is available to power on this virtual machine with its configured settings.” Solution Though it took me a while to ‘fix’, the fix is quite straight forward, I was running version 11 (see Below). As soon as I upgraded...
Running Dropbox On Windows Server
KB ID 0001489 Problem If you are here, you have probably already found out that Dropbox is not supported on Windows Server platforms. You can install it and set it up happily but it stops working and needs to be relaunched all the time (manually). I love dropbox! So much I actually pay for it! I run it on my management server and its handy for copying file up into my test network, so I can appreciate how annoying it is having to...
EVE-NG Deploying Fortigate v6 Firewalls
KB ID 0001714 Problem The firm I work for are looking at a replacement for Cisco ASA as their preferred firewall of choice. We are looking at Fortinet to fill this gap, but as a product/solution it’s something I know very little about. So the best way to learn is to deploy and play with, and the test bench weapon of choice for discerning technical types is EVE-NG. So can I deploy the newest (v6.4.2 at time of writing) Fortigate...