01-01-2013 05:18 AM - edited 03-04-2019 06:32 PM
Hi all
I'm trying to install a site-to-site IPsec between 2 different routers (Cisco 3750 & Fortigate 100A) (R1 & Fortigate100A).
Without installing IPsec, the whole scenario is working properly.
But unfortunately the IPsec tunnel (between R1 & Fortigate100A) is not functioning properly.
(Please look at the attached jpg file)
The log messages received on the routers are displayed below:
Cisco: R1:
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.168.43.75
Fortigate 100A:
ike 0: no established IKE SA for exchange-type Informational from 192.168.43.195:500->192.168.43.75 3 cookie d3695c6cea17475a/d18e1af773e658b9, drop
ike 0:Cisco-P1:6899: authentication OK
ike 0: no established IKE SA for exchange-type Informational from 192.168.43.195:500->192.168.43.75 3 cookie 414bd35ab92bc4ef/d18e1af78ed17bf9, drop
I have configured both routers as follows:
Cisco:
Hostname:R1
isakmp Policy 1
Hash: sha
Authentication: pre-share
Encryption: AES128
DH group:2
Lifetime 86400
isakmp Key: cisco1 address 192.168.43.75
crypto IPsec transform-set myset esp-aes & esp-sha-hmac
Access-list:101 permit ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255
Crypto map R1_to_Fortigate100A 10 IPsec-Isakmp
set Peer:192.168.43.75
Match address 101
Set transformset: myset
int fa 0/0 # Crypto map R1_to_Fortigate100A
Fortigate:
hostname: Fortigate100A
Phase1:
Preshared key: cisco1
Remote gateway ip address: 192.168.43.195
mode: aggressive
Accept any peer
P1 Proposal:
AES 128/ SHA1
AES 192/ SHA1
AES192/SHA 256
DH: 2
Keylife: 86400
Phase2:
AES 128/ SHA1
AES 192/ SHA1
AES192/SHA 256
keylife:86400
Quick mode selector:
Source address: 10.10.10.0/24
Destination address: 192.168.43.0/24
I will be very very very thankful if you inform me about any possible mistakes and their solution.
Happy new year
Moe
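An added example, not part of the original post: when Phase 1 authenticates but Quick Mode fails, one thing to verify is that the two ends' Phase 2 selectors mirror each other (one side's source is the other side's destination). The sketch below runs that check on the Cisco access-list 101 entry and the FortiGate quick mode selector quoted in the post; the function names are hypothetical and only the simple `permit ip <net> <wildcard> <net> <wildcard>` ACL form is handled.

```python
import ipaddress

# Values copied from the post above.
CISCO_ACL = "permit ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255"
FORTIGATE_SELECTOR = ("10.10.10.0/24", "192.168.43.0/24")  # (source, destination)


def wildcard_to_network(addr, wildcard):
    """Convert a Cisco address + wildcard mask into an IPv4Network."""
    wild = int(ipaddress.IPv4Address(wildcard))
    # A wildcard usable as a selector is a run of low-order 1 bits only.
    if wild & (wild + 1):
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - wild.bit_length()}")


def acl_to_selector(acl):
    """Parse 'permit ip SRC WILD DST WILD' into (source_net, destination_net)."""
    parts = acl.split()
    if len(parts) != 6 or parts[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACL form: {acl!r}")
    return (wildcard_to_network(parts[2], parts[3]),
            wildcard_to_network(parts[4], parts[5]))


def mirror_mismatches(local, remote):
    """List the ways the remote selector fails to mirror the local one."""
    (l_src, l_dst), (r_src, r_dst) = local, remote
    problems = []
    if l_src != r_dst:
        problems.append(f"local source {l_src} != remote destination {r_dst}")
    if l_dst != r_src:
        problems.append(f"local destination {l_dst} != remote source {r_src}")
    return problems


def check_post_config():
    """Compare the Cisco crypto ACL with the FortiGate quick mode selector."""
    remote = tuple(ipaddress.ip_network(n) for n in FORTIGATE_SELECTOR)
    return mirror_mismatches(acl_to_selector(CISCO_ACL), remote)


if __name__ == "__main__":
    for line in check_post_config() or ["selectors mirror each other"]:
        print(line)
```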