

VPN Aggressive mode - Cisco Router x Fortigate

Hi,
We are currently trying to establish a site-to-site VPN with a branch office. The branch is using a Cisco 2911 router. They sent us the configuration parameters, which we applied, but the VPN tunnel is still not coming up. I think phase 1 is OK (the logs below show the IKE SA being established), but the problem is with phase 2 (the quick-mode proposal from the Cisco is rejected with "no matching phase2 found").
 
[Cisco Router] {Dynamic IP} ---------> (Internet) --------->{Static IP} [Fortigate Amazon]
+ Fortigate: HUB
+ Cisco Router: SPOKE
 
Fortigate Config
config vpn ipsec phase1-interface
    edit "HUB"
        set type dynamic
        set interface "port1"
        set dhgrp 2
        set mode aggressive
        set peertype one
        set proposal aes256-sha1
        set peerid "hub"
        set psksecret ***
    next
end
config vpn ipsec phase2-interface
    edit "VPN"
        set keepalive enable
        set phase1name "HUB"
        set proposal 3des-sha1
        set dhgrp 2
        set keylifeseconds 3600
    next
end
config router static
    edit 1
        set device "HUB"
        set dst 10.21.50.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        set srcintf "HUB"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "port1"
        set dstintf "HUB"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end


Router 2911 config
crypto keyring KEYR1
  pre-shared-key address 1.1.1.1 key ***
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp keepalive 10 5
crypto isakmp profile R2_ISAKMP_PROF
   keyring KEYR1
   self-identity user-fqdn hub
   match identity address 1.1.1.1 255.255.255.255
   initiate mode aggressive
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile R2_VTI
 set transform-set ESP-3DES-SHA
 set pfs group2
 set isakmp-profile R2_ISAKMP_PROF
interface Tunnel3
 no ip address
 tunnel source GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile R2_VTI
!
ip route 172.0.1.0 255.255.255.0 Tunnel3
 
 
Fortigate logs
ike 0:HUB: cached as dynamic 'hub'
ike 0: cache rebuild done
ike 0: IKEv1 Aggressive, comes 201.91.58.58:500->172.0.1.100 3, peer-id=hub
ike 0:f58d54ee1e06c362/0000000000000000:2638: negotiation result
ike 0:f58d54ee1e06c362/0000000000000000:2638: proposal id = 1:
ike 0:f58d54ee1e06c362/0000000000000000:2638:   protocol id = ISAKMP:
ike 0:f58d54ee1e06c362/0000000000000000:2638:      trans_id = KEY_IKE.
ike 0:f58d54ee1e06c362/0000000000000000:2638:      encapsulation = IKE/none
ike 0:f58d54ee1e06c362/0000000000000000:2638:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:f58d54ee1e06c362/0000000000000000:2638:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:f58d54ee1e06c362/0000000000000000:2638:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:f58d54ee1e06c362/0000000000000000:2638:         type=OAKLEY_GROUP, val=1024.
ike 0:f58d54ee1e06c362/0000000000000000:2638: ISAKMP SA lifetime=28800
ike 0:f58d54ee1e06c362/0000000000000000:2638: SA proposal chosen, matched gateway HUB
ike 0:HUB:2638: DPD negotiated
ike 0:HUB:2638: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-07
ike 0:HUB:2638: selected NAT-T version: RFC 3947
ike 0:HUB:2638: cookie f58d54ee1e06c362/6b13e0e54ab27d49
ike 0:HUB:2638: ISAKMP SA f58d54ee1e06c362/6b13e0e54ab27d49 key 32:19C76885A298F7401E37786E14A170A990858529EA282D4475EC73BD20BD33F9
ike 0:HUB:2638: out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
ike 0:HUB:2638: sent IKE msg (agg_r1send): 172.0.1.100:500->201.91.58.58:500, len=380, id=f58d54ee1e06c362/6b13e0e54ab27d49
ike 0:HUB:2638: out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
ike 0:HUB:2638: sent IKE msg (P1_RETRANSMIT): 172.0.1.100:500->201.91.58.58:500, len=380, id=f58d54ee1e06c362/6b13e0e54ab27d49
ike 0: comes 201.91.58.58:4500->172.0.1.100:4500,ifindex=3....
ike 0: IKEv1 exchange=Aggressive id=f58d54ee1e06c362/6b13e0e54ab27d49 len=140
ike 0: in F58D54EE1E06C3626B13E0E54AB27D4908100401000000000000008C637FE1155BA6DFDCC582F771715C7D9588AF4B6D0CE1DE97523351576A418A46E0ED65AC5E426DAFC1F9FDD84069A51BAF4DC3B70AF5A03A4DEEA11BCF872AEBF4C9B6ADB642C0AAB9C0EDE181467C496828DBD4F040E6F2D6F89E0A18136F08CACC89082F59A9CCBAE70F483E1D03E1
ike 0:HUB:2638: responder: aggressive mode get 2nd response...
ike 0:HUB:2638: dec F58D54EE1E06C3626B13E0E54AB27D4908100401000000000000008C140000182C26EB5991002A24F17EF55CB9F5197796BC8F2B14000018F1977B1078CC25FD607CFA88C2181AD6CD3654780B000018026FC51CE253396CFE87805DBAA02E91CC9D3DA50000001C0000000101106002F58D54EE1E06C3626B13E0E54AB27D49000000000000000000000000
ike 0:HUB:2638: received NAT-D payload type 20
ike 0:HUB:2638: received NAT-D payload type 20
ike 0:HUB:2638: received notify type 24578
ike 0:HUB:2638: PSK authentication succeeded
ike 0:HUB:2638: authentication OK
ike 0:HUB:2638: NAT detected: ME
ike 0: comes 201.91.58.58:4500->172.0.1.100:4500,ifindex=3....
ike 0: IKEv1 exchange=Quick id=f58d54ee1e06c362/6b13e0e54ab27d49:36da9bbe len=316
ike 0: in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
ike 0:HUB:2638: can not start the quick mode 00000000, waiting to establish ISAKMP SA f58d54ee1e06c362/6b13e0e54ab27d49
ike 0:HUB:2638: remote port change 500 -> 4500
ike 0:HUB:2638: established IKE SA f58d54ee1e06c362/6b13e0e54ab27d49
ike 0:HUB: adding new dynamic tunnel for 201.91.58.58:4500
ike 0:HUB_0: added new dynamic tunnel for 201.91.58.58:4500
ike 0:HUB_0:2638: processing INITIAL-CONTACT
ike 0:HUB_0: flushing
ike 0:HUB_0: flushed
ike 0:HUB_0:2638: processed INITIAL-CONTACT
ike 0:HUB_0:2638: no pending Quick-Mode negotiations
ike 0:HUB_0: link is idle 3 172.0.1.100->201.91.58.58:4500 dpd=1 seqno=1
ike 0:HUB_0:2638: send IKEv1 DPD probe, seqno 1
ike 0:HUB_0:2638: enc F58D54EE1E06C3626B13E0E54AB27D49081005015E5A6479000000540B0000188287A6048F4AF1657D56B33040E778BF7FBEF234000000200000000101108D28F58D54EE1E06C3626B13E0E54AB27D4900000001
ike 0:HUB_0:2638: out F58D54EE1E06C3626B13E0E54AB27D49081005015E5A64790000005C607AFA57FFD6F456BAB5BB621DD11556CA5249327606B989396148BB3E8BD25CA7713C0F2E7F0B136FABD5285D56C3BD925A2D71F49F4589F43B703D15581101
ike 0:HUB_0:2638: sent IKE msg (R-U-THERE): 172.0.1.100:4500->201.91.58.58:4500, len=92, id=f58d54ee1e06c362/6b13e0e54ab27d49:5e5a6479
ike 0: comes 201.91.58.58:4500->172.0.1.100:4500,ifindex=3....
ike 0: IKEv1 exchange=Informational id=f58d54ee1e06c362/6b13e0e54ab27d49:0ea3fd83 len=92
ike 0: in F58D54EE1E06C3626B13E0E54AB27D49081005010EA3FD830000005C26CE06723802F1D9FFFC24CF50230BEEB6EF01BC5FA0798437A0B8AD3C840039424E99BF9A15B36E9BFE71AF11DE05D0B8EE623578F65BF5E1156316351809EB
ike 0:HUB_0:2638: dec F58D54EE1E06C3626B13E0E54AB27D49081005010EA3FD830000005C0B00001887EA8771C873A6C9870C973B9D778E6B0A6D46A4000000200000000101108D29F58D54EE1E06C3626B13E0E54AB27D49000000010000000000000000
ike 0:HUB_0:2638: notify msg received: R-U-THERE-ACK
ike 0: comes 201.91.58.58:4500->172.0.1.100:4500,ifindex=3....
ike 0: IKEv1 exchange=Quick id=f58d54ee1e06c362/6b13e0e54ab27d49:36da9bbe len=316
ike 0: in F58D54EE1E06C3626B13E0E54AB27D490810200136DA9BBE0000013C97177F295E9C9E7527C1B5273DECE0F8DDCF27E411215280BDC09975F2153CB4FBBB193B61C08AE38C3750E02212CF251BB15E7EEFBBBD4BD97D095EDCAC217722453FF8A5BF73EF7DB1A112B108316FC3AEF67A9BEA66759ACE99529D38BE3427E1679F23FEB912096E428F311099699344328333E1139C47D4CEF8C086C35AAB1A22D0E3EB27CA872B80A2A77F11619456E07E9CA8370B6D8555B08508C96CFE55B7C1D91CA1EA542D58DBF8350DBDE1144FB8A89383C0372F1E36195090CEB00B65E3C3F2AAEF2B8B4357B5ED9DF51A8B6C52AFCB4C225B5D85ABFCA3F048B35A514711ACDE79F49A4DF8792AB6B6777175A6642922590AB60A2CFA705DA563D446E955BB0B596677880E6AF87237360AF07C1104638522A62031702198ED
ike 0:HUB_0:2638:2704: responder received first quick-mode message
ike 0:HUB_0:2638: dec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
ike 0:HUB_0:2638:2704: peer proposal is: peer:0:0.0.0.0-255.255.255.255:0, me:0:0.0.0.0-255.255.255.255:0
ike 0:HUB_0:2638:VPN:2704: trying
ike 0:HUB_0:2638:2704: wildcard is not an acceptable destination subnet
ike 0:HUB_0:2638:2704: no matching phase2 found
ike 0:HUB_0:2638:2704: failed to get responder proposal
ike 0:HUB_0:2638: error processing quick-mode message from 201.91.58.58 as responder
ike 0:HUB_0: link is idle 3 172.0.1.100->201.91.58.58:4500 dpd=1 seqno=2
ike 0:HUB_0:2638: send IKEv1 DPD probe, seqno 2
ike 0:HUB_0:2638: enc F58D54EE1E06C3626B13E0E54AB27D49081005014CB3D819000000540B00
 
 
Can you help me please?
Thanks
