11-06-2011 01:42 PM
I'm trying to set up a site-to-site VPN, but after many different configuration changes I have concluded that it does not work.
I think the problem is related to the RV120W malfunctioning, or maybe it cannot interoperate properly with the Fortigate.
I have many other site-to-site VPNs on this Fortigate with other firewalls, and all of them work fine. But with the Cisco RV120W I cannot achieve it.
I always have the same error inside the log.
In the Cisco RV120W log:
2011-11-06 22:31:58: [rv120w][IKE] INFO: [rv120w][IKE] INFO: accept a request to establish IKE-SA: REMOTE_WAN_IP
2011-11-06 22:31:58: [rv120w][IKE] INFO: Configuration found for REMOTE_WAN_IP.
2011-11-06 22:31:58: [rv120w][IKE] INFO: Initiating new phase 1 negotiation: LOCAL_WAN_IP[500]<=>REMOTE_WAN_IP[500]
2011-11-06 22:31:58: [rv120w][IKE] INFO: Beginning Identity Protection mode.
2011-11-06 22:31:58: [rv120w][IKE] INFO: [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3
2011-11-06 22:31:58: [rv120w][IKE] INFO: [ident_i1send:184]: XXX: setting vendorid: 4
2011-11-06 22:31:58: [rv120w][IKE] INFO: [ident_i1send:184]: XXX: setting vendorid: 8
2011-11-06 22:31:58: [rv120w][IKE] INFO: [ident_i1send:184]: XXX: setting vendorid: 9
2011-11-06 22:32:29: [rv120w][IKE] ERROR: Invalid SA protocol type: 0
2011-11-06 22:32:29: [rv120w][IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1.
2011-11-06 22:32:58: [rv120w][IKE] ERROR: Phase 1 negotiation failed due to time up for REMOTE_WAN_IP[500]. 548ab978ab367208:0000000000000000
In the Fortigate log:
1 2011-11-06 22:03:26 notice negotiate Responder: parsed (w.x.y.z) main mode message #1 (ERROR)
2 2011-11-06 22:03:26 error negotiate Negotiate SA Error: Peer's SA proposal does not match local policy.
I would appreciate any help.
Thanks a lot.
This is the main RV120W configuration I have been trying.
RV120W firmware version: 1.0.2.6
Fortigate 100A firmware version: 3.0 MR6
IKE Policy Table
Policy Name: PolicyName-1
Direction / Type: Both
Exchange Mode: Main
Local
Identifier Type: FQDN
Identifier: xxx.domain.com
Remote
Identifier Type: Remote WAN (Internet) IP
Identifier: -
IKE SA Parameters
Encryption Algorithm: 3DES
Auth. Algorithm: SHA-1
Authentication Method: Pre-Shared Key
Pre-Shared Key: xxxxxxxxxxxxxx
Diffie-Hellman Group: Group2 (1024 bit)
SA-Lifetime: 28800 Seconds
Dead Peer Detection: Disabled
Extended Authentication
XAUTH Type: None
VPN Policy Table
Policy Name: PolicyName-1
Policy Type: Auto Policy
Remote Endpoint: IP Address a.b.c.d
NETBIOS: Enabled
Local Traffic Selection
Local IP: Subnet
Start Address: 192.168.16.0
Subnet Mask: 255.255.255.0
Remote Traffic Selection
Remote IP: Subnet
Start Address: 192.168.0.0
Subnet Mask: 255.255.255.0
Split DNS: No
Auto Policy Parameters
SA-Lifetime: 3600 Seconds
Encryption Algorithm: 3DES
Integrity Algorithm: SHA-1
PFS Key Group: Enabled, DH Group 2 (1024 bit)
Select IKE Policy: PolicyName-1
11-07-2011 01:14 PM
Hi Victor,
Thank you for posting. Make sure that the IKE and VPN policy settings match exactly in both routers. You may also need to change the Exchange Mode to Aggressive instead of Main. Try experimenting with different Encryption Algorithms and Auth. Algorithms. I recently had some issues connecting an RV220W to a WRV210 and after I changed the Encryption Algorithm to AES-192 and the Auth. Algorithm to SHA-1 the tunnel connected and functioned properly.
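The advice above amounts to checking that the phase 1 proposal the RV120W sends in main mode message #1 is one the Fortigate's local policy accepts, which is exactly what the Fortigate log line "Peer's SA proposal does not match local policy" reports while parsing message #1. The following Python is an added example, not code from this thread or from either vendor: it encodes the RV120W IKE policy from the first post (3DES, SHA-1, pre-shared key, DH group 2, with the initiator cookie from the RV120W log as initiator SPI) as an ISAKMP message #1, parses it back, and compares the offered transform with a local policy, naming the attribute that fails. The two Fortigate policies are assumptions for illustration; the thread never shows the Fortigate side. Attribute and value codes follow RFC 2409 Appendix A, and vendor ID payloads are left out.

```python
"""Encode, parse and policy-check an IKEv1 main-mode message #1 (ISAKMP SA payload, RFC 2408/2409)."""
import struct

# IKE attribute types and value codes from RFC 2409 Appendix A.
ENCR, HASH, AUTH, GROUP, KEY_LENGTH = 1, 2, 3, 4, 14
ENCR_NAMES = {1: "DES", 5: "3DES", 7: "AES"}
HASH_NAMES = {1: "MD5", 2: "SHA1"}
AUTH_NAMES = {1: "PSK", 3: "RSA-SIG"}


def encode_message1(ispi, transforms):
    """Build an ISAKMP main-mode message #1 offering the given transforms.

    transforms: list of dicts with keys encr, hash, auth, group and optional key_bits.
    Vendor ID payloads (the 'vendorid' lines in the RV120W log) are omitted.
    """
    tpayloads = []
    for i, t in enumerate(transforms):
        attrs = [(ENCR, t["encr"]), (HASH, t["hash"]), (AUTH, t["auth"]), (GROUP, t["group"])]
        if "key_bits" in t:
            attrs.append((KEY_LENGTH, t["key_bits"]))
        # Basic (TV) attributes: type with the high bit set, then a 16-bit value.
        body = b"".join(struct.pack("!HH", 0x8000 | a, v) for a, v in attrs)
        nxt = 3 if i < len(transforms) - 1 else 0  # 3 = another Transform payload follows
        # next payload, reserved, length, transform #, transform ID 1 (KEY_IKE), reserved
        tpayloads.append(struct.pack("!BBHBBH", nxt, 0, 8 + len(body), i + 1, 1, 0) + body)
    tbytes = b"".join(tpayloads)
    # Proposal: next 0, reserved, length, proposal #1, protocol 1 (ISAKMP), SPI size 0, transform count
    prop = struct.pack("!BBHBBBB", 0, 0, 8 + len(tbytes), 1, 1, 0, len(transforms)) + tbytes
    # SA payload: next 0, reserved, length, DOI 1 (IPsec), situation 1 (SIT_IDENTITY_ONLY)
    sa = struct.pack("!BBHII", 0, 0, 12 + len(prop), 1, 1) + prop
    # ISAKMP header: initiator SPI, zero responder SPI, next payload 1 (SA), version 1.0,
    # exchange type 2 (Identity Protection = main mode), flags 0, message ID 0, total length
    hdr = struct.pack("!8s8sBBBBII", ispi, b"\0" * 8, 1, 0x10, 2, 0, 0, 28 + len(sa))
    return hdr + sa


def parse_message1(data):
    """Return (exchange_type, list of {attribute_type: value}) for an SA-first ISAKMP message."""
    _ispi, _rspi, nxt, _ver, exch, _flags, _msgid, length = struct.unpack("!8s8sBBBBII", data[:28])
    if length != len(data) or nxt != 1:
        raise ValueError("expected an ISAKMP message whose first payload is SA")
    off = 28 + 12  # skip the header and the SA payload header (next, reserved, length, DOI, situation)
    _, _, _plen, _num, proto, spi_size, ntrans = struct.unpack("!BBHBBBB", data[off:off + 8])
    if proto != 1:
        raise ValueError("a phase 1 proposal must use protocol ID 1 (ISAKMP)")
    p = off + 8 + spi_size
    transforms = []
    for _ in range(ntrans):
        _, _, tlen, _tnum, _tid, _ = struct.unpack("!BBHBBH", data[p:p + 8])
        attrs, a = {}, p + 8
        while a < p + tlen:
            atype, aval = struct.unpack("!HH", data[a:a + 4])
            if atype & 0x8000:                 # TV: the value is in place
                attrs[atype & 0x7FFF] = aval
                a += 4
            else:                              # TLV: aval is a length, the value follows
                attrs[atype] = int.from_bytes(data[a + 4:a + 4 + aval], "big")
                a += 4 + aval
        transforms.append(attrs)
        p += tlen
    return exch, transforms


def describe(t):
    """Human-readable summary such as 3DES/SHA1/PSK/DH2."""
    enc = ENCR_NAMES.get(t.get(ENCR), "?") + (str(t[KEY_LENGTH]) if KEY_LENGTH in t else "")
    return f"{enc}/{HASH_NAMES.get(t.get(HASH), '?')}/{AUTH_NAMES.get(t.get(AUTH), '?')}/DH{t.get(GROUP, '?')}"


def match_policy(peer_transforms, local):
    """Return (index of the first peer transform the local policy accepts, or None, reasons)."""
    reasons = []
    for i, t in enumerate(peer_transforms, 1):
        checks = [(ENCR, "encryption"), (HASH, "hash"), (AUTH, "auth method"), (GROUP, "DH group")]
        if t.get(ENCR) == 7:                   # only AES carries a key-length attribute
            checks.append((KEY_LENGTH, "AES key length"))
        bad = [f"{name}={t.get(a)} not in {sorted(local.get(a, ()))}"
               for a, name in checks if t.get(a) not in local.get(a, ())]
        if not bad:
            return i, reasons
        reasons.append(f"transform {i} ({describe(t)}): " + "; ".join(bad))
    return None, reasons


# Constructed sample: the RV120W IKE policy from the first post (3DES, SHA-1, PSK, DH group 2),
# with the initiator cookie shown in its log used as the initiator SPI.
RV120W_MSG1 = encode_message1(bytes.fromhex("548ab978ab367208"),
                              [{"encr": 5, "hash": 2, "auth": 1, "group": 2}])
# Hypothetical Fortigate phase 1 policies (assumed; the thread never shows the Fortigate side).
FORTIGATE_STRICT = {ENCR: {7}, HASH: {2}, AUTH: {1}, GROUP: {5}, KEY_LENGTH: {128}}
FORTIGATE_FIXED = {ENCR: {5, 7}, HASH: {1, 2}, AUTH: {1}, GROUP: {2, 5}, KEY_LENGTH: {128, 256}}


def check(msg, policy):
    """Parse a captured or constructed message #1 and evaluate it against a local policy."""
    _exch, transforms = parse_message1(msg)
    return match_policy(transforms, policy)


if __name__ == "__main__":
    for name, pol in (("strict", FORTIGATE_STRICT), ("fixed", FORTIGATE_FIXED)):
        idx, why = check(RV120W_MSG1, pol)
        print(name, "-> accepts transform", idx if idx else "none", *why)
```

With the strict policy the script reports which attributes of the single offered transform are rejected; with the relaxed one it accepts transform 1. On a real deployment, feeding the payload of the first UDP/500 datagram from the RV120W (header stripped) to parse_message1 shows the transforms actually on the wire, which is more reliable than reading them off the configuration page.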
11-09-2011 04:59 AM
I have tested every single combination of
- Encryption
- Authentication
- DH Group
matching the same configuration on the other site in aggressive mode, but I always get the same error.
Does "vendorid" involve a restricted interoperable list of ipsec capable devices?
Thanks a lot.
11-09-2011 11:42 AM
Hi Victor,
I don't think that the devices are restricted from connecting to any other device from any other vendor but I have seen some customers that were unable to ever establish a connection between a Small Business router and a third party device. We cannot guarantee that the device will work reliably with a third party device but in most cases they connect fine.
12-30-2011 08:24 PM
Hi Victor,
Could you finally make it work? I'm trying with two identical 120W routers and I am having the same error.
Thanks,
Jaime
01-01-2012 12:42 PM
Hi,
Not yet. I have to update the firmware version on the Fortinet and try again.
But for now, I have solved the problem using two identical 120Ws. It worked perfectly. I created a symmetrical configuration except for the respective remote IP peers.
01-01-2012 01:05 PM
Victor,
I've found this error could be caused by reachability issues. Double-check that the devices are fully capable of reaching all needed destination ports. At this moment, I still have issues with the pair of RV120s. A few quick questions:
- the origin and destination addresses suggested for the software are inverted, aren't they?
- have you used main mode and made it work?
- I'm having a phase 1 issue related to hashing; any related experiences?
Thank you in advance,
Jaime