01-01-2013 05:18 AM - edited 03-04-2019 06:32 PM
Hi all,
I'm trying to set up a site-to-site IPsec tunnel between 2 different routers (Cisco 3750 & Fortigate 100A) (R1 & Fortigate100A).
Without IPsec, the whole scenario works properly.
But unfortunately the IPsec tunnel (between R1 & Fortigate100A) is not functioning properly.
(Please look at the attached jpg file.)
The log messages received on the routers are displayed below:
Cisco: R1:
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.168.43.75
Fortigate 100A:
ike 0: no established IKE SA for exchange-type Informational from 192.168.43.195:500->192.168.43.75 3 cookie d3695c6cea17475a/d18e1af773e658b9, drop
ike 0:Cisco-P1:6899: authentication OK
ike 0: no established IKE SA for exchange-type Informational from 192.168.43.195:500->192.168.43.75 3 cookie 414bd35ab92bc4ef/d18e1af78ed17bf9, drop
I have configured both routers as follows:
Cisco:
Hostname:R1
isakmp Policy 1
Hash: sha
Authentication: pre-share
Encryption: AES128
DH group:2
Lifetime 86400
isakmp Key: cisco1 address 192.168.43.75
crypto IPsec transform-set myset esp-aes & esp-sha-hmac
Access-list:101 permit ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255
Crypto map R1_to_Fortigate100A 10 IPsec-Isakmp
set Peer:192.168.43.75
Match address 101
Set transformset: myset
int fa 0/0 # Crypto map R1_to_Fortigate100A
Fortigate:
hostname: Fortigate100A
Phase1:
Preshared key: cisco1
Remote gateway ip address: 192.168.43.195
mode: aggressive
Accept any peer
P1 Proposal:
AES 128/ SHA1
AES 192/ SHA1
AES192/SHA 256
DH: 2
Keylife: 86400
Phase2:
AES 128/ SHA1
AES 192/ SHA1
AES192/SHA 256
keylife:86400
Quick mode selector:
Source address: 10.10.10.0/24
Destination address: 192.168.43.0/24
I will be very very very thankful if you could inform me of any possible mistakes and their solutions.
Happy new year
Moe
01-01-2013 06:13 AM
Been awhile since I messed with a Fortigate, but I would first try changing the phase 2 remote address to 10.0.0.0/24. If that is the "interesting traffic" statement, it doesn't match what you have on the Cisco. After that, try changing the phase 1 IKE mode to something other than "aggressive".
Sent from Cisco Technical Support iPad App
01-01-2013 11:17 PM
Without NAT, how can you ping your peer?
Check the generic configuration of an IPsec site-to-site VPN:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXX address 10.10.10.10
// set your key instead of XXX; it must match your remote site. After that, write the address of your peer
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set XXX esp-3des esp-md5-hmac
!
crypto map YYY local-address <<
crypto map YYY 10 ipsec-isakmp
set peer 10.10.10.10
set transform-set XXX
match address 101
interface <<
crypto map YYY
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 11.11.11.11 (Remote user)
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 22.22.22.22 (Remote user)
Extended IP access list 100 (NAT access list)
deny ip 192.168.1.0 0.0.0.255 host 11.11.11.11
deny ip 192.168.1.0 0.0.0.255 host 22.22.22.22
permit ip any any
Please rate this if helpful
01-02-2013 03:23 AM
Good, as per the configuration phase 1 & 2 should be up.
ip route 0.0.0.0 0.0.0.0 192.168.43.75 is wrong because you set your peer as 192.168.43.75.
For the ip route, suppose your public IP is 192.168.11.1; then you have to set
ip route 0.0.0.0 0.0.0.0 192.168.11.2, meaning 192.168.11.2 is your ISP end.
Second:
As per your configuration, interface FastEthernet0/0 is for the WAN, right?
access-list 101 permit ip 10.0.0.0 0.0.0.255 host
After that, configure NAT:
access-list 100 deny ip 10.0.0.0 0.0.0.255 host
access-list 100 permit ip any any
int fa0/0 (wan interface)
ip nat outside
int fa0/1 (local interface)
ip nat inside
01-01-2013 09:11 PM
Thanks for your prompt reply, Jeff.
I changed the phase 2 remote address to 10.0.0.0/24, as you mentioned, and changed the phase 1 IKE mode from aggressive to main mode as well, but it is still not functioning.
The result of the "show crypto session" command on the Cisco router appears as follows:
R1#show crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-IDLE
Peer: 192.168.43.75 port 500
IKE SA: local 192.168.43.195/500 remote 192.168.43.75/500 Active
IKE SA: local 192.168.43.195/500 remote 192.168.43.75/500 Inactive
IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 10.10.10.0/255.255.255.0
Active SAs: 0, origin: crypto map
What would you suggest I do to troubleshoot this scenario?
Thanks
01-01-2013 10:07 PM
Dear Mohammad,
Can you share your NAT configuration? You need to deny 192.168.43.195/500 remote 192.168.43.75/500 in your NAT ACL. As per your above configuration, phase 1 & 2 are correct; that's why only the tunnel status is showing up. The problem is with the access list, because your packets are not traveling via the tunnel properly, so try to push them into the tunnel.
Check and share the output of: sh cry ipsec sa peer 192.168.43.75
01-01-2013 11:05 PM
Dear Hardik,
There is no NAT configured on the Cisco router or the Fortigate firewall, and the only access list defined on the Cisco R1 is access list 101, which is:
Access-list:101 permit ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255
The result of the command you mentioned is:
R1#sh crypto ipsec sa peer 192.168.43.75
interface: FastEthernet0/0
Crypto map tag: R1_to_Fortigate100A, local addr 192.168.43.195
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
current_peer 192.168.43.75 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 220, #pkts encrypt: 220, #pkts digest: 220
#pkts decaps: 208, #pkts decrypt: 208, #pkts verify: 208
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 30, #recv errors 2
local crypto endpt.: 192.168.43.195, remote crypto endpt.: 192.168.43.75
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x1165BD35(291880245)
inbound esp sas:
spi: 0xB9A26944(3114428740)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: R1_to_Fortigate100A
sa timing: remaining key lifetime (k/sec): (4448927/1337)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x1165BD35(291880245)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: R1_to_Fortigate100A
sa timing: remaining key lifetime (k/sec): (4448926/1333)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
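As an added check (not code from the thread), here is a small Python parser over the counter and SA lines of the output above. It pulls out the encaps/decaps counts, the send/recv errors and the number of ACTIVE ESP SAs, then flags the usual site-to-site failure patterns (no SA pair, one-way traffic, traffic not hitting the crypto ACL). The sample text is constructed from the output Mohammad posted.

```python
import re

# Constructed sample: the counter and SA lines from the "sh crypto ipsec sa" output above
SAMPLE_SA_OUTPUT = """\
  #pkts encaps: 220, #pkts encrypt: 220, #pkts digest: 220
  #pkts decaps: 208, #pkts decrypt: 208, #pkts verify: 208
  #send errors 30, #recv errors 2
  inbound esp sas:
   spi: 0xB9A26944(3114428740)
    Status: ACTIVE
  outbound esp sas:
   spi: 0x1165BD35(291880245)
    Status: ACTIVE
"""


def parse_ipsec_sa(text):
    """Extract packet counters and the number of ACTIVE ESP SAs from the output."""
    def count(pattern):
        m = re.search(pattern, text)
        return int(m.group(1)) if m else 0
    return {
        "encaps": count(r"#pkts encaps: (\d+)"),
        "decaps": count(r"#pkts decaps: (\d+)"),
        "send_errors": count(r"#send errors (\d+)"),
        "recv_errors": count(r"#recv errors (\d+)"),
        "active_sas": len(re.findall(r"Status: ACTIVE", text)),
    }


def assess_tunnel(stats):
    """Return a list of findings; an empty list means the SA pair looks healthy."""
    findings = []
    if stats["active_sas"] < 2:
        findings.append("fewer than two ACTIVE ESP SAs: phase 2 is not fully established")
    if stats["encaps"] and not stats["decaps"]:
        findings.append("encapsulating but never decapsulating: the remote side is not "
                        "sending traffic back (check its selectors and routing)")
    if not stats["encaps"] and stats["active_sas"] >= 2:
        findings.append("SAs are up but nothing is encapsulated: traffic is not matching "
                        "the crypto ACL (check routing/NAT in front of the crypto map)")
    if stats["send_errors"]:
        findings.append(f"{stats['send_errors']} send errors: packets dropped before "
                        "encapsulation, e.g. while the SA was still being negotiated")
    return findings


if __name__ == "__main__":
    for finding in assess_tunnel(parse_ipsec_sa(SAMPLE_SA_OUTPUT)):
        print("-", finding)
```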
01-02-2013 01:05 AM
Thank you all for your replies.
We have another problem now.
The tunnel comes up and is active IF the first packet is sent from the Fortigate firewall, not the Cisco router; otherwise the tunnel won't come up. In other words, the first packet must be sent into the tunnel from the network behind the Fortigate to make the tunnel active.
What could be the possible problem?
01-02-2013 01:41 AM
Dear Mohammad,
See, you said your tunnel is up. That means your phase 1 & 2 parameters match with your peer; that's why the tunnel is up. But the packets will not travel inside the tunnel, they will travel over the Internet; that means something is missing in routing or NAT.
Run tracert on one system and check.
Can you share some configuration here? After that I will give you a solution.
Please rate this if helpful
01-02-2013 02:37 AM
Dear Hardik,
The configuration of the Fortigate firewall is attached as 2 jpg files and the running configuration of the Cisco router is pasted as follows:
R1#sh run
Building configuration...
Current configuration : 1286 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1
no aaa new-model
memory-size iomem 5
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco1 address 192.168.43.75
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto map R1_to_Fortigate100A 10 ipsec-isakmp
set peer 192.168.43.75
set transform-set myset
match address 101
interface FastEthernet0/0
ip address 192.168.43.195 255.255.255.0
duplex auto
speed auto
crypto map R1_to_Fortigate100A
interface FastEthernet0/1
ip address 10.0.0.1 255.255.255.0
duplex auto
speed auto
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.43.75
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255
line con 0
logging synchronous
line aux 0
line vty 0 4
end
R1#