IPsec tunnel issue (between Cisco & Fortigate)

m_sadeghpour (Level 1)

Hi all,

I'm trying to set up a site-to-site IPsec tunnel between 2 different routers (Cisco 3750 & Fortigate 100A) (R1 & Fortigate100A).

Without IPsec, the whole scenario works properly.

But unfortunately the IPsec tunnel (between R1 & Fortigate100A) is not functioning properly.

(Please see the attached JPG file.)

The log messages received on the routers are shown below:

Cisco: R1:

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.168.43.75

Fortigate 100A:

ike  0: no established IKE SA for exchange-type   Informational from  192.168.43.195:500->192.168.43.75 3 cookie    d3695c6cea17475a/d18e1af773e658b9, drop

ike 0:Cisco-P1:6899: authentication OK

ike  0: no established IKE SA for exchange-type   Informational from  192.168.43.195:500->192.168.43.75 3 cookie    414bd35ab92bc4ef/d18e1af78ed17bf9, drop

ike 0:Cisco-P1:6899:Cisco-P2:14802: quick-mode     negotiation failed due to retry timeout

ike 0:Cisco-P1:6900: authentication OK

I have configured both routers as follows:

Cisco:

Hostname: R1

isakmp policy 1
     Hash: sha
     Authentication: pre-share
     Encryption: AES128
     DH group: 2
     Lifetime: 86400

isakmp key: cisco1 address 192.168.43.75

crypto IPsec transform-set myset esp-aes esp-sha-hmac

Access-list 101: permit ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255

Crypto map R1_to_Fortigate100A 10 ipsec-isakmp
     set peer: 192.168.43.75
     match address 101
     set transform-set: myset

int fa 0/0 # crypto map R1_to_Fortigate100A

Fortigate:

hostname: Fortigate100A

Phase 1:
     Preshared key: cisco1
     Remote gateway IP address: 192.168.43.195
     mode: aggressive
     Accept any peer

P1 Proposal:
     AES128/SHA1
     AES192/SHA1
     AES192/SHA256
     DH: 2
     Keylife: 86400

Phase 2:
     AES128/SHA1
     AES192/SHA1
     AES192/SHA256
     Keylife: 86400
     Quick mode selector:
          Source address: 10.10.10.0/24
          Destination address: 192.168.43.0/24

I will be very, very thankful if you could inform me of any possible mistakes and their solutions.

Happy new year

Moe


9 Replies

Jeff Van Houten (Level 5)

Been a while since I messed with a Fortigate, but I would first try changing the phase 2 remote address to 10.0.0.0/24. If that is the "interesting traffic" statement, it doesn't match what you have on the Cisco. After that, try changing the phase 1 IKE mode to something other than "aggressive".

Sent from Cisco Technical Support iPad App
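Jeff's point about the phase 2 selector can be checked mechanically before touching either box. The Python below is an added example, not code from the thread or from Cisco/Fortinet: it parses the crypto ACL line from the opening post, converts the IOS wildcard masks to prefixes, and lists every way the FortiGate quick-mode selector fails to mirror the Cisco proxy IDs. The ACL and selector values are the ones posted above; the function names are my own.

```python
"""Check that a FortiGate phase 2 selector mirrors the Cisco crypto ACL."""
import ipaddress
import re

# Constructed sample input, copied from the opening post: the Cisco crypto ACL
# and the FortiGate quick-mode selector as originally configured.
CISCO_CRYPTO_ACL = "access-list 101 permit ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255"
FORTIGATE_SELECTOR = {"source": "10.10.10.0/24", "destination": "192.168.43.0/24"}

_ACL_RE = re.compile(
    r"access-list\s+\d+\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<src_wc>\S+)\s+(?P<dst>\S+)\s+(?P<dst_wc>\S+)$"
)


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair into an IPv4Network.

    IOS wildcard masks are inverted netmasks (0.0.0.255 -> /24). Invert them
    explicitly instead of relying on ipaddress' hostmask guessing, which reads
    the host wildcard 0.0.0.0 as a /0 netmask rather than a /32.
    """
    inverted = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    netmask = str(ipaddress.IPv4Address(inverted))
    return ipaddress.IPv4Network((addr, netmask), strict=False)


def parse_crypto_acl(line):
    """Return (local_network, remote_network) from one crypto ACL permit entry."""
    m = _ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported crypto ACL entry: {line!r}")
    return (wildcard_to_network(m["src"], m["src_wc"]),
            wildcard_to_network(m["dst"], m["dst_wc"]))


def check_mirror(acl_line, selector):
    """List the ways the FortiGate selector fails to mirror the Cisco ACL.

    The Cisco side encrypts local -> remote; the FortiGate must describe the
    same flow from its own point of view, i.e. remote -> local. An empty list
    means the two proxy IDs will agree during quick mode.
    """
    local, remote = parse_crypto_acl(acl_line)
    fg_src = ipaddress.ip_network(selector["source"])
    fg_dst = ipaddress.ip_network(selector["destination"])
    problems = []
    if fg_src != remote:
        problems.append(f"FortiGate source {fg_src} must equal the Cisco ACL destination {remote}")
    if fg_dst != local:
        problems.append(f"FortiGate destination {fg_dst} must equal the Cisco ACL source {local}")
    return problems


if __name__ == "__main__":
    for line in check_mirror(CISCO_CRYPTO_ACL, FORTIGATE_SELECTOR) or ["selectors mirror"]:
        print(line)
```

Run against the values in the opening post it reports exactly one mismatch (the FortiGate destination 192.168.43.0/24 versus the Cisco source 10.0.0.0/24), which is the quick-mode proxy ID disagreement behind the IKMP_MODE_FAILURE and the "quick-mode negotiation failed" lines in the logs; with the destination set to 10.0.0.0/24 it reports nothing.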

Thanks for your prompt reply Jeff.

I changed the phase 2 remote address to 10.0.0.0/24, as you mentioned, and changed the phase 1 IKE mode from aggressive to main mode as well, but it is still not functioning.

The result of the "show crypto session" command on the Cisco router appears as follows:

R1#show crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-IDLE
Peer: 192.168.43.75 port 500
  IKE SA: local 192.168.43.195/500 remote 192.168.43.75/500 Active
  IKE SA: local 192.168.43.195/500 remote 192.168.43.75/500 Inactive
  IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 10.10.10.0/255.255.255.0
        Active SAs: 0, origin: crypto map

What would you suggest I do to troubleshoot this scenario?

Thanks

Dear Mohammad,

Can you share your NAT configuration? You have to deny 192.168.43.195/500 remote 192.168.43.75/500 in your NAT ACL. As per your above configuration, phase 1 & 2 are correct; that's why the tunnel status shows up. The problem is with the access list, because your packets are not travelling via the tunnel properly, so try to push them into the tunnel.

Check and share: #sh cry ipsec sa peer 192.168.43.75

Dear Hardik,

There is no NAT configured on the Cisco router or the Fortigate firewall, and the only access list defined on the Cisco R1 is access list 101, which is:

access-list 101 permit ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255

The result of the command you mentioned is:

R1#sh crypto ipsec sa peer 192.168.43.75

interface: FastEthernet0/0
    Crypto map tag: R1_to_Fortigate100A, local addr 192.168.43.195

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   current_peer 192.168.43.75 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 220, #pkts encrypt: 220, #pkts digest: 220
    #pkts decaps: 208, #pkts decrypt: 208, #pkts verify: 208
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 30, #recv errors 2

     local crypto endpt.: 192.168.43.195, remote crypto endpt.: 192.168.43.75
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x1165BD35(291880245)

     inbound esp sas:
      spi: 0xB9A26944(3114428740)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: R1_to_Fortigate100A
        sa timing: remaining key lifetime (k/sec): (4448927/1337)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x1165BD35(291880245)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: R1_to_Fortigate100A
        sa timing: remaining key lifetime (k/sec): (4448926/1333)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
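The output above already answers the question the thread is circling: both ESP SAs are ACTIVE and packets are being encapsulated (220) and decapsulated (208), so traffic is flowing through the tunnel in both directions. The Python below is an added example, not from the thread or from Cisco, that parses that "show crypto ipsec sa" text into the identities, peer, counters and SA list and turns them into the findings an engineer checks first: no active SA, one-way traffic, and send errors. The sample is an abridged copy of the output posted above; the function names are my own.

```python
"""Parse the counters and SA state out of IOS 'show crypto ipsec sa' output."""
import re

# Constructed sample: an abridged copy of the output posted in the thread
# (compression counters and the empty ah/pcp sections are left out).
SAMPLE_OUTPUT = """\
interface: FastEthernet0/0
    Crypto map tag: R1_to_Fortigate100A, local addr 192.168.43.195
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   current_peer 192.168.43.75 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 220, #pkts encrypt: 220, #pkts digest: 220
    #pkts decaps: 208, #pkts decrypt: 208, #pkts verify: 208
    #send errors 30, #recv errors 2
     current outbound spi: 0x1165BD35(291880245)
     inbound esp sas:
      spi: 0xB9A26944(3114428740)
        transform: esp-aes esp-sha-hmac ,
        Status: ACTIVE
     outbound esp sas:
      spi: 0x1165BD35(291880245)
        transform: esp-aes esp-sha-hmac ,
        Status: ACTIVE
"""

_COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors)[: ]+(\d+)")
_IDENT_RE = re.compile(r"(local|remote)\s+ident.*\(([^/]+)/([^/]+)/\d+/\d+\)")
_PEER_RE = re.compile(r"current_peer (\S+) port (\d+)")
_SA_HDR_RE = re.compile(r"(inbound|outbound) (esp|ah|pcp) sas:")
_SPI_RE = re.compile(r"spi: (0x[0-9A-Fa-f]+)")
_STATUS_RE = re.compile(r"Status: (\w+)")


def parse_ipsec_sa(text):
    """Return identities, peer, packet counters and the list of SAs."""
    info = {"local_ident": None, "remote_ident": None, "peer": None,
            "counters": {}, "sas": []}
    direction = None   # which 'inbound/outbound ... sas:' section we are in
    current = None     # the SA whose fields are being read
    for raw in text.splitlines():
        line = raw.strip()
        m = _IDENT_RE.match(line)
        if m:
            info[f"{m.group(1)}_ident"] = f"{m.group(2)}/{m.group(3)}"
            continue
        m = _PEER_RE.match(line)
        if m:
            info["peer"] = m.group(1)
            continue
        m = _SA_HDR_RE.match(line)
        if m:
            direction, current = m.group(1), None
            continue
        m = _SPI_RE.match(line)   # anchored, so 'current outbound spi:' is skipped
        if m and direction:
            current = {"direction": direction, "spi": m.group(1), "status": None}
            info["sas"].append(current)
            continue
        m = _STATUS_RE.match(line)
        if m and current:
            current["status"] = m.group(1)
    info["counters"] = {name: int(value) for name, value in _COUNTER_RE.findall(text)}
    return info


def assess(info):
    """Turn the parsed numbers into the findings an engineer looks for first."""
    c = info["counters"]
    encaps, decaps = c.get("pkts encaps", 0), c.get("pkts decaps", 0)
    active = [sa for sa in info["sas"] if sa["status"] == "ACTIVE"]
    findings = []
    if not active:
        findings.append("no ACTIVE IPsec SA: phase 2 has not completed, check proposals and selectors")
    elif encaps and not decaps:
        findings.append("packets are encrypted outbound but nothing is decapsulated: the peer is not "
                        "returning traffic through the tunnel (check its selectors, routing or NAT)")
    elif decaps and not encaps:
        findings.append("packets arrive through the tunnel but nothing is sent: local traffic is not "
                        "matching the crypto ACL (check routing and NAT order)")
    else:
        findings.append(f"tunnel is passing traffic both ways ({encaps} out / {decaps} in)")
    if c.get("send errors", 0):
        findings.append(f"{c['send errors']} send errors: packets dropped on the encrypt path, for example "
                        "those that matched the crypto map before an SA existed (expected for the first "
                        "packets while IKE negotiates, worth a look if the count keeps climbing)")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_ipsec_sa(SAMPLE_OUTPUT)):
        print(finding)
```

The parser keys on the fixed layout of the IOS output (identities, counters, then one "spi:" block per SA under each direction header), so it works on the full output as posted, not just the abridged sample; the 30 send errors in the thread's output are consistent with the first packets being dropped while the tunnel was still negotiating.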

Without NAT, how can you ping your peer?

Check the generic configuration of an IPsec site-to-site VPN:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key XXX address 10.10.10.10
! set your key instead of XXX; it must match the remote site. After that write the address of your peer.
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set XXX esp-3des esp-md5-hmac
!
crypto map YYY local-address <<>>
crypto map YYY 10 ipsec-isakmp
 set peer 10.10.10.10
 set transform-set XXX
 match address 101

interface <<>>
 crypto map YYY

! 11.11.11.11 and 22.22.22.22 are the remote users
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 11.11.11.11
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 22.22.22.22

Extended IP access list 100 (NAT access list)
     deny ip 192.168.1.0 0.0.0.255 host 11.11.11.11
     deny ip 192.168.1.0 0.0.0.255 host 22.22.22.22
     permit ip any any

Please rate this if helpful

Thank you all for your replies.

We have another problem now.

The tunnel comes up and is active IF the first packet is sent from the Fortigate firewall, not the Cisco router; otherwise the tunnel won't come up. In other words, the first packet must be sent into the tunnel from the network behind the Fortigate to make the tunnel active.

What could be the possible problem?

Dear Mohammad,

You said your tunnel is up. That means your phase 1 & 2 parameters match with your peer; that's why the tunnel is up. But the packets will not travel inside the tunnel; they will travel over the Internet, which means something is missing in routing or NAT.

Run tracert on one system and check.

Can you share some configuration here? After that I will give you a solution.

Please rate this if helpful

Dear Hardik,

The configuration of the Fortigate firewall is attached as 2 JPG files, and the running configuration of the Cisco router is pasted below:

R1#sh run
Building configuration...

Current configuration : 1286 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1
no aaa new-model
memory-size iomem 5
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco1 address 192.168.43.75
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto map R1_to_Fortigate100A 10 ipsec-isakmp
 set peer 192.168.43.75
 set transform-set myset
 match address 101
interface FastEthernet0/0
 ip address 192.168.43.195 255.255.255.0
 duplex auto
 speed auto
 crypto map R1_to_Fortigate100A
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 duplex auto
 speed auto
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.43.75
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255
line con 0
 logging synchronous
line aux 0
line vty 0 4
end

R1#

Hardik Vaidh (Level 1)

Good; as per the configuration, phase 1 & 2 should be up.

ip route 0.0.0.0 0.0.0.0 192.168.43.75 is wrong because you set your peer as 192.168.43.75.

ip route means: suppose your public IP is 192.168.11.1, then you have to set

ip route 0.0.0.0 0.0.0.0 192.168.11.2  (meaning 192.168.11.2 is your ISP end).

Second:

As per your configuration, interface FastEthernet0/0 is for the WAN, right?

access-list 101 permit ip 10.0.0.0 0.0.0.255 host

After that, configure NAT:

access-list 100 deny ip 10.0.0.0 0.0.0.255 host
access-list 100 permit ip any any

int fa0/0 (WAN interface)
 ip nat outside

int fa0/1 (local interface)
 ip nat inside
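Hardik's NAT advice rests on two IOS rules: an access list is evaluated top-down with first match winning and an implicit deny at the end, and for inside-to-outside traffic NAT is applied before the crypto map is consulted. The Python below is an added example, not code from the thread or from Cisco, that models both rules on the thread's own subnets and shows why the deny for VPN traffic has to sit above the permit ip any any. It assumes NAT is bound with ip nat inside source list 100 and that translated packets leave with the router's WAN address 192.168.43.195 as source; both are assumptions, as are the function names.

```python
"""Model IOS first-match ACL evaluation and the NAT-before-crypto order of operations."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def wildcard_net(addr, wildcard):
    """IOS wildcard (inverted netmask) to IPv4Network; 0.0.0.0 yields a /32 host."""
    inverted = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(inverted))), strict=False)


def _parse_target(tokens):
    """Consume one ACL address term: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    token = tokens.pop(0)
    if token == "any":
        return ANY
    if token == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return wildcard_net(token, tokens.pop(0))


def parse_acl(lines):
    """Parse 'access-list N {permit|deny} ip SRC DST' lines into ordered entries."""
    entries = []
    for line in lines:
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue  # tolerate blank lines and '!' comments
        _, _number, action, proto, *rest = tokens
        if proto != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {line!r}")
        src = _parse_target(rest)
        dst = _parse_target(rest)
        entries.append((action, src, dst))
    return entries


def evaluate(entries, src_ip, dst_ip):
    """First matching entry decides; an ACL with no match denies (implicit deny)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action
    return "deny"


# Constructed samples on the thread's subnets: the crypto ACL from the running
# config, and the NAT ACL written both ways round.
CRYPTO_ACL = ["access-list 101 permit ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255"]
NAT_ACL_CORRECT = [
    "access-list 100 deny ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255",
    "access-list 100 permit ip any any",
]
NAT_ACL_WRONG = list(reversed(NAT_ACL_CORRECT))   # permit any any first: the deny is never reached


def will_be_natted(nat_acl_lines, src_ip, dst_ip):
    """With 'ip nat inside source list 100', a permit in list 100 means translate."""
    return evaluate(parse_acl(nat_acl_lines), src_ip, dst_ip) == "permit"


def will_be_encrypted(crypto_acl_lines, src_ip, dst_ip):
    """A permit in the crypto ACL is what makes the crypto map claim the packet."""
    return evaluate(parse_acl(crypto_acl_lines), src_ip, dst_ip) == "permit"


def trace_flow(nat_acl_lines, crypto_acl_lines, src_ip, dst_ip, nat_public_ip):
    """Inside-to-outside: NAT runs first, then the crypto map sees the (possibly translated) source."""
    natted = will_be_natted(nat_acl_lines, src_ip, dst_ip)
    effective_src = nat_public_ip if natted else src_ip
    return {"natted": natted, "effective_src": effective_src,
            "encrypted": will_be_encrypted(crypto_acl_lines, effective_src, dst_ip)}


if __name__ == "__main__":
    for label, acl in (("deny first", NAT_ACL_CORRECT), ("permit first", NAT_ACL_WRONG)):
        print(label, trace_flow(acl, CRYPTO_ACL, "10.0.0.5", "10.10.10.5", "192.168.43.195"))
```

With the deny first, a packet from 10.0.0.5 to 10.10.10.5 skips NAT, still matches access-list 101 and is encrypted; with the permit first it is translated to 192.168.43.195, no longer matches the crypto ACL and goes out in the clear, which is exactly the "traffic travels over the Internet instead of inside the tunnel" symptom described above. Ordinary Internet-bound traffic from 10.0.0.5 is translated in both cases.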
