Ipsec VPN between Cisco 800 series and Fortinet

Tazio4436
Level 1

Hi,
I am trying to do an ipsec VPN from a Fortinet Firewall to a Cisco 800 series router.

Please see the config on the Fortinet side. Also, we are allowing any traffic to come in on the Fortinet for testing purposes, and it is set in such a way that it will only allow a connection when there is a request from the other device, in this case the Cisco 800.
The reason why it has been done like that is to allow users to have the Cisco 800 and travel with it anywhere, and the IP address will keep on changing.
Fortigate_100F # show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
edit "TEST"
set type dynamic
set interface "wan1"
set keylife 28800
set peertype any
set net-device disable
set proposal des-md5
set dpd on-idle
set dhgrp 2
set psksecret ENC XXXXXXXXXXXX
set dpd-retryinterval 60


Fortigate_100F # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
edit "TEST"
set phase1name "TEST"
set proposal des-md5
set pfs disable
set keepalive enable
set src-addr-type name
set dst-addr-type name
set keylifeseconds 86400
set src-name "all"
set dst-name "all"
next
end

On the Cisco 800 side we have tried to follow the steps from Cisco documents, but we were not able to make it work.
The Cisco 800 will be connected at home behind the ISP modem, so it will get a DHCP IP address, I presume.
On int f4 (WAN interface) I have ip address dhcp configured.
All the other interfaces seem to be layer 2 and cannot be configured with an IP address.

Please see attached config file for cisco 800.

Any help will be much appreciated.

Thanks

Tazio

11 Replies

Hello,

your Cisco router has no 'ip nat outside' on the FastEthernet4 interface but nothing else with regard to NAT configured?

You might want to configure a VTI tunnel, rather than the 'legacy' crypto map.

I agree with @Georg Pauwen that the lack of configuration of address translation may be an issue. But there are more important issues that you need to address. The most important is that you indicate that the Fortinet expects the remote subnet to be 192.168.70.0. But there is nothing configured on the Cisco about that network. You should configure an IP address for vlan 1 to be in that network.

I also note that you do not have any routing statements (no static routes and no dynamic routing). I am not clear whether the Cisco will learn and use a default route from its DHCP negotiation with the ISP. In testing you should verify whether the Cisco has a default route in its routing table. If not, something like this should be helpful:

ip route 0.0.0.0 0.0.0.0 dhcp

Once you have configured IP addressing for vlan 1 and have verified the default route, let us know if the VPN works any better. If it still does not work, I would suggest that the next step in the troubleshooting would be to enable debug for ISAKMP negotiation. Let's see if the router is attempting to negotiate phase 1.

HTH

Rick

Hi,

Ip nat outside added on int f4
And dhcp pool created as follows
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
ip dhcp excluded-address 192.168.70.1 192.168.70.10
!
ip dhcp pool INTERNAL
network 192.168.70.0 255.255.255.0
default-router 192.168.70.1
dns-server 8.8.8.8 4.2.2.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
My laptop is connected to port 3 on Cisco 800.
I can ping 8.8.8.8 from Cisco 800 but cannot ping from my laptop
Laptop got an Ip address from Cisco 800 DHCP
!
Ethernet adapter Ethernet:

Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.70.11
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.70.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Sh ip route from Cisco 800
Router#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 192.168.70.1 to network 0.0.0.0

S* 0.0.0.0/0 is directly connected
is directly connected
is directly connected, FastEthernet4
192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.0.0/24 is directly connected, FastEthernet4
L 192.168.0.23/32 is directly connected, FastEthernet4
192.168.70.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.70.0/24 is directly connected, Vlan1
L 192.168.70.2/32 is directly connected, Vlan1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Added the following ip route statements one by one to see if there is any change, but nothing helped.
ip route 0.0.0.0 0.0.0.0 FastEthernet4
ip route 0.0.0.0 0.0.0.0 192.168.70.1
ip route 0.0.0.0 0.0.0.0 dhcp
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
All debug outputs are empty
Router#debug crypto ipsec
Crypto IPSEC debugging is on
Router#debug crypto isakmp
Crypto ISAKMP debugging is on

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Vlan 1 has an ip address

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Now I am going to try a new configuration on another Cisco 800 for a VTI tunnel and keep this configuration just in case you want me to try something else.

Please see attached sh run

Thanks for the help

Tazio

Hello,

the only default route you need is this:

ip route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp

Hello,

Thanks for your quick reply.

Removed all default routes and added only ip route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp

I think ISAKMP phase 1 is not even coming up.

!!!!!!!!!!!!!!!

Router#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status

!!!!!!!!!!!!!!!!!!

This is how phase one is configured on Cisco 800

crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key XXXXXXX address (WAN IP FOR FORTINET)

Please see attached file for options for phase 1 on Fortinet.

Thanks

Tazio

Hello,

does your crypto policy have:

crypto isakmp policy 10
encr 3des

--> hash md5
authentication pre-share
group 2
lifetime 28800

?

Hello,

I have changed the config as follows but still nothing

crypto isakmp policy 10
encr 3des
hash md5   <============= added this. It was missing
authentication pre-share
group 2
lifetime 28800
crypto isakmp key XXXXXXXX address (FORTINET WAN IP ADDRESS)

I have checked the key again to make sure there is no typo

Phase 1 still not coming up.

Thanks

Tazio
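As an added example (not from the thread), a script that parses the FortiGate phase1-interface block and the Cisco 'crypto isakmp policy' posted above, fills in IOS defaults for absent lines, and lists the phase 1 parameters on which the two peers differ; on the configs as posted it reports the DES (FortiGate) versus 3DES (Cisco) encryption difference. The IOS defaults and the vendor algorithm-name mapping are assumptions from general IOS/FortiOS behaviour, not taken from the thread.

```python
import re

# Constructed sample input: the FortiGate phase1-interface block and the Cisco ISAKMP
# policy as posted in this thread (pre-shared key left out, it plays no role here).
FORTI_PHASE1 = """config vpn ipsec phase1-interface
    edit "TEST"
        set keylife 28800
        set proposal des-md5
        set dhgrp 2
    next
end"""
CISCO_POLICY = """crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800"""
# Values IOS applies when a line is absent from the policy (assumed from IOS defaults).
CISCO_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1", "lifetime": "86400"}
# Vendor spellings of the same algorithm, normalised to the FortiOS form (assumed mapping).
CISCO_ALIASES = {"aes": "aes128", "aes 192": "aes192", "aes 256": "aes256", "sha": "sha1"}

def parse_forti_phase1(text):
    """Return {'proposals': {(enc, hash), ...}, 'groups': {...}, 'lifetime': str}."""
    kv = dict(re.findall(r"^\s*set (\S+)\s+(.+?)\s*$", text, re.M))
    proposals = {tuple(p.split("-", 1)) for p in kv["proposal"].split()}  # des-md5 -> (des, md5)
    return {"proposals": proposals, "groups": set(kv["dhgrp"].split()), "lifetime": kv["keylife"]}

def parse_cisco_policy(text):
    """Same shape for one 'crypto isakmp policy' block, filling in IOS defaults."""
    kv = dict(CISCO_DEFAULTS)
    kv.update(re.findall(r"^\s*(encr|hash|group|lifetime)(?:yption)?\s+(.+?)\s*$", text, re.M))
    enc, hsh = (CISCO_ALIASES.get(kv[k], kv[k]) for k in ("encr", "hash"))
    return {"proposals": {(enc, hsh)}, "groups": {kv["group"]}, "lifetime": kv["lifetime"]}

def phase1_mismatches(forti, cisco):
    """List phase 1 parameters on which the peers differ (encryption, hash and DH group must match)."""
    problems = []
    if not forti["proposals"] & cisco["proposals"]:
        problems.append("proposal: FortiGate %s vs Cisco %s" % (sorted(forti["proposals"]), sorted(cisco["proposals"])))
    if not forti["groups"] & cisco["groups"]:
        problems.append("dh_group: FortiGate %s vs Cisco %s" % (sorted(forti["groups"]), sorted(cisco["groups"])))
    if forti["lifetime"] != cisco["lifetime"]:
        problems.append("lifetime: FortiGate %s vs Cisco %s" % (forti["lifetime"], cisco["lifetime"]))
    return problems  # note: DES, MD5 and DH group 2 are legacy choices even when they do match

if __name__ == "__main__":
    for line in phase1_mismatches(parse_forti_phase1(FORTI_PHASE1), parse_cisco_policy(CISCO_POLICY)):
        print(line)
```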

Hello,

from the Cisco, post the output of:

debug crypto isakmp

debug crypto ipsec

Hi,

The debug output is not giving anything.

debug all shows lots of information, but not the two commands you asked for.

Router#debug crypto isakmp
Crypto ISAKMP debugging is on

Router#debug crypto ipsec
Crypto IPSEC debugging is on

Thanks

Tazio

Hello,

what happens if you send a ping from a local host to a host on the other side (that is, a ping within the IPSec domain)?

Hi,

Ping does not work if I try to ping a host on either side, but I can ping 8.8.8.8 or google.com.

I am reading some more documents on Cisco VPNs and tried a different VPN type, DMVPN, and with this one phase 1 is successful but I cannot get phase 2 up.

I am not sure how DMVPN works, but if this is also an option I can post the show run.

Thanks

Tazio
