site to site vpn doesn't work between fortigate and asa

pratik-koshiya
Level 1

I am configuring a site-to-site VPN between a Fortigate and an ASA. I am not sure whether I am making a mistake in the configuration. I got the information for the Fortigate and based on that I am implementing the peer config on the ASA. Below is my config.

 

: Saved

:

ASA Version 9.1(1) 

!

hostname asa-01

domain-name xyz.com

enable password vee3QRaabJe3c8XP encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

ip local pool VPNpool 10.11.1.101-10.11.1.120 mask 255.255.255.0

!

interface GigabitEthernet0/0

 nameif Outside

 security-level 0

 ip address X.X.X.X 255.255.255.252 

!

interface GigabitEthernet0/1

 nameif Inside

 security-level 100

 ip address 10.11.1.1 255.255.255.0 

!

interface GigabitEthernet0/2

 shutdown

 no nameif

 no security-level

 no ip address

!

interface GigabitEthernet0/3

 shutdown

 no nameif

 no security-level

 no ip address

!

interface GigabitEthernet0/4

 shutdown

 no nameif

 no security-level

 no ip address

!

interface GigabitEthernet0/5

 nameif DMZ

 security-level 50

 ip address 192.168.50.1 255.255.255.0 

!

interface Management0/0

 management-only

 nameif management

 security-level 100

 ip address 192.168.1.1 255.255.255.0 

!

banner exec ------  This is xyz Property. If you do not have permission than leave now -------

banner login ------  This is xyz Property. If you do not have permission than leave now -------

banner asdm ------  This is xyz Property. If you do not have permission than leave now -------

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

dns domain-lookup Outside

dns domain-lookup Inside

dns domain-lookup management

dns server-group DefaultDNS

 domain-name xyz.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network GENERIC_ALL

 subnet 0.0.0.0 0.0.0.0

object network Internal

 subnet 10.11.1.0 255.255.255.0

object network xyz-GRP1

 subnet 10.1.0.0 255.255.0.0

 description GRP1

object network xyz-GRP2

 subnet 10.1.1.0 255.255.255.0

 description GRP2

object network xyz-GRP3

 subnet 10.13.0.0 255.255.0.0

 description GRP3

object network xyz-GRP4

 subnet 10.1.20.0 255.255.255.0

 description GRP4

object network xyz-GRP5

 subnet 10.1.50.0 255.255.255.0

 description GRP5

object network xyz-GRP6

 subnet 10.1.25.0 255.255.255.0

 description GRP6

object network NETWORK_OBJ_10.11.1.0_24

 subnet 10.11.1.0 255.255.255.0

object network DMZ

 subnet 192.168.50.0 255.255.255.0

object-group protocol TCPUDP

 protocol-object udp

 protocol-object tcp

object-group network xyz-Network

 description exclude SF

 network-object object xyz-GRP1

 network-object object xyz-GRP2

 network-object object xyz-GRP3

 network-object object xyz-GRP4

 network-object object xyz-GRP5

 network-object object xyz-GRP6

object-group service IKE udp

 description for test

 port-object eq 4500

 port-object eq isakmp

access-list Outside_cryptomap extended permit ip 10.11.1.0 255.255.255.0 object-group xyz-Network 

access-list Outside_cryptomap extended permit esp any host y.y.y.y 

access-list Outside_cryptomap extended permit udp any host y.y.y.y object-group IKE 

access-list Outside_access_in extended permit tcp any 192.168.50.0 255.255.255.0 eq www 

access-list xyz_splitTunnelAcl standard permit 10.11.1.0 255.255.255.0 

access-list test extended permit ip object Internal object-group xyz-Network 

pager lines 24

logging enable

logging buffered debugging

logging trap debugging

logging asdm informational

mtu Outside 1500

mtu Inside 1500

mtu management 1500

mtu DMZ 1500

ip verify reverse-path interface Outside

ip verify reverse-path interface Inside

ip verify reverse-path interface management

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (Inside,Outside) source dynamic GENERIC_ALL interface inactive

nat (Inside,Outside) source static NETWORK_OBJ_10.11.1.0_24 NETWORK_OBJ_10.11.1.0_24 destination static xyz-Network xyz-Network no-proxy-arp route-lookup

!

object network Internal

 nat (Inside,Outside) dynamic interface

access-group Outside_access_in in interface Outside

route Outside 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication http console LOCAL 

aaa authentication ssh console LOCAL 

http server enable

http 10.11.1.0 255.255.255.0 Inside

http 10.11.1.0 255.255.255.0 Outside

http 192.158.1.1 255.255.255.255 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 

crypto ipsec ikev1 transform-set myset esp-3des esp-md5-hmac 

crypto ipsec ikev2 ipsec-proposal 3DES-MD5

 protocol esp encryption 3des

 protocol esp integrity md5

crypto ipsec ikev2 ipsec-proposal AES256

 protocol esp encryption aes-256

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

 protocol esp encryption aes-192

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

 protocol esp encryption aes

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

 protocol esp encryption 3des

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal DES

 protocol esp encryption des

 protocol esp integrity sha-1 md5

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map Outside_map 1 match address Outside_cryptomap

crypto map Outside_map 1 set pfs 

crypto map Outside_map 1 set peer y.y.y.y 

crypto map Outside_map 1 set ikev1 transform-set myset

crypto map Outside_map 1 set ikev2 ipsec-proposal 3DES-MD5

crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map Outside_map interface Outside

crypto map outside_map 1 match address Outside_cryptomap

crypto ca trustpool policy

crypto ca server 

 shutdown

 cdp-url http://sfasa.xyz.com/+CSCOCA+/asa_ca.crl

 issuer-name CN=sfasa.xyz.com

 smtp from-address admin@sfasa.xyz.com

crypto ikev2 policy 10

 encryption aes-192

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 20

 encryption aes

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 30

 encryption 3des

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 40

 encryption des

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 50

 encryption 3des

 integrity md5

 group 2

 prf sha

 lifetime seconds 86400

crypto ikev2 enable Outside

crypto ikev1 enable Outside

crypto ikev1 policy 5

 authentication pre-share

 encryption 3des

 hash md5

 group 2

 lifetime 86400

crypto ikev1 policy 20

 authentication rsa-sig

 encryption aes-256

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 30

 authentication pre-share

 encryption aes-256

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 40

 authentication crack

 encryption aes-192

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 50

 authentication rsa-sig

 encryption aes-192

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 60

 authentication pre-share

 encryption aes-192

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 70

 authentication crack

 encryption aes

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 80

 authentication rsa-sig

 encryption aes

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 90

 authentication pre-share

 encryption aes

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 100

 authentication crack

 encryption 3des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 110

 authentication rsa-sig

 encryption 3des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 120

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 130

 authentication crack

 encryption des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 140

 authentication rsa-sig

 encryption des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 150

 authentication pre-share

 encryption des

 hash sha

 group 2

 lifetime 86400

telnet timeout 5

ssh 10.11.1.0 255.255.255.0 Inside

ssh timeout 5

console timeout 0

management-access Inside

dhcpd address 10.11.1.10-10.11.1.100 Inside

dhcpd dns 208.67.222.222 208.67.220.220 interface Inside

dhcpd domain xyz.com interface Inside

dhcpd enable Inside

!

dhcpd address 192.168.1.2-192.168.1.10 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

group-policy xyz internal

group-policy xyz attributes

 dns-server value 208.67.222.222 208.67.220.220

 vpn-tunnel-protocol ikev1 

 split-tunnel-policy tunnelspecified

 split-tunnel-network-list value xyz_splitTunnelAcl

 default-domain value xyz.com

group-policy DfltGrpPolicy attributes

 vpn-tunnel-protocol ikev1 ikev2 ssl-clientless

group-policy GroupPolicy_y.y.y.y internal

group-policy GroupPolicy_y.y.y.y attributes

 vpn-filter value Outside_cryptomap

 vpn-tunnel-protocol ikev1 ikev2 

username user2 password ************* encrypted privilege 15

username user1 password ************* encrypted privilege 15

tunnel-group y.y.y.y type ipsec-l2l

tunnel-group y.y.y.y general-attributes

 default-group-policy GroupPolicy_y.y.y.y

tunnel-group y.y.y.y ipsec-attributes

 ikev1 pre-shared-key *****

 ikev2 remote-authentication pre-shared-key *****

 ikev2 local-authentication pre-shared-key *****

tunnel-group xyz type remote-access

tunnel-group xyz general-attributes

 address-pool VPNpool

 default-group-policy xyz

tunnel-group xyz ipsec-attributes

 ikev1 pre-shared-key *****

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect rsh 

  inspect rtsp 

  inspect esmtp 

  inspect sqlnet 

  inspect skinny  

  inspect sunrpc 

  inspect xdmcp 

  inspect sip  

  inspect netbios 

  inspect tftp 

  inspect ip-options 

  inspect icmp 

  inspect pptp 

 class class-default

  user-statistics accounting

!

service-policy global_policy global

prompt hostname context 

no call-home reporting anonymous

Cryptochecksum:a8e7ae05ef9efeb570c96ae8339620a0

: end

no asdm history enable

Can anyone suggest any change, or redirect me to what to check on the ASA side?

10 Replies

Robert Falconer
Level 1

Have you run any debugs when trying to make the connection?

I've had issues with PFS on tunnels between vendors. Have you tried disabling PFS on both ends?

pratik-koshiya
Level 1

3  Apr 17 2014  10:06:28  752015  Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= Outside_map.  Map Sequence Number = 1.

4  Apr 17 2014  10:06:28  752012  IKEv1 was unsuccessful at setting up a tunnel.  Map Tag = Outside_map.  Map Sequence Number = 1.

4  Apr 17 2014  10:05:56  752014  Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1 after a failed attempt..  Map Tag = Outside_map.  Map Sequence Number = 1.

4  Apr 17 2014  10:05:56  752012  IKEv2 was unsuccessful at setting up a tunnel.  Map Tag = Outside_map.  Map Sequence Number = 1.

4  Apr 17 2014  10:05:56  750003  Local:x.x.x.x:500 Remote:y.y.y.y:500 Username:y.y.y.y Negotiation aborted due to ERROR: Maximum number of retransmissions reached

Do you have any other tunnels configured on this ASA? You have a lot of parameters defined for transform sets, authentication types, hash and encryption.

What did the Fortigate admin provide you?

PFS is currently causing me issues between vendors. You have PFS configured everywhere, which could be causing a problem.
 

Yes, I have another remote IPsec tunnel configured on the ASA, through which I am accessing the ASA remotely. Yes, we have PFS configured on both sides with group 2. The Fortigate admin has provided me with the peer IP, the phase 1 and phase 2 config, and the PSK and PFS that we used.

 

It looks like you are encountering the problem in the ISAKMP phase 1 negotiation. I would start by re-configuring the shared key (and probably ask the administrator of the Fortigate to do the same). If it still does not work, then I would try running debug for isakmp on your side and see if it tells you a bit more about where the problem is.

 

HTH

 

Rick


I am setting up the site-to-site again. I will update once I have configured it.

A new problem arose after I removed the tunnel and chose internal DNS. I saw that the tunnel comes up from both ends. I can ping IPs, but I cannot use any internal services or RDP. Can you tell me which ACL I should implement now?

 

I have already allowed an ACL for the IP service between both ends.

 

: Saved

:

ASA Version 9.1(1) 

!

hostname sfasa-01

domain-name xyz.com

enable password vee3QRaabJe3c8XP encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

ip local pool VPNpool 10.11.1.101-10.11.1.120 mask 255.255.255.0

!

interface GigabitEthernet0/0

 nameif Outside

 security-level 0

 ip address x.x.x.x 255.255.255.252 

!

interface GigabitEthernet0/1

 nameif Inside

 security-level 100

 ip address 10.11.1.1 255.255.255.0 

!

interface GigabitEthernet0/2

 shutdown

 no nameif

 no security-level

 no ip address

!

interface GigabitEthernet0/3

 shutdown

 no nameif

 no security-level

 no ip address

!

interface GigabitEthernet0/4

 shutdown

 no nameif

 no security-level

 no ip address

!

interface GigabitEthernet0/5

 nameif DMZ

 security-level 50

 ip address b.b.b.b 255.255.255.0 

!

interface Management0/0

 management-only

 nameif management

 security-level 100

 ip address 192.168.1.1 255.255.255.0 

!

banner exec ------  This is xyz Inc Property. If you do not have permission than leave now -------

banner login ------  This is xyz Inc Property. If you do not have permission than leave now -------

banner asdm ------  This is xyz Inc Property. If you do not have permission than leave now -------

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

dns domain-lookup Outside

dns domain-lookup Inside

dns domain-lookup management

dns server-group DefaultDNS

 domain-name xyz.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network GENERIC_ALL

 subnet 0.0.0.0 0.0.0.0

object network Internal

 subnet 10.11.1.0 255.255.255.0

object network xyz-GRP2

 subnet 10.1.1.0 255.255.255.0

 description GRP2

object network xyz-GRP3

 subnet 10.13.0.0 255.255.0.0

 description GRP3

object network xyz-GRP4

 subnet 10.1.20.0 255.255.255.0

 description GRP4

object network xyz-GRP5

 subnet 10.1.50.0 255.255.255.0

 description GRP5

object network xyz-GRP6

 subnet 10.1.25.0 255.255.255.0

 description GRP6

object network outside_gateway

 host a.a.a.a

object network NETWORK_OBJ_10.11.1.0_24

 subnet 10.11.1.0 255.255.255.0

object-group protocol TCPUDP

 protocol-object udp

 protocol-object tcp

object-group network xyz-Network

 description exclude SF

 network-object object xyz-GRP2

 network-object object xyz-GRP3

 network-object object xyz-GRP4

 network-object object xyz-GRP5

 network-object object xyz-GRP6

object-group service IKE udp

 description for test

 port-object eq 4500

 port-object eq isakmp

access-list Outside_cryptomap extended permit ip 10.11.1.0 255.255.255.0 object-group xyz-Network 

access-list Outside_access_in extended permit tcp any 172.16.10.0 255.255.255.0 eq www 

access-list xyz_splitTunnelAcl standard permit 10.11.1.0 255.255.255.0 

access-list Outside_access_in_1 extended permit icmp any any 

pager lines 24

logging enable

logging buffered debugging

logging trap debugging

logging asdm informational

mtu Outside 1500

mtu Inside 1500

mtu DMZ 1500

mtu management 1500

ip verify reverse-path interface Outside

ip verify reverse-path interface Inside

ip verify reverse-path interface management

no failover

icmp unreachable rate-limit 10 burst-size 5

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (Inside,Outside) source dynamic GENERIC_ALL interface inactive

nat (Inside,Outside) source static NETWORK_OBJ_10.11.1.0_24 NETWORK_OBJ_10.11.1.0_24 destination static xyz-Network xyz-Network no-proxy-arp route-lookup

!

object network Internal

 nat (Inside,Outside) dynamic interface

access-group Outside_access_in_1 in interface Outside

route Outside 0.0.0.0 0.0.0.0 a.a.a.a 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication http console LOCAL 

aaa authentication ssh console LOCAL 

http server enable

http 10.11.1.0 255.255.255.0 Inside

http 10.11.1.0 255.255.255.0 Outside

http 192.158.1.1 255.255.255.255 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 

crypto ipsec ikev1 transform-set myset esp-3des esp-md5-hmac 

crypto ipsec ikev2 ipsec-proposal DES

 protocol esp encryption des

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

 protocol esp encryption 3des

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

 protocol esp encryption aes

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

 protocol esp encryption aes-192

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

 protocol esp encryption aes-256

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES-MD5

 protocol esp encryption 3des

 protocol esp integrity md5

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map Outside_map 1 match address Outside_cryptomap

crypto map Outside_map 1 set pfs 

crypto map Outside_map 1 set peer y.y.y.y 

crypto map Outside_map 1 set ikev1 transform-set myset

crypto map Outside_map 1 set reverse-route

crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map Outside_map interface Outside

crypto ca trustpool policy

crypto ca server 

 shutdown

 cdp-url http://sfasa.xyz.com/+CSCOCA+/asa_ca.crl

 issuer-name CN=sfasa.xyz.com

 smtp from-address admin@sfasa.xyz.com

crypto ikev2 policy 10

 encryption aes-192

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 20

 encryption aes

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 30

 encryption 3des

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 40

 encryption des

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 50

 encryption 3des

 integrity md5

 group 2

 prf md5

 lifetime seconds 86400

crypto ikev1 enable Outside

crypto ikev1 policy 5

 authentication pre-share

 encryption 3des

 hash md5

 group 2

 lifetime 86400

crypto ikev1 policy 20

 authentication rsa-sig

 encryption aes-256

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 30

 authentication pre-share

 encryption aes-256

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 40

 authentication crack

 encryption aes-192

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 50

 authentication rsa-sig

 encryption aes-192

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 60

 authentication pre-share

 encryption aes-192

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 70

 authentication crack

 encryption aes

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 80

 authentication rsa-sig

 encryption aes

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 90

 authentication pre-share

 encryption aes

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 100

 authentication crack

 encryption 3des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 110

 authentication rsa-sig

 encryption 3des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 120

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 130

 authentication crack

 encryption des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 140

 authentication rsa-sig

 encryption des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 150

 authentication pre-share

 encryption des

 hash sha

 group 2

 lifetime 86400

telnet timeout 5

ssh 10.11.1.0 255.255.255.0 Inside

ssh timeout 5

console timeout 0

management-access Inside

dhcpd address 10.11.1.10-10.11.1.100 Inside

dhcpd dns 10.13.1.5 10.1.1.5 interface Inside

dhcpd domain xyz.com interface Inside

dhcpd enable Inside

!

dhcpd address b.b.b.a-b.b.b.z DMZ

dhcpd dns 208.67.222.222 208.67.220.220 interface DMZ

dhcpd enable DMZ

!

dhcpd address 192.168.1.2-192.168.1.10 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

group-policy xyz internal

group-policy xyz attributes

 dns-server value 208.67.222.222 208.67.220.220

 vpn-tunnel-protocol ikev1 

 split-tunnel-policy tunnelspecified

 split-tunnel-network-list value xyz_splitTunnelAcl

 default-domain value xyz.com

group-policy DfltGrpPolicy attributes

 vpn-tunnel-protocol ikev1 ikev2 ssl-clientless

group-policy GroupPolicy_y.y.y.y internal

group-policy GroupPolicy_y.y.y.y attributes

 vpn-tunnel-protocol ikev1 

username user2 password ********* encrypted privilege 15

username user1 password ********* encrypted privilege 15

tunnel-group y.y.y.y type ipsec-l2l

tunnel-group y.y.y.y general-attributes

 default-group-policy GroupPolicy_y.y.y.y

tunnel-group y.y.y.y ipsec-attributes

 ikev1 pre-shared-key *****

tunnel-group xyz type remote-access

tunnel-group xyz general-attributes

 address-pool VPNpool

 default-group-policy xyz

tunnel-group xyz ipsec-attributes

 ikev1 pre-shared-key *****

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect rsh 

  inspect rtsp 

  inspect esmtp 

  inspect sqlnet 

  inspect skinny  

  inspect sunrpc 

  inspect xdmcp 

  inspect sip  

  inspect netbios 

  inspect tftp 

  inspect ip-options 

  inspect icmp 

  inspect pptp 

  inspect icmp error 

 class class-default

  user-statistics accounting

  set connection decrement-ttl

!

service-policy global_policy global

prompt hostname context 

no call-home reporting anonymous

Cryptochecksum:674e06895c717bd8d6a13a1d25c2cfb9

: end

no asdm history enable

What is the policy on the Fortigate? You don't seem to have any filtering on the ASA.

For the Fortigate it is:

config firewall address

    edit "all"

    next

    edit "asa Subnet"

        set associated-interface "asaport"

        set subnet 10.11.1.0 255.255.255.0

    next

end

 

 

config vpn ipsec phase1

    edit "asa"

        set interface "asaport"

        set dhgrp 2

        set proposal 3des-md5

        set remote-gw x.x.x.x

        set psksecret ENC *******

    next

config vpn ipsec phase2

    edit "asa 10.1.20.0/24"

        set phase1name "asa"

        set proposal 3des-md5

        set dhgrp 2

        set dst-subnet 10.11.1.0 255.255.255.0

        set keylifeseconds 3600

        set src-subnet 10.1.20.0 255.255.255.0

    next

    edit "asa 10.1.25.0/24"

        set phase1name "asa"

        set proposal 3des-md5

        set dhgrp 2

        set dst-subnet 10.11.1.0 255.255.255.0

        set keylifeseconds 3600

        set src-subnet 10.1.25.0 255.255.255.0

    next

    edit "asa 10.1.50.0/24"

        set phase1name "asa"

        set proposal 3des-md5

        set dhgrp 2

        set dst-subnet 10.11.1.0 255.255.255.0

        set keylifeseconds 3600

        set src-subnet 10.1.50.0 255.255.255.0

    next

    edit "asa 10.13.0.0/16"

        set phase1name "asa"

        set proposal 3des-md5

        set dhgrp 2

        set dst-subnet 10.11.1.0 255.255.255.0

        set keylifeseconds 3600

        set src-subnet 10.13.0.0 255.255.0.0

    next

    edit "asa 10.1.1.0/24"

        set phase1name "asa"

        set proposal 3des-md5

        set dhgrp 2

        set dst-subnet 10.11.1.0 255.255.255.0

        set keylifeseconds 3600

        set src-subnet 10.1.1.0 255.255.255.0

    next

end

 

config firewall policy

edit 40

        set srcintf "SrvToExtern1"

        set dstintf "asaport"

            set srcaddr "all"             

            set dstaddr "asa Subnet"             

        set action ipsec

        set schedule "always"

            set service "ANY"             

        set inbound enable

        set outbound enable

        set vpntunnel "asa"

    next

    edit 41

        set srcintf "IntToExtern1"

        set dstintf "asaport"

            set srcaddr "all"             

            set dstaddr "asa Subnet"             

        set action ipsec

        set schedule "always"

            set service "ANY"             

        set inbound enable

        set outbound enable

        set vpntunnel "asa"

    next

    edit 42

        set srcintf "DMZToExtern1"

        set dstintf "asaport"

            set srcaddr "all"             

            set dstaddr "asa Subnet"             

        set action ipsec

        set schedule "always"

            set service "ANY"             

        set inbound enable

        set outbound enable

        set vpntunnel "asa"

    next

end

 

I saw one more thing here. While on the VPN, I cannot ping any internal address. When I try to use any HTTP service from the remote network, it directly resolves to the OpenDNS search website. Should I just inherit DNS in the VPN policy, or should I change it to our standard internal DNS address that we are using for all sites? I can see the DNS address belongs to OpenDNS.
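One check worth automating when a tunnel is built between two vendors is that the phase 2 selectors (proxy IDs) mirror each other exactly: every `permit ip LOCAL REMOTE` pair in the ASA crypto ACL must exist on the Fortigate as a phase2 entry with `src-subnet REMOTE` and `dst-subnet LOCAL`, and vice versa, otherwise one side proposes a selector the other will not accept. The script below is added here as an illustration and is not code from the thread or from either vendor. It expands the ASA's `object network` / `object-group network` definitions (the ASA prints objects before the groups that reference them, which the parser relies on), flattens the crypto ACL into (local, remote) CIDR pairs, reads the Fortigate phase2 `src-subnet`/`dst-subnet` pairs, and reports pairs that exist on one side only. It handles more ACL operand forms than the one line on this page (`any`, `host`, `object`, `object-group`, inline subnet). The embedded configs are constructed excerpts of what was posted: the first ASA config, whose object-group still included xyz-GRP1 (10.1.0.0/16), and the five Fortigate phase2 entries. The script flags the 10.1.0.0/16 pair as having no Fortigate counterpart; the poster later found the peer address was the actual cause of the initial failure, so treat this as a check to run next to the IKE logs, not as a verdict on this thread.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

Pair = Tuple[str, str]  # (local CIDR, remote CIDR)

# Constructed excerpt of the first ASA config posted in this thread: the one
# whose crypto ACL still pulled in xyz-GRP1 (10.1.0.0/16) via the object-group.
ASA_CONFIG = """\
object network xyz-GRP1
 subnet 10.1.0.0 255.255.0.0
object network xyz-GRP2
 subnet 10.1.1.0 255.255.255.0
object network xyz-GRP3
 subnet 10.13.0.0 255.255.0.0
object network xyz-GRP4
 subnet 10.1.20.0 255.255.255.0
object network xyz-GRP5
 subnet 10.1.50.0 255.255.255.0
object network xyz-GRP6
 subnet 10.1.25.0 255.255.255.0
object-group network xyz-Network
 description exclude SF
 network-object object xyz-GRP1
 network-object object xyz-GRP2
 network-object object xyz-GRP3
 network-object object xyz-GRP4
 network-object object xyz-GRP5
 network-object object xyz-GRP6
access-list Outside_cryptomap extended permit ip 10.11.1.0 255.255.255.0 object-group xyz-Network
"""

# Constructed excerpt of the Fortigate phase2 section posted in this thread:
# five selectors, each pairing one remote subnet (src) with the ASA LAN (dst).
FORTIGATE_PHASE2 = "config vpn ipsec phase2\n" + "".join(
    f'    edit "asa {a}"\n        set dst-subnet 10.11.1.0 255.255.255.0\n'
    f"        set src-subnet {a} {m}\n    next\n"
    for a, m in (("10.1.20.0", "255.255.255.0"), ("10.1.25.0", "255.255.255.0"),
                 ("10.1.50.0", "255.255.255.0"), ("10.13.0.0", "255.255.0.0"),
                 ("10.1.1.0", "255.255.255.0"))) + "end\n"


def _net(addr: str, mask: str) -> str:
    """Normalise 'address mask' to CIDR text so both vendors compare equal."""
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


def _operand(tok: List[str], objects: Dict[str, Set[str]]) -> Tuple[Set[str], List[str]]:
    """Consume one ACL address operand: any | host A | object N | object-group N | A M."""
    if tok[0] in ("any", "any4"):
        return {"0.0.0.0/0"}, tok[1:]
    if tok[0] == "host":
        return {_net(tok[1], "255.255.255.255")}, tok[2:]
    if tok[0] in ("object", "object-group"):
        return set(objects[tok[1]]), tok[2:]
    return {_net(tok[0], tok[1])}, tok[2:]


def parse_asa(config: str) -> Tuple[Dict[str, Set[str]], Dict[str, List[Pair]]]:
    """Expand network objects/groups, then flatten each 'permit ip' ACL entry
    into (local, remote) CIDR pairs: the ASA's phase 2 proxy IDs."""
    objects: Dict[str, Set[str]] = {}
    acls: Dict[str, List[Pair]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith(" ") and current:        # body of an object/object-group
            tok = line.split()
            if tok[0] in ("subnet", "host"):
                objects[current].add(_net(tok[1], tok[2] if tok[0] == "subnet"
                                          else "255.255.255.255"))
            elif tok[0] == "network-object":
                objects[current] |= _operand(tok[1:], objects)[0]
            continue
        current = None
        m = re.match(r"object(?:-group)? network (\S+)$", line)
        if m:
            current = m.group(1)
            objects.setdefault(current, set())
            continue
        m = re.match(r"access-list (\S+) extended permit ip (.+)$", line)
        if m:
            src, rest = _operand(m.group(2).split(), objects)
            dst, _ = _operand(rest, objects)
            acls.setdefault(m.group(1), []).extend(
                (s, d) for s in sorted(src) for d in sorted(dst))
    return objects, acls


def parse_fortigate_phase2(config: str) -> List[Pair]:
    """Return one (src_subnet, dst_subnet) pair per phase2 entry, Fortigate's view."""
    pairs: List[Pair] = []
    inside, src, dst = False, None, None
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "config":
            inside = "phase2" in line
        elif tok[0] == "end":
            inside = False
        elif inside and tok[:2] == ["set", "src-subnet"]:
            src = _net(tok[2], tok[3])
        elif inside and tok[:2] == ["set", "dst-subnet"]:
            dst = _net(tok[2], tok[3])
        elif inside and tok[0] == "next":
            if src and dst:
                pairs.append((src, dst))
            src = dst = None
    return pairs


def compare_selectors(asa_pairs: List[Pair], fgt_pairs: List[Pair]) -> Dict[str, List[Pair]]:
    """Each ASA (local, remote) pair must appear on the Fortigate as (dst, src)."""
    asa = set(asa_pairs)
    fgt = {(dst, src) for src, dst in fgt_pairs}
    return {"asa_only": sorted(asa - fgt), "fortigate_only": sorted(fgt - asa)}


if __name__ == "__main__":
    _, acls = parse_asa(ASA_CONFIG)
    report = compare_selectors(acls["Outside_cryptomap"], parse_fortigate_phase2(FORTIGATE_PHASE2))
    for side, missing in report.items():
        for local, remote in missing:
            print(f"{side}: {local} <-> {remote} has no counterpart on the other peer")
```

Run against the two excerpts it prints one line, `asa_only: 10.11.1.0/24 <-> 10.1.0.0/16 has no counterpart on the other peer`; against the second ASA config in this thread (xyz-GRP1 removed from xyz-Network) both lists are empty, which is the state you want before looking anywhere else for a phase 2 problem.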

pratik-koshiya
Level 1

Hey, so the tunnel is up on both sides. I think I had misconfigured it on my side, and the peer IP address was wrong on the other side, as it was set up as the gateway. I found one more problem here.

 

I can access all the services from office 2 to office 1, but I cannot ping or access any machine from office 1 to office 2. Any thoughts about where I should look for the issue?
