Cannot connect site-to-site vpn to Fortigate100D using CISCO 881 router

yongsan1980 (Level 1)

Hi, I am trying to create an IPsec connection between my CISCO 881 router and a FortiGate 100D, but it always fails at the P1 proposal with the following error with debug on:

IPSEC(ipsec_process_proposal): proxy identities not supported

What could be the issue? Here is my running config:

show run
Building configuration...

Current configuration : 2254 bytes
!
! Last configuration change at 06:19:23 UTC Tue Oct 4 2016
! NVRAM config last updated at 06:19:24 UTC Tue Oct 4 2016
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XX
!
boot-start-marker
boot-end-marker
!
enable secret 5 XXXXX
enable password XXXXX
!
no aaa new-model
memory-size iomem 10
!
no ip source-route
!
ip dhcp pool DHCPpool
 import all
 network 192.168.2.0 255.255.255.0
 dns-server 8.8.8.8 8.8.4.4
 default-router 192.168.2.99
!
ip cef
no ip domain lookup
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
license udi pid CISCO881-K9 sn FGL152926YX
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto isakmp key 12345 address XX.XX.XX.XX
!
crypto ipsec transform-set IM esp-3des esp-md5-hmac
!
crypto map IM-MAP 2 ipsec-isakmp
 set peer XX.XX.XX.XX
 set security-association lifetime seconds 86400
 set transform-set IM
 set pfs group5
 match address 101
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address dhcp
 ip access-group 102 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map IM-MAP
!
interface Vlan1
 ip address 192.168.2.99 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip access-list extended NAT
 permit ip 192.168.2.0 0.0.0.255 any
 permit udp any eq bootps any eq bootpc
ip access-list extended inside-nat-pool
 permit ip 192.168.2.0 0.0.0.255 any
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.77.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit udp host XX.XX.XX.XX any eq isakmp
access-list 102 permit esp host XX.XX.XX.XX any
!
control-plane
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password XXXXXX
 login
!
scheduler max-task-time 5000
end

1 Reply

Mark Malone (VIP Alumni)
Hey, that alert "proxy identities not supported" means your ACLs don't match on both sides for interesting traffic. Please check both ACLs applied on each side; they should be identical. Other than that, looking at your config, it looks OK on the Cisco side.
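To make the reply's check concrete, here is an added example (not part of the thread, and not the poster's or the responder's code) that parses the crypto ACL from the posted running-config together with a FortiGate phase2-interface stanza and reports whether the Phase 2 selectors (the proxy identities the IOS debug complains about) line up. On IOS the crypto ACL's source is the local protected network and its destination is the remote one; on FortiGate src-subnet is local and dst-subnet is remote, so the two sides must be mirror images of each other. The FortiGate stanza is constructed: it assumes the 100D's LAN is 192.168.77.0/24 (the only subnet in ACL 101 other than the router's own Vlan1 network) and that the tunnel is an interface-mode phase2 named "to-cisco881"; the function names and ACL number 101 are this example's own.

```python
"""Check that a Cisco IOS crypto ACL mirrors the FortiGate peer's phase2 selectors.

Added example, not code from the forum thread. The Cisco ACL line is copied
from the posted running-config; the FortiGate stanza below is constructed.
"""
import ipaddress
import re

# Verbatim from the posted running-config (router LAN per "interface Vlan1"
# is 192.168.2.0/24).
CISCO_CRYPTO_ACL = """
access-list 101 permit ip 192.168.77.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

# Constructed FortiGate side (assumption: the 100D's LAN is 192.168.77.0/24
# and the tunnel is a phase2-interface). Not from the original post.
FORTIGATE_PHASE2 = """
config vpn ipsec phase2-interface
    edit "to-cisco881"
        set phase1name "to-cisco881"
        set proposal 3des-md5
        set pfs enable
        set dhgrp 5
        set src-subnet 192.168.77.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end
"""

_CISCO_LINE = re.compile(r"permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
_FORTI_LINE = re.compile(r"set (src|dst)-subnet (\S+) (\S+)")


def wildcard_to_network(addr, wildcard):
    """Cisco ACLs use wildcard masks, i.e. the bitwise inverse of a netmask."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_cisco_crypto_acl(text):
    """Return (local, remote) pairs from 'permit ip A wild B wild' lines.

    Only the subnet/wildcard form used in the posted config is handled;
    'host' and 'any' keywords are deliberately left unparsed.
    """
    pairs = []
    for line in text.splitlines():
        m = _CISCO_LINE.search(line)
        if m:
            pairs.append((wildcard_to_network(m.group(1), m.group(2)),
                          wildcard_to_network(m.group(3), m.group(4))))
    return pairs


def parse_fortigate_phase2(text):
    """Return (local, remote) pairs: src-subnet is local, dst-subnet is remote."""
    entries, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        m = _FORTI_LINE.match(line)
        if m:
            current[m.group(1)] = ipaddress.IPv4Network(
                f"{m.group(2)}/{m.group(3)}", strict=False)
        elif line == "next" and current:
            entries.append((current["src"], current["dst"]))
            current = {}
    return entries


def mismatches(cisco_pairs, forti_pairs):
    """Every Cisco (local, remote) pair must exist on the FortiGate as (remote, local)."""
    problems = []
    forti_mirrored = {(dst, src) for src, dst in forti_pairs}
    cisco_mirrored = {(dst, src) for src, dst in cisco_pairs}
    for src, dst in cisco_pairs:
        if (src, dst) not in forti_mirrored:
            problems.append(f"Cisco {src} -> {dst}: no mirrored FortiGate selector")
    for src, dst in forti_pairs:
        if (src, dst) not in cisco_mirrored:
            problems.append(f"FortiGate {src} -> {dst}: no mirrored Cisco ACL entry")
    return problems


def suggest_cisco_acl(forti_pairs, acl_number):
    """Emit the IOS ACL lines that would mirror the FortiGate selectors exactly."""
    return [f"access-list {acl_number} permit ip "
            f"{remote.network_address} {remote.hostmask} "
            f"{local.network_address} {local.hostmask}"
            for local, remote in forti_pairs]


if __name__ == "__main__":
    cisco = parse_cisco_crypto_acl(CISCO_CRYPTO_ACL)
    forti = parse_fortigate_phase2(FORTIGATE_PHASE2)
    for p in mismatches(cisco, forti) or ["selectors are mirrored"]:
        print(p)
    print("\n".join(suggest_cisco_acl(forti, 101)))
```

Run against the posted ACL this reports two mismatches, because access-list 101 as written puts 192.168.77.0/24 in the source (local) position even though the router's own LAN is 192.168.2.0/24; the suggested line swaps the two networks. Two further points a practitioner would check in the posted config: `ip nat inside source list 1` with `access-list 1 permit 192.168.2.0 0.0.0.255` will translate traffic bound for 192.168.77.0/24 before the crypto map sees it, so a deny for that traffic belongs at the top of the NAT ACL once the selectors match; and 3DES/MD5, DH group 5 and a five-character pre-shared key are weak choices that should be replaced (AES, SHA-2, a stronger DH group, a long random PSK) with the Phase 1 and Phase 2 proposals kept identical on both ends.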