02-09-2012 01:09 AM
Hi,
I am trying to establish a Site-to-Site VPN to our customer. I am using an ASA5510 and the customer is using a Fortigate 1000A. The problem that we're having is regarding IKE Phase 2, I think. Cisco debug information indicates "All IPSec SA proposals found unacceptable!" Can someone shed some light on how to solve this problem?
02-09-2012 02:18 AM
Hi John,
Can you take debugs of level 255 and paste the debugs right where it says all ipsec SA proposals found unacceptable?
You need to match the crypto access list on both ends. Can you verify the settings at the Fortigate end for the crypto access list? The range option in Fortigate does not work with Cisco. Can you send a snapshot of both ends' Phase 1 and 2 with the crypto access list?
Thanks,
Varinder
02-09-2012 02:48 AM
Here it is.
Dec 02 20:51:18 [IKEv1 DEBUG]: Group = 210.24.168.8, IP = 210.24.168.8, processing hash payload
Dec 02 20:51:18 [IKEv1 DEBUG]: Group = 210.24.168.8, IP = 210.24.168.8, processing SA payload
Dec 02 20:51:18 [IKEv1 DEBUG]: Group = 210.24.168.8, IP = 210.24.168.8, processing nonce payload
Dec 02 20:51:18 [IKEv1 DEBUG]: Group = 210.24.168.8, IP = 210.24.168.8, processing ID payload
Dec 02 20:51:18 [IKEv1 DECODE]: Group = 210.24.168.8, IP = 210.24.168.8, ID_IPV4_ADDR_SUBNET ID received--10.21.0.0--255.255.0.0
Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Received remote IP Proxy Subnet data in ID Payload: Address 10.21.0.0, Mask 255.255.0.0, Protocol 0, Port 0
Dec 02 20:51:18 [IKEv1 DEBUG]: Group = 210.24.168.8, IP = 210.24.168.8, processing ID payload
Dec 02 20:51:18 [IKEv1 DECODE]: Group = 210.24.168.8, IP = 210.24.168.8, ID_IPV4_ADDR_SUBNET ID received--10.177.177.0--255.255.255.0
Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Received local IP Proxy Subnet data in ID Payload: Address 10.177.177.0, Mask 255.255.255.0, Protocol 0, Port 0
Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, QM IsRekeyed old sa not found by addr
Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Static Crypto Map check, checking map = VPN-MAP, seq = 10...
Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Static Crypto Map check, map = VPN-MAP, seq = 10, ACL does not match proxy IDs src:10.21.0.0 dst:10.177.177.0
Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Static Crypto Map check, checking map = VPN-MAP, seq = 20...
Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Static Crypto Map check, map VPN-MAP, seq = 20 is a successful match
Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, IKE Remote Peer configured for crypto map: VPN-MAP
Dec 02 20:51:18 [IKEv1 DEBUG]: Group = 210.24.168.8, IP = 210.24.168.8, processing IPSec SA payload
Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, All IPSec SA proposals found unacceptable!
Dec 02 20:51:18 [IKEv1 DEBUG]: Group = 210.24.168.8, IP = 210.24.168.8, sending notify message
Dec 02 20:51:18 [IKEv1 DEBUG]: Group = 210.24.168.8, IP = 210.24.168.8, constructing blank hash payload
Dec 02 20:51:18 [IKEv1 DEBUG]: Group = 210.24.168.8, IP = 210.24.168.8, constructing ipsec notify payload for msg id a0425c41
Dec 02 20:51:18 [IKEv1 DEBUG]: Group = 210.24.168.8, IP = 210.24.168.8, constructing qm hash payload
Dec 02 20:51:18 [IKEv1]: IP = 210.24.168.8, IKE_DECODE SENDING Message (msgid=391c082f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
02-09-2012 02:50 AM
I think the key phrase here is:
Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Static Crypto Map check, map = VPN-MAP, seq = 10, ACL does not match proxy IDs src:10.21.0.0 dst:10.177.177.0
Crypto ACL doesn't match on both sides.
HTH. Please rate if it was helpful.
02-09-2012 03:00 AM
Crypto map sequence 10 is for a different group and I have different crypto maps. See details below.
Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Static Crypto Map check, checking map = VPN-MAP, seq = 20...
Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Static Crypto Map check, map VPN-MAP, seq = 20 is a successful match
02-09-2012 03:13 AM
Ok, you're right. Looking forward...
02-09-2012 03:29 AM
Would you know someone who has successfully established a VPN between Fortigate and Cisco?
02-09-2012 04:03 AM
New update.
2 IKE Peer: 210.24.168.8
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
but after a while it drops. Any info regarding this?
02-09-2012 08:37 AM
John,
Try to do the following things:
1. Can you disable the keepalives on both ends?
2. Is the crypto access list on the Fortigate a subnet type and not a network range? If it is a range, change it to a subnet.
Let me know if it works
Varinder
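On the subnet-versus-range point, here is an added Python example (not from the thread or from either vendor) showing why a Fortigate range selector can fail to match a Cisco crypto ACL: the ASA expresses Phase 2 selectors as network/mask, so a range only maps cleanly when it is exactly one CIDR block. The code checks that, splits a non-aligned range into the minimal set of subnets, and renders the mirrored ASA ACEs. The ACL name `VPN-ACL` and the ranges are constructed; only 10.21.0.0/16 and 10.177.177.0/24 come from the debug above.

```python
import ipaddress


def range_as_single_subnet(first, last):
    """Return the one CIDR network exactly covering first..last, or None when
    the range is not subnet-aligned (start and size are not a power-of-two block)."""
    nets = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets[0] if len(nets) == 1 else None


def subnets_for_range(first, last):
    """Minimal list of CIDR subnets covering first..last; each one would need
    its own ACE on the ASA (and therefore its own Phase 2 selector pair)."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def asa_crypto_aces(acl_name, local_net, remote_first, remote_last):
    """Render the ASA extended ACEs that mirror a Fortigate range selector.

    local_net is our side as a CIDR string; the remote side is given as a
    range and split into subnets. Output uses 'permit ip <src> <mask> <dst> <mask>'.
    """
    local = ipaddress.ip_network(local_net)
    lines = []
    for remote in subnets_for_range(remote_first, remote_last):
        lines.append(
            f"access-list {acl_name} extended permit ip "
            f"{local.network_address} {local.netmask} "
            f"{remote.network_address} {remote.netmask}")
    return lines


if __name__ == "__main__":
    # Constructed ranges; the first is the peer network seen in the debug above,
    # the second is the kind of "first usable to last usable" range a Fortigate
    # range object can express but a single ASA ACE cannot.
    for first, last in [("10.21.0.0", "10.21.255.255"), ("10.21.0.1", "10.21.0.254")]:
        one = range_as_single_subnet(first, last)
        print(f"{first}-{last}: {'single subnet ' + str(one) if one else 'NOT a single subnet'}")
        for ace in asa_crypto_aces("VPN-ACL", "10.177.177.0/24", first, last):  # assumed ACL name
            print("  ", ace)
```

A range like 10.21.0.1 to 10.21.0.254 expands to fourteen subnets, so the peer would have to negotiate fourteen separate selector pairs; changing the Fortigate object to the subnet 10.21.0.0/24 (or /16, as the proxy ID in the debug shows) collapses it to the single ACE the ASA expects.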
02-09-2012 06:08 PM
Where do I disable the keepalives?
02-09-2012 06:49 PM
I think the command is deprecated. I cannot issue the command on the ASA.
02-09-2012 08:37 PM
Keepalives on the ASA are disabled with the following commands:
tunnel-group x.x.x.x ipsec-attributes
 isakmp keepalive disable
--It is required to be disabled on the peer end as well.
Varinder