QM_IDLE ph1 on Cisco but ph1 error FortiGate 110C

danjor (Level 1)

Hi,

It seems my phase 1 is up and there is nothing on phase 2, but on the remote site the log shows an error on phase 1 (status negotiate_error and error reason peer notification).

I'm not sure if the Cisco can do AES256 with the encryption set, as in the config it shows only esp-aes.

Remote prerequisites:

  • Main Mode
  • PSK, defined and done both the same
  • IKE Version 1
  • Phase1 Proposal
    ◦ Encryption AES 256
    ◦ Authentication SHA1
    ◦ DH Group 5
    ◦ Keylife 28800
  • XAUTH disabled
  • NAT Traversal enabled
  • Dead Peer Detection enabled
  • Phase2 Proposal
    ◦ Encryption AES 256
    ◦ Authentication SHA1
    ◦ DH Group 5
    ◦ Keylife 1800
    ◦ PFS enabled
    ◦ Replay detection enabled

Config from my router, debug info and other sh commands are in the attached file, as it is too long to delete all the IPs, etc. in the log/debug/traces.

BB.BB.BB.BB is local interface public IP to Internet (Cisco1841)

AA.AA.AA.AA is remote interface public IP to Internet where I have to connect the VPN (FortiGate)

Config info extract:

crypto isakmp policy 30
 encr aes 256
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key ******************* address AA.AA.AA.AA no-xauth
crypto isakmp keepalive 10
crypto isakmp xauth timeout 90
crypto ipsec transform-set pfs-set esp-aes esp-sha-hmac
crypto map mymap 9 ipsec-isakmp
 set peer AA.AA.AA.AA
 set security-association lifetime seconds 1800
 set transform-set pfs-set
 set pfs group5
 match address 134
crypto map mymap 10 ipsec-isakmp dynamic dynmap   ! for VPN client configured and those are working
interface FastEthernet0/0
 crypto map mymap

sh cry isa sa

dst          src          state    conn-id  slot  status
BB.BB.BB.BB  AA.AA.AA.AA  QM_IDLE  69       0     ACTIVE

sh cry ips sa

interface: FastEthernet0/0
    Crypto map tag: mymap, local addr BB.BB.BB.BB

   protected vrf: (none)
   local ident (addr/mask/prot/port): (10.70.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.7.0.0/255.255.255.0/0/0)
   current_peer AA.AA.AA.AA port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: BB.BB.BB.BB, remote crypto endpt.: AA.AA.AA.AA
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Other info:

NAT is denied between both networks.

ACL for the tunnel:

Extended IP access list 134

10 permit ip 10.70.0.0 0.0.0.255 10.7.0.0 0.0.0.255 (43 matches)

The matches are from my ping tests (also 43 in the nonat ACL)

Can someone help?

Thanks,

Daniel


danjor (Level 1)

I forgot to give the version of the 1841:

c1841-advipservicesk9-mz.124-3a.bin

Hope this helps also....

SOLVED on 04/14/13

Solved with a TAC case, as there was no answer here.

Solution:

crypto ipsec transform-set pfs-set esp-aes 256 esp-sha-hmac to correct the phase 2 error

Thanks, TAC engineer.
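The mismatch behind this thread is that a bare `esp-aes` in an IOS transform-set means AES-128, so phase 1 (which explicitly says `encr aes 256`) comes up while the FortiGate rejects the phase 2 proposal. The following checker is an added example, not code from the thread or from Cisco/Fortinet: it parses the posted transform-set and `set pfs` lines (sample config constructed from the extract above, with `AA.AA.AA.AA` left as in the post) and reports which phase 2 parameters differ from the FortiGate's listed proposal, before and after the TAC fix.

```python
import re

# Constructed sample: the phase 2 part of the Cisco IOS extract from the thread,
# as posted before the TAC fix.
CISCO_CONFIG_BEFORE = """
crypto ipsec transform-set pfs-set esp-aes esp-sha-hmac
crypto map mymap 9 ipsec-isakmp
 set peer AA.AA.AA.AA
 set security-association lifetime seconds 1800
 set transform-set pfs-set
 set pfs group5
"""
# The same extract with the fix from the thread applied.
CISCO_CONFIG_AFTER = CISCO_CONFIG_BEFORE.replace(
    "esp-aes esp-sha-hmac", "esp-aes 256 esp-sha-hmac")

# FortiGate phase 2 proposal as listed in the thread.
FORTIGATE_PHASE2 = {"encryption": "aes", "keysize": 256, "auth": "sha1", "pfs_group": 5}
ESP_AUTH_NAMES = {"esp-sha-hmac": "sha1", "esp-md5-hmac": "md5"}


def parse_transform_set(config, name):
    """Parse one IOS transform-set. A bare 'esp-aes' means AES-128 in IOS;
    the key size is only 256 when written explicitly as 'esp-aes 256'."""
    m = re.search(r"^crypto ipsec transform-set %s (.*)$" % re.escape(name), config, re.M)
    if not m:
        raise ValueError("no transform-set named %s" % name)
    ts = {"encryption": None, "keysize": None, "auth": None}
    toks = m.group(1).split()
    for i, tok in enumerate(toks):
        if tok == "esp-aes":
            ts["encryption"], ts["keysize"] = "aes", 128  # implicit IOS default
            if i + 1 < len(toks) and toks[i + 1] in ("128", "192", "256"):
                ts["keysize"] = int(toks[i + 1])
        elif tok in ESP_AUTH_NAMES:
            ts["auth"] = ESP_AUTH_NAMES[tok]
    return ts


def phase2_mismatches(config, peer, ts_name="pfs-set"):
    """Return the names of the phase 2 parameters where the Cisco side differs
    from the peer's proposal (an empty list means the proposals agree)."""
    local = parse_transform_set(config, ts_name)
    pfs = re.search(r"^\s*set pfs group(\d+)", config, re.M)
    local["pfs_group"] = int(pfs.group(1)) if pfs else None
    return sorted(k for k in peer if local.get(k) != peer[k])


if __name__ == "__main__":
    print("before fix:", phase2_mismatches(CISCO_CONFIG_BEFORE, FORTIGATE_PHASE2))
    print("after fix: ", phase2_mismatches(CISCO_CONFIG_AFTER, FORTIGATE_PHASE2))
```

Run against the posted config it reports only `keysize` as mismatched, which is exactly what the TAC fix (`esp-aes 256`) changes.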
