04-10-2013 08:06 AM
Hi,
It seems my phase 1 is up and nothing on phase 2, but on the remote site the log shows an error on phase 1 (status negotiate_error and error reason peer notification).
I'm not sure if the Cisco can do AES256 with the encryption set, as in the config it shows only esp-aes.
Remote prerequisites:
Config from my router, debug info and other sh commands are in the attached file, as it is too long to delete all the IPs, etc. in the log/debug/traces.
BB.BB.BB.BB is local interface public IP to Internet (Cisco1841)
AA.AA.AA.AA is remote interface public IP to Internet where I have to connect the VPN (FortiGate)
Config info extract:
crypto isakmp policy 30
encr aes 256
authentication pre-share
group 5
lifetime 28800
crypto isakmp key ******************* address AA.AA.AA.AA no-xauth
crypto isakmp keepalive 10
crypto isakmp xauth timeout 90
crypto ipsec transform-set pfs-set esp-aes esp-sha-hmac
crypto map mymap 9 ipsec-isakmp
set peer AA.AA.AA.AA
set security-association lifetime seconds 1800
set transform-set pfs-set
set pfs group5
match address 134
crypto map mymap 10 ipsec-isakmp dynamic dynmap ! for VPN client configured and those are working
interface FastEthernet0/0
crypto map mymap
sh cry isa sa
dst src state conn-id slot status
BB.BB.BB.BB AA.AA.AA.AA QM_IDLE 69 0 ACTIVE
sh cry ips sa
interface: FastEthernet0/0
Crypto map tag: mymap, local addr BB.BB.BB.BB
protected vrf: (none)
local ident (addr/mask/prot/port): (10.70.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.7.0.0/255.255.255.0/0/0)
current_peer AA.AA.AA.AA port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: BB.BB.BB.BB , remote crypto endpt.: AA.AA.AA.AA
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Other info:
NAT is denied between both networks
ACL for the tunnel:
Extended IP access list 134
10 permit ip 10.70.0.0 0.0.0.255 10.7.0.0 0.0.0.255 (43 matches)
The matches are from my ping tests (also 43 in the nonat ACL)
Can someone help?
Thanks,
Daniel
04-11-2013 12:55 AM
I forgot to give the version of the 1841:
c1841-advipservicesk9-mz.124-3a.bin
Hope this helps also...
SOLVED on 04/14/13
Solved with a TAC case as here no answer.
Solution:
crypto ipsec transform-set pfs-set esp-aes 256 esp-sha-hmac to correct the phase 2 error
Thanks TAC engineer
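The fix above comes down to one detail of IOS syntax: in a transform set, `esp-aes` with no key size means AES-128, while `esp-aes 256` is AES-256. Phase 1 (`encr aes 256`) negotiated fine, but the FortiGate side expected AES-256 for phase 2 as well, so quick mode could never agree on a proposal and the SA sat at QM_IDLE with zero packets. The following script is an added example, not the thread's own code or a Cisco tool: it parses the `crypto isakmp policy` and `crypto ipsec transform-set` lines from a constructed copy of the thread's config and reports any transform set whose ESP cipher and key size differ from the peer's phase 2 proposal (assumed here to be AES-256, as on the remote FortiGate). The `_DEFAULT_BITS` table and the `phase2_mismatches` signature are this example's own assumptions.

```python
"""Added example (not from the thread): lint a Cisco IOS IPsec config for a
phase 2 transform set that does not match what the remote peer proposes.

On IOS, 'esp-aes' with no key size means AES-128; 'esp-aes 256' is AES-256.
The FortiGate side expected AES-256 for phase 2, so the local
'esp-aes esp-sha-hmac' transform set could never match and quick mode failed
while phase 1 (encr aes 256) stayed up (QM_IDLE, zero packets).
"""
import re

# Constructed sample: the thread's 'before' config (and the 'after' fix below).
CONFIG_BEFORE = """\
crypto isakmp policy 30
 encr aes 256
 authentication pre-share
 group 5
crypto ipsec transform-set pfs-set esp-aes esp-sha-hmac
crypto map mymap 9 ipsec-isakmp
 set peer AA.AA.AA.AA
 set transform-set pfs-set
"""
CONFIG_AFTER = CONFIG_BEFORE.replace("esp-aes esp-sha-hmac",
                                     "esp-aes 256 esp-sha-hmac")

# Key sizes IOS implies when the ESP transform carries no explicit number
# (assumption for this example; esp-aes -> 128 is the case that bit the thread).
_DEFAULT_BITS = {"esp-aes": 128, "esp-3des": 168, "esp-des": 56}


def parse_transform_sets(config):
    """Return {name: {'cipher': 'esp-aes', 'bits': 128, 'auth': 'esp-sha-hmac'}}."""
    sets = {}
    for line in config.splitlines():
        m = re.match(r"^crypto ipsec transform-set (\S+)\s+(.*)$", line.strip())
        if not m:
            continue
        name, tokens = m.group(1), m.group(2).split()
        entry = {"cipher": None, "bits": None, "auth": None}
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok in _DEFAULT_BITS:
                entry["cipher"] = tok
                # An explicit key size may follow the cipher, e.g. 'esp-aes 256'.
                if i + 1 < len(tokens) and tokens[i + 1].isdigit():
                    entry["bits"] = int(tokens[i + 1])
                    i += 1
                else:
                    entry["bits"] = _DEFAULT_BITS[tok]
            elif tok.endswith("-hmac"):
                entry["auth"] = tok
            i += 1
        sets[name] = entry
    return sets


def parse_isakmp_policies(config):
    """Return {policy_number: (cipher, bits)} from the 'encr ...' lines."""
    policies, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"^crypto isakmp policy (\d+)", raw)
        if m:
            current = int(m.group(1))
            continue
        parts = raw.split()
        if current is not None and raw.startswith(" ") and parts[:1] == ["encr"]:
            # 'encr aes' with no size is AES-128 on IOS; 'encr aes 256' is AES-256.
            bits = int(parts[2]) if len(parts) > 2 else (128 if parts[1] == "aes" else None)
            policies[current] = (parts[1], bits)
        elif not raw.startswith(" "):
            current = None  # left the policy block
    return policies


def phase2_mismatches(config, peer_cipher="esp-aes", peer_bits=256):
    """List (name, cipher, bits) for transform sets that cannot match the
    peer's phase 2 proposal (assumed AES-256, as the FortiGate side expected)."""
    bad = []
    for name, ts in parse_transform_sets(config).items():
        if (ts["cipher"], ts["bits"]) != (peer_cipher, peer_bits):
            bad.append((name, ts["cipher"], ts["bits"]))
    return bad


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, "phase 1:", parse_isakmp_policies(cfg),
              "phase 2 mismatches:", phase2_mismatches(cfg))
```

Run as-is, the 'before' config reports `pfs-set` as AES-128 against an AES-256 peer, and the 'after' config (the TAC fix) reports nothing. A phase 1 policy and a phase 2 transform set do not have to use the same key size, so the check compares phase 2 against what the peer is known to propose rather than against the local `encr` line.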