Can't get L2L VPN up between ASA and Fortinet (IKEv2)

daniel.dib
Level 7

Hi,

I'm having issues getting an L2L tunnel up between a Cisco ASA and a Fortinet. This is the first tunnel being set up with IKEv2. The ASA is complaining that it can't find a matching policy.

The Fortinet device is configured by the other party, and I have confirmed that they are using the agreed settings.

Configuration from the ASA:

crypto ipsec ikev2 ipsec-proposal AES-3DES-SHA1
 protocol esp encryption 3des
 protocol esp integrity sha-1

crypto map VPN 100 match address ABC
crypto map VPN 100 set pfs group5
crypto map VPN 100 set peer x.x.x.x
crypto map VPN 100 set ikev2 ipsec-proposal AES-3DES-SHA1
crypto map VPN 100 set security-association lifetime seconds 28800

crypto map VPN interface outside

crypto ikev2 policy 10
 encryption aes-256 3des
 integrity sha256 sha
 group 5
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 ikev2 remote-authentication pre-shared-key blablabla
 ikev2 local-authentication pre-shared-key blablabla

Debugs say that there is no matching policy:

IKEv2-PROTO-3: (97): Get peer authentication method
IKEv2-PROTO-3: (97): Get peer's preshared key for x.x.x.x
IKEv2-PROTO-3: (97): Verify authentication data
IKEv2-PROTO-3: (97): Use preshared key for id x.x.x.x, key len 15
IKEv2-PROTO-2: (97): Processing auth message
IKEv2-PROTO-1: (97): Failed to find a matching policy
IKEv2-PROTO-1: (97): Received Policies:
ESP: Proposal 1:  3DES SHA96

IKEv2-PROTO-1: (97): Failed to find a matching policy
IKEv2-PROTO-1: (97): Expected Policies:
IKEv2-PROTO-5: (97): Failed to verify the proposed policies
IKEv2-PROTO-1: (97): Failed to find a matching policy

Daniel Dib
CCIE #37149
CCDE #20160011

Please rate helpful posts.
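Added example for this thread (not code from the original post, nor from Cisco or Fortinet): a small Python checker that parses the ASA configuration and the `debug crypto ikev2` excerpt exactly as posted, then reports whether the peer's ESP proposal is covered by any configured `ipsec-proposal`, whether the debug listed any expected policies at all, and which algorithms or DH groups are below what a practitioner would accept in a new tunnel. Two things in it are assumptions rather than documented behaviour: the mapping from the names the debug prints (`3DES`, `SHA96`, `AES-CBC-256`, ...) to the keywords of `crypto ipsec ikev2 ipsec-proposal`, and the reading that an empty `Expected Policies:` list means the ASA did not select a crypto map entry for the peer's traffic selectors (so the `match address` ACL, not the algorithm set, is the first thing to compare with the Fortinet phase 2 selectors). Note also that the posted proposal is named `AES-3DES-SHA1` but offers only 3DES with SHA-1, and that both 3DES and DH group 5 are below current recommendations.

```python
"""Cross-check a Cisco ASA IKEv2 configuration against the ESP proposal a peer
sent, using the lines 'debug crypto ikev2' prints when phase 2 fails.
Added example for this thread, not Cisco or Fortinet code; the config and debug
excerpts are the ones posted. The debug-name mapping and the reading of an
empty 'Expected Policies' list are assumptions from ASA troubleshooting practice.
"""
import re

ASA_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal AES-3DES-SHA1
 protocol esp encryption 3des
 protocol esp integrity sha-1
crypto map VPN 100 match address ABC
crypto map VPN 100 set pfs group5
crypto map VPN 100 set peer x.x.x.x
crypto map VPN 100 set ikev2 ipsec-proposal AES-3DES-SHA1
"""
ASA_DEBUG = """\
IKEv2-PROTO-1: (97): Failed to find a matching policy
IKEv2-PROTO-1: (97): Received Policies:
ESP: Proposal 1:  3DES SHA96

IKEv2-PROTO-1: (97): Failed to find a matching policy
IKEv2-PROTO-1: (97): Expected Policies:
IKEv2-PROTO-5: (97): Failed to verify the proposed policies
"""
# Assumed partial mapping from debug names to ipsec-proposal keywords;
# unknown names are lower-cased unchanged.
DEBUG_TO_CONFIG = {"3DES": "3des", "AES-CBC-128": "aes", "AES-CBC-256": "aes-256",
                   "SHA96": "sha-1", "SHA256": "sha-256", "MD596": "md5"}
# Algorithms and DH groups that should not go into a new tunnel today.
WEAK = {"des", "3des", "null", "md5", "sha-1", "group1", "group2", "group5"}


def parse_ipsec_proposals(config):
    """Return {name: {"encryption": set, "integrity": set}} per ipsec-proposal."""
    proposals, cur = {}, None
    for line in config.splitlines():
        if m := re.match(r"crypto ipsec ikev2 ipsec-proposal (\S+)", line):
            cur = proposals.setdefault(m.group(1), {"encryption": set(), "integrity": set()})
        elif cur is not None and (m := re.match(r"\s+protocol esp (encryption|integrity) (.+)", line)):
            cur[m.group(1)].update(m.group(2).split())
        elif not line.startswith(" "):
            cur = None  # left the proposal sub-mode
    return proposals


def parse_crypto_map(config):
    """Return {(map, seq): {"acl": str, "pfs": str, "proposals": [str]}}."""
    entries = {}
    pat = r"crypto map (\S+) (\d+) (match address|set pfs|set ikev2 ipsec-proposal) (.+)"
    for m in filter(None, (re.match(pat, l) for l in config.splitlines())):
        e = entries.setdefault((m.group(1), int(m.group(2))),
                               {"acl": None, "pfs": None, "proposals": []})
        key, val = m.group(3), m.group(4).strip()
        if key == "match address":
            e["acl"] = val
        elif key == "set pfs":
            e["pfs"] = val
        else:
            e["proposals"] = val.split()
    return entries


def parse_debug_policies(debug):
    """Return {"received": [(enc, integ)], "expected": [...]} in config keywords."""
    out, section = {"received": [], "expected": []}, None
    for line in debug.splitlines():
        if "Received Policies:" in line:
            section = "received"
        elif "Expected Policies:" in line:
            section = "expected"
        elif section and (m := re.match(r"\s*ESP: Proposal \d+:\s+(\S+)\s+(\S+)", line)):
            out[section].append(tuple(DEBUG_TO_CONFIG.get(t, t.lower()) for t in m.groups()))
        elif line.startswith("IKEv2-PROTO"):
            section = None  # any other debug line ends the list
    return out


def analyse(config, debug):
    """Return findings comparing the peer's ESP proposal with the ASA side."""
    proposals, entries = parse_ipsec_proposals(config), parse_crypto_map(config)
    policies, findings = parse_debug_policies(debug), []
    for enc, integ in policies["received"]:
        covered = [n for n, p in proposals.items()
                   if enc in p["encryption"] and integ in p["integrity"]]
        findings.append(f"peer proposal {enc}/{integ} is covered by ipsec-proposal {', '.join(covered)}"
                        if covered else f"peer proposal {enc}/{integ} matches no configured ipsec-proposal")
        if weak := sorted({enc, integ} & WEAK):
            findings.append("peer proposal uses weak or legacy algorithms: " + ", ".join(weak))
    if policies["received"] and not policies["expected"]:
        # Assumption: an empty expected list means no crypto map entry was selected.
        findings.append("no expected policies listed: the ASA selected no crypto map entry "
                        "for the peer's traffic selectors; check the 'match address' ACL "
                        "against the Fortinet phase 2 selectors before the algorithms")
    for (name, seq), e in entries.items():
        if e["pfs"]:
            findings.append(f"crypto map {name} {seq} requires PFS {e['pfs']}"
                            + (" (a weak DH group)" if e["pfs"] in WEAK else "")
                            + "; the peer must offer the same group in its child SA")
    return findings


if __name__ == "__main__":
    print("\n".join("- " + f for f in analyse(ASA_CONFIG, ASA_DEBUG)))
```

Run as-is it reports that the peer's 3DES/SHA-1 proposal does match the configured `ipsec-proposal`, which is why the algorithm set alone does not explain the failure; the empty expected list and the PFS requirement on the crypto map are the two remaining things to reconcile with the Fortinet side.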