02-15-2022 06:42 AM
We are trying to set up an IPsec tunnel between a Cisco 5516 on the remote side and a Fortigate 501e running 6.4.6 software on my side. We are using 3DES/SHA/DH Grp 2 for Phase 1 and Phase 2 on both sides.
If communications initiate from the Cisco side things work as expected. However if they initiate from the Fortigate side they fail, with the Cisco side reporting Phase 2 encapsulation errors. From the Fortigate side the tunnel looks to be up with no issue.
We've double-checked settings, routing, policies, etc. and they all seem to match.
02-15-2022 06:46 AM - edited 02-15-2022 06:52 AM
@whitby.charles check whether PFS is or is not enabled on both peer devices, and align the configuration.
Make sure both devices can be both the initiator and receiver.
Please provide the errors for review.
FYI, use AES instead of 3DES, ideally SHA2 and DH group 14, 19, 20, 21 or anything stronger than 2. On newer Cisco releases these older weaker algorithms have been deprecated as they are weaker and insecure.
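To make the "align PFS and the Phase 2 proposal on both peers" check concrete, here is an added example (written for this thread, not code from Cisco, Fortinet or the poster) that parses a crypto-map excerpt from an ASA and a phase2-interface excerpt from FortiOS, normalises both into one vocabulary, and reports any PFS, cipher or integrity mismatch together with deprecated algorithms (3DES, SHA1/MD5, DH groups 1/2/5). The config excerpts, map sequence number and interface names are constructed; the checker assumes the FortiOS excerpt lists pfs and dhgrp explicitly, as "show full-configuration" prints them, and that an ASA "set pfs" without a group means group2.

```python
"""Compare Phase 2 settings of an ASA crypto-map entry with a FortiOS
phase2-interface entry. Added example; all config excerpts are constructed."""
import re

# Map ASA transform-set keywords and FortiOS proposal tokens onto one vocabulary.
ASA_ENC = {"esp-des": "des", "esp-3des": "3des", "esp-aes": "aes128",
           "esp-aes-192": "aes192", "esp-aes-256": "aes256"}
ASA_AUTH = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha1",
            "esp-sha256-hmac": "sha256", "esp-sha384-hmac": "sha384",
            "esp-sha512-hmac": "sha512"}
WEAK_ENC = {"des", "3des"}
WEAK_AUTH = {"md5", "sha1"}
WEAK_DH = {1, 2, 5}

# Constructed ASA excerpt: 3DES/SHA1 with PFS group2 on map entry 10.
ASA_WEAK = """
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 match address VPN-ACL
crypto map outside_map 10 set peer 198.51.100.2
crypto map outside_map 10 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 10 set pfs group2
"""
# Constructed FortiOS excerpt: same proposal, but PFS switched off -> mismatch.
FGT_WEAK = """
config vpn ipsec phase2-interface
    edit "to-asa-p2"
        set phase1name "to-asa"
        set proposal 3des-sha1
        set pfs disable
    next
end
"""
# Hardened pair: AES-256/SHA-256 with PFS group 14 on both sides.
ASA_OK = """
crypto ipsec ikev1 transform-set ESP-AES256-SHA256 esp-aes-256 esp-sha256-hmac
crypto map outside_map 10 set ikev1 transform-set ESP-AES256-SHA256
crypto map outside_map 10 set pfs group14
"""
FGT_OK = """
config vpn ipsec phase2-interface
    edit "to-asa-p2"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
    next
end
"""


def parse_asa(text, seq):
    """Return {'enc','auth','pfs'} for crypto map entry number `seq`."""
    tsets = {}
    for m in re.finditer(r"crypto ipsec ikev1 transform-set (\S+) (\S+) (\S+)", text):
        name, a, b = m.groups()
        tsets[name] = (ASA_ENC.get(a) or ASA_ENC.get(b),
                       ASA_AUTH.get(a) or ASA_AUTH.get(b))
    entry = {"enc": None, "auth": None, "pfs": None}
    for m in re.finditer(r"crypto map \S+ (\d+) set (.+)", text):
        if int(m.group(1)) != seq:
            continue
        setting = m.group(2).split()
        if setting[:2] == ["ikev1", "transform-set"]:
            entry["enc"], entry["auth"] = tsets[setting[2]]
        elif setting[0] == "pfs":
            # "set pfs groupN" names the group; bare "set pfs" is assumed to mean group2.
            entry["pfs"] = int(setting[1][len("group"):]) if len(setting) > 1 else 2
    return entry


def parse_fortios(text, name):
    """Return {'enc','auth','pfs'} for the phase2-interface entry called `name`."""
    body = re.search(r'edit "%s"(.*?)next' % re.escape(name), text, re.S).group(1)
    entry = {"enc": None, "auth": None, "pfs": None}
    prop = re.search(r"set proposal (\S+)", body)
    if prop:
        token = prop.group(1)
        # "aes256-sha256" -> cipher + integrity; an AEAD token has no hyphen.
        entry["enc"], entry["auth"] = token.split("-", 1) if "-" in token else (token, "aead")
    pfs = re.search(r"set pfs (\S+)", body)
    dh = re.search(r"set dhgrp (\d+)", body)
    if pfs and pfs.group(1) == "enable" and dh:
        entry["pfs"] = int(dh.group(1))
    return entry


def compare(asa, fgt):
    """Return findings; an empty list means both sides agree and use no weak algorithm."""
    findings = []
    for key in ("enc", "auth", "pfs"):
        if asa[key] != fgt[key]:
            findings.append(f"{key} mismatch: ASA={asa[key]} FortiGate={fgt[key]}")
    for side, cfg in (("ASA", asa), ("FortiGate", fgt)):
        if cfg["enc"] in WEAK_ENC:
            findings.append(f"{side}: deprecated cipher {cfg['enc']}")
        if cfg["auth"] in WEAK_AUTH:
            findings.append(f"{side}: deprecated integrity {cfg['auth']}")
        if cfg["pfs"] in WEAK_DH:
            findings.append(f"{side}: weak PFS DH group {cfg['pfs']}")
    return findings


if __name__ == "__main__":
    for label, asa, fgt in (("weak", ASA_WEAK, FGT_WEAK), ("hardened", ASA_OK, FGT_OK)):
        print(label, compare(parse_asa(asa, 10), parse_fortios(fgt, "to-asa-p2")) or "OK")
```

A PFS mismatch shows up exactly like the symptom in this thread: it only bites when the side that has PFS enabled proposes a DH group the other side will not accept in Quick Mode, so the tunnel may work from one direction and fail Phase 2 from the other. Running the checker on the real excerpts of both peers is quicker than eyeballing two vendors' syntaxes.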
02-15-2022 07:02 AM
02-15-2022 07:06 AM
@whitby.charles as per the Cisco docs for that error code 402116:
https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs4.html#con_4772678
Recommended Action: Contact the administrator of the peer and compare policy settings.