Establishing an IPsec tunnel between an ASA 5516 and a Fortigate 501e

whitby.charles

We are trying to set up an IPsec tunnel between a Cisco 5516 on the remote side and a Fortigate 501e running 6.4.6 software on my side.  We are using 3DES/SHA/DH Grp 2 for Phase 1 and Phase 2 on both sides.

 

If communications initiate from the Cisco side things work as expected.  However if they initiate from the Fortigate side they fail, with the Cisco side reporting Phase 2 encapsulation errors.  From the Fortigate side the tunnel looks to be up with no issue.

 

We've double-checked settings, routing, policies, etc., and they all seem to match.

Accepted Solutions

@whitby.charles check whether PFS is or is not enabled on both peer devices, and align the configuration.

Make sure both devices can be both the initiator and receiver.

 

Please provide the errors for review.

 

FYI, use AES instead of 3DES, ideally SHA2 and DH group 14, 19, 20, 21 or anything stronger than 2. On newer Cisco releases these older, weaker algorithms have been deprecated as they are weaker and insecure.

whitby.charles

whitbycharles_0-1644937300594.png

 

@whitby.charles as per the Cisco docs for that error code 402116

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs4.html#con_4772678

 

Recommended Action: Contact the administrator of the peer and compare policy settings.
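One way to carry out the comparison the replies suggest (PFS alignment and matching Phase 2 policy), as an added example that is not part of the original thread. The two configuration snippets are constructed, not the poster's, and the names TS-FGT, OUTSIDE_MAP and to-asa are placeholders; the parser assumes IKEv1, a single proposal and a single DH group per side.

```python
import re

# Constructed sample configs, not the poster's; TS-FGT, OUTSIDE_MAP, to-asa are placeholders.
ASA_CFG = """\
crypto ipsec ikev1 transform-set TS-FGT esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS-FGT
crypto map OUTSIDE_MAP 10 set pfs group2
"""
FGT_CFG = """\
config vpn ipsec phase2-interface
    edit "to-asa"
        set proposal 3des-sha1
        set pfs disable
    next
end
"""
# Map ASA transform-set keywords onto FortiGate-style names so both sides compare equal.
ASA_ENC = {"des": "des", "3des": "3des", "aes": "aes128", "aes-192": "aes192", "aes-256": "aes256"}
ASA_AUTH = {"md5": "md5", "sha": "sha1"}
# Values the thread advises moving away from (3DES, SHA-1, DH group 2), plus DES, MD5, group 1.
LEGACY = {"enc": {"des", "3des"}, "auth": {"md5", "sha1"}, "pfs": {"1", "2"}}

def parse_asa(cfg):
    """Phase 2 settings from an IKEv1 transform-set and the crypto map PFS line."""
    enc, auth = re.search(r"transform-set \S+ esp-(\S+) esp-(\S+)-hmac", cfg).groups()
    pfs = re.search(r"set pfs(?: group(\d+))?", cfg)
    # A bare "set pfs" means the platform default group, which varies by release.
    return {"enc": ASA_ENC[enc], "auth": ASA_AUTH[auth],
            "pfs": (pfs.group(1) or "default") if pfs else None}

def parse_fgt(cfg):
    """Assumes explicit lines (show full-configuration), one proposal, one DH group."""
    enc, auth = re.search(r"set proposal (\w+)-(\w+)", cfg).groups()
    enabled = re.search(r"set pfs enable", cfg)
    grp = re.search(r"set dhgrp (\d+)", cfg)
    return {"enc": enc, "auth": auth,
            "pfs": (grp.group(1) if grp else "default") if enabled else None}

def compare(asa, fgt):
    """List every Phase 2 field that differs between peers or uses a legacy value."""
    findings = []
    for key in ("enc", "auth", "pfs"):
        if asa[key] != fgt[key]:
            findings.append(f"MISMATCH {key}: ASA={asa[key]} FortiGate={fgt[key]}")
        for side, val in (("ASA", asa[key]), ("FortiGate", fgt[key])):
            if val in LEGACY[key]:
                findings.append(f"LEGACY {key} on {side}: {val}")
    return findings

if __name__ == "__main__":
    print("\n".join(compare(parse_asa(ASA_CFG), parse_fgt(FGT_CFG))))
```

A `default` value in the output means the group was not stated explicitly and has to be confirmed on the device itself.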
