06-14-2023 02:55 PM
I'm trying to set up a GRE tunnel with IPSec between my 3945 router and a Fortinet 60F firewall, but the phase 2 isn't working.
Cisco 3945, IOS 15.1(1r)T5
Fortigate 60G, FortiOS 7.0.10
I had problems with phase 1 configs, but after adjusting it, still no go for phase 2.
My config:
POLICY ISAKMP/IPSEC
crypto isakmp policy 5
encr aes 256
hash sha256
authentication pre-share
group 14
lifetime 28800
!
crypto isakmp key PASSWORD address 10.10.10.6
!
crypto ipsec transform-set TSET_01 esp-sha256-hmac esp-aes
mode transport
CRYPTO MAP
crypto map CMAP_01 10 ipsec-isakmp
set peer 10.10.10.6
set transform-set TSET_01
set pfs group14
match address 109
TUNNEL
interface Tunnel4
ip address 10.234.121.17 255.255.255.252
ip tcp adjust-mss 1300
load-interval 30
keepalive 3 2
tunnel source 10.10.10.5
tunnel destination 10.10.10.6
end
After adjusting phase 1, I still get those logs:
006960: *Jun 14 10:16:35.938 GMT-3: ISAKMP (1215): received packet from 10.10.10.6 dport 500 sport 500 Global (R) QM_IDLE
006961: *Jun 14 10:16:35.938 GMT-3: ISAKMP: set new node -621745775 to QM_IDLE
006962: *Jun 14 10:16:35.938 GMT-3: ISAKMP:(1215): processing HASH payload. message ID = 3673221521
006963: *Jun 14 10:16:35.938 GMT-3: ISAKMP:(1215): processing SA payload. message ID = 3673221521
006964: *Jun 14 10:16:35.938 GMT-3: ISAKMP:(1215):Checking IPSec proposal 1
006965: *Jun 14 10:16:35.938 GMT-3: ISAKMP: transform 1, ESP_AES
006966: *Jun 14 10:16:35.938 GMT-3: ISAKMP: attributes in transform:
006967: *Jun 14 10:16:35.938 GMT-3: ISAKMP: SA life type in seconds
006968: *Jun 14 10:16:35.938 GMT-3: ISAKMP: SA life duration (basic) of 28800
006969: *Jun 14 10:16:35.938 GMT-3: ISAKMP: encaps is 2 (Transport)
006970: *Jun 14 10:16:35.938 GMT-3: ISAKMP: key length is 256
006971: *Jun 14 10:16:35.938 GMT-3: ISAKMP: authenticator is HMAC-SHA256
006972: *Jun 14 10:16:35.938 GMT-3: ISAKMP: group is 14
006973: *Jun 14 10:16:35.938 GMT-3: ISAKMP:(1215):atts are acceptable.
006974: *Jun 14 10:16:35.938 GMT-3: ISAKMP:(1215): IPSec policy invalidated proposal with error 256
006975: *Jun 14 10:16:35.938 GMT-3: ISAKMP:(1215): phase 2 SA policy not acceptable! (local 10.10.10.5 remote 10.10.10.6)
006976: *Jun 14 10:16:35.938 GMT-3: ISAKMP: set new node -1729133300 to QM_IDLE
006977: *Jun 14 10:16:35.938 GMT-3: ISAKMP:(1215):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 589788644, message ID = 2565833996
I've been working with the guys who support the Fortigate, and it seems that Fortigate doesn't have the same algorithms that Cisco has for phase 2.
Here is the list of algorithms for encryption and authorization in my router:
ROUTER3945(config)#crypto ipsec transform-set TSET_01 ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
ah-sha256-hmac AH-HMAC-SHA256 transform
ah-sha384-hmac AH-HMAC-SHA384 transform
ah-sha512-hmac AH-HMAC-SHA512 transform
comp-lzs IP Compression using the LZS compression algorithm
esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
esp-aes ESP transform using AES cipher
esp-des ESP transform using DES cipher (56 bits)
esp-gcm ESP transform using GCM cipher
esp-gmac ESP transform using GMAC cipher
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-null ESP transform w/o cipher
esp-seal ESP transform using SEAL cipher (160 bits)
esp-sha-hmac ESP transform using HMAC-SHA auth
esp-sha256-hmac ESP transform using HMAC-SHA256 auth
esp-sha384-hmac ESP transform using HMAC-SHA384 auth
esp-sha512-hmac ESP transform using HMAC-SHA512 auth
ROUTER3945(config)#crypto ipsec transform-set TSET_01 ah-sha256-hmac ?
comp-lzs IP Compression using the LZS compression algorithm
esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
esp-aes ESP transform using AES cipher
esp-des ESP transform using DES cipher (56 bits)
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-null ESP transform w/o cipher
esp-seal ESP transform using SEAL cipher (160 bits)
esp-sha-hmac ESP transform using HMAC-SHA auth
esp-sha256-hmac ESP transform using HMAC-SHA256 auth
esp-sha384-hmac ESP transform using HMAC-SHA384 auth
esp-sha512-hmac ESP transform using HMAC-SHA512 auth
And here is the list on Fortigate side:
FORTIGATE_FW(IPSEC-PARTNER-PRI) # set proposal
des-md5 des-md5
des-sha1 des-sha1
des-sha256 des-sha256
des-sha384 des-sha384
des-sha512 des-sha512
3des-md5 3des-md5
3des-sha1 3des-sha1
3des-sha256 3des-sha256
3des-sha384 3des-sha384
3des-sha512 3des-sha512
aes128-md5 aes128-md5
aes128-sha1 aes128-sha1
aes128-sha256 aes128-sha256
aes128-sha384 aes128-sha384
aes128-sha512 aes128-sha512
aes192-md5 aes192-md5
aes192-sha1 aes192-sha1
aes192-sha256 aes192-sha256
aes192-sha384 aes192-sha384
aes192-sha512 aes192-sha512
aes256-md5 aes256-md5
aes256-sha1 aes256-sha1
aes256-sha256 aes256-sha256
aes256-sha384 aes256-sha384
aes256-sha512 aes256-sha512
aria128-md5 aria128-md5
aria128-sha1 aria128-sha1
aria128-sha256 aria128-sha256
aria128-sha384 aria128-sha384
aria128-sha512 aria128-sha512
aria192-md5 aria192-md5
aria192-sha1 aria192-sha1
aria192-sha256 aria192-sha256
aria192-sha384 aria192-sha384
aria192-sha512 aria192-sha512
aria256-md5 aria256-md5
aria256-sha1 aria256-sha1
aria256-sha256 aria256-sha256
aria256-sha384 aria256-sha384
aria256-sha512 aria256-sha512
seed-md5 seed-md5
seed-sha1 seed-sha1
seed-sha256 seed-sha256
seed-sha384 seed-sha384
seed-sha512 seed-sha512
Is there a way to make them work together?
06-14-2023 03:28 PM
esp-sha256-hmac esp-aes
esp-aes -> aes-128
esp-sha256 -> sha256
so the fortigate proposal is below
aes128-sha256
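The mapping in the reply, and the comparison against what the debug shows the peer offering, written out as an added example (not from the thread, and not Cisco or Fortinet code). It assumes the transform-set and proposal keywords listed in the question; the debug attribute spellings other than ESP_AES and HMAC-SHA256 are assumed, as the comments note.

```python
import re
# Cisco IOS transform-set keywords (from the '?' output above) mapped to the
# cipher/hash words FortiGate uses in a phase2 'set proposal' value.
CIPHERS = {"esp-des": "des", "esp-3des": "3des", "esp-aes": "aes"}
AUTHS = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256",
         "esp-sha384-hmac": "sha384", "esp-sha512-hmac": "sha512"}
# Attribute names as 'debug crypto isakmp' prints them. Only ESP_AES and
# HMAC-SHA256 occur in the debug quoted above; the other spellings are assumed.
LOG_CIPHERS = {"ESP_AES": "aes", "ESP_3DES": "3des", "ESP_DES": "des"}
LOG_AUTHS = {"HMAC-MD5": "md5", "HMAC-SHA": "sha1", "HMAC-SHA256": "sha256",
             "HMAC-SHA384": "sha384", "HMAC-SHA512": "sha512"}

def _proposal(cipher, bits, auth):
    # FortiGate puts the AES key size in the name; DES and 3DES carry none.
    return f"{cipher}{bits}-{auth}" if cipher == "aes" else f"{cipher}-{auth}"

def cisco_to_fortigate(transforms):
    """'esp-sha256-hmac esp-aes' -> 'aes128-sha256' (IOS 'esp-aes' with no size is 128-bit)."""
    tokens = transforms.split()
    cipher = auth = bits = None
    for i, tok in enumerate(tokens):
        if tok in CIPHERS:
            cipher = CIPHERS[tok]
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            bits = int(nxt) if tok == "esp-aes" and nxt in ("128", "192", "256") else 128
        elif tok in AUTHS:
            auth = AUTHS[tok]
    if cipher is None or auth is None:
        raise ValueError(f"need one ESP cipher and one ESP HMAC transform: {transforms!r}")
    return _proposal(cipher, bits, auth)

def peer_proposal_from_debug(log):
    """Rebuild the proposal the peer sent from the IOS phase 2 debug lines."""
    cipher = re.search(r"transform \d+, (ESP_\w+)", log).group(1)
    bits = re.search(r"key length is (\d+)", log)
    auth = re.search(r"authenticator is (HMAC-\S+)", log).group(1)
    return _proposal(LOG_CIPHERS[cipher], bits.group(1) if bits else None, LOG_AUTHS[auth])

# Constructed sample: the attribute lines from the debug quoted in the question.
SAMPLE_DEBUG = """\
ISAKMP: transform 1, ESP_AES
ISAKMP: encaps is 2 (Transport)
ISAKMP: key length is 256
ISAKMP: authenticator is HMAC-SHA256
"""

def diagnose(transforms, log):
    """Return (local proposal, peer proposal, match?) for a router transform-set and its debug."""
    local, remote = cisco_to_fortigate(transforms), peer_proposal_from_debug(log)
    return local, remote, local == remote
```

Run against the question's transform-set and debug, `diagnose` returns `('aes128-sha256', 'aes256-sha256', False)`: the router offers 128-bit AES while the FortiGate side proposed 256-bit, which is the mismatch the reply's aes128-sha256 proposal resolves.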
06-15-2023 03:04 AM
I'll give it a try today.
Thanks!