09-30-2025 09:00 AM
Hi Everyone,
Recently, while configuring a site-to-site VPN between a FortiGate firewall and a Cisco ASA, I faced an interesting issue: the IPsec tunnel's Phase 1 was up, but Phase 2 wouldn't establish.
I solved it by aligning the Phase 2 proposals (AES-256/SHA256) on both devices.
Looking forward to your experiences.
09-30-2025 09:06 AM
Hi @MD Irshad Ansari, multi-vendor VPNs are usually troublesome. I would recommend always explicitly configuring the IKE/IPsec protocols rather than using the vendor defaults, ensuring the strongest crypto is used. Perhaps one vendor was using AES-256 (CBC) and the other AES-256 (GCM); these are different and must match.
09-30-2025 06:46 PM
Hi Rob,
Thanks a lot for your detailed explanation. You're absolutely right — with multi-vendor VPNs, relying on vendor defaults usually causes mismatches. In my case, FortiGate was using AES-256 (CBC) while the Cisco ASA was expecting AES-256 (GCM), so Phase 2 negotiation was failing.
After explicitly defining AES-256/SHA256 on both ends, the tunnel came up successfully. I'll definitely follow your advice going forward and always define IKE/IPsec proposals explicitly instead of depending on defaults.
Appreciate your guidance and experience.