IPSec VPN Fails Phase 2 with Fortigate yet works if initiated by peer

ToddB9876
Level 1

Hi All,

I've been working on this for a week and have even involved a few people I know who are better at this than I am. I'm trying to do a site-to-site VPN with a vendor; their end is managed by a third party and I'm connecting to a Fortigate. I cannot get a connection to establish from my end. If they initiate the connection on their end it does work and I can ping across until the connection goes down; then I cannot initiate it, and it keeps failing at Phase 2. I do not have access to the Fortigate but I have screenshots, so I'll post all the info field by field:

Fortigate Phase 1 - IP 111.111.111.111
Remote IP: 123.123.123.123 (obfuscated but I'll keep it consistent throughout this post)
Mode: Main (ID Protection) - as opposed to Aggressive
Auth Method: Preshared Key
Pre-shared Key: abc123
Peer options: Accept any peer ID
Local Gateway IP: Main Interface IP
P1 Proposal Encryption 3DES Authentication MD5
DH Group 2
Keylife: 28800
Local ID: Null
XAuth: Disable
NAT-traversal: Enable
Keepalive frequency: 10
Dead Peer Detection: Disabled

Phase 2:

P2 Proposal: Encryption - 3DES Authentication: MD5
Enable replay protection: false
Enable PFS: false
keylife: 3600 seconds
Quickmode selector: Source IP - 192.168.100.38 (peer's server - only thing we need to access)
Destination Address: 192.168.200.0/24 (my whole subnet)

That's all I know about the remote end. 

On my end, this is a Cisco 2911. It uses DMVPN to connect to our branch office, which works mostly well (separate topic); you'll also see another VPN I'm attempting to create to my house, to a Netgear UTM, but this has not yet been successful either.

Here's the sanitized config of the 2911 on my end:

2911#sh run
Building configuration...

Current configuration : 12955 bytes
!
! Last configuration change at 19:21:14 DST Thu May 8 2014 by me
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname 2911
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200
logging console critical
!
no aaa new-model
!
clock timezone DST -8 0
clock summer-time DST recurring
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.20.10.0 10.20.10.199
ip dhcp excluded-address 10.20.10.254
ip dhcp excluded-address 10.20.20.0 10.20.20.199
ip dhcp excluded-address 10.20.20.254
ip dhcp excluded-address 192.168.199.0 192.168.199.199
!
ip dhcp pool vlan10
 network 10.20.10.0 255.255.255.0
 domain-name corp.mydomain.com
 dns-server 10.20.10.10 10.20.10.11 8.8.8.8
 default-router 10.20.10.1
 lease 7
!
ip dhcp pool vlan20
 network 10.20.20.0 255.255.255.0
 domain-name corp.mydomain.com
 dns-server 10.20.10.10 10.20.10.11 8.8.8.8
 default-router 10.20.20.1
 lease 7
!
ip dhcp pool vlan99
 network 192.168.199.0 255.255.255.0
 domain-name mydomain.com
 dns-server 8.8.8.8 8.8.4.4
 default-router 192.168.199.1
!
!
no ip bootp server
no ip domain lookup
ip domain name corp.mydomain.com
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1212001072
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1212001072
 revocation-check none
 rsakeypair TP-self-signed-1212001072
!
!
crypto pki certificate chain TP-self-signed-1212001072
<***>
        quit
license udi pid CISCO2911/K9 sn ***
!
!
vtp interface g0/2.10
vtp version 2
username me *************
!
redundancy
!
!
!
!
ip tcp synwait-time 10
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ****** address 222.222.222.222
crypto isakmp key ****** address 111.111.111.111 no-xauth
crypto isakmp key ****** address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto ipsec nat-transparency spi-matching
!
crypto ipsec profile protect-gre
 set security-association lifetime seconds 86400
 set transform-set TS
!
!
crypto map outside 10 ipsec-isakmp
 set peer 222.222.222.222
 set transform-set TS
 match address MYHOME
crypto map outside 20 ipsec-isakmp
 set peer 111.111.111.111
 set transform-set TS
 match address VENDOR
!
!
!
!
!
interface Tunnel0
 description mGRE - DMVPN Tunnel
 ip address 172.16.240.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip nhrp authentication firewall
 ip nhrp map multicast dynamic
 ip nhrp network-id 62
 ip nhrp holdtime 600
 ip virtual-reassembly in
 ip virtual-reassembly out
 cdp enable
 tunnel source 123.123.123.123
 tunnel mode gre multipoint
 tunnel protection ipsec profile protect-gre
!
interface Embedded-Service-Engine0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
!
interface GigabitEthernet0/0
 description WAN HIGH SPEED
 ip address 123.123.123.123 255.255.255.240
 ip access-group 155 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
 no cdp enable
 no mop enabled
 crypto map outside
!
interface GigabitEthernet0/1
 description PTP T1 to Branch for Voice
 ip address 172.16.254.10 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 ip virtual-reassembly out
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/2
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/2.10
 description DATA VLAN 10 Default
 encapsulation dot1Q 10
 ip address 10.20.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/2.20
 description VOICE Vlan
 encapsulation dot1Q 20
 ip address 10.20.20.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/2.90
 description VENDOR VLAN 90
 encapsulation dot1Q 90
 ip address 192.168.190.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 no cdp enable
!
interface GigabitEthernet0/2.99
 description DMZ VLAN 99
 encapsulation dot1Q 99
 ip address 192.168.199.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 no cdp enable
!
interface Serial0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
 service-module t1 clock source internal
!
interface FastEthernet0/1/0
 no ip address
!
interface FastEthernet0/1/1
 no ip address
!
interface FastEthernet0/1/2
 no ip address
!
interface FastEthernet0/1/3
 no ip address
!
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
!
ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool glbl 123.123.123.123 123.123.123.123 prefix-length 24
ip nat pool poolMailServer 123.123.123.68 123.123.123.68 prefix-length 29
ip nat inside source list 99 pool glbl overload
ip nat inside source static tcp 10.20.10.12 80 123.123.123.76 8080 extendable
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 10.10.0.0 255.255.0.0 172.16.240.2 20
ip route 10.10.10.0 255.255.255.0 172.16.254.20 50
ip route 10.10.20.0 255.255.255.0 172.16.254.20
ip route 10.20.60.0 255.255.255.0 10.20.10.3
!
ip access-list extended VENDOR
 permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
ip access-list extended MYHOME
 permit ip 192.168.75.0 0.0.0.255 10.20.20.0 0.0.0.255
ip access-list extended nonat
!
logging trap debugging
access-list 98 permit 192.168.75.0 0.0.0.255
access-list 99 permit 10.20.10.0 0.0.0.255
access-list 99 permit 10.20.20.0 0.0.0.255
access-list 99 permit 192.168.199.0 0.0.0.255
access-list 100 deny   ip 192.168.190.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit tcp any any
access-list 100 permit ip any any
access-list 155 permit tcp any host 123.123.123.68 eq smtp
access-list 155 permit tcp any host 123.123.123.68 eq 443
access-list 155 permit tcp any host 123.123.123.68 eq www
access-list 155 permit tcp any host 123.123.123.68 eq 993
access-list 155 permit tcp any host 123.123.123.68 eq 587
access-list 155 permit tcp any eq 587 host 123.123.123.68
access-list 155 permit tcp any eq www host 123.123.123.68
access-list 155 permit tcp any eq smtp host 123.123.123.68
access-list 155 permit tcp any eq 443 host 123.123.123.68
access-list 155 permit tcp any eq 993 host 123.123.123.68
access-list 155 deny   ip any host 123.123.123.68
access-list 155 permit ip any any
!
no cdp run
!
!
!
route-map nonat permit 10
 match ip address 110
!
!
!
control-plane
!
!
!
line con 0
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 login local
 transport input ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input ssh
!
scheduler allocate 20000 1000
ntp server 10.1.1.1
end

If you see anything else glaringly wrong, I'm open to any advice!

5 Replies

ToddB9876
Level 1

Here's the debug activity:

2911#debug crypto isakmp
Crypto ISAKMP debugging is on
2911#debug crypto ipsec
Crypto IPSEC debugging is on
2911#term mon
2911#ping 192.168.100.38 source 192.168.200.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.38, timeout is 2 seconds:
Packet sent with a source address of 192.168.200.1

000817: May  8 19:45:18.001 DST: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 123.123.123.123:500, remote= 111.111.111.111:500,
    local_proxy= 192.168.200.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.100.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
000818: May  8 19:45:18.001 DST: ISAKMP:(0): SA request profile is (NULL)
000819: May  8 19:45:18.001 DST: ISAKMP: Created a peer struct for 111.111.111.111, peer port 500
000820: May  8 19:45:18.001 DST: ISAKMP: New peer created peer = 0x2BB5AC0C peer_handle = 0x8000000C
000821: May  8 19:45:18.001 DST: ISAKMP: Locking peer struct 0x2BB5AC0C, refcount 1 for isakmp_initiator
000822: May  8 19:45:18.001 DST: ISAKMP: local port 500, remote port 500
000823: May  8 19:45:18.001 DST: ISAKMP: set new node 0 to QM_IDLE
000824: May  8 19:45:18.001 DST: ISAKMP:(0):insert sa successfully sa = 3112CC2C
000825: May  8 19:45:18.001 DST: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000826: May  8 19:45:18.001 DST: ISAKMP:(0):found peer pre-shared key matching 111.111.111.111
000827: May  8 19:45:18.001 DST: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
000828: May  8 19:45:18.001 DST: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

000829: May  8 19:45:18.001 DST: ISAKMP:(0): beginning Main Mode exchange
000830: May  8 19:45:18.001 DST: ISAKMP:(0): sending packet to 111.111.111.111 my_port 500 peer_port 500 (I) MM_NO_STATE
000831: May  8 19:45:18.001 DST: ISAKMP:(0):Sending an IKE IPv4 Packet.
000832: May  8 19:45:18.021 DST: ISAKMP (0): received packet from 111.111.111.111 dport 500 sport 500 Global (I) MM_NO_STATE
000833: May  8 19:45:18.021 DST: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000834: May  8 19:45:18.021 DST: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

000835: May  8 19:45:18.021 DST: ISAKMP:(0): processing SA payload. message ID = 0
000836: May  8 19:45:18.021 DST: ISAKMP:(0): processing vendor id payload
000837: May  8 19:45:18.021 DST: ISAKMP:(0): vendor ID is DPD
000838: May  8 19:45:18.021 DST: ISAKMP:(0):found peer pre-shared key matching 111.111.111.111
000839: May  8 19:45:18.021 DST: ISAKMP:(0): local preshared key found
000840: May  8 19:45:18.021 DST: ISAKMP : Scanning profiles for xauth ...
000841: May  8 19:45:18.021 DST: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
000842: May  8 19:45:18.021 DST: ISAKMP:      encryption 3DES-CBC
000843: May  8 19:45:18.021 DST: ISAKMP:      hash MD5
000844: May  8 19:45:18.021 DST: ISAKMP:      default group 2
000845: May  8 19:45:18.021 DST: ISAKMP:      auth pre-share
000846: May  8 19:45:18.021 DST: ISAKMP:      life type in seconds
000847: May  8 19:45:18.021 DST: ISAKMP:      life duration (basic) of 28800
000848: May  8 19:45:18.021 DST: ISAKMP:(0):atts are acceptable. Next payload is 0
000849: May  8 19:45:18.021 DST: ISAKMP:(0):Acceptable atts:actual life: 0
000850: May  8 19:45:18.021 DST: ISAKMP:(0):Acceptable atts:life: 0
000851: May  8 19:45:18.021 DST: ISAKMP:(0):Basic life_in_seconds:28800
000852: May  8 19:45:18.021 DST: ISAKMP:(0):Returning Actual lifetime: 28800
000853: May  8 19:45:18.021 DST: ISAKMP:(0)::Started lifetime timer: 28800.

000854: May  8 19:45:18.021 DST: ISAKMP:(0): processing vendor id payload
000855: May  8 19:45:18.021 DST: ISAKMP:(0): vendor ID is DPD
000856: May  8 19:45:18.021 DST: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000857: May  8 19:45:18.021 DST: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

000858: May  8 19:45:18.021 DST: ISAKMP:(0): sending packet to 111.111.111.111 my_port 500 peer_port 500 (I) MM_SA_SETUP
000859: May  8 19:45:18.021 DST: ISAKMP:(0):Sending an IKE IPv4 Packet.
000860: May  8 19:45:18.021 DST: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000861: May  8 19:45:18.021 DST: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

000862: May  8 19:45:18.041 DST: ISAKMP (0): received packet from 111.111.111.111 dport 500 sport 500 Global (I) MM_SA_SETUP
000863: May  8 19:45:18.041 DST: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000864: May  8 19:45:18.041 DST: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

000865: May  8 19:45:18.041 DST: ISAKMP:(0): processing KE payload. message ID = 0
000866: May  8 19:45:18.041 DST: crypto_engine: Create DH shared secret
000867: May  8 19:45:18.065 DST: ISAKMP:(0): processing NONCE payload. message ID = 0
000868: May  8 19:45:18.065 DST: ISAKMP:(0):found peer pre-shared key matching 111.111.111.111
000869: May  8 19:45:18.065 DST: crypto_engine: Create IKE SA
000870: May  8 19:45:18.065 DST: crypto engine: deleting DH phase 2 SW:11
000871: May  8 19:45:18.065 DST: crypto_engine: Delete DH shared secret
000872: May  8 19:45:18.065 DST: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000873: May  8 19:45:18.065 DST: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM4

000874: May  8 19:45:18.065 DST: ISAKMP:(1008):Send initial contact
000875: May  8 19:45:18.065 DST: ISAKMP:(1008):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
000876: May  8 19:45:18.065 DST: ISAKMP (1008): ID payload
        next-payload : 8
        type         : 1
        address      : 123.123.123.123
        protocol     : 17
        port         : 500
        length       : 12
000877: May  8 19:45:18.065 DST: ISAKMP:(1008):Total payload length: 12
000878: May  8 19:45:18.065 DST: crypto_engine: Generate IKE hash
000879: May  8 19:45:18.065 DST: crypto_engine: Encrypt IKE packet
000880: May  8 19:45:18.065 DST: ISAKMP:(1008): sending packet to 111.111.111.111 my_port 500 peer_port 500 (I) MM_KEY_EXCH
000881: May  8 19:45:18.065 DST: ISAKMP:(1008):Sending an IKE IPv4 Packet.
000882: May  8 19:45:18.065 DST: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000883: May  8 19:45:18.065 DST: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM5

000884: May  8 19:45:18.085 DST: ISAKMP (1008): received packet from 111.111.111.111 dport 500 sport 500 Global (I) MM_KEY_EXCH
000885: May  8 19:45:18.085 DST: crypto_engine: Decrypt IKE packet
000886: May  8 19:45:18.085 DST: ISAKMP:(1008): processing ID payload. message ID = 0
000887: May  8 19:45:18.085 DST: ISAKMP (1008): ID payload
        next-payload : 8
        type         : 1
        address      : 111.111.111.111
        protocol     : 17
        port         : 500
        length       : 12
000888: May  8 19:45:18.085 DST: ISAKMP:(0):: peer matches *none* of the profiles
000889: May  8 19:45:18.085 DST: ISAKMP:(1008): processing HASH payload. message ID = 0
000890: May  8 19:45:18.085 DST: crypto_engine: Generate IKE hash
000891: May  8 19:45:18.085 DST: ISAKMP:(1008):SA authentication status:
        authenticated
000892: May  8 19:45:18.085 DST: ISAKMP:(1008):SA has been authenticated with 111.111.111.111
000893: May  8 19:45:18.085 DST: ISAKMP: Trying to insert a peer 123.123.123.123/111.111.111.111/500/,  and inserted successfully 2BB5AC0C.
000894: May  8 19:45:18.085 DST: ISAKMP:(1008):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000895: May  8 19:45:18.085 DST: ISAKMP:(1008):Old State = IKE_I_MM5  New State = IKE_I_MM6

000896: May  8 19:45:18.085 DST: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000897: May  8 19:45:18.085 DST: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_I_MM6

000898: May  8 19:45:18.085 DST: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000899: May  8 19:45:18.085 DST: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

000900: May  8 19:45:18.085 DST: ISAKMP:(1008):beginning Quick Mode exchange, M-ID of 3105662176
000901: May  8 19:45:18.085 DST: ISAKMP:(1008):QM Initiator gets spi
000902: May  8 19:45:18.085 DST: crypto_engine: Generate IKE hash
000903: May  8 19:45:18.085 DST: crypto_engine: Encrypt IKE packet
000904: May  8 19:45:18.085 DST: ISAKMP:(1008): sending packet to 111.111.111.111 my_port 500 peer_port 500 (I) QM_IDLE
000905: May  8 19:45:18.085 DST: ISAKMP:(1008):Sending an IKE IPv4 Packet.
000906: May  8 19:45:18.085 DST: ISAKMP:(1008):Node 3105662176, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
000907: May  8 19:45:18.085 DST: ISAKMP:(1008):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
000908: May  8 19:45:18.085 DST: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
000909: May  8 19:45:18.085 DST: ISAKMP:(1008):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
.....
Success rate is 0 percent (0/5)
2911#
000910: May  8 19:45:28.085 DST: ISAKMP:(1008): retransmitting phase 2 QM_IDLE       -1189305120 ...
000911: May  8 19:45:28.085 DST: ISAKMP (1008): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
000912: May  8 19:45:28.085 DST: ISAKMP (1008): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
000913: May  8 19:45:28.085 DST: ISAKMP:(1008): retransmitting phase 2 -1189305120 QM_IDLE
000914: May  8 19:45:28.085 DST: ISAKMP:(1008): sending packet to 111.111.111.111 my_port 500 peer_port 500 (I) QM_IDLE
000915: May  8 19:45:28.085 DST: ISAKMP:(1008):Sending an IKE IPv4 Packet.
000916: May  8 19:45:38.086 DST: ISAKMP:(1008): retransmitting phase 2 QM_IDLE       -1189305120 ...
000917: May  8 19:45:38.086 DST: ISAKMP (1008): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
000918: May  8 19:45:38.086 DST: ISAKMP (1008): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
000919: May  8 19:45:38.086 DST: ISAKMP:(1008): retransmitting phase 2 -1189305120 QM_IDLE
000920: May  8 19:45:38.086 DST: ISAKMP:(1008): sending packet to 111.111.111.111 my_port 500 peer_port 500 (I) QM_IDLE
000921: May  8 19:45:38.086 DST: ISAKMP:(1008):Sending an IKE IPv4 Packet.
000922: May  8 19:45:48.002 DST: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 123.123.123.123:0, remote= 111.111.111.111:0,
    local_proxy= 192.168.200.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.100.0/255.255.255.0/0/0 (type=4)
000923: May  8 19:45:48.002 DST: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 123.123.123.123:500, remote= 111.111.111.111:500,
    local_proxy= 192.168.200.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.100.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
000924: May  8 19:45:48.002 DST: ISAKMP: set new node 0 to QM_IDLE
000925: May  8 19:45:48.002 DST: SA has outstanding requests  (local 99.99.99.99 port 500, remote 88.88.88.88 port 500)
000926: May  8 19:45:48.002 DST: ISAKMP:(1008): sitting IDLE. Starting QM immediately (QM_IDLE      )
000927: May  8 19:45:48.002 DST: ISAKMP:(1008):beginning Quick Mode exchange, M-ID of 4197823401
000928: May  8 19:45:48.002 DST: ISAKMP:(1008):QM Initiator gets spi
000929: May  8 19:45:48.002 DST: crypto_engine: Generate IKE hash
000930: May  8 19:45:48.002 DST: crypto_engine: Encrypt IKE packet
000931: May  8 19:45:48.002 DST: ISAKMP:(1008): sending packet to 111.111.111.111 my_port 500 peer_port 500 (I) QM_IDLE
000932: May  8 19:45:48.002 DST: ISAKMP:(1008):Sending an IKE IPv4 Packet.
000933: May  8 19:45:48.002 DST: ISAKMP:(1008):Node 4197823401, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
000934: May  8 19:45:48.002 DST: ISAKMP:(1008):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
000935: May  8 19:45:48.086 DST: ISAKMP:(1008): retransmitting phase 2 QM_IDLE       -1189305120 ...
000936: May  8 19:45:48.086 DST: ISAKMP (1008): incrementing error counter on node, attempt 3 of 5: retransmit phase 2
000937: May  8 19:45:48.086 DST: ISAKMP (1008): incrementing error counter on sa, attempt 3 of 5: retransmit phase 2
000938: May  8 19:45:48.086 DST: ISAKMP:(1008): retransmitting phase 2 -1189305120 QM_IDLE
000939: May  8 19:45:48.086 DST: ISAKMP:(1008): sending packet to 111.111.111.111 my_port 500 peer_port 500 (I) QM_IDLE
000940: May  8 19:45:48.086 DST: ISAKMP:(1008):Sending an IKE IPv4 Packet.
000941: May  8 19:45:58.002 DST: ISAKMP:(1008): retransmitting phase 2 QM_IDLE       -97143895 ...
000942: May  8 19:45:58.002 DST: ISAKMP (1008): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
000943: May  8 19:45:58.002 DST: ISAKMP (1008): incrementing error counter on sa, attempt 4 of 5: retransmit phase 2
000944: May  8 19:45:58.002 DST: ISAKMP:(1008): retransmitting phase 2 -97143895 QM_IDLE
000945: May  8 19:45:58.002 DST: ISAKMP:(1008): sending packet to 111.111.111.111 my_port 500 peer_port 500 (I) QM_IDLE
000946: May  8 19:45:58.002 DST: ISAKMP:(1008):Sending an IKE IPv4 Packet.
000947: May  8 19:45:58.086 DST: ISAKMP:(1008): retransmitting phase 2 QM_IDLE       -1189305120 ...
000948: May  8 19:45:58.086 DST: ISAKMP (1008): incrementing error counter on node, attempt 4 of 5: retransmit phase 2
000949: May  8 19:45:58.086 DST: ISAKMP (1008): incrementing error counter on sa, attempt 5 of 5: retransmit phase 2
000950: May  8 19:45:58.086 DST: ISAKMP:(1008): retransmitting phase 2 -1189305120 QM_IDLE
000951: May  8 19:45:58.086 DST: ISAKMP:(1008): sending packet to 111.111.111.111 my_port 500 peer_port 500 (I) QM_IDLE
000952: May  8 19:45:58.086 DST: ISAKMP:(1008):Sending an IKE IPv4 Packet.
000953: May  8 19:46:08.002 DST: ISAKMP:(1008): retransmitting phase 2 QM_IDLE       -97143895 ...
000954: May  8 19:46:08.002 DST: ISAKMP:(1008):peer does not do paranoid keepalives.

000955: May  8 19:46:08.002 DST: ISAKMP:(1008):deleting SA reason "Death by retransmission P2" state (I) QM_IDLE       (peer 111.111.111.111)
000956: May  8 19:46:08.002 DST: ISAKMP: set new node -1855786422 to QM_IDLE
000957: May  8 19:46:08.002 DST: crypto_engine: Generate IKE hash
000958: May  8 19:46:08.002 DST: crypto_engine: Encrypt IKE packet
000959: May  8 19:46:08.002 DST: ISAKMP:(1008): sending packet to 111.111.111.111 my_port 500 peer_port 500 (I) QM_IDLE
000960: May  8 19:46:08.002 DST: ISAKMP:(1008):Sending an IKE IPv4 Packet.
000961: May  8 19:46:08.002 DST: ISAKMP:(1008):purging node -1855786422
000962: May  8 19:46:08.002 DST: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
000963: May  8 19:46:08.002 DST: ISAKMP:(1008):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

000964: May  8 19:46:08.002 DST: ISAKMP:(1008):deleting SA reason "Death by retransmission P2" state (I) QM_IDLE       (peer 111.111.111.111)
000965: May  8 19:46:08.002 DST: ISAKMP: Unlocking peer struct 0x2BB5AC0C for isadb_mark_sa_deleted(), count 0
000966: May  8 19:46:08.002 DST: ISAKMP: Deleting peer node by peer_reap for 111.111.111.111: 2BB5AC0C
000967: May  8 19:46:08.002 DST: ISAKMP:(1008):deleting node -1189305120 error FALSE reason "IKE deleted"
000968: May  8 19:46:08.002 DST: ISAKMP:(1008):deleting node -97143895 error FALSE reason "IKE deleted"
000969: May  8 19:46:08.002 DST: crypto engine: deleting IKE SA SW:8
000970: May  8 19:46:08.002 DST: crypto_engine: Delete IKE SA
000971: May  8 19:46:08.002 DST: ISAKMP:(1008):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000972: May  8 19:46:08.002 DST: ISAKMP:(1008):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

000973: May  8 19:46:08.002 DST: IPSEC(key_engine): got a queue event with 1 KMI message(s)
000974: May  8 19:46:18.002 DST: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 123.123.123.123:0, remote= 111.111.111.111:0,
    local_proxy= 192.168.200.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.100.0/255.255.255.0/0/0 (type=4)
000975: May  8 19:46:58.002 DST: ISAKMP:(1008):purging node -1189305120
000976: May  8 19:46:58.002 DST: ISAKMP:(1008):purging node -97143895
000977: May  8 19:47:08.002 DST: ISAKMP:(1008):purging SA., sa=3112CC2C, delme=3112CC2C

Hi,

I suspect MTU caused the problem.

Please check the path MTU size bidirectionally before setting up the IPsec tunnel.

Use ping 'peer WAN address' -f -l xxxx to get the maximum MTU on both sides, then configure the same value on both if they differ.

regards,

David
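The DF-bit ping test David describes, automated. This is an added example, not code from the thread: it assumes a Windows ping (-f -l, as David wrote it) or a Linux iputils ping (-M do -s), and that each echo is a plain 20-byte IPv4 header plus an 8-byte ICMP header, so the largest payload that passes plus 28 bytes is the path MTU (the 1472 the OP measured therefore corresponds to a 1500-byte path). The search itself only needs a yes/no probe, so it can be exercised with a fake link without network access; measure_path_mtu runs the real probe.

```python
"""Added example (not from the thread): automate the DF-bit ping test David
describes and turn the largest passing payload into a path MTU."""
import platform
import subprocess
from typing import Callable

IPV4_HEADER = 20   # bytes, no IP options
ICMP_HEADER = 8    # echo request/reply header
# Assumption: the probe is a plain IPv4+ICMP packet, so MTU = payload + 28.


def df_ping_ok(host: str, payload: int, timeout_s: int = 1) -> bool:
    """Send one ICMP echo with DF set and `payload` data bytes; True if answered.
    Assumes Windows ping (-f -l, as in the thread) or Linux iputils ping (-M do -s)."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), "-f", "-l", str(payload), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def largest_df_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 9000) -> int:
    """Binary-search the largest payload size that `probe` accepts.
    `probe(size)` must be monotone (once a size fails, larger sizes fail too),
    which holds for a DF probe against a fixed path."""
    if not probe(lo):
        raise RuntimeError("no reply even at the smallest payload; check reachability first")
    if probe(hi):
        return hi
    while hi - lo > 1:            # invariant: probe(lo) passed, probe(hi) failed
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def payload_to_mtu(payload: int) -> int:
    """Largest unfragmented echo payload -> path MTU in bytes."""
    return payload + IPV4_HEADER + ICMP_HEADER


def measure_path_mtu(host: str) -> int:
    """Run the real DF probe against a peer WAN address (network access required)."""
    return payload_to_mtu(largest_df_payload(lambda n: df_ping_ok(host, n)))


if __name__ == "__main__":
    import sys
    # Placeholder peer address from the thread; pass a real one on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "111.111.111.111"
    print(f"path MTU towards {target}: {measure_path_mtu(target)} bytes")
```

Run it from each side towards the other peer's WAN address, as David suggests; the two results should agree. A result of 1472 from the probe means a 1500-byte path, which is the value the OP reported.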

Wow - that would be wildly obscure if that turns out to be it!  So, doing the test I came up with 1472 as the max size before it errored.  Not sure offhand what to set on my end but I'll look into it.

Apparently not giving up was key... Though I wasted way more time on this than an experienced person would have, I feel like I've learned a lot about how VPN works and troubleshooting in the IOS environment.  Turns out these were the key items:

Fortigate:
Quickmode selector: Source IP - 192.168.100.38 (peer's server - only thing we need to access)

Cisco:
ip access-list extended VENDOR
 permit ip 192.168.200.0 0.0.0.255 192.168.200.0 0.0.0.255

This was too broad.  I had to replace the last line with: 

 permit ip 192.168.200.0 0.0.0.255 192.168.200.38 0.0.0.0

This got it working; now it establishes quickly. The best I can interpret this is that when initiated by the other end, the local/remote IPs were within my broad range and accepted, whereas when I initiated it, I was trying for something outside the acceptable range, so I was rejected.

David, thanks for the attempt; still much appreciated!

Hi,

You are referencing the crypto ACL named VENDOR in the crypto map for the peer 111.111.111.111 on your 2911 router, but the VENDOR ACL does not match the interesting traffic. Instead of this ACL:

ip access-list extended VENDOR
 permit ip 192.168.190.0 0.0.0.255 192.168.10.0 0.0.0.255

you must write:

ip access-list extended VENDOR
 permit ip 192.168.200.0 0.0.0.255 host 192.168.100.38

Crypto ACLs are just mirror images of each other.

HTH

"Please rate helpful posts"
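The OP's explanation of why the tunnel only came up when the Fortigate initiated, and the last reply's "mirror image" rule, can both be checked with a small model of IKEv1 Quick Mode proxy-ID matching. The code below is an added example and not code from the thread, Cisco or Fortinet. It assumes the matching rule the thread's evidence points to: an initiator proposes the whole network pair from its own policy (a crypto ACL entry on IOS, the quick-mode selector on the Fortigate), and a responder accepts only if each proposed network lies inside its own selector (IOS documents this for crypto ACLs; the Fortigate's behaviour here is inferred from what the OP observed). A strict peer may instead demand an exact mirror image, which the check reports separately.

```python
"""Added example (not code from the thread, Cisco or Fortinet): model IKEv1 Quick Mode
proxy-ID matching between a Cisco crypto ACL and a Fortigate quick-mode selector."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Selector:
    """Phase 2 proxy IDs from one peer's point of view: its local and remote networks."""
    local: IPv4Net
    remote: IPv4Net

    def mirror(self) -> Selector:
        """What the other peer must hold for an exact mirror image."""
        return Selector(self.remote, self.local)


def _wildcard_to_prefix(wildcard: str) -> int:
    """IOS wildcard mask ('0.0.0.255' -> 24); only contiguous masks are supported."""
    w = int(ipaddress.IPv4Address(wildcard))
    ones = w.bit_length()
    if w != (1 << ones) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return 32 - ones


def _ios_operand(tokens: list[str]) -> IPv4Net:
    """Consume one IOS address operand: 'any' | 'host A.B.C.D' | 'A.B.C.D W.X.Y.Z'."""
    tok = tokens.pop(0)
    if tok == "any":
        return IPv4Net("0.0.0.0/0")
    if tok == "host":
        return IPv4Net((tokens.pop(0), 32))
    return IPv4Net((tok, _wildcard_to_prefix(tokens.pop(0))), strict=False)


def parse_ios_ace(line: str) -> Selector:
    """Parse 'permit ip <src> <dst>' from an extended ACL used as a crypto ACL.
    The ACE source is the router's own (local) side, the destination the remote side."""
    tokens = line.split()
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line!r}")
    rest = tokens[2:]
    src = _ios_operand(rest)
    dst = _ios_operand(rest)
    return Selector(local=src, remote=dst)


def fortigate_selector(source: str, destination: str) -> Selector:
    """Fortigate quick-mode selector: 'Source' is its local side, 'Destination' the remote.
    A bare address ('192.168.100.38') is a single host."""
    return Selector(IPv4Net(source, strict=False), IPv4Net(destination, strict=False))


def responder_accepts(responder: Selector, proposal: Selector) -> bool:
    """Responder-side check for a Quick Mode proposal.

    Assumed rule (IOS documents it for crypto ACLs, and it matches what the thread
    observed on the Fortigate): the initiator offers the whole network pair from its
    policy and the responder accepts only if each offered network lies inside its own
    selector. The proposal is written from the initiator's view, so mirror it first."""
    offered = proposal.mirror()
    return offered.local.subnet_of(responder.local) and offered.remote.subnet_of(responder.remote)


def check_both_directions(cisco: Selector, forti: Selector) -> dict[str, bool]:
    """Let each side initiate with its full selector and the other answer as responder."""
    return {
        "fortigate_initiates": responder_accepts(cisco, forti),
        "cisco_initiates": responder_accepts(forti, cisco),
        "exact_mirror": cisco.mirror() == forti,
    }


if __name__ == "__main__":
    # Values from the thread: the Fortigate selector, the broad ACL and the corrected one.
    forti = fortigate_selector("192.168.100.38", "192.168.200.0/24")
    for ace in ("permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255",
                "permit ip 192.168.200.0 0.0.0.255 host 192.168.100.38"):
        print(f"{ace}\n  {check_both_directions(parse_ios_ace(ace), forti)}")
```

With the original /24-to-/24 ACE the model reports fortigate_initiates=True and cisco_initiates=False, which is exactly the asymmetry the OP saw in the debug (Phase 1 completes, then the Quick Mode packet is retransmitted five times and the SA dies). With the host entry from the last reply both directions pass and the selectors are an exact mirror image, which is the safe configuration whatever the peer's matching rule turns out to be.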