Is a Cisco ISR 3900 router able to form an IKEv2 IPsec site-to-site VPN with a FortiGate FW?

Hello Everyone.

 

I have a question. I am trying to establish an IKEv2 IPsec tunnel between a Cisco ISR 3900 and a FortiGate FW. Now, with the configs done, the tunnel keeps failing to come up even at phase one, because the Cisco device is unable to confirm the authentication method on the remote FortiGate, which belongs to my ISP, so I don't have access to it.

 

They advise that everything is OK on their end, but no joy from my side. All the forums I keep coming across have done IKEv1 tunnels between FortiGate and Cisco routers, so I am left wondering whether it can be done on IKEv2, as my ISP only wants IKEv2.

 

Below is the output from my end and the configs.

 

Tunnel-id Local Remote fvrf/ivrf Status
2 X.X.X.X/500 X.X.X.X/500 none/none IN-NEG
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: Unknown - 0
Life/Active Time: 86400/0 sec

IPv6 Crypto IKEv2 SA

 

Phase one configs on my Cisco ISR (note that I have masked the IPs)

 

crypto ikev2 proposal abc
encryption aes-cbc-256
integrity sha256
group 14 5

crypto ikev2 policy IKEv2POLICY
match fvrf any
proposal abc


crypto ikev2 keyring cba
peer abc-cba
address x.x.x.x
identity address x.x.x.x
pre-shared-key local 12345
pre-shared-key remote 12345
!
crypto ikev2 profile abccba
match identity remote address x.x.x.x 255.255.255.255
authentication local pre-share
authentication remote pre-share
keyring cba
dpd 20 20 periodic
crypto ikev2 dpd 20 10 periodic

5 Replies

balaji.bandi
Hall of Fame

I have seen, some time back, DH14 having an issue; try the lower DH group 5 and advise.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I have changed to group 5 but still the same issue.

 

Tunnel-id Local Remote fvrf/ivrf Status
2 192.168.10.145/500 10.23.223.2/500 none/none IN-NEG
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: Unknown - 0
Life/Active Time: 86400/0 sec
CE id: 11792, Session-id: 0
Status Description: Initiator waiting for AUTH response
Local spi: D8ECBD7D5F087E60 Remote spi: 92847D790A5880EE
Local id: 192.168.10.145
Remote id:
Local req msg id: 1 Remote req msg id: 0
Local next msg id: 2 Remote next msg id: 0
Local req queued: 1 Remote req queued: 0
Local window: 5 Remote window: 1
DPD configured for 0 seconds, retry 0
NAT-T is not detected

IPv6 Crypto IKEv2 SA

Can you check the configuration on both sides? DH5 needs to be done on both sides.

 

BB


Your router was the initiator, and the output confirms that it is waiting for a response from the peer: "Status Description: Initiator waiting for AUTH response".

 

I would check with the other end that the settings are correct, and confirm that the correct peer IP address is configured on your end and on the remote end. Ensure that there is no firewall/ACL in the path blocking the communication.

Turn on IKEv2 debugs when you attempt to establish a tunnel, provide the full output for review.

 

Does the router rely on NAT? The local ID shown is a private IP address. Check that udp/4500 is permitted on your end and on the remote end.

 

FYI, I'd not recommend leaving DH group 5 on; it's weak, less secure, and has been deprecated in newer versions.
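As an added example that is not part of the thread: a small Python triage script that parses the `show crypto ikev2 sa detailed` output posted above and turns the SA state into the checks listed in the reply. The sample input is the output copied from the second post; the finding codes, the weak-group set and the advice text are my own, not Cisco's or FortiGate's.

```python
"""Classify where an IKEv2 negotiation stalled from Cisco IOS
`show crypto ikev2 sa detailed` output. Added example, not from the thread."""
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Sample input: the second output posted in the thread, copied verbatim.
SAMPLE_OUTPUT = """\
Tunnel-id Local Remote fvrf/ivrf Status
2 192.168.10.145/500 10.23.223.2/500 none/none IN-NEG
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: Unknown - 0
Life/Active Time: 86400/0 sec
CE id: 11792, Session-id: 0
Status Description: Initiator waiting for AUTH response
Local spi: D8ECBD7D5F087E60 Remote spi: 92847D790A5880EE
Local id: 192.168.10.145
Remote id:
Local req msg id: 1 Remote req msg id: 0
Local req queued: 1 Remote req queued: 0
DPD configured for 0 seconds, retry 0
NAT-T is not detected
"""

WEAK_DH_GROUPS = {1, 2, 5}   # MODP groups below the 2048-bit group 14 baseline (my choice)
ZERO_SPI = "0" * 16          # a responder SPI of all zeros means IKE_SA_INIT was never answered


@dataclass
class IkeSa:
    local: str = ""
    remote: str = ""
    status: str = ""
    description: str = ""
    dh_group: int = 0
    auth_sign: str = ""
    auth_verify: str = ""
    local_spi: str = ""
    remote_spi: str = ""
    local_id: str = ""
    remote_id: str = ""
    local_req_queued: int = 0
    nat_t: bool = False


SA_LINE = re.compile(r"^\d+\s+(\S+)/\d+\s+(\S+)/\d+\s+\S+/\S+\s+(\S+)\s*$")


def parse_ikev2_sa(text: str) -> IkeSa:
    """Pick the fields that matter for triage out of one SA's detailed output."""
    sa = IkeSa()
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SA_LINE.match(line):
            sa.local, sa.remote, sa.status = m[1], m[2], m[3]
        elif m := re.search(r"DH Grp:\s*(\d+).*Auth sign:\s*([^,]+),\s*Auth verify:\s*(.+)$", line):
            sa.dh_group, sa.auth_sign, sa.auth_verify = int(m[1]), m[2].strip(), m[3].strip()
        elif m := re.match(r"Status Description:\s*(.+)$", line):
            sa.description = m[1]
        elif m := re.match(r"Local spi:\s*([0-9A-Fa-f]+)\s+Remote spi:\s*([0-9A-Fa-f]+)", line):
            sa.local_spi, sa.remote_spi = m[1].upper(), m[2].upper()
        elif m := re.match(r"Local id:\s*(\S*)", line):
            sa.local_id = m[1]
        elif m := re.match(r"Remote id:\s*(\S*)", line):
            sa.remote_id = m[1]
        elif m := re.match(r"Local req queued:\s*(\d+)", line):
            sa.local_req_queued = int(m[1])
        elif line.startswith("NAT-T is"):
            sa.nat_t = " not " not in line
    return sa


def _is_private(addr: str) -> bool:
    try:
        return ip_address(addr).is_private
    except ValueError:       # masked addresses such as X.X.X.X in the first post
        return False


def diagnose(sa: IkeSa) -> dict[str, str]:
    """Map the SA state to finding codes, each with the next check to run."""
    f: dict[str, str] = {}
    if sa.status == "READY":
        f["IKE_SA_UP"] = "IKEv2 SA is established; if traffic fails, look at the child (IPsec) SAs."
        return f
    if sa.status != "IN-NEG":
        f["UNEXPECTED_STATUS"] = f"Status {sa.status!r} is not handled by this script."
        return f
    if not sa.remote_spi or sa.remote_spi == ZERO_SPI:
        f["NO_INIT_RESPONSE"] = ("No IKE_SA_INIT reply: peer unreachable, udp/500 filtered, "
                                 "or no matching proposal on the peer.")
    else:
        f["INIT_DONE"] = (f"Peer answered IKE_SA_INIT (remote SPI {sa.remote_spi}): udp/500 is open "
                          "and encryption/integrity/DH are already agreed, so changing the DH group "
                          "will not move this negotiation forward.")
        if "AUTH" in sa.description.upper():
            f["AUTH_UNANSWERED"] = (f"IKE_AUTH sent and unanswered ({sa.local_req_queued} request queued): "
                                    "check the PSK on both ends, that the peer expects identity "
                                    f"{sa.local_id!r} (address type), and that udp/500 and udp/4500 "
                                    "are allowed in both directions.")
    if sa.auth_verify.startswith("Unknown"):
        f["PEER_AUTH_NOT_SEEN"] = ("Auth verify is Unknown: no AUTH payload from the peer has been "
                                   "verified yet, so the peer's method cannot be confirmed locally.")
    if sa.dh_group in WEAK_DH_GROUPS:
        f["WEAK_DH"] = (f"DH group {sa.dh_group} is below the 2048-bit group 14 baseline; "
                        "use group 14 (or ECP 19/20) on both peers.")
    if _is_private(sa.local) and not sa.nat_t:
        f["PRIVATE_ADDR_NO_NAT"] = (f"Local address {sa.local} is RFC 1918 and NAT-T was not detected: "
                                    "the peer must match this exact address as the identity; if a NAT "
                                    "really is in the path, udp/4500 must be open.")
    return f


if __name__ == "__main__":
    for code, advice in diagnose(parse_ikev2_sa(SAMPLE_OUTPUT)).items():
        print(f"{code}: {advice}")
```

Run against the posted output it reports INIT_DONE, AUTH_UNANSWERED, PEER_AUTH_NOT_SEEN, WEAK_DH and PRIVATE_ADDR_NO_NAT: the non-zero remote SPI shows the proposal (including the DH group) was already accepted, so the DH 14 to 5 change could never have fixed this; the unanswered IKE_AUTH points at the PSK, the identity the peer expects, or udp/500 and udp/4500 filtering on the IKE_AUTH packet.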

marce1000
VIP

 

- Also check whether the user-configured setup from this thread provides some extra hints:

https://community.cisco.com/t5/routing/cisco-isr-with-site-to-site-vpn-tunnel-is-up-but-traffic-will/td-p/3719518

M.



-- Each morning when I wake up and look into the mirror I always say, 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'