
VPN Aggressive mode - Router Cisco x Fortigate

Hi,
We are currently trying to establish a site-to-site VPN with a branch. The branch uses a Cisco 2911 router. They sent us the configuration parameters, which we configured, but the VPN tunnel still does not come up. I think phase 1 is OK; the problem is with phase 2.
 
[Cisco Router] {Dynamic IP} ---------> (Internet) --------->{Static IP} [Fortigate Amazon]
+ Fortigate: HUB
+ Cisco Router: SPOKE
 
Fortigate Config
config vpn ipsec phase1-interface
    # Dialup/dynamic phase 1 for the spoke, which has no fixed public address:
    # the peer is selected by its IKE identity ("hub", which the router sends as
    # self-identity user-fqdn hub) rather than by its source IP. The debug log
    # below shows this part negotiating fine ("SA proposal chosen, matched gateway HUB").
    edit "HUB"
        set type dynamic
        set interface "port1"
        # Group 2 = 1024-bit MODP (log: OAKLEY_GROUP val=1024). Weak by today's
        # standards; change it on both peers together, since it must match.
        set dhgrp 2
        # NOTE(review): aggressive mode with a pre-shared key exchanges the phase 1
        # authentication hash before the channel is encrypted, so the PSK must be
        # long and random. The debug output pasted in this post also prints the
        # derived ISAKMP SA key in clear; redact keys and peer addresses before
        # sharing such logs.
        set mode aggressive
        set peertype one
        # Matches the router's isakmp policy 10 (encr aes 256, SHA hash, pre-share).
        set proposal aes256-sha1
        set peerid "hub"
        set psksecret ***
    next
end
config vpn ipsec phase2-interface
    # Phase 2 bound to the dialup phase 1 "HUB". No src-subnet/dst-subnet are
    # configured here, and the debug log shows the failure is at this stage: the
    # router proposes 0.0.0.0/0 <-> 0.0.0.0/0 selectors and the FortiGate answers
    # "wildcard is not an acceptable destination subnet" / "no matching phase2 found".
    # Either the router has to propose specific selectors, or this phase 2 has to
    # be made to accept the peer's wildcard proposal -- confirm the right option
    # for this FortiOS release before changing it.
    edit "VPN"
        set keepalive enable
        set phase1name "HUB"
        # 3DES/SHA1 here vs AES-256 in phase 1: it matches the router's
        # transform-set (esp-3des esp-sha-hmac) but is the weaker cipher; move
        # both ends to AES once the tunnel is up.
        set proposal 3des-sha1
        # PFS group 2, matching "set pfs group2" in the router's IPsec profile.
        set dhgrp 2
        set keylifeseconds 3600
    next
end
config router static
    # Send 10.21.50.0/24 (presumably the branch LAN) into the tunnel interface.
    # The router side has the mirror route (172.0.1.0/24 -> Tunnel3); the
    # FortiGate's own address in the log is 172.0.1.100, so that is the hub-side
    # subnet.
    edit 1
        set device "HUB"
        set dst 10.21.50.0 255.255.255.0
    next
end
config firewall policy
    # Policies 1 and 2 pass everything (all/all/ALL) in both directions between
    # the tunnel and port1. Note that port1 is also the interface the tunnel
    # itself terminates on (phase 1 "set interface port1"); if the protected
    # hosts sit behind a different interface, these policies will not reach
    # them -- confirm. Once traffic flows, tighten srcaddr/dstaddr to the two
    # LAN subnets and service to what the branch actually needs.
    edit 1
        set srcintf "HUB"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    # Reverse direction (hub side -> branch), same any/any scope.
    edit 2
        set srcintf "port1"
        set dstintf "HUB"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end


Router 2911 config
! Pre-shared key bound to the hub's static address (1.1.1.1 is presumably a
! placeholder for the FortiGate's public IP; it is also the tunnel destination
! and the matched identity below). The key value is masked in this post.
crypto keyring KEYR1
  pre-shared-key address 1.1.1.1 key ***
!
! Phase 1 (ISAKMP) policy. No hash is set explicitly; the FortiGate log shows
! the negotiated values AES_CBC / SHA / PRESHARED_KEY / group 1024 / lifetime
! 28800, i.e. this policy matches the hub's aes256-sha1, dhgrp 2 proposal.
! Group 2 (1024-bit MODP) is weak today; change it together with the hub's dhgrp.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
! DPD keepalive (10 s interval, 5 s retry). The log confirms "DPD negotiated"
! and a successful R-U-THERE / R-U-THERE-ACK exchange.
crypto isakmp keepalive 10 5
! The spoke identifies itself to the hub as the user-FQDN "hub" (the FortiGate
! log shows "peer-id=hub" and caches the dynamic gateway under that name) and
! initiates in aggressive mode, matching "set mode aggressive" on the hub.
! The naming is confusing (the spoke calls itself "hub") but it is consistent
! with the hub's "set peerid hub".
crypto isakmp profile R2_ISAKMP_PROF
   keyring KEYR1
   self-identity user-fqdn hub
   match identity address 1.1.1.1 255.255.255.255
   initiate mode aggressive
!
!
! Phase 2 parameters: ESP 3DES + SHA1 HMAC with PFS group 2, mirrored by the
! hub's phase2 "set proposal 3des-sha1" / "set dhgrp 2". 3DES is the weaker
! cipher here (phase 1 already uses AES-256); move both ends to an AES
! transform-set once the tunnel is working.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile R2_VTI
 set transform-set ESP-3DES-SHA
 set pfs group2
 set isakmp-profile R2_ISAKMP_PROF
! Route-based VPN on the router side: an IPsec VTI with no IP address of its
! own (the static route points at the interface directly). The FortiGate debug
! shows the router's quick-mode proposal as 0.0.0.0/0 <-> 0.0.0.0/0, which the
! hub rejects ("wildcard is not an acceptable destination subnet"), so this is
! where the two configurations disagree. The reply below suggests replacing the
! VTI with a crypto-map configuration; the alternative is making the hub's
! dialup phase 2 accept these selectors -- verify which applies before changing.
interface Tunnel3
 no ip address
 tunnel source GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile R2_VTI
!
! Hub-side subnet (the FortiGate's address in the log is 172.0.1.100) is routed
! into the VTI; the hub's mirror route sends 10.21.50.0/24 back through "HUB".
ip route 172.0.1.0 255.255.255.0 Tunnel3
 
 
Fortigate logs
ike 0:HUB: cached as dynamic 'hub'
ike 0: cache rebuild done
ike 0: IKEv1 Aggressive, comes 201.91.58.58:500->172.0.1.100 3, peer-id=hub
ike 0:f58d54ee1e06c362/0000000000000000:2638: negotiation result
ike 0:f58d54ee1e06c362/0000000000000000:2638: proposal id = 1:
ike 0:f58d54ee1e06c362/0000000000000000:2638:   protocol id = ISAKMP:
ike 0:f58d54ee1e06c362/0000000000000000:2638:      trans_id = KEY_IKE.
ike 0:f58d54ee1e06c362/0000000000000000:2638:      encapsulation = IKE/none
ike 0:f58d54ee1e06c362/0000000000000000:2638:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:f58d54ee1e06c362/0000000000000000:2638:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:f58d54ee1e06c362/0000000000000000:2638:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:f58d54ee1e06c362/0000000000000000:2638:         type=OAKLEY_GROUP, val=1024.
ike 0:f58d54ee1e06c362/0000000000000000:2638: ISAKMP SA lifetime=28800
ike 0:f58d54ee1e06c362/0000000000000000:2638: SA proposal chosen, matched gateway HUB
ike 0:HUB:2638: DPD negotiated
ike 0:HUB:2638: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-07
ike 0:HUB:2638: selected NAT-T version: RFC 3947
ike 0:HUB:2638: cookie f58d54ee1e06c362/6b13e0e54ab27d49
ike 0:HUB:2638: ISAKMP SA f58d54ee1e06c362/6b13e0e54ab27d49 key 32:19C76885A298F7401E37786E14A170A990858529EA282D4475EC73BD20BD33F9
ike 0:HUB:2638: out F58D54EE1E06C3626B13E0E54AB27D4901100400000000000000017C0400003800000001000000010000002C01010001000000240101000080010007800E0100800200028004000280030001800B0001800C70800A000084F59DEEE670E28E33D3856A38200FDE2D420D3E54A4C25B44C00F6DD0A4AAA92F6038E695AD0EDDF5AE5B6B2A9283E5DCC71A37822294F3EC03203823828ED1D61DF7437BD0C7B0BCBD021F02C08BAE7C7E2360BCE12884DD0BFE386C640BBB7FCC9BA70B250731351666D4F86899ADDE7797D6BDECBD5E1C87B2ED26F23486350500001486D2663441318AC0C06EB8293D1D7ED80800000C01000000AC0001640D0000182FC4A07CD2333A8D5B262E0019F88AB7F1D65327140000144A131C81070358455C5728F20E95452F14000018026FC51CE253396CFE87805DBAA02E91CC9D3DA50D0000183DD330997CEE0C51BF538B83E5A44D4509EDAEE10D000014AFCAD71368A1F1C96B8696FC77570100000000148299031757A36082C6A621DE00051F86
ike 0:HUB:2638: sent IKE msg (agg_r1send): 172.0.1.100:500->201.91.58.58:500, len=380, id=f58d54ee1e06c362/6b13e0e54ab27d49
ike 0:HUB:2638: out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
ike 0:HUB:2638: sent IKE msg (P1_RETRANSMIT): 172.0.1.100:500->201.91.58.58:500, len=380, id=f58d54ee1e06c362/6b13e0e54ab27d49
ike 0: comes 201.91.58.58:4500->172.0.1.100:4500,ifindex=3....
ike 0: IKEv1 exchange=Aggressive id=f58d54ee1e06c362/6b13e0e54ab27d49 len=140
ike 0: in F58D54EE1E06C3626B13E0E54AB27D4908100401000000000000008C637FE1155BA6DFDCC582F771715C7D9588AF4B6D0CE1DE97523351576A418A46E0ED65AC5E426DAFC1F9FDD84069A51BAF4DC3B70AF5A03A4DEEA11BCF872AEBF4C9B6ADB642C0AAB9C0EDE181467C496828DBD4F040E6F2D6F89E0A18136F08CACC89082F59A9CCBAE70F483E1D03E1
ike 0:HUB:2638: responder: aggressive mode get 2nd response...
ike 0:HUB:2638: dec F58D54EE1E06C3626B13E0E54AB27D4908100401000000000000008C140000182C26EB5991002A24F17EF55CB9F5197796BC8F2B14000018F1977B1078CC25FD607CFA88C2181AD6CD3654780B000018026FC51CE253396CFE87805DBAA02E91CC9D3DA50000001C0000000101106002F58D54EE1E06C3626B13E0E54AB27D49000000000000000000000000
ike 0:HUB:2638: received NAT-D payload type 20
ike 0:HUB:2638: received NAT-D payload type 20
ike 0:HUB:2638: received notify type 24578
ike 0:HUB:2638: PSK authentication succeeded
ike 0:HUB:2638: authentication OK
ike 0:HUB:2638: NAT detected: ME
ike 0: comes 201.91.58.58:4500->172.0.1.100:4500,ifindex=3....
ike 0: IKEv1 exchange=Quick id=f58d54ee1e06c362/6b13e0e54ab27d49:36da9bbe len=316
ike 0: in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
ike 0:HUB:2638: can not start the quick mode 00000000, waiting to establish ISAKMP SA f58d54ee1e06c362/6b13e0e54ab27d49
ike 0:HUB:2638: remote port change 500 -> 4500
ike 0:HUB:2638: established IKE SA f58d54ee1e06c362/6b13e0e54ab27d49
ike 0:HUB: adding new dynamic tunnel for 201.91.58.58:4500
ike 0:HUB_0: added new dynamic tunnel for 201.91.58.58:4500
ike 0:HUB_0:2638: processing INITIAL-CONTACT
ike 0:HUB_0: flushing
ike 0:HUB_0: flushed
ike 0:HUB_0:2638: processed INITIAL-CONTACT
ike 0:HUB_0:2638: no pending Quick-Mode negotiations
ike 0:HUB_0: link is idle 3 172.0.1.100->201.91.58.58:4500 dpd=1 seqno=1
ike 0:HUB_0:2638: send IKEv1 DPD probe, seqno 1
ike 0:HUB_0:2638: enc F58D54EE1E06C3626B13E0E54AB27D49081005015E5A6479000000540B0000188287A6048F4AF1657D56B33040E778BF7FBEF234000000200000000101108D28F58D54EE1E06C3626B13E0E54AB27D4900000001
ike 0:HUB_0:2638: out F58D54EE1E06C3626B13E0E54AB27D49081005015E5A64790000005C607AFA57FFD6F456BAB5BB621DD11556CA5249327606B989396148BB3E8BD25CA7713C0F2E7F0B136FABD5285D56C3BD925A2D71F49F4589F43B703D15581101
ike 0:HUB_0:2638: sent IKE msg (R-U-THERE): 172.0.1.100:4500->201.91.58.58:4500, len=92, id=f58d54ee1e06c362/6b13e0e54ab27d49:5e5a6479
ike 0: comes 201.91.58.58:4500->172.0.1.100:4500,ifindex=3....
ike 0: IKEv1 exchange=Informational id=f58d54ee1e06c362/6b13e0e54ab27d49:0ea3fd83 len=92
ike 0: in F58D54EE1E06C3626B13E0E54AB27D49081005010EA3FD830000005C26CE06723802F1D9FFFC24CF50230BEEB6EF01BC5FA0798437A0B8AD3C840039424E99BF9A15B36E9BFE71AF11DE05D0B8EE623578F65BF5E1156316351809EB
ike 0:HUB_0:2638: dec F58D54EE1E06C3626B13E0E54AB27D49081005010EA3FD830000005C0B00001887EA8771C873A6C9870C973B9D778E6B0A6D46A4000000200000000101108D29F58D54EE1E06C3626B13E0E54AB27D49000000010000000000000000
ike 0:HUB_0:2638: notify msg received: R-U-THERE-ACK
ike 0: comes 201.91.58.58:4500->172.0.1.100:4500,ifindex=3....
ike 0: IKEv1 exchange=Quick id=f58d54ee1e06c362/6b13e0e54ab27d49:36da9bbe len=316
ike 0: in F58D54EE1E06C3626B13E0E54AB27D490810200136DA9BBE0000013C97177F295E9C9E7527C1B5273DECE0F8DDCF27E411215280BDC09975F2153CB4FBBB193B61C08AE38C3750E02212CF251BB15E7EEFBBBD4BD97D095EDCAC217722453FF8A5BF73EF7DB1A112B108316FC3AEF67A9BEA66759ACE99529D38BE3427E1679F23FEB912096E428F311099699344328333E1139C47D4CEF8C086C35AAB1A22D0E3EB27CA872B80A2A77F11619456E07E9CA8370B6D8555B08508C96CFE55B7C1D91CA1EA542D58DBF8350DBDE1144FB8A89383C0372F1E36195090CEB00B65E3C3F2AAEF2B8B4357B5ED9DF51A8B6C52AFCB4C225B5D85ABFCA3F048B35A514711ACDE79F49A4DF8792AB6B6777175A6642922590AB60A2CFA705DA563D446E955BB0B596677880E6AF87237360AF07C1104638522A62031702198ED
ike 0:HUB_0:2638:2704: responder received first quick-mode message
ike 0:HUB_0:2638: dec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
ike 0:HUB_0:2638:2704: peer proposal is: peer:0:0.0.0.0-255.255.255.255:0, me:0:0.0.0.0-255.255.255.255:0
ike 0:HUB_0:2638:VPN:2704: trying
ike 0:HUB_0:2638:2704: wildcard is not an acceptable destination subnet
ike 0:HUB_0:2638:2704: no matching phase2 found
ike 0:HUB_0:2638:2704: failed to get responder proposal
ike 0:HUB_0:2638: error processing quick-mode message from 201.91.58.58 as responder
ike 0:HUB_0: link is idle 3 172.0.1.100->201.91.58.58:4500 dpd=1 seqno=2
ike 0:HUB_0:2638: send IKEv1 DPD probe, seqno 2
ike 0:HUB_0:2638: enc F58D54EE1E06C3626B13E0E54AB27D49081005014CB3D819000000540B00
 
 
Can you help me please?
Thanks


Richard Burts

There are a couple of things that we might look at as potential problems. But the biggest problem that I see is that the Fortigate appears to be configured to create a standard IPsec site-to-site VPN, while the router is configured to use a Virtual Tunnel Interface. VTI is a newer implementation in Cisco IOS that runs IPsec over the configured tunnel interface. This is a very nice implementation as long as the other end is also doing VTI. But the Fortigate is not doing VTI. So my first suggestion is that the people who administer the router remove the VTI configuration and replace it with a standard IPsec crypto map configuration.

HTH

Rick
