VPN between cisco 877 fortigate 3000

Alex801415
Level 1

Hi all!

I am trying to set up a tunnel between a Cisco 877 and a FortiGate 3000.

On my Cisco I get this error when I try to bring up the tunnel on the FortiGate:

Jun 16 07:21:28.132: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= cisco public IP, remote= fortigate public IP,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Jun 16 07:21:28.132: IPSEC(ipsec_process_proposal): proxy identities not supported
Jun 16 07:21:28.132: ISAKMP:(2051): IPSec policy invalidated proposal with error 32
Jun 16 07:21:28.132: ISAKMP:(2051): phase 2 SA policy not acceptable!

I found that this comes from a policy (ACL) error...

I put this in my Cisco:

access-list 101 permit ip host [cisco public IP] host [fortigate public IP]

I put this in my FortiGate:

firewall -> policy:

[fortigate public IP] [cisco public IP] Action IPSEC VPN_Tunnel my_vpn

That doesn't work! Any suggestions?

In the FortiGate docs I read that the policy should be defined between the LAN behind the FortiGate (source) and the private network behind the Cisco.

What do you think of this?

Thanks

2 Replies

m.kafka
Level 4

1) Your debug screenshot doesn't match your description. You don't tell us which side is the initiator; I suppose the FortiGate.



2) The crypto access-list on the router must permit the inside local addresses of the Cisco site as the source and the inside local addresses of the FortiGate site as the destination. Look up the documentation on how to do that with a FortiGate.

3) Some things look strange to me:

Jun 16 07:21:28.132: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= cisco public IP, remote= fortigate public IP,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Jun 16 07:21:28.132: IPSEC(ipsec_process_proposal): proxy identities not supported
Jun 16 07:21:28.132: ISAKMP:(2051): IPSec policy invalidated proposal with error 32
Jun 16 07:21:28.132: ISAKMP:(2051): phase 2 SA policy not acceptable!

rgds,

mika

1) The initiator is the FortiGate by default, because I configured nothing to choose the initiator.

2) OK, my problem seems to come from here. I tried with all/all or with the public interface.

3) In local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), should I have the local Cisco network?
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4): should I have the local FortiGate network?
    protocol= ESP, transform= NONE  (Tunnel): what should I have here?

Thanks

Alex
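The following is an added example, not code from the thread or from Cisco or Fortinet. It parses the IOS debug lines quoted above, extracts the phase 2 proxy identities (local_proxy / remote_proxy) the peer proposed, and compares them against the inside networks the crypto ACL is expected to carry, which is m.kafka's point 2 and the substance of Alex's question 3. It also checks that a Cisco crypto ACL and a FortiGate policy are mirror images of each other, and flags an ACL that only lists the two tunnel endpoints, which is what the original access-list 101 did. All IP addresses and networks are constructed placeholders (TEST-NET ranges and RFC 1918 space), and the function and variable names are the example's own.

```python
import ipaddress
import re

# Constructed sample: the IOS debug block from the thread, with the public IPs
# replaced by documentation-range placeholders (not from a real device).
SAMPLE_DEBUG = """\
Jun 16 07:21:28.132: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 203.0.113.1, remote= 198.51.100.1,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Jun 16 07:21:28.132: IPSEC(ipsec_process_proposal): proxy identities not supported
Jun 16 07:21:28.132: ISAKMP:(2051): IPSec policy invalidated proposal with error 32
Jun 16 07:21:28.132: ISAKMP:(2051): phase 2 SA policy not acceptable!
"""

# local_proxy= <addr>/<mask>/<protocol>/<port> as printed by IOS
PROXY_RE = re.compile(r"(local|remote)_proxy=\s*([\d.]+)/([\d.]+)/(\d+)/(\d+)")


def parse_proxies(debug_text):
    """Return {'local': IPv4Network, 'remote': IPv4Network} from a
    validate_proposal_request block. The mask is printed in dotted form,
    so 0.0.0.0/0.0.0.0 becomes the wildcard network 0.0.0.0/0."""
    found = {}
    for side, addr, mask, _proto, _port in PROXY_RE.findall(debug_text):
        found[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return found


def diagnose(debug_text, cisco_lan, fortigate_lan):
    """Explain a phase 2 failure seen on the Cisco responder.

    cisco_lan and fortigate_lan are the inside networks the crypto ACL is
    expected to describe (assumed values supplied by the caller). For an
    INBOUND proposal on the Cisco, local_proxy should be the Cisco-side LAN
    and remote_proxy the FortiGate-side LAN."""
    findings = []
    proxies = parse_proxies(debug_text)
    expected = {
        "local": ipaddress.ip_network(cisco_lan),
        "remote": ipaddress.ip_network(fortigate_lan),
    }
    for side in ("local", "remote"):
        got = proxies.get(side)
        if got is None:
            findings.append(f"{side}_proxy not found in debug output")
        elif got.prefixlen == 0:
            findings.append(
                f"{side}_proxy is 0.0.0.0/0 (any); the peer sent a wildcard "
                f"selector instead of {expected[side]}"
            )
        elif got != expected[side]:
            findings.append(f"{side}_proxy {got} does not match crypto ACL {expected[side]}")
    if "proxy identities not supported" in debug_text:
        findings.append(
            "IOS rejected the proposal (error 32): the proposed identities "
            "match no crypto ACL entry"
        )
    if re.search(r"transform=\s*NONE", debug_text):
        findings.append(
            "transform= NONE: no transform set was selected for this proposal; "
            "once the identities match, this field shows the negotiated ESP transform"
        )
    return findings


def is_mirror(cisco_acl, fortigate_policy):
    """The Cisco crypto ACL (src, dst) must be the mirror image of the
    FortiGate policy (src, dst): each side's source is the other's destination."""
    c_src, c_dst = (ipaddress.ip_network(n) for n in cisco_acl)
    f_src, f_dst = (ipaddress.ip_network(n) for n in fortigate_policy)
    return c_src == f_dst and c_dst == f_src


def selects_only_endpoints(cisco_acl, local_peer, remote_peer):
    """True when the crypto ACL covers only the two tunnel endpoint addresses,
    i.e. it describes the peers rather than the inside networks behind them."""
    src, dst = (ipaddress.ip_network(n) for n in cisco_acl)
    return src == ipaddress.ip_network(local_peer) and dst == ipaddress.ip_network(remote_peer)


if __name__ == "__main__":
    # Assumed inside networks: 192.168.1.0/24 behind the Cisco, 10.10.0.0/16 behind the FortiGate.
    for line in diagnose(SAMPLE_DEBUG, "192.168.1.0/24", "10.10.0.0/16"):
        print("-", line)
    # The thread's original ACL: host <cisco public IP> host <fortigate public IP>
    print("ACL lists only tunnel endpoints:",
          selects_only_endpoints(("203.0.113.1/32", "198.51.100.1/32"), "203.0.113.1", "198.51.100.1"))
    print("Corrected ACL mirrors FortiGate policy:",
          is_mirror(("192.168.1.0/24", "10.10.0.0/16"), ("10.10.0.0/16", "192.168.1.0/24")))
```

Run it against the debug output from `debug crypto ipsec` and `debug crypto isakmp` on the responder; the wildcard 0.0.0.0/0 selectors in the sample correspond to the all/all policy Alex mentions trying, and the endpoint-only check corresponds to the host-to-host access-list 101. The mirror check is deliberately strict (exact network equality), which is the safe configuration to aim for between two different vendors.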
