06-16-2010 01:26 AM
Hi all!
I am trying to set up a tunnel between a Cisco 877 and a FortiGate 3000.
On my Cisco I get this error when I try to bring up the tunnel from the FortiGate:
Jun 16 07:21:28.132: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= cisco public IP, remote= fortigate public IP,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Jun 16 07:21:28.132: IPSEC(ipsec_process_proposal): proxy identities not supported
Jun 16 07:21:28.132: ISAKMP:(2051): IPSec policy invalidated proposal with error 32
Jun 16 07:21:28.132: ISAKMP:(2051): phase 2 SA policy not acceptable!
I found that this comes from a policy (ACL) error...
I put this on my Cisco:
access-list 101 permit ip host [cisco public IP] host [fortigate public IP]
I put this on my FortiGate:
firewall -> policy:
[fortigate public IP] [cisco public IP] Action IPSEC VNP_Tunnel my_vpn
That doesn't work! Any suggestions?
In the FortiGate docs I read that the policy should be made between the LAN behind the FortiGate (source) and the private network behind the Cisco.
What do you think of this?
Thanks
06-16-2010 05:13 AM
1) Your debug screenshot doesn't match your description. You don't tell us which side is the initiator - I suppose the FortiGate.
2) The crypto access-list on the router must permit the inside local addresses on the Cisco side as the source and the inside local addresses of the FortiGate side as the destination. Look up the documentation on how to do that with a FortiGate.
3) Some things look strange to me:
Jun 16 07:21:28.132: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= cisco public IP, remote= fortigate public IP,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Jun 16 07:21:28.132: IPSEC(ipsec_process_proposal): proxy identities not supported
Jun 16 07:21:28.132: ISAKMP:(2051): IPSec policy invalidated proposal with error 32
Jun 16 07:21:28.132: ISAKMP:(2051): phase 2 SA policy not acceptable!
rgds,
mika
06-16-2010 09:19 AM
1) The initiator is the FortiGate by default, because I configured nothing to choose the initiator.
2) OK, my problem seems to come from here. I tried with all/all or with the public interface.
3) In local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), should I have the local Cisco network?
In remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), should I have the local FortiGate network?
In protocol= ESP, transform= NONE (Tunnel), what should I have here?
Thanks
Alex
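To make mika's point 2 and Alex's question 3 concrete, here is an added Python example (not from the thread or from either vendor) that parses the local_proxy/remote_proxy lines of the IOS debug above and checks them against a crypto ACL the way the router responder does. The public IPs, the two LANs (10.1.0.0/16 behind the Cisco, 10.2.0.0/16 behind the FortiGate) and the "fixed" debug output are constructed assumptions; the containment check is a simplified model of the IOS behaviour.

```python
import ipaddress
import re

# Constructed sample: the router debug from this thread, with the public IPs
# replaced by documentation addresses (192.0.2.1 = Cisco, 198.51.100.1 = FortiGate).
DEBUG_BROKEN = """\
Jun 16 07:21:28.132: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.0.2.1, remote= 198.51.100.1,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
"""
# Constructed: what the proxy lines would show once the FortiGate policy names
# the two LANs (assumed 10.1.0.0/16 behind the Cisco, 10.2.0.0/16 behind the FortiGate).
DEBUG_FIXED = """\
local_proxy= 10.1.0.0/255.255.0.0/0/0 (type=4),
remote_proxy= 10.2.0.0/255.255.0.0/0/0 (type=4),
"""

PROXY_RE = re.compile(r"(local|remote)_proxy= ([\d.]+)/([\d.]+)/(\d+)/(\d+)")

def parse_proxies(debug):
    """Extract the peer's proposed proxy IDs: {'local'|'remote': (network, proto, port)}."""
    found = {}
    for side, addr, mask, proto, port in PROXY_RE.findall(debug):
        # IOS prints address/netmask; 0.0.0.0/0.0.0.0 means "any" (the all/all policy).
        found[side] = (ipaddress.ip_network(f"{addr}/{mask}", strict=False), int(proto), int(port))
    return found

def crypto_acl_accepts(acl, proxies):
    """Simplified model of the responder check behind 'proxy identities not supported':
    accept only if some ACE covers local_proxy as source and remote_proxy as destination."""
    local_net, remote_net = proxies["local"][0], proxies["remote"][0]
    return any(local_net.subnet_of(src) and remote_net.subnet_of(dst) for src, dst in acl)

def ace(src, dst):
    """One 'access-list 101 permit ip <src> <dst>' entry as a (src, dst) network pair."""
    return (ipaddress.ip_network(src), ipaddress.ip_network(dst))

ACL_PUBLIC = [ace("192.0.2.1/32", "198.51.100.1/32")]  # the ACL from the question
ACL_LAN = [ace("10.1.0.0/16", "10.2.0.0/16")]          # the ACL mika describes

def diagnose(acl, debug):
    """Return 'accepted' or a one-line reason, mirroring what the router would log."""
    p = parse_proxies(debug)
    if crypto_acl_accepts(acl, p):
        return "accepted"
    return f"rejected: proxy {p['local'][0]} -> {p['remote'][0]} matches no ACE"

if __name__ == "__main__":
    print(diagnose(ACL_PUBLIC, DEBUG_BROKEN))  # reproduces the thread's failure
    print(diagnose(ACL_LAN, DEBUG_FIXED))      # both sides describe the same LAN pair
```

Running the broken debug against the LAN ACL also fails, which is the practical point: the FortiGate policy and the Cisco crypto ACL must describe the same pair of private networks, not the public peer addresses.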