Showing results for 
Search instead for 
Did you mean: 

VPN Phase 2 not negotiated

Hello all. I am having trouble to finish a VPN, although i´ve been reading a lot in other cases i was not able to find the solution. 

From my side i have a Cisco Router CISCO891-K9

License Information for 'c890'

Version 15.0(1)M8
License Level: advipservices Type: Permanent
Next reboot license Level: advipservices

In the other side the client has a Fortinet Firewall, i am not aware of version and software.

My configuration is:

crypto isakmp policy 60
encr aes
authentication pre-share
group 14


crypto isakmp key xxxxxxxxxxxxxxxx address w.x.y.z


crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac


crypto map VPN_PRISMA_DC1_ 60 ipsec-isakmp
set peer w.x.y.z
set transform-set ESP-AES-SHA
set pfs group5
match address 170


access-list 170 permit ip


ip access-list extended nat-PRISMA
permit ip
permit ip


route-map nat-PRISMA permit 10
match ip address nat-PRISMA


ip nat inside source static route-map nat-PRISMA
ip nat inside source static route-map nat-PRISMA


I already has other VPN configured as this one and working properly.

Phase 1 is ok without none problem. I am running this debus in the Router.


debug crypto ISAKMP

debug crypto ipsec


The result of the debug gives:

21906846: Nov 13 09:53:32.200 Buenos: ISAKMP (2015): received packet from w.x.y.z dport 500 sport 500 Global (R) QM_IDLE
21906847: Nov 13 09:53:32.200 Buenos: ISAKMP: set new node 1944899763 to QM_IDLE
21906848: Nov 13 09:53:32.200 Buenos: ISAKMP:(2015): processing HASH payload. message ID = 1944899763
21906849: Nov 13 09:53:32.200 Buenos: ISAKMP:(2015): processing SA payload. message ID = 1944899763
21906850: Nov 13 09:53:32.200 Buenos: ISAKMP:(2015):Checking IPSec proposal 1
21906851: Nov 13 09:53:32.200 Buenos: ISAKMP: transform 1, ESP_AES
21906852: Nov 13 09:53:32.200 Buenos: ISAKMP: attributes in transform:
21906853: Nov 13 09:53:32.200 Buenos: ISAKMP: SA life type in seconds
21906854: Nov 13 09:53:32.200 Buenos: ISAKMP: SA life duration (basic) of 3600
21906855: Nov 13 09:53:32.200 Buenos: ISAKMP: encaps is 1 (Tunnel)
21906856: Nov 13 09:53:32.200 Buenos: ISAKMP: key length is 128
21906857: Nov 13 09:53:32.200 Buenos: ISAKMP: authenticator is HMAC-SHA
21906858: Nov 13 09:53:32.200 Buenos: ISAKMP: group is 5
21906859: Nov 13 09:53:32.200 Buenos: ISAKMP:(2015):atts are acceptable.
21906860: Nov 13 09:53:32.200 Buenos: IPSEC(validate_proposal_request): proposal part #1
21906861: Nov 13 09:53:32.200 Buenos: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= x.x.x.x, remote= w.x.y.z,
local_proxy= (type=4),
remote_proxy= (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
21906862: Nov 13 09:53:32.200 Buenos: IPSEC(ipsec_process_proposal): proxy identities not supported
21906863: Nov 13 09:53:32.200 Buenos: ISAKMP:(2015): IPSec policy invalidated proposal with error 32
21906864: Nov 13 09:53:32.200 Buenos: ISAKMP:(2015): phase 2 SA policy not acceptable! (local x.x.x.x remote w.x.y.z)
21906865: Nov 13 09:53:32.200 Buenos: ISAKMP: set new node -1012143979 to QM_IDLE
21906866: Nov 13 09:53:32.200 Buenos: ISAKMP:(2015):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2243998240, message ID = -1012143979
21906867: Nov 13 09:53:32.204 Buenos: ISAKMP:(2015): sending packet to w.x.y.z my_port 500 peer_port 500 (R) QM_IDLE
21906868: Nov 13 09:53:32.204 Buenos: ISAKMP:(2015):Sending an IKE IPv4 Packet.
21906869: Nov 13 09:53:32.204 Buenos: ISAKMP:(2015):purging node -1012143979
21906870: Nov 13 09:53:32.204 Buenos: ISAKMP:(2015):deleting node 1944899763 error TRUE reason "QM rejected"
21906871: Nov 13 09:53:32.204 Buenos: ISAKMP:(2015):Node 1944899763, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
21906872: Nov 13 09:53:32.204 Buenos: ISAKMP:(2015):Old State = IKE_QM_READY New State = IKE_QM_READY


What i found is that the problem is related to the intersting traffic, but we already checked from both sides and the networks are correctly configured.


Any help would be great!




Rising star

for  forti have 
1-proxy selector value check this 
2- check if PFS is enable under phase 2


Hi there, 

1. i will ask to check this value, how should it be configured?.

2. Yes this was checkec in both sides.



VIP Mentor

Do you have other side configuration of Fortrinet to verify ?


or refer below exmaple :



*** Rate All Helpful Responses ***


Thanks for your reply, i already asked for the Forti Configuration, i don´t know if they are going to share ir with me.

The only thing i did not try is to open the tunnel trhough an interface Tunel. Whay can you say about that?.



config vpn ipsec phase1-interface

edit "XRP 2"

set type static

set interface "port2"

set ip-version 4

set ike-version 1

set local-gw

set keylife 86400

set authmethod psk

set mode main

set peertype any

set mode-cfg disable

set proposal aes128-sha1

set exchange-interface-ip disable

set localid ''

set localid-type auto

set negotiate-timeout 30

set fragmentation enable

set dpd on-demand

set forticlient-enforcement disable

set comments ''

set npu-offload enable

set dhgrp 14

set suite-b disable

set wizard-type custom

set xauthtype disable

set mesh-selector-type disable

set idle-timeout disable

set ha-sync-esp-seqno enable

set auto-discovery-sender disable

set auto-discovery-receiver disable

set auto-discovery-forwarder disable

set encapsulation none

set nattraversal enable

set remote-gw

set monitor ''

set add-gw-route disable

set psksecret ENC DKsMguC4uVzppD2BSRXXEan68St5AHylA4DRAQ/xWp10rwQ7D/dmTE otSgfc4tPAMCynhdf5/4qFS6wqhpzE0+ioDXMkzP+3PPqlJLq8Hi1cjxsj61yHqvGQvb97B2xQ3buyd3 rfzaF+Tcrvp5dJ/kgfzZOjqca7wlQGwaetMBQQFPzynPHI5/bV1tPsBA3Y+RPepA==

set keepalive 10

set auto-negotiate enable

set dpd-retrycount 3

set dpd-retryinterval 20




config vpn ipsec phase2-interface

edit "XRP 2"

set phase1name "XRP 2"

set proposal aes128-sha1

set pfs enable

set dhgrp 5

set replay enable

set auto-negotiate enable

set auto-discovery-sender phase1

set auto-discovery-forwarder phase1

set keylife-type seconds

set encapsulation tunnel-mode

set comments ''

set protocol 0

set src-addr-type subnet

set src-port 0

set dst-addr-type subnet

set dst-port 0

set keylifeseconds 3600

set src-subnet

set dst-subnet




Have you seen this thread?

Possibly time to get packet captures on both ends? I’ve used the Fortigate firewalls and can confirm it should be easy enough for the Fortinet  admin to get a packet capture on their end? If you want to take a packet capture on your Cisco router, refer to the Packet Capture config generator link on the Cisco Tools. Lots of good stuff there.


How about some of the fundamentals, such as IP routing / any inbound ACL’s permitting their source IP address on UDP 500/4500 if doing NAT-T? 



Content for Community-Ad