11-13-2020 05:13 AM
Hello all. I am having trouble finishing a VPN; although I've been reading a lot about other cases, I was not able to find the solution.
On my side I have a Cisco router, CISCO891-K9
License Information for 'c890'
Version 15.0(1)M8
License Level: advipservices Type: Permanent
Next reboot license Level: advipservices
On the other side the client has a Fortinet firewall; I am not aware of the version or software.
My configuration is:
crypto isakmp policy 60
encr aes
authentication pre-share
group 14
!
crypto isakmp key xxxxxxxxxxxxxxxx address w.x.y.z
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto map VPN_PRISMA_DC1_ 60 ipsec-isakmp
set peer w.x.y.z
set transform-set ESP-AES-SHA
set pfs group5
match address 170
!
access-list 170 permit ip 172.31.238.120 0.0.0.7 172.30.240.0 0.0.0.255
!
ip access-list extended nat-PRISMA
permit ip 172.31.238.120 0.0.0.7 172.30.240.0 0.0.0.255
permit ip 192.168.100.0 0.0.0.255 172.30.240.0 0.0.0.255
!
route-map nat-PRISMA permit 10
match ip address nat-PRISMA
!
ip nat inside source static 192.168.100.35 172.31.238.121 route-map nat-PRISMA
ip nat inside source static 192.168.100.36 172.31.238.122 route-map nat-PRISMA
I already have other VPNs configured like this one and working properly.
Phase 1 is OK without any problem. I am running these debugs on the router.
debug crypto ISAKMP
debug crypto ipsec
The result of the debug gives:
21906846: Nov 13 09:53:32.200 Buenos: ISAKMP (2015): received packet from w.x.y.z dport 500 sport 500 Global (R) QM_IDLE
21906847: Nov 13 09:53:32.200 Buenos: ISAKMP: set new node 1944899763 to QM_IDLE
21906848: Nov 13 09:53:32.200 Buenos: ISAKMP:(2015): processing HASH payload. message ID = 1944899763
21906849: Nov 13 09:53:32.200 Buenos: ISAKMP:(2015): processing SA payload. message ID = 1944899763
21906850: Nov 13 09:53:32.200 Buenos: ISAKMP:(2015):Checking IPSec proposal 1
21906851: Nov 13 09:53:32.200 Buenos: ISAKMP: transform 1, ESP_AES
21906852: Nov 13 09:53:32.200 Buenos: ISAKMP: attributes in transform:
21906853: Nov 13 09:53:32.200 Buenos: ISAKMP: SA life type in seconds
21906854: Nov 13 09:53:32.200 Buenos: ISAKMP: SA life duration (basic) of 3600
21906855: Nov 13 09:53:32.200 Buenos: ISAKMP: encaps is 1 (Tunnel)
21906856: Nov 13 09:53:32.200 Buenos: ISAKMP: key length is 128
21906857: Nov 13 09:53:32.200 Buenos: ISAKMP: authenticator is HMAC-SHA
21906858: Nov 13 09:53:32.200 Buenos: ISAKMP: group is 5
21906859: Nov 13 09:53:32.200 Buenos: ISAKMP:(2015):atts are acceptable.
21906860: Nov 13 09:53:32.200 Buenos: IPSEC(validate_proposal_request): proposal part #1
21906861: Nov 13 09:53:32.200 Buenos: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= x.x.x.x, remote= w.x.y.z,
local_proxy= 172.31.238.120/255.255.255.248/0/0 (type=4),
remote_proxy= 172.30.240.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
21906862: Nov 13 09:53:32.200 Buenos: IPSEC(ipsec_process_proposal): proxy identities not supported
21906863: Nov 13 09:53:32.200 Buenos: ISAKMP:(2015): IPSec policy invalidated proposal with error 32
21906864: Nov 13 09:53:32.200 Buenos: ISAKMP:(2015): phase 2 SA policy not acceptable! (local x.x.x.x remote w.x.y.z)
21906865: Nov 13 09:53:32.200 Buenos: ISAKMP: set new node -1012143979 to QM_IDLE
21906866: Nov 13 09:53:32.200 Buenos: ISAKMP:(2015):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2243998240, message ID = -1012143979
21906867: Nov 13 09:53:32.204 Buenos: ISAKMP:(2015): sending packet to w.x.y.z my_port 500 peer_port 500 (R) QM_IDLE
21906868: Nov 13 09:53:32.204 Buenos: ISAKMP:(2015):Sending an IKE IPv4 Packet.
21906869: Nov 13 09:53:32.204 Buenos: ISAKMP:(2015):purging node -1012143979
21906870: Nov 13 09:53:32.204 Buenos: ISAKMP:(2015):deleting node 1944899763 error TRUE reason "QM rejected"
routerint#t
21906871: Nov 13 09:53:32.204 Buenos: ISAKMP:(2015):Node 1944899763, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
21906872: Nov 13 09:53:32.204 Buenos: ISAKMP:(2015):Old State = IKE_QM_READY New State = IKE_QM_READY
What I found is that the problem is related to the interesting traffic, but we already checked from both sides and the networks are correctly configured.
Any help would be great!
Regards!
11-13-2020 05:24 AM
For Forti have:
1. proxy selector value, check this
2. check if PFS is enabled under phase 2
11-13-2020 05:56 AM
Hi there,
1. I will ask to check this value; how should it be configured?
2. Yes, this was checked on both sides.
Regards.-
11-13-2020 06:13 AM
Do you have the other side's Fortinet configuration to verify?
Or refer to the examples below:
https://weberblog.net/ipsec-site-to-site-vpn-fortigate-cisco-router/
https://forum.fortinet.com/tm.aspx?m=152156
https://kb.fortinet.com/kb/documentLink.do?externalID=10229
11-13-2020 06:28 AM
Thanks for your reply. I already asked for the Forti configuration; I don't know if they are going to share it with me.
The only thing I did not try is to open the tunnel through a Tunnel interface. What can you say about that?
11-13-2020 03:57 PM
config vpn ipsec phase1-interface
edit "XRP 2"
set type static
set interface "port2"
set ip-version 4
set ike-version 1
set local-gw 0.0.0.0
set keylife 86400
set authmethod psk
set mode main
set peertype any
set mode-cfg disable
set proposal aes128-sha1
set exchange-interface-ip disable
set localid ''
set localid-type auto
set negotiate-timeout 30
set fragmentation enable
set dpd on-demand
set forticlient-enforcement disable
set comments ''
set npu-offload enable
set dhgrp 14
set suite-b disable
set wizard-type custom
set xauthtype disable
set mesh-selector-type disable
set idle-timeout disable
set ha-sync-esp-seqno enable
set auto-discovery-sender disable
set auto-discovery-receiver disable
set auto-discovery-forwarder disable
set encapsulation none
set nattraversal enable
set remote-gw 64.76.23.59
set monitor ''
set add-gw-route disable
set psksecret ENC DKsMguC4uVzppD2BSRXXEan68St5AHylA4DRAQ/xWp10rwQ7D/dmTE otSgfc4tPAMCynhdf5/4qFS6wqhpzE0+ioDXMkzP+3PPqlJLq8Hi1cjxsj61yHqvGQvb97B2xQ3buyd3 rfzaF+Tcrvp5dJ/kgfzZOjqca7wlQGwaetMBQQFPzynPHI5/bV1tPsBA3Y+RPepA==
set keepalive 10
set auto-negotiate enable
set dpd-retrycount 3
set dpd-retryinterval 20
next
end
config vpn ipsec phase2-interface
edit "XRP 2"
set phase1name "XRP 2"
set proposal aes128-sha1
set pfs enable
set dhgrp 5
set replay enable
set auto-negotiate enable
set auto-discovery-sender phase1
set auto-discovery-forwarder phase1
set keylife-type seconds
set encapsulation tunnel-mode
set comments ''
set protocol 0
set src-addr-type subnet
set src-port 0
set dst-addr-type subnet
set dst-port 0
set keylifeseconds 3600
set src-subnet 172.30.240.0 255.255.255.0
set dst-subnet 172.31.238.120 255.255.255.248
next
end
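The reply above asks the poster to check the proxy selectors and PFS. The script below is an added example (not from the thread or from either vendor): it pulls those settings out of the Cisco crypto map and ACL from the first post and out of the FortiGate phase2-interface block above, and reports any difference a Cisco responder would reject. Run on the thread's own values it reports nothing, which agrees with the "atts are acceptable" line in the debug, so the proxy-ID problem the debug reports is not visible in these two snippets alone; the regex parsing, the CISCO_TO_FORTI mapping and the first-proposal-only assumption are mine.

```python
import ipaddress
import re

# Constructed inputs copied from the thread: Cisco crypto map side and FortiGate phase2 block
CISCO_SIDE = """\
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
set pfs group5
access-list 170 permit ip 172.31.238.120 0.0.0.7 172.30.240.0 0.0.0.255
"""
FORTI_PHASE2 = """\
set proposal aes128-sha1
set pfs enable
set dhgrp 5
set src-subnet 172.30.240.0 255.255.255.0
set dst-subnet 172.31.238.120 255.255.255.248
"""
# Cisco transform keywords -> the FortiGate proposal tokens they correspond to (assumed mapping)
CISCO_TO_FORTI = {"esp-aes": "aes128", "esp-aes 256": "aes256", "esp-3des": "3des",
                  "esp-sha-hmac": "sha1", "esp-md5-hmac": "md5"}

def wildcard_net(addr, wildcard):
    """Cisco ACL wildcard (inverted netmask) -> IPv4Network."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse_cisco(text):
    enc, auth = re.search(r"transform-set \S+ (esp-\S+(?: 256)?) (esp-\S+-hmac)", text).groups()
    pfs = re.search(r"set pfs group(\d+)", text)
    src, sw, dst, dw = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", text).groups()
    return {"encr": CISCO_TO_FORTI[enc], "auth": CISCO_TO_FORTI[auth],
            "pfs": int(pfs.group(1)) if pfs else None,
            "local": wildcard_net(src, sw), "remote": wildcard_net(dst, dw)}

def parse_forti(text):
    enc, auth = re.search(r"set proposal (\w+)-(\w+)", text).groups()  # first proposal only
    grp = re.search(r"set dhgrp (\d+)", text)
    s, sm = re.search(r"set src-subnet (\S+) (\S+)", text).groups()
    d, dm = re.search(r"set dst-subnet (\S+) (\S+)", text).groups()
    return {"encr": enc, "auth": auth,
            "pfs": int(grp.group(1)) if "set pfs enable" in text and grp else None,
            "src": ipaddress.IPv4Network(f"{s}/{sm}", strict=False),
            "dst": ipaddress.IPv4Network(f"{d}/{dm}", strict=False)}

def phase2_mismatches(cisco_text, forti_text):
    """List the differences a Cisco responder would reject; empty means the proposals line up."""
    c, f = parse_cisco(cisco_text), parse_forti(forti_text)
    out = [f"{k}: cisco={c[k]} forti={f[k]}" for k in ("encr", "auth", "pfs") if c[k] != f[k]]
    # The FortiGate's src-subnet must mirror the Cisco ACL's destination, and vice versa
    if f["src"] != c["remote"] or f["dst"] != c["local"]:
        out.append(f"selectors: cisco {c['local']}->{c['remote']} vs forti {f['src']}->{f['dst']}")
    return out
```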
11-16-2020 12:08 PM - edited 11-16-2020 12:14 PM
Have you seen this thread?
Possibly time to get packet captures on both ends? I've used the Fortigate firewalls and can confirm it should be easy enough for the Fortinet admin to get a packet capture on their end. If you want to take a packet capture on your Cisco router, refer to the Packet Capture config generator link on the Cisco Tools. Lots of good stuff there.
https://www.cisco.com/c/en/us/support/web/tools-catalog.html
How about some of the fundamentals, such as IP routing / any inbound ACLs permitting their source IP address on UDP 500/4500 if doing NAT-T?