cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
352
Views
0
Helpful
6
Replies
Highlighted
Beginner

VPN Phase 2 not negotiated

Hello all. I am having trouble to finish a VPN, although i´ve been reading a lot in other cases i was not able to find the solution. 

From my side i have a Cisco Router CISCO891-K9

License Information for 'c890'

Version 15.0(1)M8
License Level: advipservices Type: Permanent
Next reboot license Level: advipservices

In the other side the client has a Fortinet Firewall, i am not aware of version and software.

My configuration is:

crypto isakmp policy 60
encr aes
authentication pre-share
group 14

!

crypto isakmp key xxxxxxxxxxxxxxxx address w.x.y.z

!

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

!

crypto map VPN_PRISMA_DC1_ 60 ipsec-isakmp
set peer w.x.y.z
set transform-set ESP-AES-SHA
set pfs group5
match address 170

!

access-list 170 permit ip 172.31.238.120 0.0.0.7 172.30.240.0 0.0.0.255

!

ip access-list extended nat-PRISMA
permit ip 172.31.238.120 0.0.0.7 172.30.240.0 0.0.0.255
permit ip 192.168.100.0 0.0.0.255 172.30.240.0 0.0.0.255

!

route-map nat-PRISMA permit 10
match ip address nat-PRISMA

!

ip nat inside source static 192.168.100.35 172.31.238.121 route-map nat-PRISMA
ip nat inside source static 192.168.100.36 172.31.238.122 route-map nat-PRISMA

 

I already has other VPN configured as this one and working properly.

Phase 1 is ok without none problem. I am running this debus in the Router.

 

debug crypto ISAKMP

debug crypto ipsec

 

The result of the debug gives:

21906846: Nov 13 09:53:32.200 Buenos: ISAKMP (2015): received packet from w.x.y.z dport 500 sport 500 Global (R) QM_IDLE
21906847: Nov 13 09:53:32.200 Buenos: ISAKMP: set new node 1944899763 to QM_IDLE
21906848: Nov 13 09:53:32.200 Buenos: ISAKMP:(2015): processing HASH payload. message ID = 1944899763
21906849: Nov 13 09:53:32.200 Buenos: ISAKMP:(2015): processing SA payload. message ID = 1944899763
21906850: Nov 13 09:53:32.200 Buenos: ISAKMP:(2015):Checking IPSec proposal 1
21906851: Nov 13 09:53:32.200 Buenos: ISAKMP: transform 1, ESP_AES
21906852: Nov 13 09:53:32.200 Buenos: ISAKMP: attributes in transform:
21906853: Nov 13 09:53:32.200 Buenos: ISAKMP: SA life type in seconds
21906854: Nov 13 09:53:32.200 Buenos: ISAKMP: SA life duration (basic) of 3600
21906855: Nov 13 09:53:32.200 Buenos: ISAKMP: encaps is 1 (Tunnel)
21906856: Nov 13 09:53:32.200 Buenos: ISAKMP: key length is 128
21906857: Nov 13 09:53:32.200 Buenos: ISAKMP: authenticator is HMAC-SHA
21906858: Nov 13 09:53:32.200 Buenos: ISAKMP: group is 5
21906859: Nov 13 09:53:32.200 Buenos: ISAKMP:(2015):atts are acceptable.
21906860: Nov 13 09:53:32.200 Buenos: IPSEC(validate_proposal_request): proposal part #1
21906861: Nov 13 09:53:32.200 Buenos: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= x.x.x.x, remote= w.x.y.z,
local_proxy= 172.31.238.120/255.255.255.248/0/0 (type=4),
remote_proxy= 172.30.240.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
21906862: Nov 13 09:53:32.200 Buenos: IPSEC(ipsec_process_proposal): proxy identities not supported
21906863: Nov 13 09:53:32.200 Buenos: ISAKMP:(2015): IPSec policy invalidated proposal with error 32
21906864: Nov 13 09:53:32.200 Buenos: ISAKMP:(2015): phase 2 SA policy not acceptable! (local x.x.x.x remote w.x.y.z)
21906865: Nov 13 09:53:32.200 Buenos: ISAKMP: set new node -1012143979 to QM_IDLE
21906866: Nov 13 09:53:32.200 Buenos: ISAKMP:(2015):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2243998240, message ID = -1012143979
21906867: Nov 13 09:53:32.204 Buenos: ISAKMP:(2015): sending packet to w.x.y.z my_port 500 peer_port 500 (R) QM_IDLE
21906868: Nov 13 09:53:32.204 Buenos: ISAKMP:(2015):Sending an IKE IPv4 Packet.
21906869: Nov 13 09:53:32.204 Buenos: ISAKMP:(2015):purging node -1012143979
21906870: Nov 13 09:53:32.204 Buenos: ISAKMP:(2015):deleting node 1944899763 error TRUE reason "QM rejected"
routerint#t
21906871: Nov 13 09:53:32.204 Buenos: ISAKMP:(2015):Node 1944899763, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
21906872: Nov 13 09:53:32.204 Buenos: ISAKMP:(2015):Old State = IKE_QM_READY New State = IKE_QM_READY

 

What i found is that the problem is related to the intersting traffic, but we already checked from both sides and the networks are correctly configured.

 

Any help would be great!


Regards!

 

 

6 REPLIES 6
Highlighted
Rising star

for  forti have 
1-proxy selector value check this 
2- check if PFS is enable under phase 2

Highlighted

Hi there, 

1. i will ask to check this value, how should it be configured?.

2. Yes this was checkec in both sides.

 

Regards.-

Highlighted
VIP Mentor

Do you have other side configuration of Fortrinet to verify ?

 

or refer below exmaple :

 

https://weberblog.net/ipsec-site-to-site-vpn-fortigate-cisco-router/

https://forum.fortinet.com/tm.aspx?m=152156

https://kb.fortinet.com/kb/documentLink.do?externalID=10229

 



BB


*** Rate All Helpful Responses ***

Highlighted

Thanks for your reply, i already asked for the Forti Configuration, i don´t know if they are going to share ir with me.

The only thing i did not try is to open the tunnel trhough an interface Tunel. Whay can you say about that?.

 

Highlighted

config vpn ipsec phase1-interface

edit "XRP 2"

set type static

set interface "port2"

set ip-version 4

set ike-version 1

set local-gw 0.0.0.0

set keylife 86400

set authmethod psk

set mode main

set peertype any

set mode-cfg disable

set proposal aes128-sha1

set exchange-interface-ip disable

set localid ''

set localid-type auto

set negotiate-timeout 30

set fragmentation enable

set dpd on-demand

set forticlient-enforcement disable

set comments ''

set npu-offload enable

set dhgrp 14

set suite-b disable

set wizard-type custom

set xauthtype disable

set mesh-selector-type disable

set idle-timeout disable

set ha-sync-esp-seqno enable

set auto-discovery-sender disable

set auto-discovery-receiver disable

set auto-discovery-forwarder disable

set encapsulation none

set nattraversal enable

set remote-gw 64.76.23.59

set monitor ''

set add-gw-route disable

set psksecret ENC DKsMguC4uVzppD2BSRXXEan68St5AHylA4DRAQ/xWp10rwQ7D/dmTE otSgfc4tPAMCynhdf5/4qFS6wqhpzE0+ioDXMkzP+3PPqlJLq8Hi1cjxsj61yHqvGQvb97B2xQ3buyd3 rfzaF+Tcrvp5dJ/kgfzZOjqca7wlQGwaetMBQQFPzynPHI5/bV1tPsBA3Y+RPepA==

set keepalive 10

set auto-negotiate enable

set dpd-retrycount 3

set dpd-retryinterval 20

next

end

 

config vpn ipsec phase2-interface

edit "XRP 2"

set phase1name "XRP 2"

set proposal aes128-sha1

set pfs enable

set dhgrp 5

set replay enable

set auto-negotiate enable

set auto-discovery-sender phase1

set auto-discovery-forwarder phase1

set keylife-type seconds

set encapsulation tunnel-mode

set comments ''

set protocol 0

set src-addr-type subnet

set src-port 0

set dst-addr-type subnet

set dst-port 0

set keylifeseconds 3600

set src-subnet 172.30.240.0 255.255.255.0

set dst-subnet 172.31.238.120 255.255.255.248

next

end

Highlighted
Beginner

Have you seen this thread?

 

https://community.cisco.com/t5/security-documents/l2l-vpn-troubleshooting-quot-ipsec-policy-invalidated-proposal/ta-p/3115635


Possibly time to get packet captures on both ends? I’ve used the Fortigate firewalls and can confirm it should be easy enough for the Fortinet  admin to get a packet capture on their end? If you want to take a packet capture on your Cisco router, refer to the Packet Capture config generator link on the Cisco Tools. Lots of good stuff there.
https://www.cisco.com/c/en/us/support/web/tools-catalog.html

 

How about some of the fundamentals, such as IP routing / any inbound ACL’s permitting their source IP address on UDP 500/4500 if doing NAT-T? 

 

 

Content for Community-Ad