06-05-2008 01:12 AM - edited 02-21-2020 03:45 PM
Hi All,
I'm having problems with our VPN between a Cisco 2801 and a Fortigate. Basically we (2801) can't bring the tunnel up when we try to initiate a connection. We see send errors increase (and no traffic being encrypted or decrypted), and the following message is logged:
*Jun 5 09:14:55.715: %CRYPTO-6-IKMP_BAD_DOI_NOTIFY: DOI of 0 in notify message from x.x.x.x
We believe this is related to dead peer protection, which is not supported on the 2800 series, so the engineer deactivated DPD on the other end but there was no change.
2801#sh crypto ipsec sa peer x.x.x.x
interface: FastEthernet0/1
Crypto map tag: rtp, local addr y.y.y.y
protected vrf: (none)
local ident (addr/mask/prot/port): (10.3.30.40/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
current_peer x.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 133542, #pkts encrypt: 133542, #pkts digest: 133542
#pkts decaps: 248476, #pkts decrypt: 248476, #pkts verify: 248476
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 79, #recv errors 0
local crypto endpt.: y.y.y.y, remote crypto endpt.: x.x.x.x
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
2801#sh crypto isakmp sa
dst src state conn-id slot status
x.x.x.x y.y.y.y MM_NO_STATE 1 0 ACTIVE (deleted)
Interesting traffic being matched:
Extended IP access list 103
10 permit ip host 10.3.30.40 10.10.10.0 0.0.0.255 (382097 matches)
Here's the config our side:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 5
lifetime 28800
crypto isakmp key aaa address x.x.x.x
crypto ipsec transform-set rtpset3dessha esp-3des esp-sha-hmac
crypto map rtp 5 ipsec-isakmp
description ### AG
set peer x.x.x.x
set security-association lifetime seconds 1800
set transform-set rtpset3dessha
match address 103
access-list 103 remark AG interesting traffic
access-list 103 permit ip host 10.3.30.40 10.10.10.0 0.0.0.255
ip nat inside source route-map nonat interface FastEthernet0/1 overload
access-list 101 deny ip 10.3.0.0 0.0.255.255 10.10.10.0 0.0.0.255
route-map nonat permit 10
match ip address 101
Does anyone have any idea where I'm going wrong??? Any help would be much appreciated.
Many thanks,
J
Also forgot to mention that when the tunnel is initiated from their end we can route traffic normally and access servers their end.
06-05-2008 05:39 AM
For anyone interested, this was fixed by a DH group mismatch on phase 2
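As an added example (not code from the thread), this Python check compares the phase-2 proposal the crypto map in the post would offer against the peer's, and flags the PFS/DH group mismatch that turned out to be the cause. The Cisco lines are the ones quoted in the post; the FortiGate values are constructed, since the thread does not show that side's config.

```python
import re

# Cisco side: the transform set and crypto map lines quoted in the post.
CISCO_CFG = """
crypto ipsec transform-set rtpset3dessha esp-3des esp-sha-hmac
crypto map rtp 5 ipsec-isakmp
 set peer x.x.x.x
 set security-association lifetime seconds 1800
 set transform-set rtpset3dessha
 match address 103
"""

# Peer side: constructed values (the thread does not show the FortiGate config).
# A phase 2 with PFS enabled and DH group 5 is assumed here.
PEER_PHASE2 = {"transforms": {"esp-3des", "esp-sha-hmac"}, "pfs_group": "group5"}


def parse_cisco_phase2(cfg):
    """Return the phase-2 proposal a single crypto-map entry will offer.

    In IOS a crypto map with no 'set pfs' line does not request PFS, so no
    DH group is negotiated in quick mode at all.
    """
    tsets = {}
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M):
        tsets[m.group(1)] = set(m.group(2).split())
    ts_name = re.search(r"^\s*set transform-set (\S+)", cfg, re.M).group(1)
    pfs = re.search(r"^\s*set pfs (\S+)", cfg, re.M)
    return {"transforms": tsets[ts_name], "pfs_group": pfs.group(1) if pfs else None}


def phase2_mismatches(local, peer):
    """List the proposal fields on which quick mode would fail to agree."""
    problems = []
    if local["transforms"] != peer["transforms"]:
        problems.append("transform mismatch: %s vs %s"
                        % (sorted(local["transforms"]), sorted(peer["transforms"])))
    if local["pfs_group"] != peer["pfs_group"]:
        problems.append("PFS DH group mismatch: %s vs %s"
                        % (local["pfs_group"], peer["pfs_group"]))
    return problems


def with_pfs(cfg, group):
    """Add a 'set pfs <group>' line to the crypto map (the fix on the Cisco side)."""
    return cfg.replace(" match address 103", " set pfs %s\n match address 103" % group)


if __name__ == "__main__":
    print(phase2_mismatches(parse_cisco_phase2(CISCO_CFG), PEER_PHASE2))
    print(phase2_mismatches(parse_cisco_phase2(with_pfs(CISCO_CFG, "group5")), PEER_PHASE2))
```

The same mismatch shows up on the router as the `0x0` outbound SPI and the empty SA lists in the `show crypto ipsec sa` output above: phase 1 completes, but no phase-2 SA is ever installed.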
06-05-2008 06:18 AM
Thank you for sharing the solution with everybody :)
Regards
Farrukh