VPN between cisco 877 fortigate 3000

Jun 16th, 2010

Hi all!


I am trying to bring up a tunnel between a Cisco 877 and a FortiGate 3000.

On my Cisco I get this error when I try to bring up the tunnel from the FortiGate:


Jun 16 07:21:28.132: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= cisco public IP, remote= fortigate public IP,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Jun 16 07:21:28.132: IPSEC(ipsec_process_proposal): proxy identities not supported
Jun 16 07:21:28.132: ISAKMP:(2051): IPSec policy invalidated proposal with error 32
Jun 16 07:21:28.132: ISAKMP:(2051): phase 2 SA policy not acceptable!


I found that this comes from a policy (ACL) error...

I put this in my Cisco:

access-list 101 permit ip host [cisco public IP] host [fortigate public IP]


I put this in my FortiGate:

firewall -> policy:

[fortigate public IP] [cisco public IP] Action IPSEC VPN_Tunnel my_vpn


That doesn't work! Any suggestions?

In the FortiGate docs I read that the policy should be defined between the LAN behind the FortiGate (source) and the private network behind the Cisco.

What do you think of this?

Thanks

m.kafka Wed, 06/16/2010 - 05:13

1) Your debug screenshot doesn't match your description. You don't tell us which side is the initiator - I suppose the FortiGate.



2) The crypto access-list on the router must permit the inside local addresses of the Cisco site as the source and the inside local addresses of the FortiGate site as the destination. Look up the documentation on how to do that with a FortiGate.


3) Some things look strange to me:


Jun 16 07:21:28.132: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= cisco public IP, remote= fortigate public IP,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Jun 16 07:21:28.132: IPSEC(ipsec_process_proposal): proxy identities not supported
Jun 16 07:21:28.132: ISAKMP:(2051): IPSec policy invalidated proposal with error 32
Jun 16 07:21:28.132: ISAKMP:(2051): phase 2 SA policy not acceptable!


rgds,


mika
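To make mika's point 2 concrete: the "proxy identities not supported" line in the quoted debug means the responder could not fit the selectors the peer proposed (local_proxy / remote_proxy, here 0.0.0.0/0 on both sides) into any line of its crypto ACL. The script below is an added illustration, not code from this thread or from Cisco or Fortinet: it parses the proxy identities out of IOS debug text of the kind quoted above and checks them against a crypto ACL written as source/destination networks. The addresses (192.0.2.1, 198.51.100.1, 10.1.0.0/24, 10.2.0.0/24) are constructed documentation values, and the matching rule (proposed selectors must be covered by one permit entry, ACL source = router-side selector, ACL destination = peer-side selector) is a simplified model of the IOS check, stated here as an assumption.

```python
import ipaddress
import re

# Constructed sample: the IOS debug lines quoted in the thread, placeholders kept.
DEBUG_LINES = """\
Jun 16 07:21:28.132: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= cisco public IP, remote= fortigate public IP,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
Jun 16 07:21:28.132: IPSEC(ipsec_process_proposal): proxy identities not supported
"""

# Constructed sample of what a correct proposal would look like once the FortiGate
# phase 2 selectors name the inside networks (10.1.0.0/24 behind the Cisco,
# 10.2.0.0/24 behind the FortiGate). Not taken from a real device.
GOOD_PROPOSAL = """\
    local_proxy= 10.1.0.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.2.0.0/255.255.255.0/0/0 (type=4),
"""

# IOS prints proxy identities as address/mask/protocol/port.
PROXY_RE = re.compile(r"(local|remote)_proxy=\s*([\d.]+)/([\d.]+)/(\d+)/(\d+)")


def parse_proxy_ids(text):
    """Return {'local': (network, proto, port), 'remote': (...)} from IOS debug text."""
    ids = {}
    for m in PROXY_RE.finditer(text):
        side, addr, mask, proto, port = m.groups()
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        ids[side] = (net, int(proto), int(port))
    return ids


def acl_entry(src, dst):
    """One 'permit ip <src> <dst>' line of a crypto ACL, as two networks."""
    return (ipaddress.ip_network(src), ipaddress.ip_network(dst))


# The ACL the original poster configured: public host to public host (constructed
# documentation addresses stand in for the real public IPs).
ACL_PUBLIC_HOSTS = [acl_entry("192.0.2.1/32", "198.51.100.1/32")]

# The ACL mika's answer calls for: inside network to inside network.
ACL_INSIDE = [acl_entry("10.1.0.0/24", "10.2.0.0/24")]


def matches_crypto_acl(ids, acl):
    """Simplified model of the IOS responder check (assumption, see lead-in):
    the peer's proposed local selector must be covered by an ACL source and its
    remote selector by the same entry's destination."""
    local_net = ids["local"][0]
    remote_net = ids["remote"][0]
    return any(local_net.subnet_of(src) and remote_net.subnet_of(dst)
               for src, dst in acl)


def diagnose(text, acl):
    """Human-readable verdict for a debug excerpt against a crypto ACL."""
    ids = parse_proxy_ids(text)
    if "local" not in ids or "remote" not in ids:
        return "no proxy identities found in debug output"
    if matches_crypto_acl(ids, acl):
        return "proposal matches crypto ACL"
    wanted = ", ".join(f"{src} -> {dst}" for src, dst in acl)
    return (f"mismatch: peer proposed {ids['local'][0]} <-> {ids['remote'][0]}; "
            f"crypto ACL permits {wanted}")


if __name__ == "__main__":
    print(diagnose(DEBUG_LINES, ACL_PUBLIC_HOSTS))
    print(diagnose(GOOD_PROPOSAL, ACL_INSIDE))
```

Run against the thread's debug excerpt, the first call reports a mismatch (0.0.0.0/0 on both sides is not covered by a host-to-host entry, nor would it be by an inside-to-inside one); the second call, with the constructed inside-network proposal, matches. In IOS terms ACL_INSIDE corresponds to `access-list 101 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255`, and the FortiGate phase 2 selectors would have to name the same two networks mirrored.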

Alex801415 Wed, 06/16/2010 - 09:19

1) The initiator is the FortiGate by default, because I configured nothing to choose the initiator.


2) OK, my problem seems to come from here. I tried with all/all or with the public interface.


3) In local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), should I have the local Cisco network?
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), should I have the local FortiGate network?
    protocol= ESP, transform= NONE  (Tunnel), what should I have here?


Thanks

Alex
