1102 Views, 0 Helpful, 2 Replies

VPN between cisco 877 fortigate 3000

Alex801415
Level 1

Hi all!

I am trying to bring up a tunnel between a Cisco 877 and a FortiGate 3000.

On my Cisco I get this error when I try to bring up the tunnel on the FortiGate:

Jun 16 07:21:28.132: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= cisco public IP, remote= fortigate public IP,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Jun 16 07:21:28.132: IPSEC(ipsec_process_proposal): proxy identities not supported
Jun 16 07:21:28.132: ISAKMP:(2051): IPSec policy invalidated proposal with error 32
Jun 16 07:21:28.132: ISAKMP:(2051): phase 2 SA policy not acceptable!

I found that this comes from a policy (ACL) error...

I put this in my Cisco:

access-list 101 permit ip host [cisco public IP] host [fortigate public IP]

I put this in my FortiGate:

firewall -> policy:

[fortigate public IP] [cisco public IP] Action IPSEC VNP_Tunnel my_vpn

That doesn't work! Any suggestions?

In the FortiGate docs I read that the policy should be made between the LAN behind the FortiGate (source) and the private network behind the Cisco.

What do you think of this?

Thanks

2 Replies

m.kafka
Level 4

1) Your debug screenshot doesn't match your description. You don't tell us which side is the initiator; I suppose the FortiGate.

2) The crypto access-list on the router must permit the inside local addresses on the Cisco site as the source and the inside local addresses of the FortiGate site as the destination. Look up the documentation on how to do that with a FortiGate.

3) Some things look strange to me:

Jun 16 07:21:28.132: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= cisco public IP, remote= fortigate public IP,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Jun 16 07:21:28.132: IPSEC(ipsec_process_proposal): proxy identities not supported
Jun 16 07:21:28.132: ISAKMP:(2051): IPSec policy invalidated proposal with error 32
Jun 16 07:21:28.132: ISAKMP:(2051): phase 2 SA policy not acceptable!

rgds,

mika

1) The initiator is the FortiGate by default, because I configured nothing to choose the initiator.

2) OK, my problem seems to come from here. I tried with all/all or with the public interface.

3) In local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), should I have the local Cisco network?
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), should I have the local FortiGate network?
    protocol= ESP, transform= NONE  (Tunnel), what should I have here?

Thanks

Alex
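The two points the thread turns on, m.kafka's reply that the crypto ACL must carry the private networks on both sides (point 2) and Alex's follow-up question about what local_proxy and remote_proxy should contain (point 3), come down to one rule: when IOS is the responder, the proxy identities the peer proposes must be an exact mirror of one line of the router's crypto ACL, and any difference is what the debug reports as "proxy identities not supported". The script below is an added example written for this page, not code from the thread or from Cisco or Fortinet. It parses the local_proxy/remote_proxy fields out of a constructed copy of the debug output (public addresses replaced with documentation addresses), checks them against a crypto ACL line with that mirror-image rule, and then builds the matching ACL line and FortiGate selector pair from two assumed private networks (10.1.1.0/24 behind the Cisco, 10.2.2.0/24 behind the FortiGate). The FortiGate side is expressed only as a source/destination network pair, since the thread does not show that device's configuration syntax.

```python
import ipaddress
import re

# Constructed sample in the shape of the thread's "debug crypto ipsec" output,
# with the public addresses replaced by RFC 5737 documentation addresses.
SAMPLE_DEBUG = """\
Jun 16 07:21:28.132: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.0.2.1, remote= 198.51.100.1,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
Jun 16 07:21:28.132: IPSEC(ipsec_process_proposal): proxy identities not supported
"""

# The host/host line from the original post (documentation addresses) and the
# LAN-to-LAN line the reply recommends, using assumed private networks.
ACL_PUBLIC_HOSTS = "access-list 101 permit ip host 192.0.2.1 host 198.51.100.1"
ACL_LAN_TO_LAN = "access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255"

# IOS prints each proxy identity as address/mask/protocol/port.
PROXY_RE = re.compile(r"\b(local|remote)_proxy=\s*([\d.]+)/([\d.]+)/(\d+)/(\d+)")


def parse_proxy_ids(debug_text):
    """Return {'local': (network, proto, port), 'remote': (...)} from debug output."""
    found = {}
    for side, addr, mask, proto, port in PROXY_RE.findall(debug_text):
        # ipaddress treats an all-zero mask as a netmask, so 0.0.0.0/0.0.0.0 -> 0.0.0.0/0
        network = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        found[side] = (network, int(proto), int(port))
    return found


def _acl_operand(tokens):
    """Consume one ACL address operand: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    word = tokens.pop(0)
    if word == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if word == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # Cisco wildcard masks are host masks; ipaddress accepts them in mask position.
    return ipaddress.ip_network(f"{word}/{tokens.pop(0)}", strict=False)


def parse_crypto_acl(line):
    """Parse one 'access-list N permit ip <src> <dst>' line into two networks."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2] != "permit" or tokens[3] != "ip":
        raise ValueError("expected 'access-list N permit ip <src> <dst>'")
    rest = tokens[4:]
    src = _acl_operand(rest)
    dst = _acl_operand(rest)
    return src, dst


def proposal_matches_acl(proxy_ids, acl_line):
    """Mirror-image rule for an INBOUND proposal on an IOS responder.

    The peer's local_proxy must equal the ACL source and its remote_proxy the
    ACL destination; IOS (IKEv1) does not narrow a wider proposal to the ACL.
    """
    src, dst = parse_crypto_acl(acl_line)
    return proxy_ids["local"][0] == src and proxy_ids["remote"][0] == dst


def expected_proxy_ids(cisco_lan, fortigate_lan):
    """Build the ACL line and the selector pair both ends must agree on.

    The FortiGate proposes its own LAN as source and the Cisco LAN as
    destination, which is the mirror of the Cisco ACL line returned here.
    """
    c = ipaddress.ip_network(cisco_lan)
    f = ipaddress.ip_network(fortigate_lan)
    acl = (f"access-list 101 permit ip {c.network_address} {c.hostmask} "
           f"{f.network_address} {f.hostmask}")
    fortigate_selectors = {"source": str(f), "destination": str(c)}
    return acl, fortigate_selectors


if __name__ == "__main__":
    ids = parse_proxy_ids(SAMPLE_DEBUG)
    print("peer proposed:", {k: str(v[0]) for k, v in ids.items()})
    for acl in (ACL_PUBLIC_HOSTS, ACL_LAN_TO_LAN):
        verdict = "match" if proposal_matches_acl(ids, acl) else "MISMATCH"
        print(f"{verdict}: {acl}")
    print(expected_proxy_ids("10.1.1.0/24", "10.2.2.0/24"))
```

Run against the sample, both ACL lines are reported as a mismatch, because the FortiGate proposed 0.0.0.0/0 on both sides ("all/all") while the router expects an exact mirror of its ACL entry. The last line prints the pairing that does match: the LAN-to-LAN ACL on the Cisco and, on the FortiGate, 10.2.2.0/24 as source and 10.1.1.0/24 as destination.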