getting error in phase 1 of vpn tunnel

Aug 12th, 2010
I am trying to establish a VPN tunnel between a Cisco 3030 and a FortiGate firewall.

But in phase 1 itself it throws a debug error:

8635,08/12/2010,11:44:10.900,SEV=8,IKEDBG/79,RPT=254,Proposal # 1  Transform # 1  Type ISAKMP  Id IKEParsing received transform:  Phase 1 failure against global IKE proposal # 1:  Mismatched attr types for class Auth Method:    Rcv'd: Preshared Key    Cfg'd: XAUTH with Preshared Key (Initiator authenticated)

What exactly does it mean, and how can we resolve this issue?

Jennifer Halim Thu, 08/12/2010 - 04:37
User Badges: Cisco Employee

That means that there is no matching proposal (IKE/phase1) that matches between the Fortigate and the Cisco VPN Concentrator.

You would need to check out what has been configured for Fortigate (phase 1 proposal) and match it on the VPN concentrator or vice versa.

prasanthlal Thu, 08/12/2010 - 05:16
The concentrator configuration is:

connection type:bi-directional

peer:next peer ip

digital certificate: using pre shared key

certificate transmission: Identity certificate only

authentication :esp/sha/hmac-160


ike proposal:ike-3des-sha

filter:none

bandwidth policy :none

routing n:none

local lan networklist:

remote lan network list:

And the FortiGate configuration is:

authentication method:preshared key

p1 proposal

encryption:3des

authentication method:sha1

dh group:2

key life:86400

xauth:disable

mode:main

peer option:accept any peer

phase 2 configuration

encryption:3des

authentication method:sha1

key life

Both configurations are almost the same.



Jennifer Halim Thu, 08/12/2010 - 05:26
User Badges: Cisco Employee

To check the exact IKE policy, please go to:

Configuration | Tunneling and Security | IPSec | IKE Proposals: then choose "IKE-3DES-SHA" and modify.

Please check if all the algorithms match (including the group).
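
An added example, not part of the thread or any poster's code: a small parser for the concentrator's phase 1 mismatch messages that pulls out which attribute class failed, what the peer sent, and what the concentrator's IKE proposal expects. It goes beyond the single line in the question by grouping several lines per proposal; the first log line is copied from the question, the other two are constructed, and the function names are hypothetical.

```python
import re

# Log line copied from the first post in this thread.
FROM_THREAD = (
    "8635,08/12/2010,11:44:10.900,SEV=8,IKEDBG/79,RPT=254,Proposal # 1  "
    "Transform # 1  Type ISAKMP  Id IKEParsing received transform:  "
    "Phase 1 failure against global IKE proposal # 1:  "
    "Mismatched attr types for class Auth Method:    Rcv'd: Preshared Key    "
    "Cfg'd: XAUTH with Preshared Key (Initiator authenticated)"
)
# Constructed lines (not from the thread): a second mismatch and unrelated noise.
CONSTRUCTED = [
    "8636,08/12/2010,11:44:10.900,SEV=8,IKEDBG/79,RPT=255,"
    "Phase 1 failure against global IKE proposal # 2:  "
    "Mismatched attr types for class Hash Alg:    Rcv'd: SHA    Cfg'd: MD5",
    "8637,08/12/2010,11:44:10.910,SEV=4,IKE/0,RPT=12,constructed unrelated event",
]

MISMATCH = re.compile(
    r"Phase 1 failure against global IKE proposal # (?P<proposal>\d+):\s+"
    r"Mismatched attr types for class (?P<attr>.+?):\s+"
    r"Rcv'd: (?P<received>.+?)\s+Cfg'd: (?P<configured>.+?)\s*$"
)

def parse_mismatch(line):
    """Return proposal number, attribute class, received and configured values."""
    m = MISMATCH.search(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Group mismatches by the global IKE proposal the offer was tested against."""
    report = {}
    for line in lines:
        hit = parse_mismatch(line)
        if hit:  # lines without a phase 1 mismatch are skipped
            report.setdefault(int(hit["proposal"]), []).append(
                (hit["attr"], hit["received"], hit["configured"]))
    return report

if __name__ == "__main__":
    for num, items in sorted(summarize([FROM_THREAD] + CONSTRUCTED).items()):
        for attr, rcvd, cfgd in items:
            print(f"proposal {num}: align {attr!r}: peer sent {rcvd!r}, "
                  f"concentrator expects {cfgd!r}")
```

For the line in the question, the mismatched class is Auth Method: the peer offered Preshared Key while the proposal is configured for XAUTH with Preshared Key.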

