08-12-2010 04:12 AM
I am trying to establish a VPN tunnel between a Cisco 3030 and a FortiGate firewall.
But in phase 1 itself it throws a debug error:
8635,08/12/2010,11:44:10.900,SEV=8,IKEDBG/79,RPT=254,Proposal # 1 Transform # 1 Type ISAKMP Id IKEParsing received transform: Phase 1 failure against global IKE proposal # 1: Mismatched attr types for class Auth Method: Rcv'd: Preshared Key Cfg'd: XAUTH with Preshared Key (Initiator authenticated)
What exactly does it mean, and how can we resolve this issue?
08-12-2010 04:37 AM
That means that there is no matching proposal (IKE/phase1) that matches between the Fortigate and the Cisco VPN Concentrator.
You would need to check out what has been configured for the Fortigate (phase 1 proposal) and match it on the VPN concentrator, or vice versa.
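As an added illustration (not part of the original thread and not Cisco code), the script below parses the debug event quoted in the question and extracts which attribute class failed, along with the received and configured values. The header field names and the second and third log lines are assumptions constructed for the example.

```python
import re

# Line 1 is the event quoted in the thread. Lines 2-3 are constructed in the
# same shape (their values are made up) to show other outcomes.
SAMPLE_LOG = """\
8635,08/12/2010,11:44:10.900,SEV=8,IKEDBG/79,RPT=254,Proposal # 1 Transform # 1 Type ISAKMP Id IKEParsing received transform: Phase 1 failure against global IKE proposal # 1: Mismatched attr types for class Auth Method: Rcv'd: Preshared Key Cfg'd: XAUTH with Preshared Key (Initiator authenticated)
8636,08/12/2010,11:44:10.900,SEV=8,IKEDBG/79,RPT=255,Proposal # 1 Transform # 1 Type ISAKMP Id IKEParsing received transform: Phase 1 failure against global IKE proposal # 2: Mismatched attr types for class Encryption Alg: Rcv'd: Triple-DES Cfg'd: DES-CBC
8637,08/12/2010,11:44:10.910,SEV=9,IKEDBG/0,RPT=12,constructed unrelated debug line
"""

# Field order of the comma-separated header is an assumption read off line 1.
HEADER = ("seq", "date", "time", "severity", "event", "repeat")
MISMATCH = re.compile(
    r"Phase 1 failure against global IKE proposal # (?P<proposal>\d+): "
    r"Mismatched attr types for class (?P<attr>[^:]+): "
    r"Rcv'd: (?P<received>.+?) Cfg'd: (?P<configured>.+)$"
)

def parse_event(line):
    """Return a dict for a phase 1 mismatch event, or None for other lines."""
    parts = line.strip().split(",", len(HEADER))
    if len(parts) != len(HEADER) + 1:
        return None
    m = MISMATCH.search(parts[-1])
    if m is None:
        return None
    event = dict(zip(HEADER, parts))
    event.update(m.groupdict())
    event["proposal"] = int(event["proposal"])
    return event

def rejected_proposals(log):
    """Map each local IKE proposal number to the attribute that ruled it out."""
    result = {}
    for line in log.splitlines():
        ev = parse_event(line)
        if ev:
            result[ev["proposal"]] = (ev["attr"], ev["received"], ev["configured"])
    return result

if __name__ == "__main__":
    for num, (attr, got, want) in sorted(rejected_proposals(SAMPLE_LOG).items()):
        print(f"proposal {num}: {attr}: peer sent {got!r}, local expects {want!r}")
```

For the line from the thread, the extracted class is Auth Method, so that is the attribute to compare on both peers for that proposal.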
08-12-2010 05:16 AM
The concentrator configuration is:
connection type:bi-directional
peer:next peer ip
digital certificate: using pre shared key
certificate transmission: Identity certificate only
authentication :esp/sha/hmac-160
encryption:3des-168
ike proposal:ike-3des-sha
filter:none
bandwidth policy :none
routing n:none
local lan networklist:
remote lan network list:
The FortiGate configuration is:
authentication method: preshared key
p1 proposal
encryption: 3des
authentication method: sha1
dh group: 2
key life: 86400
xauth: disable
mode: main
peer option: accept any peer
phase 2 configuration
encryption: 3des
authentication method: sha1
key life: seconds 28800
Both configurations are almost the same.
08-12-2010 05:26 AM
To check the exact IKE policy, please go to:
Configuration | Tunneling and Security | IPSec | IKE Proposals: then choose "IKE-3DES-SHA" and modify.
Please check if all the algorithms match (including the group).
08-12-2010 06:29 AM
In the IKE proposal all algorithms match.