08-12-2010 04:12 AM
I am trying to establish a VPN tunnel between a Cisco 3030 and a FortiGate firewall.
But in phase 1 itself it throws a debug error:
8635,08/12/2010,11:44:10.900,SEV=8,IKEDBG/79,RPT=254,Proposal # 1 Transform # 1 Type ISAKMP Id IKEParsing received transform: Phase 1 failure against global IKE proposal # 1: Mismatched attr types for class Auth Method: Rcv'd: Preshared Key Cfg'd: XAUTH with Preshared Key (Initiator authenticated)
What exactly does it mean, and how can we resolve this issue?
08-12-2010 04:37 AM
That means that there is no matching proposal (IKE/phase1) that matches between the Fortigate and the Cisco VPN Concentrator.
You would need to check out what has been configured for Fortigate (phase 1 proposal) and match it on the VPN concentrator or vice versa.
08-12-2010 05:16 AM
The concentrator configuration is:
connection type: bi-directional
peer: next peer ip
digital certificate: using pre shared key
certificate transmission: Identity certificate only
authentication: esp/sha/hmac-160
encryption: 3des-168
ike proposal: ike-3des-sha
filter: none
bandwidth policy: none
routing n:none
local lan network list:
remote lan network list:
And the FortiGate configuration is:
authentication method: preshared key
p1 proposal
encryption: 3des
authentication method: sha1
dh group: 2
key life: 86400
xauth: disable
mode: main
peer option: accept any peer
phase 2 configuration
encryption: 3des
authentication method: sha1
key life: seconds 28800
Both configurations are almost the same.
08-12-2010 05:26 AM
To check the exact IKE policy, please go to:
Configuration | Tunneling and Security | IPSec | IKE Proposals, then choose "IKE-3DES-SHA" and modify.
Please check if all the algorithms match (including the group).
08-12-2010 06:29 AM
In the IKE proposal all algorithms match.
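The debug line from the first post names the attribute class that failed and what each side offered, so it can be parsed directly instead of comparing proposals by eye. This is an added example, not part of the thread or any Cisco tool; the function name is hypothetical, the line layout is inferred from the single log line posted above, and the second sample line is constructed.

```python
import re

# Event line layout as seen in the thread:
# seq,date,time,SEV=n,CLASS/event,RPT=n,message
HEADER = re.compile(
    r"^(?P<seq>\d+),(?P<date>[\d/]+),(?P<time>[\d:.]+),"
    r"SEV=(?P<sev>\d+),(?P<event>[A-Z]+/\d+),RPT=(?P<rpt>\d+),(?P<msg>.*)$"
)
# Phase 1 rejection detail carried in the message text.
MISMATCH = re.compile(
    r"Phase 1 failure against global IKE proposal # (?P<proposal>\d+): "
    r"Mismatched attr types for class (?P<attr>[^:]+): "
    r"Rcv'd: (?P<received>.+?) Cfg'd: (?P<configured>.+)$"
)

def parse_phase1_mismatches(lines):
    """Return one dict per Phase 1 attribute mismatch found in the log lines."""
    results = []
    for line in lines:
        head = HEADER.match(line.strip())
        if not head:
            continue  # not an event line in the expected layout
        hit = MISMATCH.search(head["msg"])
        if not hit:
            continue  # event line, but not a Phase 1 attribute mismatch
        results.append({
            "time": head["date"] + " " + head["time"],
            "local_proposal": int(hit["proposal"]),
            "attribute": hit["attr"].strip(),
            "peer_sent": hit["received"].strip(),
            "local_expects": hit["configured"].strip(),
        })
    return results

SAMPLE = [
    # Line quoted from the first post of the thread.
    "8635,08/12/2010,11:44:10.900,SEV=8,IKEDBG/79,RPT=254,Proposal # 1 Transform # 1 Type ISAKMP Id IKEParsing received transform: Phase 1 failure against global IKE proposal # 1: Mismatched attr types for class Auth Method: Rcv'd: Preshared Key Cfg'd: XAUTH with Preshared Key (Initiator authenticated)",
    # Constructed line without mismatch detail; the parser skips it.
    "8636,08/12/2010,11:44:10.910,SEV=8,IKEDBG/79,RPT=255,constructed message with no mismatch detail",
]

if __name__ == "__main__":
    for m in parse_phase1_mismatches(SAMPLE):
        print(f"{m['time']} proposal #{m['local_proposal']}: {m['attribute']}: "
              f"peer sent '{m['peer_sent']}', local expects '{m['local_expects']}'")
```

For the posted line the mismatched class is Auth Method: the peer sent Preshared Key, while the local proposal it was checked against is configured for XAUTH with Preshared Key.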