getting error in phase 1 of vpn tunnel

prasanthlal · ‎08-12-2010

i am trying to establish a vpn tunnel between cisco 3030 and fortigate firewall.

but in phase 1 itself it throws a debug error

8635,08/12/2010,11:44:10.900,SEV=8,IKEDBG/79,RPT=254,Proposal # 1 Transform # 1 Type ISAKMP Id IKEParsing received transform: Phase 1 failure against global IKE proposal # 1: Mismatched attr types for class Auth Method: Rcv'd: Preshared Key Cfg'd: XAUTH with Preshared Key (Initiator authenticated)

in fact what exactly it means and how we can resolve this issue..

Jennifer Halim · ‎08-12-2010

That means that there is no matching proposal (IKE/phase1) that matches between the Fortigate and the Cisco VPN Concentrator.

You would need to check out what has been configured for Fortigate (phase 1 proporsal) and match it on the VPN concentrator or vice versa.

prasanthlal · ‎08-12-2010

in concentrator configuration is:

connection type:bi-directional

peer:next peer ip

digital certificate: using pre shared key

certificate transmission: Identity certificate only

authentication :esp/sha/hmac-160

encryption:3des-168

ike proposal:ike-3des-shafilter:none

bandwidth policy :none

routing n:none

local lan networklist:

remote lan network list:

and fortigate configuration is

authentication methodpreshared keyp1 proposalencyption3desauthentication methodsha1dh group2key life86400xauthdisablemodemainpeer optionaccept any peerphase 2 cnfigarationencyption3desauthentication methodsha1

key life

both configuration is almost same..

seconds

28800

Jennifer Halim · ‎08-12-2010

To check the exact IKE policy, please go to:

Configuration | Tunneling and Security | IPSec | IKE Proposals: then choose "IKE-3DES-SHA" and modify.

Please check if all the algorithm matches (including the group).

prasanthlal · ‎08-12-2010

in IKE proposal all algorithms matches..