Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Site to Site VPN RV 120W + Fortigate 100A Problem

I'm trying to set up a site-to-site vpn but after many different configuration changes I have concluded that it does not work.

I think the problem is related with a RV120W mal functioning or may be it cannot understand well with the Fortigate.

I have many other site-to-site vpn in this Fortigate with other firewalls and all of then work fine. But with the Cisco RV120W I can not achieve it.

I always have the same error inside the log.

In the Cisco RV120W

2011-11-06 22:31:58: [rv120w][IKE] INFO:  [rv120w][IKE] INFO:  accept a request to establish IKE-SA: REMOTE_WAN_IP
2011-11-06 22:31:58: [rv120w][IKE] INFO:  Configuration found for REMOTE_WAN_IP.
2011-11-06 22:31:58: [rv120w][IKE] INFO:  Initiating new phase 1 negotiation: LOCAL_WAN_IP[500]<=>REMOTE_WAN_IP[500]
2011-11-06 22:31:58: [rv120w][IKE] INFO:  Beginning Identity Protection mode.
2011-11-06 22:31:58: [rv120w][IKE] INFO:   [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3
2011-11-06 22:31:58: [rv120w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 4
2011-11-06 22:31:58: [rv120w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 8
2011-11-06 22:31:58: [rv120w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 9
2011-11-06 22:32:29: [rv120w][IKE] ERROR:  Invalid SA protocol type: 0
2011-11-06 22:32:29: [rv120w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1.
2011-11-06 22:32:58: [rv120w][IKE] ERROR:  Phase 1 negotiation failed due to time up for REMOTE_WAN_IP[500]. 548ab978ab367208:0000000000000000



In the Fortigate log:

1     2011-11-06     22:03:26     notice         negotiate     Responder: parsed (w.x.y.z) main mode message #1 (ERROR)

2     2011-11-06     22:03:26     error           negotiate     Negotiate SA Error: Peer's SA proposal does not match local policy.

I would appreciate any help.

Thanks a lot.

This is the main RV120W configuration I have trying.

RV 120W Version Firmware:           1.0.2.6

Fortigate 100A Version Firmware:    3.0 MR6

IKE Policy Table

Policy Name:                 PolicyName-1

Direction / Type:             Both  

Exchange Mode:            Main  

Local

Identifier Type:                FQDN

Identifier:                        xxx.domain.com 

Remote

Identifier Type:                Remote WAN (Internet) IP   

Identifier:                        -

IKE SA Parameters

Encryption Algorithm:      3DES

Auth. Algorithm:              SHA-1 

Authentication Method:    Pre-Shared Key   

Pre-Shared Key:              xxxxxxxxxxxxxx       

Diffie-Hellman Group:       Group2 (1024 bit) 

SA-Lifetime:                    28800 Seconds  

Dead Peer Detection:       Disabled 

Extended Authentication

XAUTH Type:                   None

VPN Policy Table

Policy Name:                   PolicyName-1

Policy Type:                     Auto Policy 

Remote Endpoint:             IP Address

                                       a.b.c.d

NETBIOS:                        Enabled  

Local Traffic Selection

Local IP:                          Subnet   

Start Address:                  192.168.16.0

Subnet Mask:                   255.255.255.0

Remote Traffic Selection

Remote IP:                       Subnet   

Start Address:                  192.168.0.0

Subnet Mask:                   255.255.255.0

Split DNS                         No

Auto Policy Parameters

SA-Lifetime:                      3600 Seconds

Encryption Algorithm:        3DES   

Integrity Algorithm:            SHA-1  

PFS Key Group:               Enable   

                                       DH-Group 2 (1024 bit) 

Select IKE Policy:             PolicyName-1

[rv120w][IKE] INFO:  accept a request to establish IKE-SA: 195.53.78.226
2011-11-06 22:31:58: [rv120w][IKE] INFO:  Configuration found for 195.53.78.226.
2011-11-06 22:31:58: [rv120w][IKE] INFO:  Initiating new phase 1 negotiation: 88.18.135.149[500]<=>195.53.78.226[500]
2011-11-06 22:31:58: [rv120w][IKE] INFO:  Beginning Identity Protection mode.
2011-11-06 22:31:58: [rv120w][IKE] INFO:   [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3
2011-11-06 22:31:58: [rv120w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 4
2011-11-06 22:31:58: [rv120w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 8
2011-11-06 22:31:58: [rv120w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 9

6 REPLIES
Gold

Site to Site VPN RV 120W + Fortigate 100A Problem

Hi Victor,

Thank you for posting. Make sure that the IKE and VPN policy settings match exactly in both routers. You may also need to change the Exchange Mode to Aggressive instead of Main. Try experimenting with different Encryption Algorithms and Auth. Algorithms. I recently had some issues connecting an RV220W to a WRV210 and after I changed the Encryption Algorithm to AES-192 and the Auth. Algorithm to SHA-1 the tunnel connected and functioned properly.

New Member

Site to Site VPN RV 120W + Fortigate 100A Problem

I have tested every sigle combination between

- Encryption

- Authentication

- DH Group

matching the same configuration in the other site in agressive mode but I always have the same error.

Does "vendorid" involve a restricted interoperable list of  ipsec capable devices?

Thanks a lot.

Gold

Site to Site VPN RV 120W + Fortigate 100A Problem

Hi Victor,

I don't think that the devices are restricted from connecting to any other device from any other vendor but I have seen some customers that were unable to ever establish a connection between a Small Business router and a third party device. We cannot guarantee that the device will work reliably with a third party device but in most cases they connect fine.

New Member

Site to Site VPN RV 120W + Fortigate 100A Problem

Hi Victor,

Could you finally make it work? I´m trying with two identical 120W routers and I am having the same error.

Thanks,

Jaime

New Member

Site to Site VPN RV 120W + Fortigate 100A Problem

Hi,

No yet. I have to update the firmware version in the Fortinet and try again.

But until now, I have solved the problem using two identical 120W. It worked perfectly. I created a symmetrical configuration except for the right remote IP peers.

New Member

Re: Site to Site VPN RV 120W + Fortigate 100A Problem

Victor,

I've found this error could be caused by reachability issues. Double check if the devices are fully capable of reaching all needed destination ports. At this moment,  I still have issues with the pair of rv120. Few quick questions:

- the origin and destination addresses suggested for the software are inverted, aren't they?

- have you used main mode and made it work?

- I'm having a phase 1 issue related to hashing, any related experiences?

Thank you in advance,

Jaime

30337
Views
0
Helpful
6
Replies
CreatePlease login to create content