Site to Site VPN RV 120W + Fortigate 100A Problem

vlatorre.sirasa
Level 1

I'm trying to set up a site-to-site vpn but after many different configuration changes I have concluded that it does not work.

I think the problem is related to an RV120W malfunction, or maybe it cannot interoperate well with the Fortigate.

I have many other site-to-site VPNs on this Fortigate with other firewalls and all of them work fine. But with the Cisco RV120W I cannot achieve it.

I always have the same error inside the log.

In the Cisco RV120W

2011-11-06 22:31:58: [rv120w][IKE] INFO:  [rv120w][IKE] INFO:  accept a request to establish IKE-SA: REMOTE_WAN_IP
2011-11-06 22:31:58: [rv120w][IKE] INFO:  Configuration found for REMOTE_WAN_IP.
2011-11-06 22:31:58: [rv120w][IKE] INFO:  Initiating new phase 1 negotiation: LOCAL_WAN_IP[500]<=>REMOTE_WAN_IP[500]
2011-11-06 22:31:58: [rv120w][IKE] INFO:  Beginning Identity Protection mode.
2011-11-06 22:31:58: [rv120w][IKE] INFO:   [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3
2011-11-06 22:31:58: [rv120w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 4
2011-11-06 22:31:58: [rv120w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 8
2011-11-06 22:31:58: [rv120w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 9
2011-11-06 22:32:29: [rv120w][IKE] ERROR:  Invalid SA protocol type: 0
2011-11-06 22:32:29: [rv120w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1.
2011-11-06 22:32:58: [rv120w][IKE] ERROR:  Phase 1 negotiation failed due to time up for REMOTE_WAN_IP[500]. 548ab978ab367208:0000000000000000



In the Fortigate log:

1  2011-11-06  22:03:26  notice  negotiate  Responder: parsed (w.x.y.z) main mode message #1 (ERROR)
2  2011-11-06  22:03:26  error   negotiate  Negotiate SA Error: Peer's SA proposal does not match local policy.

I would appreciate any help.

Thanks a lot.

This is the main RV120W configuration I have been trying.

RV 120W Version Firmware: 1.0.2.6
Fortigate 100A Version Firmware: 3.0 MR6

IKE Policy Table

Policy Name: PolicyName-1
Direction / Type: Both
Exchange Mode: Main

Local
Identifier Type: FQDN
Identifier: xxx.domain.com

Remote
Identifier Type: Remote WAN (Internet) IP
Identifier: -

IKE SA Parameters
Encryption Algorithm: 3DES
Auth. Algorithm: SHA-1
Authentication Method: Pre-Shared Key
Pre-Shared Key: xxxxxxxxxxxxxx
Diffie-Hellman Group: Group2 (1024 bit)
SA-Lifetime: 28800 Seconds
Dead Peer Detection: Disabled

Extended Authentication
XAUTH Type: None

VPN Policy Table

Policy Name: PolicyName-1
Policy Type: Auto Policy
Remote Endpoint: IP Address a.b.c.d
NETBIOS: Enabled

Local Traffic Selection
Local IP: Subnet
Start Address: 192.168.16.0
Subnet Mask: 255.255.255.0

Remote Traffic Selection
Remote IP: Subnet
Start Address: 192.168.0.0
Subnet Mask: 255.255.255.0

Split DNS: No

Auto Policy Parameters
SA-Lifetime: 3600 Seconds
Encryption Algorithm: 3DES
Integrity Algorithm: SHA-1
PFS Key Group: Enable, DH-Group 2 (1024 bit)
Select IKE Policy: PolicyName-1

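As an added example (not code from the thread or from Cisco/Fortinet), the Python below does the two checks the log points at: it classifies the posted RV120W log to show the failure is in phase 1, before the VPN policy is ever consulted, and it compares the posted RV120W IKE policy against a FortiGate phase 1 whose values are assumed here, since the thread never shows that side.

```python
import re

# Phase 1 (IKE SA) settings exactly as posted for the RV120W in the thread.
RV120W_IKE = {
    "exchange_mode": "main", "encryption": "3des", "hash": "sha1",
    "auth_method": "psk", "dh_group": 2, "lifetime_s": 28800,
    "local_id_type": "fqdn", "remote_id_type": "ip",
}

# Constructed FortiGate phase 1 (assumption: the thread never posts it).
FORTIGATE_PHASE1 = {
    "exchange_mode": "main", "encryption": "3des", "hash": "sha1",
    "auth_method": "psk", "dh_group": 5, "lifetime_s": 28800,
    "local_id_type": "ip", "remote_id_type": "ip",
}

PROPOSAL_KEYS = ("exchange_mode", "encryption", "hash", "auth_method",
                 "dh_group", "lifetime_s")

def compare_phase1(local, peer):
    """Return every phase 1 attribute that differs between the two ends.

    Proposal attributes must be equal on both sides; identifier types are
    checked crosswise, because the peer's "remote" ID type must match our
    "local" ID type and vice versa.
    """
    diffs = {k: (local[k], peer[k]) for k in PROPOSAL_KEYS if local[k] != peer[k]}
    if local["local_id_type"] != peer["remote_id_type"]:
        diffs["local_id_type"] = (local["local_id_type"], peer["remote_id_type"])
    if local["remote_id_type"] != peer["local_id_type"]:
        diffs["remote_id_type"] = (local["remote_id_type"], peer["local_id_type"])
    return diffs

# Lines copied from the log posted above (placeholders kept as posted).
SAMPLE_LOG = [
    "2011-11-06 22:31:58: [rv120w][IKE] INFO:  Initiating new phase 1 negotiation: LOCAL_WAN_IP[500]<=>REMOTE_WAN_IP[500]",
    "2011-11-06 22:32:29: [rv120w][IKE] ERROR:  Invalid SA protocol type: 0",
    "2011-11-06 22:32:29: [rv120w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1.",
    "2011-11-06 22:32:58: [rv120w][IKE] ERROR:  Phase 1 negotiation failed due to time up for REMOTE_WAN_IP[500]. 548ab978ab367208:0000000000000000",
]

LOG_RE = re.compile(r"^(\S+ \S+): \[rv120w\]\[IKE\] (INFO|ERROR):\s+(.*)$")

def failing_phase(log_lines):
    """Return "phase1" if the IKE SA never came up (phase 2 / VPN policy
    settings are then irrelevant), "phase2" if only the IPsec SA failed,
    or "none" if no ERROR line was logged."""
    errors = [m.group(3) for line in log_lines
              if (m := LOG_RE.match(line.strip())) and m.group(2) == "ERROR"]
    if any("Phase 1 negotiation failed" in e for e in errors):
        return "phase1"
    if any("Phase 2 negotiation failed" in e for e in errors):
        return "phase2"
    return "none"
```

With the assumed FortiGate values the comparison flags the DH group and the FQDN-versus-IP identifier type, which are the kind of phase 1 differences that produce "Peer's SA proposal does not match local policy" on the responder.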

6 Replies

mpyhala
Level 7

Hi Victor,

Thank you for posting. Make sure that the IKE and VPN policy settings match exactly in both routers. You may also need to change the Exchange Mode to Aggressive instead of Main. Try experimenting with different Encryption Algorithms and Auth. Algorithms. I recently had some issues connecting an RV220W to a WRV210 and after I changed the Encryption Algorithm to AES-192 and the Auth. Algorithm to SHA-1 the tunnel connected and functioned properly.

I have tested every single combination between

- Encryption

- Authentication

- DH Group

matching the same configuration on the other site in aggressive mode, but I always have the same error.

Does "vendorid" involve a restricted interoperable list of  ipsec capable devices?

Thanks a lot.

Hi Victor,

I don't think that the devices are restricted from connecting to any other device from any other vendor but I have seen some customers that were unable to ever establish a connection between a Small Business router and a third party device. We cannot guarantee that the device will work reliably with a third party device but in most cases they connect fine.

Hi Victor,

Could you finally make it work? I'm trying with two identical 120W routers and I am having the same error.

Thanks,

Jaime

Hi,

Not yet. I have to update the firmware version on the Fortinet and try again.

But until now, I have solved the problem using two identical 120W. It worked perfectly. I created a symmetrical configuration except for the right remote IP peers.

Victor,

I've found this error could be caused by reachability issues. Double check that the devices are fully able to reach all needed destination ports. At this moment, I still have issues with the pair of RV120s. A few quick questions:

- the origin and destination addresses suggested for the software are inverted, aren't they?

- have you used main mode and made it work?

- I'm having a phase 1 issue related to hashing, any related experiences?

Thank you in advance,

Jaime