Establishing Site-to-Site VPN between ASA5510 and Fortigate1000A

john.dejesus
Level 1

Hi,

I am trying to establish a Site-to-Site VPN to our customer. I am using an ASA5510 and the customer is using a Fortigate 1000A. The problem that we're having is regarding IKE Phase 2, I think! Cisco debug information indicates "All IPSec SA proposals found unacceptable!" Can someone give some light to solve this problem?

11 Replies

Varinder Singh
Cisco Employee

Hi John,

Can you take debugs of level 255 and paste the debugs right where it says "All IPSec SA proposals found unacceptable"?

You need to match the crypto access list on both ends. Can you verify the settings at the Fortigate end for the crypto access list? The range option in Fortigate does not work with Cisco. Can you send a snapshot of both ends' phase 1 and 2 with the crypto access list?

Thanks,

Varinder

Regards, Varinder P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users

Here it is.

Dec 02 20:51:18 [IKEv1 DEBUG]: Group = 210.24.168.8, IP = 210.24.168.8, processing hash payload

Dec 02 20:51:18 [IKEv1 DEBUG]: Group = 210.24.168.8, IP = 210.24.168.8, processing SA payload

Dec 02 20:51:18 [IKEv1 DEBUG]: Group = 210.24.168.8, IP = 210.24.168.8, processing nonce payload

Dec 02 20:51:18 [IKEv1 DEBUG]: Group = 210.24.168.8, IP = 210.24.168.8, processing ID payload

Dec 02 20:51:18 [IKEv1 DECODE]: Group = 210.24.168.8, IP = 210.24.168.8, ID_IPV4_ADDR_SUBNET ID received--10.21.0.0--255.255.0.0

Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Received remote IP Proxy Subnet data in ID Payload:   Address 10.21.0.0, Mask 255.255.0.0, Protocol 0, Port 0

Dec 02 20:51:18 [IKEv1 DEBUG]: Group = 210.24.168.8, IP = 210.24.168.8, processing ID payload

Dec 02 20:51:18 [IKEv1 DECODE]: Group = 210.24.168.8, IP = 210.24.168.8, ID_IPV4_ADDR_SUBNET ID received--10.177.177.0--255.255.255.0

Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Received local IP Proxy Subnet data in ID Payload:   Address 10.177.177.0, Mask 255.255.255.0, Protocol 0, Port 0

Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, QM IsRekeyed old sa not found by addr

Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Static Crypto Map check, checking map = VPN-MAP, seq = 10...

Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Static Crypto Map check, map = VPN-MAP, seq = 10, ACL does not match proxy IDs src:10.21.0.0 dst:10.177.177.0

Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Static Crypto Map check, checking map = VPN-MAP, seq = 20...

Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Static Crypto Map check, map VPN-MAP, seq = 20 is a successful match

Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, IKE Remote Peer configured for crypto map: VPN-MAP

Dec 02 20:51:18 [IKEv1 DEBUG]: Group = 210.24.168.8, IP = 210.24.168.8, processing IPSec SA payload

Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, All IPSec SA proposals found unacceptable!

Dec 02 20:51:18 [IKEv1 DEBUG]: Group = 210.24.168.8, IP = 210.24.168.8, sending notify message

Dec 02 20:51:18 [IKEv1 DEBUG]: Group = 210.24.168.8, IP = 210.24.168.8, constructing blank hash payload

Dec 02 20:51:18 [IKEv1 DEBUG]: Group = 210.24.168.8, IP = 210.24.168.8, constructing ipsec notify payload for msg id a0425c41

Dec 02 20:51:18 [IKEv1 DEBUG]: Group = 210.24.168.8, IP = 210.24.168.8, constructing qm hash payload

Dec 02 20:51:18 [IKEv1]: IP = 210.24.168.8, IKE_DECODE SENDING Message (msgid=391c082f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

I think the key phrase here is:

Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Static Crypto Map check, map = VPN-MAP, seq = 10, ACL does not match proxy IDs src:10.21.0.0 dst:10.177.177.0

Crypto ACL doesn't match on both sides.

HTH. Please rate if it was helpful.

Crypto map sequence 10 is for a different group and I have different crypto maps. See details below.

Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Static Crypto Map check, checking map = VPN-MAP, seq = 20...

Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Static Crypto Map check, map VPN-MAP, seq = 20 is a successful match
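The reply above and John's correction both hinge on reading the Quick Mode debug: seq 10 rejects the proxy IDs, seq 20 accepts them, and the rejection comes only afterwards, so the crypto ACL is not the failing layer. As an added example (not from the thread, Cisco or Fortinet), a small Python parser over a constructed copy of those debug lines that separates a proxy-ID (crypto ACL) mismatch from a rejected IPsec proposal; the diagnosis wording is the example's own.

```python
import re
import ipaddress

# Constructed sample: five lines trimmed from the ASA "debug crypto isakmp 255"
# output pasted in this thread (IKEv1 Quick Mode, ASA acting as responder).
SAMPLE_DEBUG = """\
Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Received remote IP Proxy Subnet data in ID Payload:   Address 10.21.0.0, Mask 255.255.0.0, Protocol 0, Port 0
Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Received local IP Proxy Subnet data in ID Payload:   Address 10.177.177.0, Mask 255.255.255.0, Protocol 0, Port 0
Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Static Crypto Map check, map = VPN-MAP, seq = 10, ACL does not match proxy IDs src:10.21.0.0 dst:10.177.177.0
Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Static Crypto Map check, map VPN-MAP, seq = 20 is a successful match
Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, All IPSec SA proposals found unacceptable!
"""

PROXY_RE = re.compile(r"Received (remote|local) IP Proxy Subnet data in ID Payload:"
                      r"\s+Address ([\d.]+), Mask ([\d.]+)")
MATCH_RE = re.compile(r"map ([\w-]+), seq = (\d+) is a successful match")
NOMATCH_RE = re.compile(r"map = ([\w-]+), seq = (\d+), ACL does not match")

def parse_quick_mode(debug):
    """Pull the peer's proxy IDs and each crypto-map entry's ACL verdict."""
    result = {"remote": None, "local": None, "matched_seq": None,
              "unmatched_seqs": [], "unacceptable": False}
    for line in debug.splitlines():
        if m := PROXY_RE.search(line):
            # "remote" is the peer's protected network, "local" is ours.
            result[m[1]] = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
        elif m := MATCH_RE.search(line):
            result["matched_seq"] = (m[1], int(m[2]))
        elif m := NOMATCH_RE.search(line):
            result["unmatched_seqs"].append((m[1], int(m[2])))
        elif "All IPSec SA proposals found unacceptable" in line:
            result["unacceptable"] = True
    return result

def diagnose(result):
    """Separate a crypto-ACL (proxy ID) mismatch from a rejected IPsec proposal."""
    if result["matched_seq"] is None:
        return "no crypto map entry matched the proxy IDs: mirror the crypto ACL"
    if result["unacceptable"]:
        seq = result["matched_seq"][1]
        return (f"proxy IDs matched seq {seq}; the rejected part is the IPsec "
                "proposal itself (transform set or PFS group) for that entry")
    return "Quick Mode proposal accepted"

if __name__ == "__main__":
    parsed = parse_quick_mode(SAMPLE_DEBUG)
    print(parsed["remote"], "<->", parsed["local"])
    print(diagnose(parsed))
```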

Ok, you're right. Looking forward...

Would you know someone who has successfully established a VPN between Fortigate and Cisco?

New update.

2   IKE Peer: 210.24.168.8

    Type    : L2L             Role    : initiator

    Rekey   : no              State   : MM_ACTIVE

but after a while it drops. Any info regarding this?

John,

Try to do the following things:

1. Can you disable the keepalives on both ends?

2. Is the crypto access list on the Fortigate of subnet type and not a network range? If it is a range, change it to subnet.

Let me know if it works

Varinder


Where do I disable the keepalives?

I think the command is deprecated. I cannot issue the command in ASA.

Keepalives on ASA are disabled with the following commands (under the tunnel-group for the peer's IP address):

tunnel-group x.x.x.x ipsec-attributes

isakmp keepalive disable

--It is required to be disabled on peer end as well.

Varinder
