New Member

getting error in phase 1 of vpn tunnel

I am trying to establish a VPN tunnel between a Cisco 3030 and a FortiGate firewall.

But in phase 1 itself it throws a debug error:

8635,08/12/2010,11:44:10.900,SEV=8,IKEDBG/79,RPT=254,
Proposal # 1  Transform # 1  Type ISAKMP  Id IKE
Parsing received transform:
  Phase 1 failure against global IKE proposal # 1:
  Mismatched attr types for class Auth Method:
    Rcv'd: Preshared Key
    Cfg'd: XAUTH with Preshared Key (Initiator authenticated)

What exactly does it mean, and how can we resolve this issue?

Cisco Employee

Re: getting error in phase 1 of vpn tunnel

That means that there is no matching proposal (IKE/phase1) that matches between the Fortigate and the Cisco VPN Concentrator.

You would need to check out what has been configured for Fortigate (phase 1 proposal) and match it on the VPN concentrator or vice versa.
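Added example, not part of the original thread and not Cisco's tooling: a small Python parser that pulls the attribute class and the received and configured values out of the concentrator's "Mismatched attr types" debug text, run on the entry from the first post. The function names and the second, wrapped log entry are constructed for illustration.

```python
import re

# Per-attribute failure text from the concentrator's IKEDBG output. Works on a
# run-together single-line entry and on an entry wrapped over several lines.
MISMATCH = re.compile(
    r"Phase 1 failure against global IKE proposal # (?P<proposal>\d+):\s*"
    r"Mismatched attr types for class (?P<attr>[^:]+?):\s*"
    r"Rcv'd:\s*(?P<rcvd>.+?)\s*"
    r"Cfg'd:\s*(?P<cfgd>[^\r\n]+)",
    re.S,
)

def find_mismatches(log_text):
    """Return one dict per rejected proposal: number, attribute, both values."""
    results = []
    for m in MISMATCH.finditer(log_text):
        row = {k: " ".join(v.split()) for k, v in m.groupdict().items()}
        row["proposal"] = int(row["proposal"])
        results.append(row)
    return results

def explain(row):
    """Turn one mismatch into a plain statement of what differs."""
    xauth_local = "XAUTH" in row["cfgd"].upper()
    xauth_peer = "XAUTH" in row["rcvd"].upper()
    if row["attr"] == "Auth Method" and xauth_local and not xauth_peer:
        return "local proposal %d requires XAUTH; the peer offered %r without it" % (
            row["proposal"], row["rcvd"])
    return "proposal %d: %s differs (peer sent %r, local has %r)" % (
        row["proposal"], row["attr"], row["rcvd"], row["cfgd"])

# The debug entry from the first post, written on one line.
THREAD_LINE = (
    "8635,08/12/2010,11:44:10.900,SEV=8,IKEDBG/79,RPT=254,Proposal # 1  "
    "Transform # 1  Type ISAKMP  Id IKEParsing received transform:  "
    "Phase 1 failure against global IKE proposal # 1:  "
    "Mismatched attr types for class Auth Method:    Rcv'd: Preshared Key    "
    "Cfg'd: XAUTH with Preshared Key (Initiator authenticated)"
)
# Constructed sample (not from the thread): a wrapped entry for another attribute.
CONSTRUCTED = (
    "8640 08/12/2010 11:44:10.910 SEV=8 IKEDBG/79 RPT=255\n"
    "Phase 1 failure against global IKE proposal # 2:\n"
    "  Mismatched attr types for class DH Group:\n"
    "    Rcv'd: Oakley Group 2\n    Cfg'd: Oakley Group 1\n"
)

if __name__ == "__main__":
    for row in find_mismatches(THREAD_LINE + "\n" + CONSTRUCTED):
        print(explain(row))
```

For the entry in the first post this reports that proposal 1 on the concentrator is configured for XAUTH with a preshared key while the peer offered a plain preshared key, which is the attribute to compare on both devices.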

New Member

Re: getting error in phase 1 of vpn tunnel

The concentrator configuration is:

connection type:bi-directional

peer:next peer ip

digital certificate: using pre shared key

certificate transmission: Identity certificate only

authentication :esp/sha/hmac-160

ike proposal:ike-3des-sha

filter:none

bandwidth policy :none

routing n:none

local lan networklist:

remote lan network list:

And the FortiGate configuration is:

authentication method: preshared key

p1 proposal

encryption: 3des

authentication method: sha1

dh group: 2

key life: 86400

xauth: disable

mode: main

peer option: accept any peer

phase 2 configuration

encryption: 3des

authentication method: sha1

key life:

Both configurations are almost the same.



Cisco Employee

Re: getting error in phase 1 of vpn tunnel

To check the exact IKE policy, please go to:

Configuration | Tunneling and Security | IPSec | IKE Proposals: then choose "IKE-3DES-SHA" and modify.

Please check that all the algorithms match (including the group).

New Member

Re: getting error in phase 1 of vpn tunnel

In the IKE proposal all algorithms match.