
New Member

Trying to create VPN between a Fortigate and Pix

Here is the Pix config:

sysopt connection permit-ipsec 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set fortinet esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address 85
crypto map outside_map 10 set peer 10.48.4.6
crypto map outside_map 10 set transform-set fortinet
crypto map outside_map 10 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address 90
crypto map outside_map 20 set peer 10.x.x.x
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface EPORT
isakmp enable EPORT
isakmp key ******** address 10.48.4.6 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 10.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800

Here is the output of debug crypto on the Pix:

ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 10.48.5.94, src= 10.48.4.6,
    dest_proxy= 10.74.33.0/255.255.255.0/0/0 (type=4),
    src_proxy= 199.38.8.0/255.255.248.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): peer address 10.48.4.6 not found
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 10.48.5.94, src= 10.48.4.6,
    dest_proxy= 199.38.8.0/255.255.248.0/0/0 (type=4),
    src_proxy= 10.74.33.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): peer address 10.48.5.94 not found
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!

I'm having trouble understanding the debug message and what might be wrong in the settings.

1 REPLY
Cisco Employee

Trying to create VPN between a Fortigate and Pix

Jon,

Can you verify the crypto access list on the Fortinet? I can see that you have configured the crypto access list as a subnet. The Fortinet should also be subnet and not range type.

    dest_proxy= 10.74.33.0/255.255.255.0/0/0 (type=4),

    src_proxy= 199.38.8.0/255.255.248.0/0/0 (type=4)

Type 4 is type subnet.

Let me know.

Regards, Varinder

P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users.
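To make the "peer address not found" lines easier to read against a crypto ACL, here is a small checker I have added to this thread (not from either poster, not a Cisco tool). It parses the dest_proxy/src_proxy identities from the PIX debug quoted above, confirms each is a subnet identity (type=4) as Varinder describes, and compares the pair with the (local, remote) networks of a crypto ACL. Access-list 85 is not shown in the thread, so the ACL entry below is an assumed placeholder picked to show what a mismatch report looks like.

```python
import ipaddress
import re

# Constructed sample: the two proposals from the PIX "debug crypto" output quoted
# in the original post, reduced to the lines this check needs.
DEBUG_OUTPUT = """\
IPSEC(validate_proposal_request): proposal part #1,
    dest_proxy= 10.74.33.0/255.255.255.0/0/0 (type=4),
    src_proxy= 199.38.8.0/255.255.248.0/0/0 (type=4),
IPSEC(validate_transform_proposal): peer address 10.48.4.6 not found
IPSEC(validate_proposal_request): proposal part #1,
    dest_proxy= 199.38.8.0/255.255.248.0/0/0 (type=4),
    src_proxy= 10.74.33.0/255.255.255.0/0/0 (type=4),
IPSEC(validate_transform_proposal): peer address 10.48.5.94 not found
"""

# Assumed crypto ACL for the Fortinet peer as (local, remote) networks; access-list 85
# is not shown on the page, so this entry is a placeholder chosen to show a mismatch.
CRYPTO_ACL_85 = [
    (ipaddress.ip_network("10.74.33.0/24"), ipaddress.ip_network("199.38.8.0/24")),
]

SUBNET_ID_TYPE = 4  # type=4 in the debug is an IPv4 subnet identity
PROXY_RE = re.compile(r"(dest_proxy|src_proxy)=\s*([\d.]+)/([\d.]+)/\d+/\d+\s+\(type=(\d+)\)")


def parse_proposals(debug_text):
    """One dict per validate_proposal_request block: {'dest_proxy': (network, id_type), ...}."""
    proposals, current = [], None
    for line in debug_text.splitlines():
        if "validate_proposal_request" in line:
            current = {}
            proposals.append(current)
            continue
        m = PROXY_RE.search(line)
        if m and current is not None:
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            current[m.group(1)] = (net, int(m.group(4)))
    return proposals


def check_proposal(proposal, acl):
    """Problems found; an empty list means the proxy IDs match one ACL entry exactly."""
    problems = [f"{name} identity type {t} is not subnet (4)"
                for name, (_, t) in proposal.items() if t != SUBNET_ID_TYPE]
    dest, src = proposal["dest_proxy"][0], proposal["src_proxy"][0]
    # The PIX wants dest_proxy == local side and src_proxy == remote side of an entry.
    if not any(dest == local and src == remote for local, remote in acl):
        problems.append(f"no ACL entry with local {dest} and remote {src}")
    return problems
```

Replace CRYPTO_ACL_85 with the real access-list 85 entries and run check_proposal over parse_proposals(DEBUG_OUTPUT); an empty list for a proposal means that proposal's proxy identities would have matched.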