Trying to create VPN between a Fortigate and Pix

jonnythan
Level 1

Here is the Pix config:

sysopt connection permit-ipsec 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set fortinet esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address 85
crypto map outside_map 10 set peer 10.48.4.6
crypto map outside_map 10 set transform-set fortinet
crypto map outside_map 10 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address 90
crypto map outside_map 20 set peer 10.x.x.x
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface EPORT
isakmp enable EPORT
isakmp key ******** address 10.48.4.6 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 10.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800

Here is the output of debug crypto on the Pix:

ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 10.48.5.94, src= 10.48.4.6,
    dest_proxy= 10.74.33.0/255.255.255.0/0/0 (type=4),
    src_proxy= 199.38.8.0/255.255.248.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): peer address 10.48.4.6 not found
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 10.48.5.94, src= 10.48.4.6,
    dest_proxy= 199.38.8.0/255.255.248.0/0/0 (type=4),
    src_proxy= 10.74.33.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): peer address 10.48.5.94 not found
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!

I'm having trouble understanding the debug message and what might be wrong in the settings.


Varinder Singh
Cisco Employee

Jon,

Can you verify the crypto access list on Fortinet? I can see that you have configured the crypto access list as subnet. Fortinet should also be subnet and not range type.

    dest_proxy= 10.74.33.0/255.255.255.0/0/0 (type=4),
    src_proxy= 199.38.8.0/255.255.248.0/0/0 (type=4)

type 4 is type subnet

let me know

Regards,
Varinder

P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users
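An added example, not from the post or from Cisco: a small Python parser for the IPSEC(validate_proposal_request) lines quoted above that reads both proxy identities and their ISAKMP ID type (4 = subnet), then checks each proposal part against the crypto ACL. The post does not show access-list 85, so ASSUMED_ACL_85 is an assumption, as is the sample debug text, which is constructed from the lines in the question.

```python
import ipaddress
import re

# Constructed sample: the two proposal parts from the "debug crypto" output quoted in the post.
SAMPLE_DEBUG = """\
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 10.48.5.94, src= 10.48.4.6,
    dest_proxy= 10.74.33.0/255.255.255.0/0/0 (type=4),
    src_proxy= 199.38.8.0/255.255.248.0/0/0 (type=4),
IPSEC(validate_transform_proposal): peer address 10.48.4.6 not found
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 10.48.5.94, src= 10.48.4.6,
    dest_proxy= 199.38.8.0/255.255.248.0/0/0 (type=4),
    src_proxy= 10.74.33.0/255.255.255.0/0/0 (type=4),
IPSEC(validate_transform_proposal): peer address 10.48.5.94 not found
"""

# Assumed contents of access-list 85 (the crypto ACL for peer 10.48.4.6); the post does not show it.
# One tuple per permit line: (network behind this PIX, network behind the peer).
ASSUMED_ACL_85 = [("10.74.33.0/24", "199.38.8.0/21")]

# ISAKMP identification types as they appear in the debug: 1 = address, 4 = subnet, 7 = range.
ID_TYPE_NAMES = {1: "address", 4: "subnet", 7: "range"}
PROXY_RE = re.compile(r"(dest|src)_proxy= ([\d.]+)/([\d.]+)/\d+/\d+ \(type=(\d+)\)")

def parse_proposals(debug_text):
    """One dict per 'validate_proposal_request' block holding the parsed proxy identities.
    On the responding PIX (dest= is its own address) dest_proxy is the PIX-side network."""
    proposals = []
    for line in debug_text.splitlines():
        if "validate_proposal_request" in line:
            proposals.append({})
        m = PROXY_RE.search(line)
        if m and proposals:
            side, addr, mask, id_type = m.groups()
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            proposals[-1][side] = {"net": net, "type": int(id_type)}
    return proposals

def check_proposal(proposal, acl):
    """Explain why a proposal part would or would not match the crypto ACL."""
    local, remote = proposal["dest"], proposal["src"]
    for key, ident in (("dest", local), ("src", remote)):
        if ident["type"] != 4:
            kind = ID_TYPE_NAMES.get(ident["type"], str(ident["type"]))
            return f"{key}_proxy is a {kind} identity, not a subnet; fix the selector on the peer"
    for pix_side, peer_side in acl:
        if local["net"] == ipaddress.ip_network(pix_side) and remote["net"] == ipaddress.ip_network(peer_side):
            return "match"
    return f"no ACL line pairs PIX-side {local['net']} with peer-side {remote['net']}"
```

Run check_proposal over each result of parse_proposals: with the assumed ACL the first part matches and the reversed second part does not, which is the kind of mismatch the reply asks the poster to look for on the Fortinet side.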