02-10-2012 11:37 AM
Here is the Pix config:
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set fortinet esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address 85
crypto map outside_map 10 set peer 10.48.4.6
crypto map outside_map 10 set transform-set fortinet
crypto map outside_map 10 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address 90
crypto map outside_map 20 set peer 10.x.x.x
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface EPORT
isakmp enable EPORT
isakmp key ******** address 10.48.4.6 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 10.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
Here is the output of debug crypto on the Pix:
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 10.48.5.94, src= 10.48.4.6,
dest_proxy= 10.74.33.0/255.255.255.0/0/0 (type=4),
src_proxy= 199.38.8.0/255.255.248.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): peer address 10.48.4.6 not found
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 10.48.5.94, src= 10.48.4.6,
dest_proxy= 199.38.8.0/255.255.248.0/0/0 (type=4),
src_proxy= 10.74.33.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): peer address 10.48.5.94 not found
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
I'm having trouble understanding the debug message and what might be wrong in the settings.
02-10-2012 06:11 PM
Jon,
Can you verify the crypto access list on Fortinet? I can see that you have configured the crypto access list as subnet. Fortinet should also be subnet and not range type:
dest_proxy= 10.74.33.0/255.255.255.0/0/0 (type=4),
src_proxy= 199.38.8.0/255.255.248.0/0/0 (type=4)
type 4 is type subnet.
Let me know.
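As an added example that is not part of either post: a small Python script that parses the validate_proposal_request lines from the debug output above and checks the peer's proxy IDs (the type=4 subnets the reply refers to) against the PIX's crypto access list, reporting which selector differs. access-list 85 is not shown in the thread, so the ACL entry used here is a constructed, hypothetical one.

```python
import re
import ipaddress

# RFC 2407 ID types shown as "(type=N)": 4 is the subnet form the reply refers to, 7 a range.
ID_TYPES = {1: "address", 4: "subnet", 7: "range"}
PROXY_RE = re.compile(r"(?P<side>dest|src)_proxy= (?P<net>[\d.]+)/(?P<mask>[\d.]+)/\d+/\d+ \(type=(?P<type>\d+)\)")
PART_RE = re.compile(r"proposal part #\d+")

# The proxy lines from the debug above. access-list 85 is not shown in the post, so the
# entry below is a constructed, hypothetical one with a deliberately wrong remote mask.
DEBUG = """IPSEC(validate_proposal_request): proposal part #1,
dest_proxy= 10.74.33.0/255.255.255.0/0/0 (type=4),
src_proxy= 199.38.8.0/255.255.248.0/0/0 (type=4),
IPSEC(validate_proposal_request): proposal part #1,
dest_proxy= 199.38.8.0/255.255.248.0/0/0 (type=4),
src_proxy= 10.74.33.0/255.255.255.0/0/0 (type=4),"""

def acl_entry(local, remote):
    """One 'permit ip local remote' line of the PIX crypto ACL as a pair of networks."""
    return (ipaddress.ip_network(local), ipaddress.ip_network(remote))

ACL_85 = [acl_entry("10.74.33.0/24", "199.38.8.0/22")]  # hypothetical, see comment above

def parse_proposals(debug_text):
    """Group the debug lines into one dict per 'proposal part' block."""
    proposals = []
    for line in debug_text.splitlines():
        if PART_RE.search(line):
            proposals.append({})
        elif proposals and (m := PROXY_RE.search(line)):
            net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
            proposals[-1][m["side"]] = (net, ID_TYPES.get(int(m["type"]), "other"))
    return proposals

def check_proposal(prop, acl):
    """The PIX is the responder: dest_proxy is its local network, src_proxy the peer's.
    Return 'match' or a short diagnostic naming the selector that differs."""
    (local, ltype), (remote, rtype) = prop["dest"], prop["src"]
    if ltype != "subnet" or rtype != "subnet":
        return f"non-subnet proxy id (dest={ltype}, src={rtype})"
    if (local, remote) in acl:
        return "match"
    if (remote, local) in acl:
        return "proxy ids reversed relative to the ACL"
    for acl_local, acl_remote in acl:
        if local == acl_local:
            return f"remote mismatch: peer sent {remote}, ACL has {acl_remote}"
        if remote == acl_remote:
            return f"local mismatch: peer sent {local}, ACL has {acl_local}"
    return f"no ACL entry for {local} <-> {remote}"

def diagnose(debug_text, acl):
    return [check_proposal(p, acl) for p in parse_proposals(debug_text)]
```

Run diagnose(DEBUG, ACL_85) to see one line per proposal; a Fortinet selector of range type would show up as type=7 and be reported as a non-subnet proxy id before any ACL comparison.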