VPN between cisco 877 fortigate 3000

Hi all!

I am trying to bring up a tunnel between a Cisco 877 and a Fortigate 3000.

On my Cisco I get this error when I try to bring up the tunnel from the Fortigate:

Jun 16 07:21:28.132: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= cisco public IP, remote= fortigate public IP,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Jun 16 07:21:28.132: IPSEC(ipsec_process_proposal): proxy identities not supported
Jun 16 07:21:28.132: ISAKMP:(2051): IPSec policy invalidated proposal with error 32
Jun 16 07:21:28.132: ISAKMP:(2051): phase 2 SA policy not acceptable!

I found that this comes from a policy (ACL) error...

I put this in my Cisco:

access-list 101 permit ip host [cisco public IP] host [fortigate public IP]

I put this in my Fortigate:

firewall -> policy:

[fortigate public IP] [cisco public IP] Action IPSEC VNP_Tunnel my_vpn

That doesn't work! Any suggestions?

In the Fortigate docs I read that the policy should be defined between the LAN behind the Fortigate (source) and the private network behind the Cisco.

What do you think of this?

Thanks

2 REPLIES

Re: VPN between cisco 877 fortigate 3000

1) Your debug screenshot doesn't match your description. You don't tell us which side is the initiator; I suppose the Fortigate.

2) The crypto access-list on the router must permit the inside local addresses on the Cisco site as the source and the inside local addresses of the Fortigate site as the destination. Look up the documentation on how to do that with a Fortigate.

3) Some things look strange to me:

Jun 16 07:21:28.132: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= cisco public IP, remote= fortigate public IP,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Jun 16 07:21:28.132: IPSEC(ipsec_process_proposal): proxy identities not supported
Jun 16 07:21:28.132: ISAKMP:(2051): IPSec policy invalidated proposal with error 32
Jun 16 07:21:28.132: ISAKMP:(2051): phase 2 SA policy not acceptable!

rgds,

mika


Re: VPN between cisco 877 fortigate 3000

1) The initiator is the Fortigate by default, because I configured nothing to choose the initiator.

2) OK, my problem seems to come from here. I tried with all/all or with the public interface.

3) In local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), should I have the local Cisco network?
    In remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), should I have the local Fortigate network?
    In protocol= ESP, transform= NONE  (Tunnel), what should I have here?

Thanks

Alex
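As an added example that is not part of the original thread, here is a matching pair of configurations for the situation described above: mika's point 2 (the crypto ACL must describe the inside networks, not the public peer addresses) and Alex's question 3 about what belongs in local_proxy and remote_proxy. In the IOS debug, local_proxy and remote_proxy are the phase 2 identities (traffic selectors) the Cisco is being asked to accept, local meaning the Cisco side and remote the Fortigate side, written as network/mask/protocol/port; 0.0.0.0/0.0.0.0/0/0 is "any address, any protocol, any port", which is what a Fortigate proposes when its phase 2 quick mode selectors are left at the default 0.0.0.0/0. The Cisco compares those identities against its crypto ACL, and a host-to-host entry on the two public IPs can never match them, hence "proxy identities not supported". The addressing (192.168.1.0/24 behind the Cisco, 10.10.0.0/24 behind the Fortigate), the names (TS, VPNMAP, my_vpn, fgt_lan, cisco_lan), the interface names, the pre-shared key and the AES/SHA-1/group 2 proposals are all assumptions chosen for the example; the two sides only have to agree with each other.

```text
! ---- Cisco 877 (IOS) side ----
! Assumed addressing (not from the thread): 192.168.1.0/24 is the LAN behind
! the Cisco 877, 10.10.0.0/24 is the LAN behind the Fortigate 3000.
! Peer address, pre-shared key and proposals are placeholders; they must
! match the Fortigate phase 1 / phase 2 settings below.
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key <pre-shared-key> address <fortigate public IP>
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Crypto ACL: LAN behind the Cisco (source) -> LAN behind the Fortigate
! (destination). This is what the peer's proxy identities are checked
! against. The host-to-host entry on the public IPs from the original
! post is removed because it never matches the Fortigate's proposal.
no access-list 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.0.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer <fortigate public IP>
 set transform-set TS
 match address 101
!
! WAN interface; Dialer0 is typical on an 877, adjust to your own.
interface Dialer0
 crypto map VPNMAP

# ---- Fortigate 3000 (FortiOS CLI, policy-based VPN) side ----
# Phase 1 must agree with the Cisco isakmp policy and pre-shared key.
config vpn ipsec phase1
    edit "my_vpn"
        set interface "wan1"
        set proposal aes128-sha1
        set dhgrp 2
        set remote-gw <cisco public IP>
        set psksecret <pre-shared-key>
    next
end
# Phase 2 quick mode selectors are the mirror image of the Cisco ACL:
# source = LAN behind the Fortigate, destination = LAN behind the Cisco.
# Leaving them at the default 0.0.0.0/0 is what produced
# local_proxy= 0.0.0.0/0.0.0.0/0/0 in the Cisco debug.
config vpn ipsec phase2
    edit "my_vpn"
        set phase1name "my_vpn"
        set proposal aes128-sha1
        set src-subnet 10.10.0.0 255.255.255.0
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end
# The IPSEC firewall policy is also LAN to LAN, not public IP to public IP.
config firewall address
    edit "fgt_lan"
        set subnet 10.10.0.0 255.255.255.0
    next
    edit "cisco_lan"
        set subnet 192.168.1.0 255.255.255.0
    next
end
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "fgt_lan"
        set dstaddr "cisco_lan"
        set action ipsec
        set schedule "always"
        set service "ANY"
        set inbound enable
        set outbound enable
        set vpntunnel "my_vpn"
    next
end
```

With the selectors mirrored like this, the rejected proposal in the debug should turn into an accepted one whose local_proxy is 192.168.1.0/255.255.255.0/0/0 and whose remote_proxy is 10.10.0.0/255.255.255.0/0/0, and on the Cisco `show crypto ipsec sa` should list the same two networks as local ident and remote ident. If the Fortigate is newer than the one in the thread, its service object is named "ALL" rather than "ANY"; the selector logic is unchanged.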
