1) Your debug screenshot doesn't match your description. You don't tell us which side is the initiator - I suppose the fortigate.
2) The crypto access-list on the router must permit the inside local addresses on the Cisco site as a source and the inside local addresses of the fortigate site as a destination. Look up the documentation on how to do that with a fortigate.
3) some things look strange to me:
Jun 16 07:21:28.132: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= cisco public IP, remote= fortigate public IP, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), protocol= ESP, transform= NONE (Tunnel), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Jun 16 07:21:28.132: IPSEC(ipsec_process_proposal): proxy identities not supported
Jun 16 07:21:28.132: ISAKMP:(2051): IPSec policy invalidated proposal with error 32
Jun 16 07:21:28.132: ISAKMP:(2051): phase 2 SA policy not acceptable!
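To see why the router rejects the proposal, here is an added example (not from the thread or either vendor) that parses the proxy identities out of the IOS debug output and compares them with an assumed crypto ACL; the peer addresses and the ACL subnets are placeholders I made up for the demonstration.

```python
import ipaddress
import re

# Constructed sample of the router debug lines quoted above; the public
# addresses are documentation placeholders, not the real peers.
DEBUG_LOG = """\
Jun 16 07:21:28.132: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 192.0.2.1, remote= 198.51.100.1, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), protocol= ESP, transform= NONE (Tunnel), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Jun 16 07:21:28.132: IPSEC(ipsec_process_proposal): proxy identities not supported
"""

# Assumed crypto ACL on the router: (inside net behind Cisco, inside net behind FortiGate).
CRYPTO_ACL = [(ipaddress.ip_network("10.1.0.0/24"), ipaddress.ip_network("10.2.0.0/24"))]

# local_proxy= addr/mask/protocol/port (type=4 means an IPv4 subnet selector)
PROXY_RE = re.compile(r"(local|remote)_proxy= ([\d.]+)/([\d.]+)/(\d+)/(\d+) \(type=(\d+)\)")

def parse_proxies(log):
    """Return one dict per validate_proposal_request line with the peer's
    proposed 'local' and 'remote' selectors as networks plus 'protocol'."""
    proposals = []
    for line in log.splitlines():
        if "validate_proposal_request" not in line:
            continue
        found = {}
        for side, addr, mask, proto, _port, _typ in PROXY_RE.findall(line):
            found[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            found["protocol"] = int(proto)
        if "local" in found and "remote" in found:
            proposals.append(found)
    return proposals

def diagnose(log, acl):
    """Classify each proposal against the crypto ACL. IOS accepts the peer's
    phase 2 selectors only when they mirror an ACL entry exactly:
    local_proxy == ACL source and remote_proxy == ACL destination."""
    findings = []
    for p in parse_proxies(log):
        if any(p["local"] == src and p["remote"] == dst for src, dst in acl):
            findings.append("ok")
        elif p["local"].prefixlen == 0 or p["remote"].prefixlen == 0:
            # Peer sent 0.0.0.0/0: its phase 2 selectors were left at 'all'
            findings.append("wildcard")
        else:
            findings.append("mismatch")
    return findings
```

A "wildcard" result is exactly the situation in the debug above: the FortiGate proposed 0.0.0.0/0 on both sides, so nothing in the crypto ACL matches and the router answers "proxy identities not supported".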
1) The initiator is the fortigate by default because I configured nothing to choose the initiator.
2) OK, my problem seems to come from here. I tried with all all or with the public interface.
3) In local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), should I have the local Cisco network? In remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), should I have the local fortigate network? For protocol= ESP, transform= NONE (Tunnel), what should I have here?