siliconkid
New Member
October 21, 2015
Question

Cisco ASA - Fortigate Site-To-Site IPSec VPN

Hi,

We are trying to establish a site-to site VPN tunnel between a Cisco ASA 5550 Software Version 9.1(5) and a Fortigate device.

The tunnel comes up ok and shows as active :

6   IKE Peer: xxx.xxx.xxx.xxx
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

But no traffic can cross the tunnel. We get the following message:

%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xF5BC3CE4, sequence number= 0x4) from xxx.xxx.xxx (user= xxx.xxx.xxx.xxx) to yyy.yyy.yyy.yyy.  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as zz.zz.zz.zz, its source as mm.mm.mm.mm, and its protocol as icmp.  The SA specifies its local proxy as dd.dd.dd.dd/255.255.255.240/ip/0 and its remote_proxy as mm.mm.mm.mm/255.255.255.255/ip/0.

    1 reply

    emnoc
    New Member
    October 21, 2015

    How do you have the crypto map ACL defined? You need to use specific subnet values on the FortiGate.

    Example (phase2 proxy-ids):

    set src-subnet 172.16.19.0/24    ( local subnet on the FortiGate )
    set dst-subnet 172.16.20.0/24    ( remote network on the Cisco ASA )

    Don't feel bad if you have multiple subnets: just draft multiple phase2-interface entries on the FortiGate. The Cisco uses the ACL, so add the correct subnets that need encryption.

    e.g.

    crypto map EXTERNAL_map0 10 match address ASA2FGTHQ
    crypto map EXTERNAL_map0 10 set peer 1.1.1.1
    crypto map EXTERNAL_map0 10 set ikev1 transform-set ESP-AES-256-SHA
    crypto map EXTERNAL_map0 10 set reverse-route
    crypto map EXTERNAL_map0 interface EXTERNAL

    access-list ASA2FGTHQ extended permit ip 10.20.1.0 255.255.255.0 192.168.254.0 255.255.255.0

    access-list ASA2FGTHQ extended permit ip 10.20.2.0 255.255.255.0 192.168.254.0 255.255.255.0
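The two points made in this thread, that the %ASA-4-402116 message tells you which side of the negotiated proxy IDs the decapsulated packet violates, and that every ASA crypto ACL entry needs a mirrored FortiGate phase2 selector, can be checked mechanically. The script below is an added example, not code from either poster: it parses a 402116 line in the format quoted in the question (addresses are constructed, not the original's), and compares the ACL from the answer with a constructed FortiGate phase2-interface block that only carries one of the two subnets. The FortiGate config uses the CIDR form the answer used for `src-subnet`/`dst-subnet`; the parser also accepts the `address netmask` form.

```python
"""Diagnose IPsec proxy-ID (traffic selector) mismatches between a Cisco ASA and a FortiGate.

Two checks (added example, not from the forum posters):
  1. parse an ASA %ASA-4-402116 syslog line and report which proxy the inner packet violates;
  2. compare ASA crypto-map ACEs with FortiGate phase2 src/dst-subnet selectors and list
     ACEs that have no mirrored selector on the FortiGate (ASA src/dst == FortiGate dst/src).
All sample data below is constructed for this example.
"""
import ipaddress
import re

# Constructed 402116 line; the SA carries a /28 local proxy and a /32 remote proxy,
# and the inner destination 10.20.1.25 falls outside 10.20.1.0/28 (.0-.15).
SAMPLE_LOG = (
    "%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xF5BC3CE4, sequence number= 0x4) "
    "from 203.0.113.10 (user= 203.0.113.10) to 198.51.100.1.  The decapsulated inner packet "
    "doesn't match the negotiated policy in the SA.  The packet specifies its destination as "
    "10.20.1.25, its source as 172.16.19.7, and its protocol as icmp.  The SA specifies its "
    "local proxy as 10.20.1.0/255.255.255.240/ip/0 and its remote_proxy as "
    "172.16.19.7/255.255.255.255/ip/0."
)

# ASA ACL exactly as in the answer above.
SAMPLE_ASA_ACL = """
access-list ASA2FGTHQ extended permit ip 10.20.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list ASA2FGTHQ extended permit ip 10.20.2.0 255.255.255.0 192.168.254.0 255.255.255.0
"""

# Constructed FortiGate side: only one phase2, so the 10.20.2.0/24 ACE has no counterpart.
SAMPLE_FGT_PHASE2 = """
config vpn ipsec phase2-interface
    edit "ASA-HQ-p2"
        set phase1name "ASA-HQ"
        set src-subnet 192.168.254.0/24
        set dst-subnet 10.20.1.0/24
    next
end
"""

ASA_402116_RE = re.compile(
    r"destination as (?P<dst>[\d.]+), its source as (?P<src>[\d.]+), "
    r"and its protocol as (?P<proto>\w+)\.\s+The SA specifies its local proxy as "
    r"(?P<local>\S+) and its remote_proxy as (?P<remote>\S+)\."
)
ACE_RE = re.compile(
    r"access-list\s+\S+\s+extended\s+permit\s+ip\s+"
    r"(?P<src>[\d.]+)\s+(?P<smask>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dmask>[\d.]+)"
)


def parse_proxy(proxy):
    """'10.20.1.0/255.255.255.240/ip/0' -> (IPv4Network, protocol, port)."""
    addr, mask, proto, port = proxy.split("/")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), proto, int(port)


def check_402116(line):
    """Return human-readable mismatch reasons for a 402116 line (empty list = no mismatch)."""
    m = ASA_402116_RE.search(line)
    if not m:
        raise ValueError("not a %ASA-4-402116 message")
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    local_net, local_proto, _ = parse_proxy(m["local"])
    remote_net, _, _ = parse_proxy(m["remote"])
    reasons = []
    # For a *received* ESP packet the inner destination must be inside the ASA's local
    # proxy and the inner source inside the peer's (remote) proxy.
    if dst not in local_net:
        reasons.append(f"inner destination {dst} outside local proxy {local_net}")
    if src not in remote_net:
        reasons.append(f"inner source {src} outside remote proxy {remote_net}")
    if local_proto != "ip" and local_proto != m["proto"]:
        reasons.append(f"inner protocol {m['proto']} not allowed by SA protocol {local_proto}")
    return reasons


def parse_asa_acl(config):
    """Return [(src_net, dst_net), ...] for each 'permit ip' ACE in an ASA config snippet."""
    return [
        (ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False),
         ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False))
        for m in ACE_RE.finditer(config)
    ]


def parse_fgt_phase2(config):
    """Return [(src_net, dst_net), ...] from FortiGate 'set src-subnet'/'set dst-subnet' pairs."""
    selectors, src = [], None
    for line in config.splitlines():
        m = re.match(r"\s*set (src|dst)-subnet (\S+)(?:\s+(\d+(?:\.\d+){3}))?", line)
        if not m:
            continue
        net = ipaddress.ip_network(m[2] if m[3] is None else f"{m[2]}/{m[3]}", strict=False)
        if m[1] == "src":
            src = net
        elif src is not None:
            selectors.append((src, net))
            src = None
    return selectors


def unmatched_aces(asa_aces, fgt_selectors):
    """ASA ACEs whose (src, dst) has no FortiGate phase2 with the mirrored (dst, src)."""
    mirrored = {(dst, src) for src, dst in fgt_selectors}
    return [ace for ace in asa_aces if ace not in mirrored]


if __name__ == "__main__":
    for reason in check_402116(SAMPLE_LOG):
        print("402116:", reason)
    for src, dst in unmatched_aces(parse_asa_acl(SAMPLE_ASA_ACL), parse_fgt_phase2(SAMPLE_FGT_PHASE2)):
        print(f"ASA ACE {src} -> {dst} has no matching FortiGate phase2 (needs src-subnet {dst} dst-subnet {src})")
```

Run against the constructed data it reports the inner destination falling outside the /28 local proxy, and flags the 10.20.2.0/24 ACE as lacking a phase2 on the FortiGate, which is exactly the "one phase2-interface per ACL subnet" fix the answer describes.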