Question

IPSEC VPN with Cisco ASA

Contributor
February 23, 2010
I'm trying to set up a VPN with a Cisco ASA. I'm using the following phase 2 settings:

Destination address: 172.29.80.4
Destination port: 80
Protocol: 6

The Fortigate's logging:

1:Intralot:37493080: initiate an SA with selectors: 192.168.3.0/255.255.255.0->172.29.80.4, ports=0/20480, protocol=6/6
1:Intralot: phase1 found
1:Intralot:37493081: received payloads HASH Notif
1:Intralot:37493081: received protected info
1:Intralot:37493081: protocol_id=3, notify_msg=14 (NO_PROPOSAL_CHOSEN), ispi_size=16
1:Intralot:37493081: spi=31b76a76aac42d0a99fcb41509f3ca22
1:Intralot:37493081: Msg=a4

The ASA's logging:

Feb 22 11:33:41 [IKEv1]: Group = 82.175.129.3, IP = 82.175.129.3, Received local Proxy Host data in ID Payload: Address 172.29.80.4, Protocol 6, Port 20480
Feb 22 11:33:41 [IKEv1]: Group = 82.175.129.3, IP = 82.175.129.3, QM IsRekeyed old sa not found by addr
Feb 22 11:33:41 [IKEv1]: Group = 82.175.129.3, IP = 82.175.129.3, Static Crypto Map check, checking map = outside_map, seq = 1...
Feb 22 11:33:41 [IKEv1]: Group = 82.175.129.3, IP = 82.175.129.3, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:192.168.3.0 dst:172.29.80.4

They are expecting port 80 instead of 20480. What am I doing wrong here?
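As an added example (not code from any poster, nor from Fortinet or Cisco), a small Python check that parses the FortiGate selector line from the question and the ASA crypto ACL entry quoted later in the thread, and lists where the initiator's proxy IDs fail to mirror the responder's ACL. It also notes that 20480 is 0x5000, i.e. port 80 (0x0050) with its two bytes exchanged; that is an observation about the numbers, not a confirmed cause.

```python
import re

# Constructed input: the FortiGate selector line and the ASA crypto ACL entry
# exactly as quoted in this thread (not live device output).
FGT_LOG = ("1:Intralot:37493080: initiate an SA with selectors: "
           "192.168.3.0/255.255.255.0->172.29.80.4, ports=0/20480, protocol=6/6")
ASA_ACL = ("access-list mtel_cryptomap line 1 extended permit tcp "
           "host 172.29.80.4 eq www 192.168.3.0 255.255.255.0")

PORT_NAMES = {"www": 80}            # the ASA prints well-known ports by name
PROTO_NAMES = {"tcp": 6, "udp": 17}

def parse_fgt_selector(line):
    """Proxy IDs the FortiGate proposes as initiator: local -> remote."""
    m = re.search(r"selectors: (\S+)->(\S+), ports=(\d+)/(\d+), protocol=(\d+)/", line)
    local, remote, lport, rport, proto = m.groups()
    return {"local": local, "remote": remote, "lport": int(lport),
            "rport": int(rport), "proto": int(proto)}

def parse_asa_acl(line):
    """What the ASA expects, seen from its side: its own host/port and the peer subnet."""
    m = re.search(r"permit (\w+) host (\S+) eq (\S+) (\S+) (\S+)", line)
    proto, host, port, net, mask = m.groups()
    return {"local": host,
            "lport": PORT_NAMES[port] if port in PORT_NAMES else int(port),
            "remote": f"{net}/{mask}",
            "proto": PROTO_NAMES.get(proto, proto)}

def byte_swap16(value):
    """Exchange the two bytes of a 16-bit value: 80 (0x0050) <-> 20480 (0x5000)."""
    return ((value & 0xFF) << 8) | ((value >> 8) & 0xFF)

def compare_selectors(fgt, asa):
    """List every way the initiator's proxy IDs fail to mirror the responder's ACL."""
    problems = []
    if fgt["proto"] != asa["proto"]:
        problems.append(f"protocol {fgt['proto']} != ACL protocol {asa['proto']}")
    if fgt["local"] != asa["remote"]:
        problems.append(f"local subnet {fgt['local']} != ACL destination {asa['remote']}")
    if fgt["remote"] != asa["local"]:
        problems.append(f"remote host {fgt['remote']} != ACL host {asa['local']}")
    if fgt["rport"] != asa["lport"]:
        hint = ""
        if byte_swap16(fgt["rport"]) == asa["lport"]:   # 20480 is 80 with bytes swapped
            hint = f" (byte-swapped form of {asa['lport']})"
        problems.append(f"remote port {fgt['rport']} != ACL port {asa['lport']}{hint}")
    return problems

if __name__ == "__main__":
    for p in compare_selectors(parse_fgt_selector(FGT_LOG), parse_asa_acl(ASA_ACL)):
        print("mismatch:", p)
```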

    7 replies

    rwpatterson
    New Member
    February 23, 2010
    Sounds like your phase 2 selectors (local & remote subnets) aren't the same on each side.
    Contributor
    February 23, 2010
    The other company also has a Fortigate; they tried the exact same configuration and it worked for them. They supplied me with screenshots of phase 1 and 2 and some logging of their ASA:

    Feb 22 12:23:58 [IKEv1]: Group = 195.97.26.99, IP = 195.97.26.99, Received local Proxy Host data in ID Payload: Address 172.29.80.4, Protocol 6, Port 80

    In this case it does show the port as 80 instead of 20480.
    rwpatterson
    New Member
    February 23, 2010
    Your network is different. The local subnet/group will be different for you. Did you change the config before installing it into your unit?
    Contributor
    February 23, 2010
    Yes, I made the necessary changes.
    rwpatterson
    New Member
    February 23, 2010
    The Fortigate's logging:

    1:Intralot:37493080: initiate an SA with selectors: 192.168.3.0/255.255.255.0->172.29.80.4, ports=0/20480, protocol=6/6
    1:Intralot: phase1 found
    1:Intralot:37493081: received payloads HASH Notif
    1:Intralot:37493081: received protected info
    1:Intralot:37493081: protocol_id=3, notify_msg=14 (NO_PROPOSAL_CHOSEN), ispi_size=16
    1:Intralot:37493081: spi=31b76a76aac42d0a99fcb41509f3ca22
    1:Intralot:37493081: Msg=a4

    The ASA's logging:

    Feb 22 11:33:41 [IKEv1]: Group = 82.175.129.3, IP = 82.175.129.3, Received local Proxy Host data in ID Payload: Address 172.29.80.4, Protocol 6, Port 20480
    Feb 22 11:33:41 [IKEv1]: Group = 82.175.129.3, IP = 82.175.129.3, QM IsRekeyed old sa not found by addr
    Feb 22 11:33:41 [IKEv1]: Group = 82.175.129.3, IP = 82.175.129.3, Static Crypto Map check, checking map = outside_map, seq = 1...
    Feb 22 11:33:41 [IKEv1]: Group = 82.175.129.3, IP = 82.175.129.3, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:192.168.3.0 dst:172.29.80.4

    This is where I would start looking... Seems to me both sides have 192.168.3.0 as the local subnet. That's wrong. One side has to be reversed...
    Contributor
    February 24, 2010
    I have gathered some more information. Here's a part of the Cisco ASA configuration:

    access-list mtel_cryptomap; 1 elements
    access-list mtel_cryptomap line 1 extended permit tcp object-group CallCenters_access eq www object-group MTEL_subs log informational interval 300 0x2c34e019
    access-list mtel_cryptomap line 1 extended permit tcp host 172.29.80.4 eq www 192.168.3.0 255.255.255.0 log informational interval 300 (hitcnt=0) 0x085088d1
    crypto map outside_map 2 match address mtel_cryptomap
    crypto map outside_map 2 set peer 82.175.129.3
    crypto map outside_map 2 set transform-set ESP-3DES-SHA
    crypto map outside_map 2 set security-association lifetime seconds 86400

    The person I'm trying to resolve this issue with noted that when he changes the access-list to permit everything, the tunnel does work. So I'm assuming it has something to do with the Fortigate trying port 20480 instead of port 80. Any thoughts?
    Contributor
    February 24, 2010
    I have set up the same VPN on a different Fortigate (different model and firmware). The VPN comes up and I can connect to the host on port 80.

    0:Intralot:115794:Intralot_PH2:1269641: initiator selectors 6 192.168.10.0/255.255.255.0:0->172.29.80.4:80
    rwpatterson
    New Member
    February 24, 2010
    Model is not so important. What are the firmware versions (working and not)?
    emnoc
    New Member
    February 24, 2010
    I never specify the port or protocol in the VPN setup; the firewall rule will handle this. But I would agree that your left/right subnets are messed up.