jimstumbo
New Member
November 20, 2017
Question

Issues with Fortigate to ASA site to site IPSEC tunnel


We are trying to create an IPSEC tunnel and phase 1 is working just fine.  After phase 1 is negotiated, it does not proceed to phase 2 negotiation.  I have configured phase 2, so it should be negotiating it.  I do not have access to the ASA on the customer side, but they assure me that they have it configured on their end as well.

The last line in a debug is:

    no pending Quick-Mode negotiations


From what I have read, it almost sounds like there is no phase 2 configured?  But there clearly is and it is right there on the UI.  Any idea what this could be?  Anyone know of anything on the customer (ASA) side that might be causing this?


TIA

Jim

    1 reply

    emnoc
    New Member
    November 20, 2017

    Qs: are you using quad 0s (aka 0.0.0.0/0:0) or did you do it right and define src/dst-subnets?


    What is the cfg (FGT)?

    What is the cfg (ASA)?


    Read this blog of mine on FGT-ASA; it was to a 9.1.x and using IKEv1, but the principle still applies for FGT <---2----> ASA:

    http://socpuppet.blogspot.com/2014/05/site-2-site-vpn-fortinet-fortigate-to.html


    jimstumbo (Author)
    New Member
    November 20, 2017

    I am using the actual subnets in the configuration of phase 2.  My side is a /24 and the other side is a single IP address (/32).  I will check out your blog.  I have around 60 VPN tunnels already, most to ASAs on the other side, and I have never run into this problem before.  Everything is configured just like I do all my tunnels, which kind of leads me to believe that there would be something on the other side.  I am the initiator though.  So I would think that at least it would try phase 2 negotiation and just come back and say something about not being able to find a proposal to agree on...


    thanks

    emnoc
    New Member
    November 21, 2017

    You still need to review the settings. Many items keep Ph2 down:

    PFS

    proposals

    proxy-id mismatches

    etc.
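As an added example (not code from this thread or from either vendor), a small Python checker for the three items listed in that reply, run over constructed FortiGate phase2-interface and ASA crypto-map snippets; the sample configs and the `PROPOSALS` name mapping are assumptions, not the poster's configuration.

```python
import ipaddress
import re

# Constructed sample configs (not the poster's). The ASA side is meant to mirror
# the FortiGate phase-2 block, but its PFS group has been set differently.
FGT_PHASE2 = """config vpn ipsec phase2-interface
    edit "toASA"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set src-subnet 10.1.1.0 255.255.255.0
        set dst-subnet 192.168.50.10 255.255.255.255
    next
end"""
ASA_CRYPTO = """access-list VPN_TO_FGT extended permit ip host 192.168.50.10 10.1.1.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-AES256-SHA256 esp-aes-256 esp-sha256-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_FGT
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA256
crypto map OUTSIDE_MAP 10 set pfs group5"""

# FortiOS proposal name -> equivalent ASA transform-set algorithms (assumed mapping, one proposal).
PROPOSALS = {"aes256-sha256": ("esp-aes-256", "esp-sha256-hmac")}

def _net(addr, mask="255.255.255.255"):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_fgt(text):
    """Proxy-IDs, PFS group and proposal from a phase2-interface block."""
    kv = dict(re.findall(r"^\s*set (\S+) (.+?)\s*$", text, re.M))
    return {"src": _net(*kv["src-subnet"].split()), "dst": _net(*kv["dst-subnet"].split()),
            "pfs": kv.get("dhgrp") if kv.get("pfs") == "enable" else None,
            "proposal": PROPOSALS.get(kv["proposal"])}

def parse_asa(text):
    """The same three items from the crypto ACL, transform-set and crypto map."""
    acl = re.search(r"permit ip (host \S+|\S+ \S+) (host \S+|\S+ \S+)", text)
    nets = [_net(*t.split()[1:]) if t.startswith("host") else _net(*t.split())
            for t in acl.groups()]
    ts = re.search(r"transform-set \S+ (\S+) (\S+)$", text, re.M)
    pfs = re.search(r"set pfs group(\d+)", text)
    return {"src": nets[0], "dst": nets[1], "pfs": pfs.group(1) if pfs else None,
            "proposal": ts.groups()}

def phase2_mismatches(fgt, asa):
    """Name the phase-2 items that differ; any one of them keeps Quick Mode down."""
    problems = []
    if fgt["src"] != asa["dst"] or fgt["dst"] != asa["src"]:  # selectors must mirror
        problems.append("proxy-id")
    problems += [k for k in ("pfs", "proposal") if fgt[k] != asa[k]]
    return problems
```

With the samples above the checker reports only `['pfs']`; fixing the ASA entry to `set pfs group14` makes it return an empty list.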