MISLuke
New Contributor

Cisco VPN with fortinet 200B

Hi, I am trying to set up a Cisco VPN client version 5 to communicate with my Fortinet 200B, but I get this error: "negotiation failure ike Negotiate SA Error: ike ike [1074] ike 0:ciscovpn:15: no SA proposal chosen no SA proposal chosen". My phase 1 setup is 3DES-SHA1, group 5, XAuth "enable as server". My phase 2 setup is 3DES-SHA1, group 2, enable replay, enable PFS. Dialup clients are using 192.168.254.1-100 with subnet mask 255.255.255.0, the internal LAN is 192.168.10x.x with subnet mask 255.255.252.0, and the public IP of the firewall is 202.x.x.x; I am able to ping and access HTTPS from the internet to the public IP of the firewall.
Luke Low
emnoc
Esteemed Contributor III

Good luck with that, let us know if you can get it working, but from what I can tell, the Cisco VPN client is proprietary to Cisco devices. Shrew Net, on the other hand, works with no problems. Also, are you 100% sure PFS should be enabled for re-negotiation of the ph2 SA? If this would help, here's how an ASA dynamic-client config looks on my ASA.

crypto dynamic-map remoteaccess 10 set transform-set ESP-AES-192-SHA ESP-AES-128-MD5 ESP-AES-128-SHA ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map remoteaccess 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map remoteaccess 21 set transform-set l2tp-windows-aes128 l2tp-windows-aes192
crypto dynamic-map remoteaccess 22 set transform-set l2tp-windows-aes192
crypto dynamic-map remoteaccess 23 set transform-set l2tp-windows-aes256
crypto map outside_map0 10 set trustpoint fwf50f
crypto map outside_map0 65535 ipsec-isakmp dynamic remoteaccess
crypto map outside_map0 interface outside

If you have any detailed logs from the Cisco VPN client connection, post them as well.

PCNSE 

NSE 

StrongSwan  

ede_pfau
Esteemed Contributor III

Try phase 1 without XAuth first, just PSK. If that works, proceed. You haven't specified the ph2 PFS setting. I would be careful with the ASA example as it allows AES-256. This seems to be broken in one of the latest FortiOS versions (search the forum for it, please). Do you know that the FortiClient IPSec VPN thingy is available for free? Might be a simpler alternative. That is, if you don't already have 5.000 installs out there...

Ede

"Kernel panic: Aiee, killing interrupt handler!"
MISLuke
New Contributor

The reason to use Cisco VPN is to have a common client platform for both Windows & Mac machines. In any case, I was following what was written in the Fortinet technical note on the setup. Below is the diag debug log I had on my 200B. I am using 4.0 MR1 patch 4 build 5029. The client machine IP is 27.54.21.170.

ike 0:ciscovpn: new connection.
ike 0:ciscovpn: check for IP assignment method ...
ike 0:ciscovpn: no IP assignment method defined
ike 0:ciscovpn:15: responder: aggressive mode get 1st message...
ike 0:ciscovpn:15: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 0:ciscovpn:15: XAUTHv6 negotiated
ike 0:ciscovpn:15: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:ciscovpn:15: DPD negotiated
ike 0:ciscovpn:15: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000
ike 0:ciscovpn:15: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:ciscovpn:15: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
ike 0:ciscovpn:15: UNITY support enabled
ike 0:ciscovpn:15: incoming proposal:
ike 0:ciscovpn:15: proposal id = 0:
ike 0:ciscovpn:15: protocol id = ISAKMP:
ike 0:ciscovpn:15: trans_id = KEY_IKE.
ike 0:ciscovpn:15: encapsulation = IKE/none
ike 0:ciscovpn:15: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:ciscovpn:15: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:ciscovpn:15: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:ciscovpn:15: type=OAKLEY_GROUP, val=1024.
ike 0:ciscovpn:15: ISKAMP SA lifetime=2147483
ike 0:ciscovpn:15: proposal id = 0:
ike 0:ciscovpn:15: protocol id = ISAKMP:
ike 0:ciscovpn:15: trans_id = KEY_IKE.
ike 0:ciscovpn:15: encapsulation = IKE/none
ike 0:ciscovpn:15: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:ciscovpn:15: type=OAKLEY_HASH_ALG, val=MD5.
ike 0:ciscovpn:15: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:ciscovpn:15: type=OAKLEY_GROUP, val=1024.
ike 0:ciscovpn:15: ISKAMP SA lifetime=2147483
ike 0:ciscovpn:15: proposal id = 0:
ike 0:ciscovpn:15: protocol id = ISAKMP:
ike 0:ciscovpn:15: trans_id = KEY_IKE.
ike 0:ciscovpn:15: encapsulation = IKE/none
ike 0:ciscovpn:15: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:ciscovpn:15: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:ciscovpn:15: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:ciscovpn:15: type=OAKLEY_GROUP, val=1024.
ike 0:ciscovpn:15: ISKAMP SA lifetime=2147483
ike 0:ciscovpn:15: proposal id = 0:
ike 0:ciscovpn:15: protocol id = ISAKMP:
ike 0:ciscovpn:15: trans_id = KEY_IKE.
ike 0:ciscovpn:15: encapsulation = IKE/none
ike 0:ciscovpn:15: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:ciscovpn:15: type=OAKLEY_HASH_ALG, val=MD5.
ike 0:ciscovpn:15: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:ciscovpn:15: type=OAKLEY_GROUP, val=1024.
ike 0:ciscovpn:15: ISKAMP SA lifetime=2147483
ike 0:ciscovpn:15: proposal id = 0:
ike 0:ciscovpn:15: protocol id = ISAKMP:
ike 0:ciscovpn:15: trans_id = KEY_IKE.
ike 0:ciscovpn:15: encapsulation = IKE/none
ike 0:ciscovpn:15: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:ciscovpn:15: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:ciscovpn:15: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:ciscovpn:15: type=OAKLEY_GROUP, val=1024.
ike 0:ciscovpn:15: ISKAMP SA lifetime=2147483
ike 0:ciscovpn:15: proposal id = 0:
ike 0:ciscovpn:15: protocol id = ISAKMP:
ike 0:ciscovpn:15: trans_id = KEY_IKE.
ike 0:ciscovpn:15: encapsulation = IKE/none
ike 0:ciscovpn:15: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:ciscovpn:15: type=OAKLEY_HASH_ALG, val=MD5.
ike 0:ciscovpn:15: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:ciscovpn:15: type=OAKLEY_GROUP, val=1024.
ike 0:ciscovpn:15: ISKAMP SA lifetime=2147483
ike 0:ciscovpn:15: proposal id = 0:
ike 0:ciscovpn:15: protocol id = ISAKMP:
ike 0:ciscovpn:15: trans_id = KEY_IKE.
ike 0:ciscovpn:15: encapsulation = IKE/none
ike 0:ciscovpn:15: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:ciscovpn:15: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:ciscovpn:15: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:ciscovpn:15: type=OAKLEY_GROUP, val=1024.
ike 0:ciscovpn:15: ISKAMP SA lifetime=2147483
ike 0:ciscovpn:15: my proposal:
ike 0:ciscovpn:15: proposal id = 1:
ike 0:ciscovpn:15: protocol id = ISAKMP:
ike 0:ciscovpn:15: trans_id = KEY_IKE.
ike 0:ciscovpn:15: encapsulation = IKE/none
ike 0:ciscovpn:15: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:ciscovpn:15: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:ciscovpn:15: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:ciscovpn:15: type=OAKLEY_GROUP, val=1536.
ike 0:ciscovpn:15: ISKAMP SA lifetime=28800
ike 0:ciscovpn:15: proposal id = 1:
ike 0:ciscovpn:15: protocol id = ISAKMP:
ike 0:ciscovpn:15: trans_id = KEY_IKE.
ike 0:ciscovpn:15: encapsulation = IKE/none
ike 0:ciscovpn:15: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:ciscovpn:15: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:ciscovpn:15: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:ciscovpn:15: type=OAKLEY_GROUP, val=1536.
ike 0:ciscovpn:15: ISKAMP SA lifetime=28800
ike 0:ciscovpn:15: negotiation failure
ike Negotiate SA Error: ike ike [1074] ike 0:ciscovpn:15: no SA proposal chosen
ike 0:ciscovpn: responder error processing 1st msg from 27.54.21.170
ike 0:ciscovpn: connection expiring due to phase1 down
ike 0:ciscovpn: deleting
ike 0:ciscovpn: flushing
ike 0:ciscovpn: sending SNMP tunnel DOWN trap
ike 0:ciscovpn: flushed
ike 0:ciscovpn: deleted
ede_pfau
Esteemed Contributor III

Hi, IMHO the PFS settings don't match. The client offers 1024 bits (dhgroup=2), the FG offers 1536 bits (dhgroup=5). So they cannot agree.

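As an added example (not code from the thread or from Fortinet), the script below parses FortiGate IKE debug output in the format quoted above, separates the client's incoming transforms from the FortiGate's own proposal, and reports the attributes on which the two sides share no value at all, which is exactly the group 2 versus group 5 mismatch described here. The sample log is constructed and abbreviated from the thread's output, and the DH_GROUP table maps the MODP sizes the FortiGate prints to IKE group numbers (1024 = group 2, 1536 = group 5).

```python
import re
# Constructed sample, abbreviated from the FortiGate IKE debug output quoted in the thread.
SAMPLE_LOG = """\
ike 0:ciscovpn:15: incoming proposal:
ike 0:ciscovpn:15: proposal id = 0:
ike 0:ciscovpn:15: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:ciscovpn:15: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:ciscovpn:15: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:ciscovpn:15: type=OAKLEY_GROUP, val=1024.
ike 0:ciscovpn:15: proposal id = 0:
ike 0:ciscovpn:15: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:ciscovpn:15: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:ciscovpn:15: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:ciscovpn:15: type=OAKLEY_GROUP, val=1024.
ike 0:ciscovpn:15: my proposal:
ike 0:ciscovpn:15: proposal id = 1:
ike 0:ciscovpn:15: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:ciscovpn:15: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:ciscovpn:15: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:ciscovpn:15: type=OAKLEY_GROUP, val=1536.
"""
ATTR_RE = re.compile(r"type=(\w+), val=(\w+)\.")
DH_GROUP = {"768": 1, "1024": 2, "1536": 5, "2048": 14}  # MODP size in bits -> IKE DH group

def parse_proposals(log):
    """Split the debug output into (peer_transforms, local_transforms), one dict per transform."""
    peer, local, current = [], [], None
    for line in log.splitlines():
        if "incoming proposal" in line:
            current = peer
        elif "my proposal" in line:
            current = local
        elif current is not None and "proposal id" in line:
            current.append({})  # every "proposal id" line starts a new transform
        elif current and (m := ATTR_RE.search(line)):
            current[-1][m.group(1)] = m.group(2)
    return peer, local

def explain_mismatch(peer, local):
    """{} if a peer transform equals a local one, else {attr: (peer values, local values)} for attributes with no common value."""
    if any(p == l for p in peer for l in local):
        return {}
    attrs = sorted({k for t in peer + local for k in t})
    return {a: (sorted({p[a] for p in peer if a in p}), sorted({l[a] for l in local if a in l}))
            for a in attrs if not {p.get(a) for p in peer} & {l.get(a) for l in local}}

def report(log):
    name = lambda v: f"{v} (DH group {DH_GROUP[v]})" if v in DH_GROUP else v  # label group sizes
    return [f"{a}: client offers {[name(v) for v in pv]}, FortiGate offers {[name(v) for v in lv]}"
            for a, (pv, lv) in explain_mismatch(*parse_proposals(log)).items()]
```

Running `report(SAMPLE_LOG)` names only OAKLEY_GROUP as the conflict; with the FortiGate side changed to group 2 the same transforms match and the report is empty.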
MISLuke
New Contributor

I set both DH groups to 2 and below are the log entries; the client IP address is 113.10.105.239.

ike 0: comes 113.10.105.239:2524->202.x.x.x:500,ifindex=13....
ike 0: IKEv1 exchange=Aggressive id=fc258a8dd5cdae4d/0000000000000000 len=853
ike 0:ciscovpn: new connection.
ike 0:ciscovpn: check for IP assignment method ...
ike 0:ciscovpn: no IP assignment method defined
ike 0:ciscovpn:42: responder: aggressive mode get 1st message...
ike 0:ciscovpn:42: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 0:ciscovpn:42: XAUTHv6 negotiated
ike 0:ciscovpn:42: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:ciscovpn:42: DPD negotiated
ike 0:ciscovpn:42: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000
ike 0:ciscovpn:42: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:ciscovpn:42: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
ike 0:ciscovpn:42: UNITY support enabled
ike 0:ciscovpn:42: negotiation result
ike 0:ciscovpn:42: proposal id = 1:
ike 0:ciscovpn:42: protocol id = ISAKMP:
ike 0:ciscovpn:42: trans_id = KEY_IKE.
ike 0:ciscovpn:42: encapsulation = IKE/none
ike 0:ciscovpn:42: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:ciscovpn:42: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:ciscovpn:42: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:ciscovpn:42: type=OAKLEY_GROUP, val=1024.
ike 0:ciscovpn:42: ISKAMP SA lifetime=28800
ike 0:ciscovpn:42: selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02\n
ike 0:ciscovpn:42: put connection to natt list...ip=113.10.105.239.
ike 0:ciscovpn:42: cookie fc258a8dd5cdae4d/48fa5870ba461729
ike 0:ciscovpn:42: sent IKE msg (agg_r1send): 202.x.x.x:500->113.10.105.239:2524, len=392
ike 0:ciscovpn:42: sent IKE msg (P1_RETRANSMIT): 202.x.x.x:500->113.10.105.239:2524, len=392
ike 0: comes 113.10.105.239:2524->202.x.x.x:500,ifindex=13....
ike 0: IKEv1 exchange=Informational id=fc258a8dd5cdae4d/48fa5870ba461729 len=56
ike 0:ciscovpn: Incoming 113.10.105.239, my:113.10.105.239.
ike 0:ciscovpn: got conn from natt list, 202.x.x.x->113.10.105.239:2524.
ike 0:ciscovpn:42: ignoring unsupported INFORMATIONAL message 0.
ike 0: comes 113.10.105.239:2524->202.x.x.x:500,ifindex=13....
ike 0: IKEv1 exchange=Informational id=fc258a8dd5cdae4d/48fa5870ba461729 len=56
ike 0: found ciscovpn 202.x.x.x 13 -> 113.10.105.239:2524
ike 0:ciscovpn:42: ignoring unsupported INFORMATIONAL message 0.
ike 0:ciscovpn:42: sent IKE msg (P1_RETRANSMIT): 202.x.x.x:500->113.10.105.239:2524, len=392
ike 0:ciscovpn:42: sent IKE msg (P1_RETRANSMIT): 202.x.x.x:500->113.10.105.239:2524, len=392
Carl_Wallmark
Valued Contributor

Here is a KB article about setting up the FortiGate for the Cisco VPN client: http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30166&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=10769391&stateId=0 0 10767886

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

emnoc
Esteemed Contributor III

So if the Cisco VPN client works with the FortiGate, how about the other way around? Does FortiClient work with Cisco ASA or IOS routers? Just curious.


Carl_Wallmark
Valued Contributor

Well yes, I have not tried it, but you need to install FortiClient with a switch, then FortiClient will support Cisco Unity. Check this: http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD32514&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=10887644&stateId=0 0 10889654


ede_pfau
Esteemed Contributor III

Very nice! It says: "msiexec /i FortiClient.msi IKEVENDORID=CISCO-UNITY", i.e. you need the .msi format download, not the .exe as usual.
