Support Forum
MISLuke
New Contributor

Cisco VPN with fortinet 200B

Hi, I am trying to set up a Cisco VPN client version 5 to communicate with my Fortinet 200B, but I get this error: "negotiation failure ike Negotiate SA Error: ike ike [1074] ike 0:ciscovpn:15: no SA proposal chosen no SA proposal chosen". My phase 1 setup is 3DES-SHA1, group 5, xauth "enable as server". My phase 2 setup is 3DES-SHA1, group 2, enable replay, enable pfs. Dialup clients are using 192.168.254.1-100 with subnet mask 255.255.255.0; the internal LAN is 192.168.10x.x with subnet mask 255.255.252.0. The public IP of the firewall is 202.x.x.x, and I am able to ping and access HTTPS from the internet to the public IP of the firewall.
Luke Low
22 REPLIES
MISLuke
New Contributor

Hi all, I managed to get the Cisco VPN to work with the Fortinet 200B. The reason is there was port forwarding done at my router end to the public IP of the firewall for UDP ports 500 & 4500, so once I removed it, all was back to normal. The dialup client range also changed from 192.168.254.0/24 to 192.168.253.0/24. Now I have another problem. The user can get a DHCP address of, say, 192.168.253.1 but cannot communicate/ping with my internal network though a policy has been opened for it to do so. Any ideas on this?
Luke Low
ede_pfau
SuperUser

Without information about your routes etc. it's guessing time again; I'd guess the router routes the .253 out to the internet instead of into the tunnel. What does a traceroute give? What does the routing table look like ('get router info routing all')?

Ede

"Kernel panic: Aiee, killing interrupt handler!"
MISLuke
New Contributor

I ran 'get router info routing-table all' and it shows 192.168.253.1 is directly connected to the Cisco VPN interface. When I run a tracert to 192.168.104.x it just shows time out. If I ping 192.168.104.x, it also times out. My firewall policy is set to allow all from 192.168.253.0/24 to 192.168.104.0/22 via the Cisco VPN interface & another to return from 192.168.104.0/22 to 192.168.253.0. The only thing I did not set on the iphase1-interface for the Cisco VPN is the gateway and ipv4-split-include. Are these important? The split tunnelling may be important, but it's more important for me to be able to ping/access the internal network first.
Luke Low
ede_pfau
SuperUser

So to clarify: 192.168.253.1 is the remote client using the Cisco VPN client software, trying to reach the 192.168.104.0/22 subnet = your LAN? Can you show me the policy, please? If you sniff on the tunnel end, do you see the pings coming? If you sniff on the internal interface, do you see the pings coming? If you do, do you see the replies coming on the internal interface? ...you get the idea?...

Ede

"Kernel panic: Aiee, killing interrupt handler!"
MISLuke
New Contributor

192.168.253.1 is the IP address that the Cisco VPN client got from the Fortinet 200B after it successfully connected to the Cisco VPN tunnel. The policy you are referring to is the firewall policy or the iphase configuration? OK, on the sniff side, can you share the command with me?
Luke Low
ede_pfau
SuperUser

I meant the policy allowing the traffic from the tunnel end into the internal LAN. You use the built-in sniffer on the CLI with "diag sniffer packet <interfacename> <protocol> <debug level>"; in your case:
diag sniffer packet VPNinterface icmp 4
diag sniffer packet internal1 icmp 4
for both queries and replies. If you don't see anything, try:
diag sniffer packet any icmp 4

Ede

"Kernel panic: Aiee, killing interrupt handler!"
Carl_Wallmark
Valued Contributor

Don't forget to turn "fastpath-sniffer" on if you are using an NPU interface, otherwise you won't see much in the sniffer!

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

MISLuke
New Contributor

OK, noted. I am outstation at the moment, so I will present the result tomorrow once I'm in the office to get the sniff entries. My interfaces are all not NPU, so I don't think I need to run the 'fastpath-sniffer'.
Luke Low
MISLuke
New Contributor

I ran the sniffer and below is part of the log:

FGT-200B # diag sniffer packet ciscovpn_0 none 4
interfaces=[ciscovpn_0]
filters=[none]
pcap_lookupnet: ciscovpn_0: no IPv4 address assigned
6.511992 ciscovpn_0 -- 192.168.253.1 -> 192.168.104.5: icmp: echo request
6.512085 ciscovpn_0 -- 192.168.103.2 -> 192.168.253.1: icmp: time exceeded in-transit
6.538227 ciscovpn_0 -- 192.168.253.1 -> 192.168.104.5: icmp: echo request
6.538323 ciscovpn_0 -- 192.168.103.2 -> 192.168.253.1: icmp: time exceeded in-transit
6.568107 ciscovpn_0 -- 192.168.253.1 -> 192.168.104.5: icmp: echo request
6.568178 ciscovpn_0 -- 192.168.103.2 -> 192.168.253.1: icmp: time exceeded in-transit
7.569405 ciscovpn_0 -- 192.168.253.1 -> 192.168.104.5: icmp: echo request
7.570054 ciscovpn_0 -- 192.168.104.5 -> 192.168.253.1: icmp: echo reply
7.612378 ciscovpn_0 -- 192.168.253.1 -> 192.168.104.5: icmp: echo request
7.613013 ciscovpn_0 -- 192.168.104.5 -> 192.168.253.1: icmp: echo reply
7.642487 ciscovpn_0 -- 192.168.253.1 -> 192.168.104.5: icmp: echo request
7.643122 ciscovpn_0 -- 192.168.104.5 -> 192.168.253.1: icmp: echo reply
36.980555 ciscovpn_0 -- 192.168.253.1.64991 -> 192.168.104.5.53: udp 39
36.980664 ciscovpn_0 -- 192.168.253.1.2293 -> 192.168.104.5.110: syn 2314200404
36.981170 ciscovpn_0 -- 192.168.104.5.110 -> 192.168.253.1.2293: syn 3063532398 ack 2314200405
37.187906 ciscovpn_0 -- 192.168.253.1.2293 -> 192.168.104.5.110: ack 3063532399
37.189913 ciscovpn_0 -- 192.168.104.5.110 -> 192.168.253.1.2293: fin 3063532399 ack 2314200405
37.215136 ciscovpn_0 -- 192.168.253.1.2293 -> 192.168.104.5.110: ack 3063532400
37.216150 ciscovpn_0 -- 192.168.104.5.53 -> 192.168.253.1.64991: udp 55
37.217509 ciscovpn_0 -- 192.168.253.1.2293 -> 192.168.104.5.110: fin 2314200405 ack 3063532400
37.217895 ciscovpn_0 -- 192.168.104.5.110 -> 192.168.253.1.2293: ack 2314200406
55.412263 ciscovpn_0 -- 192.168.253.1.2301 -> 192.168.104.5.110: syn 1206674260
55.412786 ciscovpn_0 -- 192.168.104.5.110 -> 192.168.253.1.2301: syn 672853538 ack 1206674261
55.451111 ciscovpn_0 -- 192.168.253.1.2301 -> 192.168.104.5.110: ack 672853539
55.452121 ciscovpn_0 -- 192.168.104.5.110 -> 192.168.253.1.2301: fin 672853539 ack 1206674261
55.473605 ciscovpn_0 -- 192.168.253.1.2301 -> 192.168.104.5.110: ack 672853540
55.475229 ciscovpn_0 -- 192.168.253.1.2301 -> 192.168.104.5.110: fin 1206674261 ack 672853540
55.475618 ciscovpn_0 -- 192.168.104.5.110 -> 192.168.253.1.2301: ack 1206674262
62.307293 ciscovpn_0 -- 192.168.253.1.52113 -> 192.168.104.5.53: udp 31
62.307824 ciscovpn_0 -- 192.168.104.5.53 -> 192.168.253.1.52113: udp 47
81.638035 ciscovpn_0 -- 192.168.253.1.56008 -> 192.168.104.5.53: udp 41
81.638806 ciscovpn_0 -- 192.168.104.5.53 -> 192.168.253.1.56008: udp 57
81.708493 ciscovpn_0 -- 192.168.253.1 -> 192.168.104.206: icmp: echo request
86.809281 ciscovpn_0 -- 192.168.253.1 -> 192.168.104.206: icmp: echo request
92.310340 ciscovpn_0 -- 192.168.253.1 -> 192.168.104.206: icmp: echo request
104.104025 ciscovpn_0 -- 192.168.253.1 -> 192.168.104.17: icmp: echo request
104.104552 ciscovpn_0 -- 192.168.104.17 -> 192.168.253.1: icmp: echo reply
105.104847 ciscovpn_0 -- 192.168.253.1 -> 192.168.104.17: icmp: echo request
105.105363 ciscovpn_0 -- 192.168.104.17 -> 192.168.253.1: icmp: echo reply
106.112533 ciscovpn_0 -- 192.168.253.1 -> 192.168.104.17: icmp: echo request
106.113051 ciscovpn_0 -- 192.168.104.17 -> 192.168.253.1: icmp: echo reply
107.115601 ciscovpn_0 -- 192.168.253.1 -> 192.168.104.17: icmp: echo request
107.116119 ciscovpn_0 -- 192.168.104.17 -> 192.168.253.1: icmp: echo reply
123.552199 ciscovpn_0 -- 192.168.253.1 -> 192.168.104.17: icmp: echo request
123.552274 ciscovpn_0 -- 192.168.103.2 -> 192.168.253.1: icmp: time exceeded in-transit
123.575562 ciscovpn_0 -- 192.168.253.1 -> 192.168.104.17: icmp: echo request
123.575640 ciscovpn_0 -- 192.168.103.2 -> 192.168.253.1: icmp: time exceeded in-transit
123.606067 ciscovpn_0 -- 192.168.253.1 -> 192.168.104.17: icmp: echo request
123.606129 ciscovpn_0 -- 192.168.103.2 -> 192.168.253.1: icmp: time exceeded in-transit
124.607116 ciscovpn_0 -- 192.168.253.1 -> 192.168.104.17: icmp: echo request
124.607633 ciscovpn_0 -- 192.168.104.17 -> 192.168.253.1: icmp: echo reply
124.643718 ciscovpn_0 -- 192.168.253.1 -> 192.168.104.17: icmp: echo request
124.644353 ciscovpn_0 -- 192.168.104.17 -> 192.168.253.1: icmp: echo reply
124.675325 ciscovpn_0 -- 192.168.253.1 -> 192.168.104.17: icmp: echo request
124.675836 ciscovpn_0 -- 192.168.104.17 -> 192.168.253.1: icmp: echo reply
124.735684 ciscovpn_0 -- 192.168.253.1.57668 -> 192.168.104.5.53: udp 45
124.931947 ciscovpn_0 -- 192.168.104.5.53 -> 192.168.253.1.57668: udp 45

There is just something I do not understand: 192.168.103.2 is my interface connection to a site-to-site VPN with my SAP area sitting outside of the company. Do I need to create a static route? I created one, but it does not seem to be working. The static route is destination 192.168.104.0/22 to interface ciscovpn, distance 10.
Luke Low
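A small parser for the verbosity-4 lines that "diag sniffer packet" prints, covering both the command ede_pfau gave earlier and the log posted above. This is an added example, not code from the thread and not a Fortinet tool: it separates echo replies from the "time exceeded" answers coming from 192.168.103.2 and lists which LAN services answered over TCP/UDP. The line layout it assumes is the one visible in the post; the embedded sample is a constructed subset of those lines.

```python
"""Summarise FortiGate 'diag sniffer packet <iface> none 4' output.
Added example, not code from the thread or from Fortinet.  Assumes the
verbosity-4 line layout seen in the post:
    <ts> <iface> -- <src>[.<port>] -> <dst>[.<port>]: <protocol info>
"""
import re
from collections import defaultdict

# Constructed subset of the lines posted in the thread (prompt and pcap
# warning included to show that non-packet lines are skipped).
SAMPLE = """\
FGT-200B # diag sniffer packet ciscovpn_0 none 4
pcap_lookupnet: ciscovpn_0: no IPv4 address assigned
6.511992 ciscovpn_0 -- 192.168.253.1 -> 192.168.104.5: icmp: echo request
6.512085 ciscovpn_0 -- 192.168.103.2 -> 192.168.253.1: icmp: time exceeded in-transit
6.538227 ciscovpn_0 -- 192.168.253.1 -> 192.168.104.5: icmp: echo request
6.538323 ciscovpn_0 -- 192.168.103.2 -> 192.168.253.1: icmp: time exceeded in-transit
7.569405 ciscovpn_0 -- 192.168.253.1 -> 192.168.104.5: icmp: echo request
7.570054 ciscovpn_0 -- 192.168.104.5 -> 192.168.253.1: icmp: echo reply
36.980555 ciscovpn_0 -- 192.168.253.1.64991 -> 192.168.104.5.53: udp 39
36.980664 ciscovpn_0 -- 192.168.253.1.2293 -> 192.168.104.5.110: syn 2314200404
36.981170 ciscovpn_0 -- 192.168.104.5.110 -> 192.168.253.1.2293: syn 3063532398 ack 2314200405
37.187906 ciscovpn_0 -- 192.168.253.1.2293 -> 192.168.104.5.110: ack 3063532399
37.216150 ciscovpn_0 -- 192.168.104.5.53 -> 192.168.253.1.64991: udp 55
81.708493 ciscovpn_0 -- 192.168.253.1 -> 192.168.104.206: icmp: echo request
86.809281 ciscovpn_0 -- 192.168.253.1 -> 192.168.104.206: icmp: echo request
104.104025 ciscovpn_0 -- 192.168.253.1 -> 192.168.104.17: icmp: echo request
104.104552 ciscovpn_0 -- 192.168.104.17 -> 192.168.253.1: icmp: echo reply
"""

LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+--\s+"
                     r"(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+(?P<info>.+)$")

def split_endpoint(token):
    """'192.168.253.1.64991' -> ('192.168.253.1', 64991); bare IP -> (ip, None)."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None

def parse_sniffer(text):
    """Return one dict per packet line; prompt and pcap warnings are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, sport = split_endpoint(m.group("src"))
        dst, dport = split_endpoint(m.group("dst"))
        packets.append({"ts": float(m.group("ts")), "iface": m.group("iface"),
                        "src": src, "sport": sport, "dst": dst, "dport": dport,
                        "info": m.group("info")})
    return packets

def icmp_summary(packets):
    """Per echo-request destination: requests, replies, and hops that answered
    'time exceeded'.  The level-4 line does not show the embedded original
    header, so a time-exceeded is credited to the requester's most recent
    unanswered echo request (a heuristic, adequate for sequential pings)."""
    stats = defaultdict(lambda: {"requests": 0, "replies": 0, "ttl_exceeded_from": set()})
    pending = {}  # requester ip -> destination of its latest unanswered request
    for p in packets:
        info = p["info"]
        if info == "icmp: echo request":
            stats[p["dst"]]["requests"] += 1
            pending[p["src"]] = p["dst"]
        elif info == "icmp: echo reply":
            stats[p["src"]]["replies"] += 1
            pending.pop(p["dst"], None)
        elif info.startswith("icmp: time exceeded"):
            target = pending.pop(p["dst"], None)
            if target:
                stats[target]["ttl_exceeded_from"].add(p["src"])
    return dict(stats)

def verdict(entry):
    """One-line reading of an icmp_summary entry."""
    hops = ", ".join(sorted(entry["ttl_exceeded_from"]))
    if entry["replies"] == 0:
        return f"ttl expired at {hops}" if hops else "no answer"
    text = f"reachable ({entry['replies']}/{entry['requests']} answered)"
    return text + (f"; some probes expired at {hops}" if hops else "")

def services_answering(packets):
    """(ip, port) pairs that sent traffic back on a flow the other side opened:
    TCP SYN-ACKs and UDP answers (POP3 and DNS in the thread)."""
    opened, answering = set(), set()
    for p in packets:
        if p["dport"] is None:
            continue
        if (p["dst"], p["dport"], p["src"], p["sport"]) in opened:
            answering.add((p["src"], p["sport"]))
        else:
            opened.add((p["src"], p["sport"], p["dst"], p["dport"]))
    return sorted(answering)

if __name__ == "__main__":
    pkts = parse_sniffer(SAMPLE)
    for dst, entry in sorted(icmp_summary(pkts).items()):
        print(f"{dst:<16} {verdict(entry)}")
    for ip, port in services_answering(pkts):
        print(f"{ip}:{port} answers")
```

Run on the sample, it reports 192.168.104.5 and 192.168.104.17 as reachable (with the first probes to .104.5 expiring at 192.168.103.2), 192.168.104.206 as giving no answer, and POP3 (110) and DNS (53) on .104.5 as responding. Feed it the full capture from the post to see the same picture for the later probes to .104.17. The time-exceeded attribution is a heuristic because a level-4 line carries no copy of the original packet's header; for anything other than sequential pings from one client, capture at a verbosity that includes the payload, or save a pcap, before drawing conclusions about which probe a "time exceeded" belongs to.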
ede_pfau
SuperUser

That looks OK, doesn't it? You can reach .104.5 with ping after setting up the tunnel (hence the 1 second delay in the beginning). You can even make DNS requests and POP3 to .104.5. .104.206 is apparently dead, .104.17 is alive. Do you still perceive network problems, or is your question solved?

Ede

"Kernel panic: Aiee, killing interrupt handler!"