- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- FortiWebCloud
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- IPSEC VPN with Cisco ASA
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 02-22-2010 11:46 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IPSEC VPN with Cisco ASA
I’m trying to set up a VPN with a Cisco ASA, i’m using the following phase2 settings:
Destination address : 172.29.80.4
Destination port : 80
Protocol: 6
The Fortigate' s logging:
1:Intralot:37493080: initiate an SA with selectors: 192.168.3.0/255.255.255.0->172.29.80.4, ports=0/20480, protocol=6/6
1:Intralot: phase1 found
1:Intralot:37493081: received payloads HASH Notif
1:Intralot:37493081: received protected info
1:Intralot:37493081: protocol_id=3, notify_msg=14 (NO_PROPOSAL_CHOSEN), ispi_size=16
1:Intralot:37493081: spi=31b76a76aac42d0a99fcb41509f3ca22
1:Intralot:37493081: Msg=a4
The ASA’s logging:
Feb 22 11:33:41 [IKEv1]: Group = 82.175.129.3, IP = 82.175.129.3, Received local Proxy Host data in ID Payload: Address 172.29.80.4, Protocol 6, Port 20480
Feb 22 11:33:41 [IKEv1]: Group = 82.175.129.3, IP = 82.175.129.3, QM IsRekeyed old sa not found by addr
Feb 22 11:33:41 [IKEv1]: Group = 82.175.129.3, IP = 82.175.129.3, Static Crypto Map check, checking map = outside_map, seq = 1...
Feb 22 11:33:41 [IKEv1]: Group = 82.175.129.3, IP = 82.175.129.3, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:192.168.3.0 dst:172.29.80.4
They are expecting port 80 instead of 20480. What am I doing wrong here?
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sounds like your phase 2 selectors (local & remote subnets) aren' t the same on each side.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Not applicable
Created on 02-23-2010 04:30 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The other company also has a Fortigate, they tried the exact same configuration and it worked for them. They supplied me with screenshots of phase 1 and 2 and some logging of their ASA:
Feb 22 12:23:58 [IKEv1]: Group = 195.97.26.99, IP = 195.97.26.99, Received local Proxy Host data in ID Payload: Address 172.29.80.4, Protocol 6, Port 80
In this case it does show the port as 80 instead of 20480
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your network is different. The local subnet/group will be different for you. Did you change the config before installing it into your unit?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Not applicable
Created on 02-23-2010 05:07 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes, I made the necessary changes.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The Fortigate' s logging: 1:Intralot:37493080: initiate an SA with selectors: 192.168.3.0/255.255.255.0->172.29.80.4, ports=0/20480, protocol=6/6 1:Intralot: phase1 found 1:Intralot:37493081: received payloads HASH Notif 1:Intralot:37493081: received protected info 1:Intralot:37493081: protocol_id=3, notify_msg=14 (NO_PROPOSAL_CHOSEN), ispi_size=16 1:Intralot:37493081: spi=31b76a76aac42d0a99fcb41509f3ca22 1:Intralot:37493081: Msg=a4 The ASA’s logging: Feb 22 11:33:41 [IKEv1]: Group = 82.175.129.3, IP = 82.175.129.3, Received local Proxy Host data in ID Payload: Address 172.29.80.4, Protocol 6, Port 20480 Feb 22 11:33:41 [IKEv1]: Group = 82.175.129.3, IP = 82.175.129.3, QM IsRekeyed old sa not found by addr Feb 22 11:33:41 [IKEv1]: Group = 82.175.129.3, IP = 82.175.129.3, Static Crypto Map check, checking map = outside_map, seq = 1... Feb 22 11:33:41 [IKEv1]: Group = 82.175.129.3, IP = 82.175.129.3, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:192.168.3.0 dst:172.29.80.4This is where I would start looking.... Seems to me both sides have 192.168.3.0 as the local subnet. That' s wrong. One side has to be reversed...
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Not applicable
Created on 02-24-2010 02:10 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have gathered some more information, here' s a part of the Cisco ASA configuration:
access-list mtel_cryptomap; 1 elements
access-list mtel_cryptomap line 1 extended permit tcp object-group CallCenters_access eq www object-group MTEL_subs log informational interval 300 0x2c34e019
access-list mtel_cryptomap line 1 extended permit tcp host 172.29.80.4 eq www 192.168.3.0 255.255.255.0 log informational interval 300 (hitcnt=0) 0x085088d1
crypto map outside_map 2 match address mtel_cryptomap
crypto map outside_map 2 set peer 82.175.129.3
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 2 set security-association lifetime seconds 86400
The person i' m trying to resolve this issue with noted that when he changes the access-list to permit everything the tunnel does work. So i' m assuming it has something to do with the Fortigate trying port 20480 instead of port 80.
Any thoughts?
Not applicable
Created on 02-24-2010 03:12 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have set up the same VPN on a different Fortigate (different model and firmware). The VPN gets up and I can connect to the host on port 80.
0:Intralot:115794:Intralot_PH2:1269641: initiator selectors 6 192.168.10.0/255.255.255.0:0->172.29.80.4:80
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Model is not so important. What are the firmware versions (working and not)?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I never specify the port or protocol in the vpn setup, the firewall rule will handle this. But I would agreed that your left/right subnet are messed up.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- IPsec Tunnel is up but can... 67 Views
- VPN IPSEC Dialup Connection IKE v2 145 Views
- VPN IPSec between private peers ip 124 Views
- Two Ipsec Tunnels for Fortigate 233 Views
- Anyway to lab Fortigate? 163 Views
Labels
-
FortiGate
7,188 -
FortiClient
1,419 -
5.2
801 -
5.4
639 -
FortiManager
621 -
FortiAnalyzer
458 -
6.0
416 -
FortiAP
376 -
FortiSwitch
375 -
5.6
362 -
FortiClient EMS
291 -
FortiMail
281 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
FortiNAC
128 -
6.4
128 -
FortiGuard
116 -
IPsec
110 -
SSL-VPN
109 -
FortiGateCloud
98 -
FortiSIEM
94 -
FortiCloud Products
90 -
FortiToken
77 -
Customer Service
71 -
Wireless Controller
65 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
49 -
FortiEDR
46 -
FortiADC
45 -
Fortivoice
44 -
FortiDNS
39 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiAuthenticator
35 -
Firewall policy
35 -
FortiSandbox
34 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
LDAP
21 -
FortiConverter
21 -
Certificate
21 -
SAML
20 -
FortiGate v5.2
19 -
FortiPortal
18 -
Routing
18 -
Interface
18 -
FortiSwitch v6.2
17 -
VDOM
17 -
FortiMonitor
15 -
Authentication
15 -
FortiLink
15 -
FortiGate v5.0
14 -
Fortigate Cloud
14 -
FortiDDoS
14 -
Logging
14 -
NAT
13 -
RADIUS
12 -
SSL SSH inspection
12 -
FortiCASB
12 -
Application control
11 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
SNMP
8 -
FortiGate v4.0 MR3
8 -
OSPF
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiAP profile
7 -
4.0
7 -
Admin
7 -
Web application firewall profile
7 -
Static route
6 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
Automation
6 -
IPS signature
5 -
Packet capture
5 -
DNS Filter
5 -
FortiCache
5 -
FortiManager v4.0
5 -
trunk
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Web rating
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
System settings
4 -
FortiPAM
4 -
FortiCarrier
4 -
FortiTester
4 -
3.6
4 -
DLP sensor
4 -
FortiScan
4 -
Fabric connector
3 -
NAC policy
3 -
Users
3 -
Multicast routing
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
Fortinet Engage Partner Program
3 -
DLP Dictionary
3 -
DLP profile
3 -
FortiDB
3 -
DoS policy
3 -
Email filter profile
3 -
FortiInsight
2 -
Netflow
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
VoIP profile
2 -
Internet Service Database
2 -
Explicit proxy
2 -
4.0MR1
1 -
Multicast policy
1 -
Zone
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
FortiManager-VM
1 -
Authentication rule and scheme
1 -
Service
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1077 | |
| 892 | |
| 529 | |
| 441 | |
| 152 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.