Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Amgrim
New Contributor

Problem with IPSEC L2L betewen Fortigate and a Cisco ASR

Hi everyone, at this moment i have some problem with my tunnel ipsec betewen my Fortgate and a Router Cisco ASR.

My fortigate is running 5.2.7 version.

what i see so far, all configuration phase 1 and phase 2 its correct. When the peer remote try to estabilsh this tunel, this happen with sucess, but, if i force my fortigate to estabilsh this tunnel i got this error;

here is the log that i believe is the phase 1 OK;

ike 2:L2L-XXXXX-02:1401224921: peer identifier IPV4_ADDR 1.1.1.1 ike 2:L2L-XXXXX-02:1401224921: PSK authentication succeeded ike 2:L2L-XXXXX-02:1401224921: authentication OK ike 2:L2L-XXXXX-02:1401224921: established IKE SA f3dae8bfc4e9daf8/8099b52c50adf6a6 ike 2:L2L-XXXXX-02: HA send IKE connection add 2.2.2.2->1.1.1.1 ike 2:L2L-XXXXX-02:1401224921: HA send IKE SA add f3dae8bfc4e9daf8/8099b52c50adf6a6 ike 2:L2L-XXXXX-02: set oper up ike 2:L2L-XXXXX-02: schedule auto-negotiate ike 2:L2L-XXXXX-02:1401224921: no pending Quick-Mode negotiations

 

then i try to ping the ip address that i have in my phase 2 and i got this error;

ike 2:L2L-XXXXX-02:1401257287: notify msg received: NO-PROPOSAL-CHOSEN

 

but, like i sad early, if the peer remote try to estabilsh this tunnel, i got the status UP phase 1 and phase 2 and i can ping the other side, but i really need the fortigate to estabilish this and i dont know where is the error...

anyone have face a error like this before??

 

2 REPLIES 2
emnoc
Esteemed Contributor III

Will  with out any config or diagnostic it hard to determine. I'm assuming IOS-XE and not XR ?

 

Did you read my blog I built  3+ years ago about this? Note this is IKEv2 so  toggle that if you don't want IKEv2. I would also  restrict proposals to just that " proposal ", we ran into problems with  more than  6 proposal was in  the  offering and seen issues. I will post something in the future about that issues.

 

 

http://socpuppet.blogspot.com/2014/05/howto-asr-ios-xe-to-fortigate-ikev2.html

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
packetpusher
Contributor

Some vendors like Cisco

--------------------------- 

-do not support quick mode selectors 0.0.0.0/0

-do not support subnets with different subnet mask length

-expect a different SA (Phase 2) for each pair of local and remote protected subnets

 

Solution

---------

-define a different phase 2 for each pair of subnets

-define only one phase 2 and enable IKEv1 dynamic selector. Fortigate automatically creates the phase on demand

 

config vpn ipsec phase1 | phase1-interface

edit <VPN Name>

set mesh-selector-type subnet

end

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors