Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Kronberger
New Contributor

Problem with IPsec Tunnel between FortiGate 40F and Cisco Router

I have a little problem. Im trying to create an IPsec Tunnel between a FortiGate and a Cisco Server. I followed the instructions of some Tutorials on the Internet and now im pretty sure my conifiguration should be complete. But there is no connection beeing astablished between the two. When i try to debug over on the cisco router, nothing is showing. Over the FortiGate i get these debug messages:

 

ike 0:IPSEC:PHASE2: IPsec SA connect 8 20.113.40.21->20.113.40.20:0
ike 0:IPSEC:PHASE2: using existing connection
ike 0:IPSEC:PHASE2: config found
ike 0:IPSEC: request is on the queue
ike 0:IPSEC:97: out 6EC9EDD99829A03F0000000000000000212022080000000000000150220000300000002C010100040300000C0100000C800E01000300000802000006030000080300000D0000000804000005280000C8000500001AB1E0A025C430143A57C3B697114DE4A30A8BE55911821424B7ADD57FEDCE5086AB50917ACCE4C3E44FFF4180F290B138ED04344D9D83BBB91324486B9C96EA0AFA3B484F51B6348790437AA3913D71834ADEC9E48536A07A2EE421A5029D3EBF25DED3377C54A23649265FFDD25EB019A018059E13BC23F2EFF4189D61F7792D21B4CCD6244866C6E2FF5663A74BB96EFD699309A48F5644BDCBCEB8EAFD71734E67ED91693D1705C2387B120143E4C564B4828E362A94C680E94D1AEF90392900002478D5BCE1FE4DCC7FC8602DEAC449195B139C8CA4CC7BC35DC2B13782AA5D6765290000080000402E290000080000F020000000080000F021
ike 0:IPSEC:97: sent IKE msg (RETRANSMIT_SA_INIT): 20.113.40.21:500->20.113.40.20:500, len=336, id=6ec9edd99829a03f/0000000000000000
ike 0:IPSEC:PHASE2: IPsec SA connect 8 20.113.40.21->20.113.40.20:0
ike 0:IPSEC:PHASE2: using existing connection
ike 0:IPSEC:PHASE2: config found
ike 0:IPSEC: request is on the queue
ike shrank heap by 159744 bytes
ike 0:IPSEC:PHASE2: IPsec SA connect 8 20.113.40.21->20.113.40.20:0
ike 0:IPSEC:PHASE2: using existing connection
ike 0:IPSEC:PHASE2: config found
ike 0:IPSEC: request is on the queue
ike 0:IPSEC:PHASE2: IPsec SA connect 8 20.113.40.21->20.113.40.20:0
ike 0:IPSEC:PHASE2: using existing connection
ike 0:IPSEC:PHASE2: config found
ike 0:IPSEC: request is on the queue
ike 0:IPSEC:97: out 6EC9EDD99829A03F0000000000000000212022080000000000000150220000300000002C010100040300000C0100000C800E01000300000802000006030000080300000D0000000804000005280000C8000500001AB1E0A025C430143A57C3B697114DE4A30A8BE55911821424B7ADD57FEDCE5086AB50917ACCE4C3E44FFF4180F290B138ED04344D9D83BBB91324486B9C96EA0AFA3B484F51B6348790437AA3913D71834ADEC9E48536A07A2EE421A5029D3EBF25DED3377C54A23649265FFDD25EB019A018059E13BC23F2EFF4189D61F7792D21B4CCD6244866C6E2FF5663A74BB96EFD699309A48F5644BDCBCEB8EAFD71734E67ED91693D1705C2387B120143E4C564B4828E362A94C680E94D1AEF90392900002478D5BCE1FE4DCC7FC8602DEAC449195B139C8CA4CC7BC35DC2B13782AA5D6765290000080000402E290000080000F020000000080000F021
ike 0:IPSEC:97: sent IKE msg (RETRANSMIT_SA_INIT): 20.113.40.21:500->20.113.40.20:500, len=336, id=6ec9edd99829a03f/0000000000000000
ike 0:IPSEC:PHASE2: IPsec SA connect 8 20.113.40.21->20.113.40.20:0
ike 0:IPSEC:PHASE2: using existing connection
ike 0:IPSEC:PHASE2: config found
ike 0:IPSEC: request is on the queue
ike 0:IPSEC:97: negotiation timeout, deleting
ike 0:IPSEC: connection expiring due to phase1 down
ike 0:IPSEC: deleting
ike 0:IPSEC: deleted
ike 0:IPSEC: schedule auto-negotiate
ike 0:IPSEC:PHASE2: IPsec SA connect 8 20.113.40.21->20.113.40.20:0
ike 0:IPSEC:PHASE2: config found
ike 0:IPSEC: created connection: 0x145abce0 8 20.113.40.21->20.113.40.20:500.
ike 0:IPSEC: IPsec SA connect 8 20.113.40.21->20.113.40.20:500 negotiating
ike 0:IPSEC: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
ike 0:IPSEC:98: out 25F1DAA2481EBB520000000000000000212022080000000000000150220000300000002C010100040300000C0100000C800E01000300000802000006030000080300000D0000000804000005280000C800050000E5E6E45C1C2AAC1B16D9D1497DB451408C1F7041DE5D24785DE3C4BCE464C60B493B9A599B076274FB6A310657B68CBF71E848665A35DB1548F5C95F5238DF25B173D8D7A92E64E58440F653C3AC32C02E70DFCFD3D55D46218218AF3E1A6915BC739B819605B649DA3642F19A564E3286B6EF7F06987111058770872EACAE97D98B26099702D0EDB59331D1A28D11CE86AF1303BB53CB1A95EB594A861CBA19AB40F90163FCEF81DCC5FC3304D387D97B8F1B9C5FBF4E95589195B044C6BBF8290000248B568E16865D829CD52EE42D9BFE59287049E7F6837D81C4F3632F613646C068290000080000402E290000080000F020000000080000F021
ike 0:IPSEC:98: sent IKE msg (SA_INIT): 20.113.40.21:500->20.113.40.20:500, len=336, id=25f1daa2481ebb52/0000000000000000
ike 0:IPSEC:98: out 25F1DAA2481EBB520000000000000000212022080000000000000150220000300000002C010100040300000C0100000C800E01000300000802000006030000080300000D0000000804000005280000C800050000E5E6E45C1C2AAC1B16D9D1497DB451408C1F7041DE5D24785DE3C4BCE464C60B493B9A599B076274FB6A310657B68CBF71E848665A35DB1548F5C95F5238DF25B173D8D7A92E64E58440F653C3AC32C02E70DFCFD3D55D46218218AF3E1A6915BC739B819605B649DA3642F19A564E3286B6EF7F06987111058770872EACAE97D98B26099702D0EDB59331D1A28D11CE86AF1303BB53CB1A95EB594A861CBA19AB40F90163FCEF81DCC5FC3304D387D97B8F1B9C5FBF4E95589195B044C6BBF8290000248B568E16865D829CD52EE42D9BFE59287049E7F6837D81C4F3632F613646C068290000080000402E290000080000F020000000080000F021
ike 0:IPSEC:98: sent IKE msg (RETRANSMIT_SA_INIT): 20.113.40.21:500->20.113.40.20:500, len=336, id=25f1daa2481ebb52/0000000000000000
ike 0:IPSEC:PHASE2: IPsec SA connect 8 20.113.40.21->20.113.40.20:0
ike 0:IPSEC:PHASE2: using existing connection
ike 0:IPSEC:PHASE2: config found
ike 0:IPSEC: request is on the queue
ike 0:IPSEC:98: out 25F1DAA2481EBB520000000000000000212022080000000000000150220000300000002C010100040300000C0100000C800E01000300000802000006030000080300000D0000000804000005280000C800050000E5E6E45C1C2AAC1B16D9D1497DB451408C1F7041DE5D24785DE3C4BCE464C60B493B9A599B076274FB6A310657B68CBF71E848665A35DB1548F5C95F5238DF25B173D8D7A92E64E58440F653C3AC32C02E70DFCFD3D55D46218218AF3E1A6915BC739B819605B649DA3642F19A564E3286B6EF7F06987111058770872EACAE97D98B26099702D0EDB59331D1A28D11CE86AF1303BB53CB1A95EB594A861CBA19AB40F90163FCEF81DCC5FC3304D387D97B8F1B9C5FBF4E95589195B044C6BBF8290000248B568E16865D829CD52EE42D9BFE59287049E7F6837D81C4F3632F613646C068290000080000402E290000080000F020000000080000F021
ike 0:IPSEC:98: sent IKE msg (RETRANSMIT_SA_INIT): 20.113.40.21:500->20.113.40.20:500, len=336, id=25f1daa2481ebb52/0000000000000000
ike 0:IPSEC:PHASE2: IPsec SA connect 8 20.113.40.21->20.113.40.20:0
ike 0:IPSEC:PHASE2: using existing connection
ike 0:IPSEC:PHASE2: config found
ike 0:IPSEC: request is on the queue
ike 0:IPSEC:PHASE2: IPsec SA connect 8 20.113.40.21->20.113.40.20:0
ike 0:IPSEC:PHASE2: using existing connection
ike 0:IPSEC:PHASE2: config found
ike 0:IPSEC: request is on the queue
ike 0:IPSEC:PHASE2: IPsec SA connect 8 20.113.40.21->20.113.40.20:0
ike 0:IPSEC:PHASE2: using existing connection
ike 0:IPSEC:PHASE2: config found
ike 0:IPSEC: request is on the queue
ike 0:IPSEC:98: out 25F1DAA2481EBB520000000000000000212022080000000000000150220000300000002C010100040300000C0100000C800E01000300000802000006030000080300000D0000000804000005280000C800050000E5E6E45C1C2AAC1B16D9D1497DB451408C1F7041DE5D24785DE3C4BCE464C60B493B9A599B076274FB6A310657B68CBF71E848665A35DB1548F5C95F5238DF25B173D8D7A92E64E58440F653C3AC32C02E70DFCFD3D55D46218218AF3E1A6915BC739B819605B649DA3642F19A564E3286B6EF7F06987111058770872EACAE97D98B26099702D0EDB59331D1A28D11CE86AF1303BB53CB1A95EB594A861CBA19AB40F90163FCEF81DCC5FC3304D387D97B8F1B9C5FBF4E95589195B044C6BBF8290000248B568E16865D829CD52EE42D9BFE59287049E7F6837D81C4F3632F613646C068290000080000402E290000080000F020000000080000F021
ike 0:IPSEC:98: sent IKE msg (RETRANSMIT_SA_INIT): 20.113.40.21:500->20.113.40.20:500, len=336, id=25f1daa2481ebb52/0000000000000000
ike 0:IPSEC:PHASE2: IPsec SA connect 8 20.113.40.21->20.113.40.20:0
ike 0:IPSEC:PHASE2: using existing connection
ike 0:IPSEC:PHASE2: config found
ike 0:IPSEC: request is on the queue
ike 0:IPSEC:98: negotiation timeout, deleting
ike 0:IPSEC: connection expiring due to phase1 down
ike 0:IPSEC: deleting
ike 0:IPSEC: deleted

 

Has anyone some idea what could be wrong?

 

Thanks for the help!

6 REPLIES 6
Toshi_Esumi
SuperUser
SuperUser

Looks like FG40F has IKEv2 configured and it's not receiving anything form Cisco side. But IP addresses are next to each other. If Cisco side is receiving these, even if IKE version is not matching, you should see something in Cisco's debugging. I would check Cisco side if any filtering like ACL blocking/dropping packet from .21.

emnoc
Esteemed Contributor III

Could be wrong address or no crypto-map defined on the interface

 

I would do "debug crypto isakmp" on cisco IOS

 

Ken Felix

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Kronberger

I now have rewritten my cisco config because it was very messy from another use. Now when im doing "debug crypto isakmp" on the router i get:

ISAKMP: (0):peer matches *none* of the profiles

My configurations are:

 

Cisco:

redundancy
!
crypto ikev2 proposal PropFortiGate
 encryption aes-cbc-256
 integrity sha384
 group 5
!
crypto ikev2 policy PolFortiGate
 proposal PropFortiGate
!
crypto ikev2 keyring FortiGateKeyring
 peer FortiGate
  address 20.113.40.21
  pre-shared-key *****
 !
!
!
crypto ikev2 profile FortiGateProfile
 match identity remote address 20.113.40.21 255.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local FortiGateKeyring
!
no crypto ikev2 http-url cert
!
!
!
crypto logging session
crypto isakmp keepalive 30 periodic
!
crypto ipsec security-association idle-time 60
!
crypto ipsec transform-set FortiGateTS esp-aes esp-sha384-hmac
 mode tunnel
!
!
!
crypto map MapFortiGate 10 ipsec-isakmp
 set peer 20.113.40.21
 set transform-set FortiGateTS
 set pfs group5
 set ikev2-profile FortiGateProfile
 match address CiscoFortiGateCacl
!
!
!
!
!
interface Loopback0
 no ip address
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 20.113.40.20 255.0.0.0
 standby 10 ip 20.113.40.19
 standby 10 authentication md5 key-string 7 047A1E120724421A212A3727
 standby 10 name HSRP
 duplex auto
 speed auto
 no cdp enable
 crypto map MapFortiGate
!
interface GigabitEthernet0/1
 ip address 172.19.58.1 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
ip access-list extended CiscoFortiGateCacl
 permit ip 172.19.58.0 0.0.0.255 172.20.32.0 0.0.0.255

 

FortiGate:

 

config vpn ipsec phase1-interface
    edit "IPSEC"
        set interface "lan3"
        set ike-version 2
        set keylife 3600
        set peertype any
        set net-device disable
        set proposal aes256-sha384
        set localid "Fortinet1"
        set dhgrp 5
        set nattraversal disable
        set remote-gw 20.113.40.20
        set psksecret ENC NLegQuOUtTKUueykRqN+XTPlyLJu6CooJncYGV8ZxbEXmIg2c2bJD03+g+xeSU0OmA7Pwgm+l1A2xXTODcKUKF334emxCVzG7huuWgnmMeImOn1tzIrOnkPsgJDNo73emIiti9o2a+alLAyP0XNaMHPvNRVINty7UFAXCEc8NIMolioElxKG8zPNCxqhwAp8HDmBqA==
    next
end

FortiGate-40F-3G4G # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
    edit "PHASE2"
        set phase1name "IPSEC"
        set proposal aes256-sha384
        set pfs disable
        set auto-negotiate enable
        set keylifeseconds 3600
        set src-subnet 172.20.32.0 255.255.255.0
        set dst-subnet 172.19.58.0 255.255.255.0
    next
end

 

 

emnoc
Esteemed Contributor III

Okay two quick things

 

1: I didn't think your can terminate a vpn on HSRP virt ip

 

2: in the fgt you have pfs disable but in the cisco you are calling up pfs "set pfs group5"

 

Ken Felix



PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
sw2090

"ISAKMP: (0):peer matches *none* of the profiles"

Did you set up some remote peer id on your FGT but not no corresponding local peer id on the cisco?

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
ago_icaar
New Contributor

Hi what Cisco router model and version using?

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors