I have a little problem. I'm trying to create an IPsec tunnel between a FortiGate and a Cisco router. I followed the instructions of some tutorials on the Internet and now I'm pretty sure my configuration should be complete. But no connection is being established between the two. When I try to debug on the Cisco router, nothing shows up. On the FortiGate I get these debug messages:
ike 0:IPSEC:PHASE2: IPsec SA connect 8 20.113.40.21->20.113.40.20:0
ike 0:IPSEC:PHASE2: using existing connection
ike 0:IPSEC:PHASE2: config found
ike 0:IPSEC: request is on the queue
ike 0:IPSEC:97: out 6EC9EDD99829A03F0000000000000000212022080000000000000150220000300000002C010100040300000C0100000C800E01000300000802000006030000080300000D0000000804000005280000C8000500001AB1E0A025C430143A57C3B697114DE4A30A8BE55911821424B7ADD57FEDCE5086AB50917ACCE4C3E44FFF4180F290B138ED04344D9D83BBB91324486B9C96EA0AFA3B484F51B6348790437AA3913D71834ADEC9E48536A07A2EE421A5029D3EBF25DED3377C54A23649265FFDD25EB019A018059E13BC23F2EFF4189D61F7792D21B4CCD6244866C6E2FF5663A74BB96EFD699309A48F5644BDCBCEB8EAFD71734E67ED91693D1705C2387B120143E4C564B4828E362A94C680E94D1AEF90392900002478D5BCE1FE4DCC7FC8602DEAC449195B139C8CA4CC7BC35DC2B13782AA5D6765290000080000402E290000080000F020000000080000F021
ike 0:IPSEC:97: sent IKE msg (RETRANSMIT_SA_INIT): 20.113.40.21:500->20.113.40.20:500, len=336, id=6ec9edd99829a03f/0000000000000000
ike 0:IPSEC:PHASE2: IPsec SA connect 8 20.113.40.21->20.113.40.20:0
ike 0:IPSEC:PHASE2: using existing connection
ike 0:IPSEC:PHASE2: config found
ike 0:IPSEC: request is on the queue
ike shrank heap by 159744 bytes
ike 0:IPSEC:PHASE2: IPsec SA connect 8 20.113.40.21->20.113.40.20:0
ike 0:IPSEC:PHASE2: using existing connection
ike 0:IPSEC:PHASE2: config found
ike 0:IPSEC: request is on the queue
ike 0:IPSEC:PHASE2: IPsec SA connect 8 20.113.40.21->20.113.40.20:0
ike 0:IPSEC:PHASE2: using existing connection
ike 0:IPSEC:PHASE2: config found
ike 0:IPSEC: request is on the queue
ike 0:IPSEC:97: out 6EC9EDD99829A03F0000000000000000212022080000000000000150220000300000002C010100040300000C0100000C800E01000300000802000006030000080300000D0000000804000005280000C8000500001AB1E0A025C430143A57C3B697114DE4A30A8BE55911821424B7ADD57FEDCE5086AB50917ACCE4C3E44FFF4180F290B138ED04344D9D83BBB91324486B9C96EA0AFA3B484F51B6348790437AA3913D71834ADEC9E48536A07A2EE421A5029D3EBF25DED3377C54A23649265FFDD25EB019A018059E13BC23F2EFF4189D61F7792D21B4CCD6244866C6E2FF5663A74BB96EFD699309A48F5644BDCBCEB8EAFD71734E67ED91693D1705C2387B120143E4C564B4828E362A94C680E94D1AEF90392900002478D5BCE1FE4DCC7FC8602DEAC449195B139C8CA4CC7BC35DC2B13782AA5D6765290000080000402E290000080000F020000000080000F021
ike 0:IPSEC:97: sent IKE msg (RETRANSMIT_SA_INIT): 20.113.40.21:500->20.113.40.20:500, len=336, id=6ec9edd99829a03f/0000000000000000
ike 0:IPSEC:PHASE2: IPsec SA connect 8 20.113.40.21->20.113.40.20:0
ike 0:IPSEC:PHASE2: using existing connection
ike 0:IPSEC:PHASE2: config found
ike 0:IPSEC: request is on the queue
ike 0:IPSEC:97: negotiation timeout, deleting
ike 0:IPSEC: connection expiring due to phase1 down
ike 0:IPSEC: deleting
ike 0:IPSEC: deleted
ike 0:IPSEC: schedule auto-negotiate
ike 0:IPSEC:PHASE2: IPsec SA connect 8 20.113.40.21->20.113.40.20:0
ike 0:IPSEC:PHASE2: config found
ike 0:IPSEC: created connection: 0x145abce0 8 20.113.40.21->20.113.40.20:500.
ike 0:IPSEC: IPsec SA connect 8 20.113.40.21->20.113.40.20:500 negotiating
ike 0:IPSEC: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
ike 0:IPSEC:98: out 25F1DAA2481EBB520000000000000000212022080000000000000150220000300000002C010100040300000C0100000C800E01000300000802000006030000080300000D0000000804000005280000C800050000E5E6E45C1C2AAC1B16D9D1497DB451408C1F7041DE5D24785DE3C4BCE464C60B493B9A599B076274FB6A310657B68CBF71E848665A35DB1548F5C95F5238DF25B173D8D7A92E64E58440F653C3AC32C02E70DFCFD3D55D46218218AF3E1A6915BC739B819605B649DA3642F19A564E3286B6EF7F06987111058770872EACAE97D98B26099702D0EDB59331D1A28D11CE86AF1303BB53CB1A95EB594A861CBA19AB40F90163FCEF81DCC5FC3304D387D97B8F1B9C5FBF4E95589195B044C6BBF8290000248B568E16865D829CD52EE42D9BFE59287049E7F6837D81C4F3632F613646C068290000080000402E290000080000F020000000080000F021
ike 0:IPSEC:98: sent IKE msg (SA_INIT): 20.113.40.21:500->20.113.40.20:500, len=336, id=25f1daa2481ebb52/0000000000000000
ike 0:IPSEC:98: out 25F1DAA2481EBB520000000000000000212022080000000000000150220000300000002C010100040300000C0100000C800E01000300000802000006030000080300000D0000000804000005280000C800050000E5E6E45C1C2AAC1B16D9D1497DB451408C1F7041DE5D24785DE3C4BCE464C60B493B9A599B076274FB6A310657B68CBF71E848665A35DB1548F5C95F5238DF25B173D8D7A92E64E58440F653C3AC32C02E70DFCFD3D55D46218218AF3E1A6915BC739B819605B649DA3642F19A564E3286B6EF7F06987111058770872EACAE97D98B26099702D0EDB59331D1A28D11CE86AF1303BB53CB1A95EB594A861CBA19AB40F90163FCEF81DCC5FC3304D387D97B8F1B9C5FBF4E95589195B044C6BBF8290000248B568E16865D829CD52EE42D9BFE59287049E7F6837D81C4F3632F613646C068290000080000402E290000080000F020000000080000F021
ike 0:IPSEC:98: sent IKE msg (RETRANSMIT_SA_INIT): 20.113.40.21:500->20.113.40.20:500, len=336, id=25f1daa2481ebb52/0000000000000000
ike 0:IPSEC:PHASE2: IPsec SA connect 8 20.113.40.21->20.113.40.20:0
ike 0:IPSEC:PHASE2: using existing connection
ike 0:IPSEC:PHASE2: config found
ike 0:IPSEC: request is on the queue
ike 0:IPSEC:98: out 25F1DAA2481EBB520000000000000000212022080000000000000150220000300000002C010100040300000C0100000C800E01000300000802000006030000080300000D0000000804000005280000C800050000E5E6E45C1C2AAC1B16D9D1497DB451408C1F7041DE5D24785DE3C4BCE464C60B493B9A599B076274FB6A310657B68CBF71E848665A35DB1548F5C95F5238DF25B173D8D7A92E64E58440F653C3AC32C02E70DFCFD3D55D46218218AF3E1A6915BC739B819605B649DA3642F19A564E3286B6EF7F06987111058770872EACAE97D98B26099702D0EDB59331D1A28D11CE86AF1303BB53CB1A95EB594A861CBA19AB40F90163FCEF81DCC5FC3304D387D97B8F1B9C5FBF4E95589195B044C6BBF8290000248B568E16865D829CD52EE42D9BFE59287049E7F6837D81C4F3632F613646C068290000080000402E290000080000F020000000080000F021
ike 0:IPSEC:98: sent IKE msg (RETRANSMIT_SA_INIT): 20.113.40.21:500->20.113.40.20:500, len=336, id=25f1daa2481ebb52/0000000000000000
ike 0:IPSEC:PHASE2: IPsec SA connect 8 20.113.40.21->20.113.40.20:0
ike 0:IPSEC:PHASE2: using existing connection
ike 0:IPSEC:PHASE2: config found
ike 0:IPSEC: request is on the queue
ike 0:IPSEC:PHASE2: IPsec SA connect 8 20.113.40.21->20.113.40.20:0
ike 0:IPSEC:PHASE2: using existing connection
ike 0:IPSEC:PHASE2: config found
ike 0:IPSEC: request is on the queue
ike 0:IPSEC:PHASE2: IPsec SA connect 8 20.113.40.21->20.113.40.20:0
ike 0:IPSEC:PHASE2: using existing connection
ike 0:IPSEC:PHASE2: config found
ike 0:IPSEC: request is on the queue
ike 0:IPSEC:98: out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
ike 0:IPSEC:98: sent IKE msg (RETRANSMIT_SA_INIT): 20.113.40.21:500->20.113.40.20:500, len=336, id=25f1daa2481ebb52/0000000000000000
ike 0:IPSEC:PHASE2: IPsec SA connect 8 20.113.40.21->20.113.40.20:0
ike 0:IPSEC:PHASE2: using existing connection
ike 0:IPSEC:PHASE2: config found
ike 0:IPSEC: request is on the queue
ike 0:IPSEC:98: negotiation timeout, deleting
ike 0:IPSEC: connection expiring due to phase1 down
ike 0:IPSEC: deleting
ike 0:IPSEC: deleted
Does anyone have an idea what could be wrong?
Thanks for the help!
It looks like the FG40F has IKEv2 configured and is not receiving anything from the Cisco side, even though the two IP addresses are adjacent. If the Cisco side were receiving these packets, you should see something in its debugging even if the IKE version did not match. I would check the Cisco side for any filtering, such as an ACL blocking or dropping packets from .21.
It could be a wrong address, or no crypto map applied to the interface.
I would run "debug crypto isakmp" on the Cisco IOS router.
Ken Felix
PCNSE
NSE
StrongSwan
I have now rewritten my Cisco config because it was very messy from a previous use. Now when I run "debug crypto isakmp" on the router I get:
ISAKMP: (0):peer matches *none* of the profiles
My configurations are:
Cisco:
redundancy
!
! IKEv2 (phase 1) proposal offered to the FortiGate. It has to line up with the
! FortiGate phase1-interface settings: proposal aes256-sha384 and dhgrp 5.
crypto ikev2 proposal PropFortiGate
encryption aes-cbc-256
integrity sha384
! NOTE(review): group 5 is 1536-bit MODP; group 14 or higher is the usual
! minimum today. Change it on both ends together, never on one side only.
group 5
!
crypto ikev2 policy PolFortiGate
proposal PropFortiGate
!
! Pre-shared key for the single static peer 20.113.40.21 (value redacted).
crypto ikev2 keyring FortiGateKeyring
peer FortiGate
address 20.113.40.21
pre-shared-key *****
!
!
!
crypto ikev2 profile FortiGateProfile
! NOTE(review): with mask 255.0.0.0 this matches ANY peer address in
! 20.0.0.0/8, not just .21; for one static peer use 255.255.255.255.
! The FortiGate side also has 'set localid "Fortinet1"', which it presumably
! sends as a non-address IKE identity; an address-only match would then fail.
! That may be the source of "peer matches *none* of the profiles" -- confirm
! in the IKE debug output which identity type the peer actually sends.
match identity remote address 20.113.40.21 255.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local FortiGateKeyring
!
no crypto ikev2 http-url cert
!
!
!
crypto logging session
! IKEv1 (isakmp) keepalive; it has no effect on the IKEv2 profile above.
crypto isakmp keepalive 30 periodic
!
crypto ipsec security-association idle-time 60
!
! Phase 2 transform set. "esp-aes" with no key size means 128-bit AES on IOS
! (as far as I know -- confirm for this release), while the FortiGate phase2
! proposal is aes256-sha384; both ends must agree on the ESP cipher.
crypto ipsec transform-set FortiGateTS esp-aes esp-sha384-hmac
mode tunnel
!
!
!
crypto map MapFortiGate 10 ipsec-isakmp
set peer 20.113.40.21
set transform-set FortiGateTS
! PFS with group 5 is required here, but the FortiGate phase2 has
! "set pfs disable"; one side has to change so that both agree.
set pfs group5
set ikev2-profile FortiGateProfile
match address CiscoFortiGateCacl
!
!
!
!
!
interface Loopback0
no ip address
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
! Outside interface. The tunnel terminates on the physical address .20 (the
! FortiGate remote-gw is .20), not on the HSRP virtual address .19.
interface GigabitEthernet0/0
ip address 20.113.40.20 255.0.0.0
standby 10 ip 20.113.40.19
! NOTE(review): a type-7 key-string is reversible obfuscation, not encryption.
! Once pasted into a public forum it should be treated as disclosed; rotate it
! and redact it in future posts (as was done with the IKEv2 pre-shared-key).
standby 10 authentication md5 key-string 7 047A1E120724421A212A3727
standby 10 name HSRP
duplex auto
speed auto
no cdp enable
crypto map MapFortiGate
!
! Inside interface; its subnet is the local side of the crypto ACL below.
interface GigabitEthernet0/1
ip address 172.19.58.1 255.255.255.0
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
! Interesting traffic: local 172.19.58.0/24 to remote 172.20.32.0/24, the
! mirror image of the FortiGate src-subnet/dst-subnet.
ip access-list extended CiscoFortiGateCacl
permit ip 172.19.58.0 0.0.0.255 172.20.32.0 0.0.0.255
FortiGate:
# Phase 1 (IKEv2) toward the Cisco router at 20.113.40.20, on interface lan3.
config vpn ipsec phase1-interface
edit "IPSEC"
set interface "lan3"
set ike-version 2
set keylife 3600
# peertype any: the peer's IKE identity is not checked; tolerable here only
# because remote-gw below pins a single static peer address.
set peertype any
set net-device disable
# Must match the Cisco ikev2 proposal (aes-cbc-256 / sha384).
set proposal aes256-sha384
# Sends "Fortinet1" as this unit's IKE identity (presumably a non-address ID
# type). The Cisco profile matches the remote identity by address only, so
# confirm the router accepts this ID before looking elsewhere.
set localid "Fortinet1"
# NOTE(review): group 5 is 1536-bit MODP; prefer group 14 or higher on both
# ends (must stay identical to the Cisco proposal).
set dhgrp 5
set nattraversal disable
set remote-gw 20.113.40.20
# PSK as exported in FortiOS ENC form.
set psksecret ENC NLegQuOUtTKUueykRqN+XTPlyLJu6CooJncYGV8ZxbEXmIg2c2bJD03+g+xeSU0OmA7Pwgm+l1A2xXTODcKUKF334emxCVzG7huuWgnmMeImOn1tzIrOnkPsgJDNo73emIiti9o2a+alLAyP0XNaMHPvNRVINty7UFAXCEc8NIMolioElxKG8zPNCxqhwAp8HDmBqA==
next
end
FortiGate-40F-3G4G # show vpn ipsec phase2-interface
# Phase 2 selectors and proposal bound to the "IPSEC" phase 1 above.
config vpn ipsec phase2-interface
edit "PHASE2"
set phase1name "IPSEC"
# The Cisco transform set is esp-aes (128-bit unless a size is given) with
# sha384; the ESP cipher has to be the same on both ends.
set proposal aes256-sha384
# The Cisco crypto map requires PFS ("set pfs group5"); one side must change.
set pfs disable
set auto-negotiate enable
set keylifeseconds 3600
# Mirror of the Cisco crypto ACL: local 172.20.32.0/24 <-> remote 172.19.58.0/24.
set src-subnet 172.20.32.0 255.255.255.0
set dst-subnet 172.19.58.0 255.255.255.0
next
end
Okay, two quick things:
1: I don't think you can terminate a VPN on an HSRP virtual IP.
2: On the FGT you have PFS disabled, but on the Cisco you are requiring PFS ("set pfs group5").
Ken Felix
PCNSE
NSE
StrongSwan
"ISAKMP: (0):peer matches *none* of the profiles"
Did you set up a peer ID on your FGT without a corresponding peer ID on the Cisco? (The FortiGate config has `set localid "Fortinet1"`, while the Cisco profile matches the remote identity by address only.)
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Hi, which Cisco router model and software version are you using?