We have serious problems keeping our VPN tunnels up to our Cisco devices.
After some time we see the following errors in the FortiGate log: Invalid ESP packet detected (HMAC validation failed).
Cisco log: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=3547 spi=8905364E seqno=00033572
The only solution is restarting the tunnel.
The FortiGate is running 7.0.12.
We tried upgrading our Cisco 2911 router firmware to 15.5 and disabled FortiGate NPU offloading, with no success.
Attached you find the FortiGate tunnel config:
config vpn ipsec phase1-interface
    edit Tunnel1
        set interface "VLAN-XXX"
        set local-gw xx.xx.xx.xx
        set keylife 28800
        set peertype any
        set net-device disable
        set exchange-interface-ip enable
        set proposal aes256-sha256
        set npu-offload disable
        set dhgrp 21
        set nattraversal disable
        set remote-gw xx.xx.xx.xx
    next
end
config vpn ipsec phase2-interface
    edit "Tunnel1"
        set phase1name "Tunnel1"
        set proposal aes256-sha256
        set dhgrp 21
        set auto-negotiate enable
        set keylifeseconds 3600
    next
end
and the Cisco configuration:
crypto isakmp policy 100
encr aes 256
hash sha256
authentication pre-share
group 21
lifetime 28800
crypto isakmp key xxx address xx.xx.xx.xx
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set Tunnel-IPSEC esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile Tunnel-IPSEC
set transform-set Tunnel-IPSEC
set pfs group21
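As an added illustration (not code from the original post or from either vendor), this constructed Python example performs the ESP integrity check that both log lines report as failed: with esp-sha256-hmac / aes256-sha256 the receiver recomputes HMAC-SHA-256 over SPI, sequence number, IV and ciphertext, truncates it to 128 bits (RFC 4868) and compares it with the packet's ICV. Keys, IV and ciphertext are constructed values; the SPI and sequence number are the ones from the Cisco log above, and the example shows that verifying with the key of a different SA (for instance a stale key after a rekey) fails exactly this check, which is why such desynchronisation shows up as a MAC failure rather than as corrupt data.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16  # HMAC-SHA-256-128: 256-bit HMAC truncated to 128 bits (RFC 4868)


def esp_icv(auth_key: bytes, authenticated: bytes) -> bytes:
    """ICV over ESP header (SPI, seq) + IV + ciphertext, as esp-sha256-hmac does."""
    return hmac.new(auth_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]


def build_esp(auth_key: bytes, spi: int, seq: int, iv: bytes, ciphertext: bytes) -> bytes:
    """Assemble SPI | seq | IV | ciphertext | ICV (encryption itself is not modelled)."""
    authenticated = struct.pack("!II", spi, seq) + iv + ciphertext
    return authenticated + esp_icv(auth_key, authenticated)


def verify_esp(auth_key: bytes, packet: bytes) -> dict:
    """Receiver-side check: recompute the ICV with the key of the SA selected by the SPI."""
    spi, seq = struct.unpack("!II", packet[:8])
    expected = esp_icv(auth_key, packet[:-ICV_LEN])
    ok = hmac.compare_digest(expected, packet[-ICV_LEN:])
    return {"spi": spi, "seqno": seq, "mac_ok": ok}


def demo() -> dict:
    # Constructed keys: the key of the current SA and a stale key from the previous SA.
    key_current = b"\x11" * 32
    key_stale = b"\x22" * 32
    iv = b"\x00" * 16
    ciphertext = b"\xa5" * 64  # constructed, stands in for AES-256-CBC output
    # SPI and sequence number taken from the Cisco log line in the post
    pkt = build_esp(key_current, spi=0x8905364E, seq=0x00033572, iv=iv, ciphertext=ciphertext)
    # One flipped bit inside the ciphertext: transit corruption also fails the ICV
    tampered = pkt[:30] + bytes([pkt[30] ^ 0x01]) + pkt[31:]
    return {
        "same_key": verify_esp(key_current, pkt)["mac_ok"],
        "stale_key": verify_esp(key_stale, pkt)["mac_ok"],
        "bit_flip": verify_esp(key_current, tampered)["mac_ok"],
    }
```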
Hello,
A similar issue is described in the KB below:
You may consider trying to apply steps 5 - 7 and check whether the issue persists.