Not applicable

site to site vpn problem

Hi all, I have some big problems with my FortiGate 300A on site A and our Cisco SRP521W on site B. We can't establish a site-to-site VPN connection... Phase 1 looks good, but Phase 2 didn't work... sometimes (5 or 6 times in total) I get an error "no matching gateway for new request" for Phase 2. But at the moment I don't get ANY error? I can only see the success messages from Phase 1... and then nothing happens? Log from the FortiGate:

ike 0: comes 46.206.xxx.xxx:500->192.168.1.1:500,ifindex=5....
ike 0: IKEv1 exchange=Aggressive id=8752b1e752eef59d/0000000000000000 len=268
ike 0: found vpn_xxx_grz 192.168.1.1 5 -> 46.206.xxx.xxx:500
ike 0:vpn_xxx_grz:23191: responder: aggressive mode get 1st message...
ike 0:vpn_xxx_grz:23191: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:vpn_xxx_grz:23191: negotiation result
ike 0:vpn_xxx_grz:23191: proposal id = 1:
ike 0:vpn_xxx_grz:23191: protocol id = ISAKMP:
ike 0:vpn_xxx_grz:23191: trans_id = KEY_IKE.
ike 0:vpn_xxx_grz:23191: encapsulation = IKE/none
ike 0:vpn_xxx_grz:23191: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:vpn_xxx_grz:23191: type=OAKLEY_HASH_ALG, val=MD5.
ike 0:vpn_xxx_grz:23191: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:vpn_xxx_grz:23191: type=OAKLEY_GROUP, val=1024.
ike 0:vpn_xxx_grz:23191: ISKAMP SA lifetime=28800
ike 0:vpn_xxx_grz:23191: cookie 8752b1e752eef59d/2014dbacd5096597
ike 0:vpn_xxx_grz:23191: ISAKMP SA 8752b1e752eef59d/2014dbacd5096597 key 24:241ABB3CB5099BA10057E4DD5F59C827954DBBF16BE754AE
ike 0:vpn_xxx_grz:23191: sent IKE msg (agg_r1send): 192.168.1.1:500->46.206.xxx.xxx:500, len=288
ike 0: comes 46.206.xxx.xxx:500->192.168.1.1:500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=8752b1e752eef59d/0000000000000000 len=40
ike 0: found vpn_xxx_grz 192.168.1.1 5 -> 46.206.xxx.xxx:500
ike 0:vpn_xxx_grz: ISAKMP SA 8752b1e752eef59d/0000000000000000 not found for informational msg from 46.206.xxx.xxx
ike 0:vpn_xxx_grz:23193: sent IKE msg (P1_RETRANSMIT): 192.168.1.1:500->46.206.xxx.xxx:500, len=288
ike 0: comes 46.206.xxx.xxx:500->192.168.1.1:500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=71f51e9eed28fcf8/0000000000000000 len=40
ike 0: found vpn_xxx_grz 192.168.1.1 5 -> 46.206.xxx.xxx:500
ike 0:vpn_xxx_grz: ISAKMP SA 71f51e9eed28fcf8/0000000000000000 not found for informational msg from 46.206.xxx.xxx

Please, can anyone help me? THANKS A LOT!
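The log in the post above can be read mechanically. The script below is an added example, not code from the post, from Fortinet or from the forum members: it parses FortiGate IKE debug lines of the shape quoted above, records the accepted Phase 1 proposal, and flags the pattern the post shows (aggressive-mode message 1 received, reply sent, then an Informational exchange whose responder cookie is all zeros instead of the third aggressive-mode message, followed by a P1_RETRANSMIT). It also masks the ISAKMP SA key that the debug output prints, so the log can be shared for troubleshooting. Assumptions: the sample lines are a constructed subset of the post's log with the key replaced by a placeholder, and reading OAKLEY_GROUP val=1024 as the 1024-bit MODP group (DH group 2) is my interpretation of that field.

```python
"""Locate where IKEv1 Phase 1 stops in a FortiGate IKE debug log, and redact SA keys.

Added example, not code from the post or from Fortinet. Line formats are
those quoted in the post; everything else here is an assumption of this example.
"""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the post's log. Addresses are masked as in the
# post; the SA key is a placeholder, not the value printed in the post.
SAMPLE_LOG = """\
ike 0: comes 46.206.xxx.xxx:500->192.168.1.1:500,ifindex=5....
ike 0: IKEv1 exchange=Aggressive id=8752b1e752eef59d/0000000000000000 len=268
ike 0:vpn_xxx_grz:23191: responder: aggressive mode get 1st message...
ike 0:vpn_xxx_grz:23191: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:vpn_xxx_grz:23191: type=OAKLEY_HASH_ALG, val=MD5.
ike 0:vpn_xxx_grz:23191: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:vpn_xxx_grz:23191: type=OAKLEY_GROUP, val=1024.
ike 0:vpn_xxx_grz:23191: ISAKMP SA 8752b1e752eef59d/2014dbacd5096597 key 24:000102030405060708090A0B0C0D0E0F1011121314151617
ike 0:vpn_xxx_grz:23191: sent IKE msg (agg_r1send): 192.168.1.1:500->46.206.xxx.xxx:500, len=288
ike 0: IKEv1 exchange=Informational id=8752b1e752eef59d/0000000000000000 len=40
ike 0:vpn_xxx_grz: ISAKMP SA 8752b1e752eef59d/0000000000000000 not found for informational msg from 46.206.xxx.xxx
ike 0:vpn_xxx_grz:23193: sent IKE msg (P1_RETRANSMIT): 192.168.1.1:500->46.206.xxx.xxx:500, len=288
ike 0: IKEv1 exchange=Informational id=71f51e9eed28fcf8/0000000000000000 len=40
ike 0:vpn_xxx_grz: ISAKMP SA 71f51e9eed28fcf8/0000000000000000 not found for informational msg from 46.206.xxx.xxx
"""

TUNNEL_RE = re.compile(r"^ike \d+:([^:\s]+):")                 # "ike 0:vpn_xxx_grz:23191: ..."
ATTR_RE = re.compile(r"type=(\w+), val=(\w+)\.")                # accepted Phase 1 attributes
EXCHANGE_RE = re.compile(r"exchange=(\w+) id=([0-9a-f]{16})/([0-9a-f]{16})")
KEY_RE = re.compile(r"(ISAKMP SA [0-9a-f/]+ key \d+:)[0-9A-Fa-f]+")  # SA key material in the log


@dataclass
class Phase1Trace:
    tunnel: str = ""
    proposal: dict = field(default_factory=dict)
    aggressive_msg1_seen: bool = False      # we received the peer's first aggressive-mode message
    reply_sent: bool = False                # we sent agg_r1 (second aggressive-mode message)
    informational_zero_rcookie: int = 0     # Informational exchanges with an all-zero responder cookie
    retransmits: int = 0                    # P1_RETRANSMIT events
    key_material_logged: bool = False


def parse_ike_log(text: str) -> Phase1Trace:
    """Walk the log once and collect the facts needed to place the Phase 1 failure."""
    t = Phase1Trace()
    for line in text.splitlines():
        if m := TUNNEL_RE.match(line):
            t.tunnel = m.group(1)
        if "aggressive mode get 1st message" in line:
            t.aggressive_msg1_seen = True
        if m := ATTR_RE.search(line):
            t.proposal[m.group(1)] = m.group(2)
        if "(agg_r1send)" in line:
            t.reply_sent = True
        if "(P1_RETRANSMIT)" in line:
            t.retransmits += 1
        if m := EXCHANGE_RE.search(line):
            if m.group(1) == "Informational" and set(m.group(3)) == {"0"}:
                t.informational_zero_rcookie += 1
        if KEY_RE.search(line):
            t.key_material_logged = True
    return t


def diagnose(t: Phase1Trace) -> list:
    """Return finding tags in a fixed order, so output is easy to compare across runs."""
    findings = []
    if t.aggressive_msg1_seen and t.reply_sent and t.informational_zero_rcookie:
        # We answered message 1, but what came back was an Informational notify
        # carrying no responder cookie instead of the third aggressive-mode
        # message: the peer did not accept our reply, Phase 1 never completes,
        # and Phase 2 is therefore never attempted.
        findings.append("phase1_stalled_after_reply")
    if t.retransmits:
        findings.append("phase1_retransmit")
    # Interpretation of this example: val=1024 is the 1024-bit MODP group (DH group 2).
    weak = {"OAKLEY_ENCRYPT_ALG": ("DES_CBC", "3DES_CBC"),
            "OAKLEY_HASH_ALG": ("MD5",),
            "OAKLEY_GROUP": ("768", "1024")}
    if any(t.proposal.get(k) in v for k, v in weak.items()):
        findings.append("weak_phase1_proposal")
    if t.key_material_logged:
        findings.append("key_material_in_log")
    return findings


def redact_keys(text: str) -> str:
    """Mask the SA key the debug output prints before the log leaves the box."""
    return KEY_RE.sub(r"\1<redacted>", text)


if __name__ == "__main__":
    trace = parse_ike_log(SAMPLE_LOG)
    print("tunnel:", trace.tunnel)
    print("phase 1 proposal:", trace.proposal)
    print("findings:", diagnose(trace))
    print(redact_keys(SAMPLE_LOG))
```

The "phase1_stalled_after_reply" finding is the shape of the log in the post: the FortiGate, acting as responder, accepted the Cisco's first aggressive-mode message and sent its reply, and the next thing it saw was a notify it could not tie to any SA. That is consistent with the replies below, which point at the PSK or proposal on the Cisco side; the parser only places the failure, it cannot tell which of the two it is. The weak-proposal and key-material findings are the two things a reviewer would also want fixed before this log is pasted anywhere.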
MTCI
New Contributor

When I've previously had to set up mixed-vendor site-to-site VPNs, on the FortiGate UI I've had to enter Phase 2 Quick Mode Selector (QMS) Source and Destination Address information - this was the internal addressing, FYI. The remaining QMS fields were left untouched.
Not applicable

Yeah, I also added the internal addresses in the QMS fields. So these are my settings on my FortiGate on site A: Source Address: 192.168.21.0/24 (subnet on the LAN interface of the FortiGate); Destination Address: 10.123.123.0/24 (subnet behind the Cisco router on site B). Edit: when I try to establish the tunnel from the Cisco on site B, I get the above messages on my Fortinet on site A. When I try to establish the tunnel directly from the Fortinet, I can see the message "ike 0: ignoring request with invalid initiator cookie 46.206.xxx.xxx:500->192.168.1.1 5 cookie 0000000000000000/0000000000000000 exchange-type Informational" in my log... Any ideas?
emnoc
Esteemed Contributor III

Sounds like a bad IKE proposal or PSK. Does the Cisco show anything within its log or debug when attempting this IPsec tunnel? Do you have the running config for the VPN portions within this Cisco?

PCNSE NSE StrongSwan
jtfinley

Sounds like a bad IKE proposal or PSK. Does the Cisco show anything within its log or debug when attempting this IPsec tunnel? Do you have the running config for the VPN portions within this Cisco?
I second that: PSK. Retype it at both ends... Also, turn off DPD on your side. Cisco doesn't like DPD... my tunnels would bounce all the time. Joe