Hi forti users,
I have big issue when trying to implement VPN ispec wtih fortigate80C and cisco ASA. I dont have acces to the ASA. after all configuration when I try to bring up the VPN i receive this debug message below and the VPN doesn't work:
ike 0:IPsec2ASA: carrier down
ike shrank heap by 126976 bytes
ike 0:IPsec2ASA: auto-negotiate connection
ike 0:IPsec2ASA: created connection: 0xa4f0878 3 localIP->remoteIP:500.
ike 0:IPsec2ASA:9295: initiator: main mode is sending 1st message...
ike 0:IPsec2ASA:9295: cookie 0f15990e0bced5d6/0000000000000000
ike 0:IPsec2ASA:9295: out 0F15990E0BCED5D600000000000000000110020000000000000001080D00003800000001000000010000002C010100010000002401010000800B0001000C000400015180800100058003000180020002800400020D0000144A131C81070358455C5728F20E95452F0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000148299031757A36082C6A621DE0005010F
ike 0:IPsec2ASA:9295: sent IKE msg (ident_i1send): localIP:500->remoteIP:500, len=264, id=0f15990e0bced5d6/0000000000000000
ike 0: comes remoteIP:500->localIP:500,ifindex=3....
ike 0: IKEv1 exchange=Identity Protection id=0f15990e0bced5d6/aee35b2c685b6881 len=128
ike 0: in 0F15990E0BCED5D6AEE35B2C685B68810110020000000000000000800D00003800000001000000010000002C01010001000000240101000080010005800200028004000280030001800B0001000C0004000151800D00001490CB80913EBB696E086381B5EC427B1F000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:IPsec2ASA:9295: initiator: main mode get 1st response...
ike 0:IPsec2ASA:9295: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:IPsec2ASA:9295: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:IPsec2ASA:9295: selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02\n
ike 0:IPsec2ASA:9295: negotiation result
ike 0:IPsec2ASA:9295: proposal id = 1:
ike 0:IPsec2ASA:9295: protocol id = ISAKMP:
ike 0:IPsec2ASA:9295: trans_id = KEY_IKE.
ike 0:IPsec2ASA:9295: encapsulation = IKE/none
ike 0:IPsec2ASA:9295: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:IPsec2ASA:9295: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:IPsec2ASA:9295: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:IPsec2ASA:9295: type=OAKLEY_GROUP, val=1024.
ike 0:IPsec2ASA:9295: ISAKMP SA lifetime=86400
ike 0:IPsec2ASA:9295: out 0F15990E0BCED5D6AEE35B2C685B68810410020000000000000000E40A000084947ED556F658BE553DDA6E0DAB75401B8807B377684948DD540ADB67D8F4BB26AC1E6712B5704632EF77A7E222298C0C70CA8BBD346CCA22C54991714175A009EC86A8311709480B8645C5431DA5C1BCD18C99F429E8AA98DDA2C7AF7DC9A776ED98BFBFDBE551D8A09E9BEA9FF747B417887E0EE96CCD8BF1C348612D4C5C9682000014F90A47995AB52D4133548580109E749582000018F4FCCB5856D9FA1B16F9B34BBC05DF243FD0294E000000187CDC806405FA802111D5E74DA03356ADA9BB3293
ike 0:IPsec2ASA:9295: sent IKE msg (ident_i2send): localIP:500->remoteIP:500, len=228, id=0f15990e0bced5d6/aee35b2c685b6881
ike 0: comes remoteIP:500->localIP:500,ifindex=3....
ike 0: IKEv1 exchange=Identity Protection id=0f15990e0bced5d6/aee35b2c685b6881 len=304
ike 0: in 0F15990E0BCED5D6AEE35B2C685B68810410020000000000000001300A000084E1D2E9309D013F2517E25A37801793E9ABE3C604E0A7780DEADE07F39F8AF6DC20E0BB3CA4933F03FE09C2B7EF56A556E79D96880D4D04BA79DF158BC9125DBBE8DED40951A14EC04446A225155E8E2918976EBEBBED314455CF0B17DCA12741C752B854012A8AFFA4C7CD7818C64EA9A7121F7927D5E34AFD36648C37B95ACB0D0000185D5F98F5FBEFDECE2241DADA4C21FC9FC75B1B8D0D00001412F5F28C457168A9702D9FE274CC01000D00000C09002689DFD6B7120D0000145B24FC31685A6881EBB781B7518230B1820000141F07F70EAA6514D3B0FA96542A500100820000187CDC806405FA802111D5E74DA03356ADA9BB329300000018F4FCCB5856D9FA1B16F9B34BBC05DF243FD0294E
ike 0:IPsec2ASA:9295: initiator: main mode get 2nd response...
ike 0:IPsec2ASA:9295: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
ike 0:IPsec2ASA:9295: peer supports UNITY
ike 0:IPsec2ASA:9295: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 0:IPsec2ASA:9295: VID unknown (16): 5B24FC31685A6881EBB781B7518230B1
ike 0:IPsec2ASA:9295: VID unknown (16): 1F07F70EAA6514D3B0FA96542A500100
ike 0:IPsec2ASA:9295: NAT not detected
ike 0:IPsec2ASA:9295: ISAKMP SA 0f15990e0bced5d6/aee35b2c685b6881 key 24:12CC6BCFC6A3C03E445D2A32D27B182589ECF4400783F4E8
ike 0:IPsec2ASA:9295: add INITIAL-CONTACT
ike 0:IPsec2ASA:9295: enc 0F15990E0BCED5D6AEE35B2C685B688105100201000000000000005C0800000C0100000029DB0BE20B000018A40B90B6D53A8FAFB9C5C159B9ED9140B154294D0000001C00000001011060020F15990E0BCED5D6AEE35B2C685B6881
ike 0:IPsec2ASA:9295: out 0F15990E0BCED5D6AEE35B2C685B6881051002010000000000000064CFBC03A101328796F08B92FBABED78C7547BAED5AEC4E3CCCB1A96A16FF8645690A96289D735A5E9D2D5BCDCD5F3BB2E2214F0C9610739453A2E645935733CDAFF3BA6BC139C4032
ike 0:IPsec2ASA:9295: sent IKE msg (ident_i3send): localIP:500->remoteIP:500, len=100, id=0f15990e0bced5d6/aee35b2c685b6881
ike 0: comes remoteIP:500->localIP:500,ifindex=3....
ike 0: IKEv1 exchange=Identity Protection id=0f15990e0bced5d6/aee35b2c685b6881 len=84
ike 0: in 0F15990E0BCED5D6AEE35B2C685B6881051002010000000000000054166397399289C45CC526182A29EE8D4CC0E6511DDAE6A68ADEBE5A876CB4F0557E65E71ABD73354AB9B972A05F55CB38392E2D88B9136E06
ike 0:IPsec2ASA:9295: initiator: main mode get 3rd response...
ike 0:IPsec2ASA:9295: dec 0F15990E0BCED5D6AEE35B2C685B68810510020100000000000000540800000C01110000D58869120D0000184169AA7DDD14F58D70736B66F14366D175C8B88B00000014AFCAD71368A1F1C96B8696FC77570100
ike 0:IPsec2ASA:9295: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:IPsec2ASA:9295: DPD negotiated
ike 0:IPsec2ASA:9295: PSK authentication succeeded
ike 0:IPsec2ASA:9295: authentication OK
ike 0:IPsec2ASA:9295: established IKE SA 0f15990e0bced5d6/aee35b2c685b6881
ike 0:IPsec2ASA: set oper up
ike 0:IPsec2ASA: schedule auto-negotiate
ike 0:IPsec2ASA:9295: no pending Quick-Mode negotiations
ike 0:IPsec2ASA: carrier up
ike 0:IPsec2ASA:VPNPhase2: IPsec SA connect 3 localIP->remoteIP:0
ike 0:IPsec2ASA:VPNPhase2: using existing connection
ike 0:IPsec2ASA:VPNPhase2: config found
ike 0:IPsec2ASA:VPNPhase2: IPsec SA connect 3 localIP->remoteIP:500 negotiating
ike 0:IPsec2ASA:9295: cookie 0f15990e0bced5d6/aee35b2c685b6881:34a0b58e
ike 0:IPsec2ASA:9295:VPNPhase2:11600: initiator selectors 0 0:192.168.101.0/255.255.255.0:0:0->0:192.168.2.0/255.255.255.0:0:0
ike 0:IPsec2ASA:9295: enc 0F15990E0BCED5D6AEE35B2C685B68810810200134A0B58E00000120010000187EFF4E4361DE5F2523905A84D1E742D5E91AE93C0A0000340000000100000001000000280103040146FF4CDD0000001C010200008001000180020E1080040001800500018003000204000014D5745F25DDA81FDE2908DF7FF6101A39050000848EF247FF09A054A9B5CAE64880C7CBF6BE8B1BC2E097AC319911CD72508E4F7E80819C44AD
80E04766C518F02300933C241300F5416BF2534BF5913789E3D497043C1AE295FBE0E40C229D443D7D5941CCFBEF5B30FB6A63735CDE91C2AB105ACB85FF90DBB514A74B930F07A73B4B0D503C930A55815C2DB61EFAB9A967DEA0500001004000000C0A86500FFFFFF000000001004000000C0A80200FFFFFF00
ike 0:IPsec2ASA:9295: out 0F15990E0BCED5D6AEE35B2C685B68810810200134A0B58E00000124C8071A5965065417411B3FBC65946B21139B25696CFE1588BFFD994CE2F3D50AFBBAAA64ECD2F79A5C437E6793113A08D00D2EA875A27EA818FD9A142D9C87449F97ED375CCB7CE1E76F1D6889B23E1864C7F5F5DCDECF2E90BB6345FDCC9807F46734C035656B8D3B59B79AF01015A84F70A6B5DD7EF69D761A6DBCC35414469F2D7B6122DEAE1BE1D3C05E419A6CF0C68BECB28C8DD45DF836F4875A4A1D6CAA6481A619552DACDA701104878F74F9C4A343D1963606067722347D1D75A2D15C8BC2BF90F3806322F588BA1032E28ACA6CF62D8AD31F91FCB7DE51F8115B0DD50C1EE22F7A2E091E9612F17FF8D9DA2FD35673FA8462C449147E4A4EEA74B86CDA51525E261917
ike 0:IPsec2ASA:9295: sent IKE msg (quick_i1send): localIP:500->remoteIP:500, len=292, id=0f15990e0bced5d6/aee35b2c685b6881:34a0b58e
ike 0: comes remoteIP:500->localIP:500,ifindex=3....
ike 0: IKEv1 exchange=Informational id=0f15990e0bced5d6/aee35b2c685b6881:883467b8 len=84
ike 0: in 0F15990E0BCED5D6AEE35B2C685B688108100501883467B800000054FEDAD0A3BA5D06537514042A3BD6A84B88210DF4B0D0660C1B8EC3D4AC6E6CC61DF8E72E93B27AE7C6446205B2A0D819379DC6ECBE85E7A7
ike 0:IPsec2ASA:9295: dec 0F15990E0BCED5D6AEE35B2C685B688108100501883467B8000000540B0000181E068ACC9670F054FDF161E17D4C54E1C7E617D900000020000000010310000E0F15990E0BCED5D6AEE35B2C685B688134A0B58E
ike 0:IPsec2ASA:9295: notify msg received: NO-PROPOSAL-CHOSEN
ike 0: comes remoteIP:500->localIP:500,ifindex=3....
ike 0: IKEv1 exchange=Informational id=0f15990e0bced5d6/aee35b2c685b6881:6473ccd5 len=84
ike 0: in 0F15990E0BCED5D6AEE35B2C685B6881081005016473CCD500000054BAC33C73492BE11188A5926E86C1F02A96ECDF7F69DE54DC2ED369C77EAD45449FF1FE95000EEA81349868BDECA0E4997D9E3B5076954D20
ike 0:IPsec2ASA:9295: dec 0F15990E0BCED5D6AEE35B2C685B6881081005016473CCD5000000540C0000183B109FAEF711B2429CF35FC0B07C2CFAFD7042C90000001C00000001011000010F15990E0BCED5D6AEE35B2C685B688100000000
ike 0:IPsec2ASA:9295: recv ISAKMP SA delete 0f15990e0bced5d6/aee35b2c685b6881
ike 0:IPsec2ASA: deleting
ike 0:IPsec2ASA: flushing
ike 0:IPsec2ASA: flushed
ike 0:IPsec2ASA: deleted
ike 0:IPsec2ASA: set oper down
ike 0:IPsec2ASA: schedule auto-negotiate
ike 0:IPsec2ASA: carrier down
ike 0:IPsec2ASA: auto-negotiate connection
ike 0:IPsec2ASA: created connection: 0xa4f0878 3 localIP->remoteIP:500.
ike 0:IPsec2ASA:9296: initiator: main mode is sending 1st message...
here is my config and ASA config from their side
fortigate ASA
Encryption Algorithm 3DES 3DES
Hash Algorithm SHA SHA
Diffie-Hellman Group GROUP 2 GROUP 2
Encryption key Lifetime 86400 86400
PHASE 2
Encryption Method DES ESP-DES
Authentication Method MD5 ESP-MD5-HMAC
Lifetime 3600 3600
I really need help
thanks
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
The logs states that the firewalls could not negotiate a common phase2 proposal (auth+encr). I wonder how in the world one would choose DES and MD5 nowadays. Are you 100% sure it's not meant to be 3DES?
thanks ede_pfau for your answer,
by the way I have a question is there any difference between MD5 and esp-MD5-hmac and between DES and esp_DES. Maybe this is a stupid question but I'd like to know as it is my first time to work on that
thanks
No, I don't think these terms (vendor specific) denote different things - DES is a 56bit encryption, MD5 a hash algorithm.
Can you verify the Cisco settings, esp. "DES" instead of "3DES"?
I don't have access to the cisco ASA
I would find out who does and ask them to verify some things with you. Perhaps a webex to help you with the troubleshooting at the very least.
That would be the fastest way to resolve your issue.
Mike Pruett
Well, it wouldn't hurt your firewall or theirs to simply try 3DES - MD5, and then just clicking through a few random variations. If you hit the right combination you will have it up all weekend.
Hello everyone, the problem is solved. just had to disable the "PFS" I did not have that information. thank you to all
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1633 | |
1063 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.