kummyquat
New Contributor

Creating VPN between a PIX and a Fortinet

Here's what we have. The Fortinet box seems to possibly get through Phase 1 but then get stuck on Phase 2. It's very difficult to interpret what it's doing or where it's going wrong. I'm much more familiar with (my) PIX end and it too is extremely vague about where it's not working. Can anyone tell me what we may be missing here? Here's what we have on both sides. I've blacked out IP addresses and whatnot.
sysopt connection permit-ipsec
 crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 crypto ipsec transform-set fortinet esp-3des esp-sha-hmac
 crypto map outside_map 10 ipsec-isakmp
 crypto map outside_map 10 match address 85
 crypto map outside_map 10 set peer 10.x.x.x
 crypto map outside_map 10 set transform-set fortinet
 crypto map outside_map 10 set security-association lifetime seconds 86400 kilobytes 4608000
 crypto map outside_map 20 ipsec-isakmp
 crypto map outside_map 20 match address 90
 crypto map outside_map 20 set peer 10.x.x.x
 crypto map outside_map 20 set transform-set ESP-3DES-SHA
 crypto map outside_map interface EPORT
 isakmp enable EPORT
 isakmp key ******** address 10.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
 isakmp key ******** address 10.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
 isakmp identity address
 isakmp policy 10 authentication pre-share
 isakmp policy 10 encryption 3des
 isakmp policy 10 hash sha
 isakmp policy 10 group 2
 isakmp policy 10 lifetime 86400
 isakmp policy 20 authentication pre-share
 isakmp policy 20 encryption 3des
 isakmp policy 20 hash sha
 isakmp policy 20 group 2
 isakmp policy 20 lifetime 28800
 
rwpatterson
Valued Contributor III

Welcome to the forums. It looks to me as though you have DH group 2 set up in the PIX, but disabled on the FGT. On the FGT, PFS and DH group are linked in phase 2.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

emnoc
Esteemed Contributor III

Ditto. And make sure ACL 85 matches the Fortinet src/dst address. Btw, great job explaining the problem and the screen shots.

PCNSE NSE StrongSwan
rwpatterson
Valued Contributor III

Not as big a deal, but your phase 2 key lives don't match exactly (no data limit set on the FGT).

kummyquat
New Contributor

Thanks for the quick responses! It's my understanding (from this site) that the FGT Phase 2 section is the "crypto map" settings on the PIX. I have Group 2 in Phase 1 on the FGT and isakmp policy 10 sections and no group settings in Phase 2 or crypto map.
kummyquat
New Contributor

I enabled debug on the Pix and am getting the following messages:
 ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
   (key eng. msg.) dest= 10.48.5.94, src= 10.48.4.6,
     dest_proxy= 10.74.33.0/255.255.255.0/0/0 (type=4),
     src_proxy= 199.38.8.0/255.255.248.0/0/0 (type=4),
     protocol= ESP, transform= esp-3des esp-sha-hmac ,
     lifedur= 0s and 0kb,
     spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
 IPSEC(validate_transform_proposal): peer address 10.48.4.6 not found
 IPSEC(validate_proposal_request): proposal part #1,
   (key eng. msg.) dest= 10.48.5.94, src= 10.48.4.6,
     dest_proxy= 199.38.8.0/255.255.248.0/0/0 (type=4),
     src_proxy= 10.74.33.0/255.255.255.0/0/0 (type=4),
     protocol= ESP, transform= esp-3des esp-sha-hmac ,
     lifedur= 0s and 0kb,
     spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
 IPSEC(validate_transform_proposal): peer address 10.48.5.94 not found
 
 ISAKMP: IPSec policy invalidated proposal
 ISAKMP (0): SA not acceptable!
 
I can't quite figure out what these messages are telling me. 10.48.5.94 is the PIX's outside address and 10.48.4.6 is the FortiGate's.
emnoc
Esteemed Contributor III

That's fine, the Diffie-Hellman group matches the PIX policy, but if you enable PFS on one, you have to do the same on the other. It's how it crafts a new key exchange for the ph2-SAs and ensures "secrecy", so to speak. But after looking at your posting, and after relooking it over again and closer, it's 100% correct as-is.

What's the status of the VPN from the PIX and FortiGate? Did you enable any diagnostics?

Also, are you using nat-control? And if yes, do you have any nonat ACLs mapped to the interfaces, or whatever your sources are coming from? E.g. (assuming ACL 85 is left and right subnet, aka local/remote in Openswan/strongSwan lingo):

 access-list nonat_inside permit ip "yourside-sources" "fgt-destination"
 !
 ! then apply it to the appropriate interfaces
 !
 nat (inside) 0 access-list nonat_inside

NOTE: that 0 behind the nat statement means DO NOT NAT THIS.

Now give us the following, or at least make sure it matches what you're doing:

 show run access-list
 show run crypto map
 show crypto isakmp
 show crypto ipsec sa
 show crypto map

Final hint: if you have p2 between PIX and FGT, the SA number will match.

emnoc
Esteemed Contributor III

dest_proxy= 199.38.8.0/255.255.248.0/0/0 (type=4), src_proxy= 10.74.33.0/255.255.255.0/0/0 (type=4),
I see you were replying when I replied. Does the above match ACL 85, and is it identified in the FGT quick mode selectors? Also, what are you doing with NAT?

kummyquat
New Contributor

 access-list 85 permit ip 10.74.33.0 255.255.255.0 host 199.38.8.88
 access-list 95 permit ip 10.74.33.0 255.255.255.0 any
 
 nat (inside) 0 access-list 95
 nat (inside) 10 0.0.0.0 0.0.0.0 0 0
 nat (EPORT) 10 0.0.0.0 0.0.0.0 0 0
 
 crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 crypto ipsec transform-set fortinet esp-3des esp-sha-hmac
 crypto map outside_map 10 ipsec-isakmp
 crypto map outside_map 10 match address 85
 crypto map outside_map 10 set peer 10.48.4.6
 crypto map outside_map 10 set transform-set fortinet
 crypto map outside_map 10 set security-association lifetime seconds 86400 kilobytes 4608000
 crypto map outside_map 20 ipsec-isakmp
 crypto map outside_map 20 match address 90
 crypto map outside_map 20 set peer 10.28.0.227
 crypto map outside_map 20 set transform-set ESP-3DES-SHA
 crypto map outside_map interface EPORT
 isakmp enable EPORT
 isakmp key ******** address 10.28.0.227 netmask 255.255.255.255 no-xauth no-config-mode
 isakmp key ******** address 10.48.4.6 netmask 255.255.255.255 no-xauth no-config-mode
 isakmp identity address
 isakmp policy 10 authentication pre-share
 isakmp policy 10 encryption 3des
 isakmp policy 10 hash sha
 isakmp policy 10 group 2
 isakmp policy 10 lifetime 86400
 isakmp policy 20 authentication pre-share
 isakmp policy 20 encryption 3des
 isakmp policy 20 hash sha
 isakmp policy 20 group 2
 isakmp policy 20 lifetime 28800
 
After looking at this I think I need a nat (inside) 0 access-list 85 as well? The reason I only have the one host in ACL 85 is that we have other traffic to the 199. addresses currently going over the other tunnel that can't go down for any length of time.
emnoc
Esteemed Contributor III

That's fine, but ACL 95 is going to be bad sooner or later. I think what you need:

 !
 access-list 85 permit ip 10.74.33.0 255.255.255.0 199.38.8.0 255.255.248.0
 !
 !
 access-list nonat_inside permit ip 10.74.33.0 255.255.255.0 199.38.8.0 255.255.248.0
 access-list nonat_inside permit ip 199.38.8.0 255.255.248.0 10.74.33.0 255.255.255.0
 ! you don't need the 2nd line, the Cisco is smart enough to match either direction
 !
 nat (inside) 0 access-list nonat_inside

I typically craft nonat ACLs using the following naming: "nonat_`interfacename-here`".

Also ensure traffic is NOT NAT'd thru the VPN/IPsec unless you really want to NAT/PAT it. Only place traffic specifically that should be NAT'd.

Your 95 pretty much says anything from 10.74.33.0/24 to any DO NOT NAT. Is that what you really want?

correction: I MEANT NOT NAT'd

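A checker for the selector mismatch this thread is chasing, added here as an example and not code from the thread, Cisco or Fortinet: it parses the dest_proxy/src_proxy lines of the PIX debug output and the crypto map's match ACL (both samples constructed from the values quoted above) and reports where the ACL does not mirror what the peer proposed in quick mode. It assumes the responding PIX's crypto ACL has to mirror the peer's selectors exactly, which is the check the replies ask for.

```python
# Added example, not from the thread: check whether the Phase 2 proxy IDs a PIX logs in
# IPSEC(validate_proposal_request) are mirrored by the crypto map ACL ("match address").
import ipaddress
import re

# Sample input constructed from the values quoted in the thread above.
PIX_DEBUG = """\
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 10.48.5.94, src= 10.48.4.6,
    dest_proxy= 10.74.33.0/255.255.255.0/0/0 (type=4),
    src_proxy= 199.38.8.0/255.255.248.0/0/0 (type=4),
"""
CRYPTO_ACL = "access-list 85 permit ip 10.74.33.0 255.255.255.0 host 199.38.8.88"
PROXY_RE = re.compile(r"(dest|src)_proxy= ([\d.]+)/([\d.]+)/")

def parse_proxies(debug):
    """Proxy networks of the first proposal part. On the responding PIX,
    dest_proxy is its own (local) subnet and src_proxy the peer's (remote)."""
    nets = {}
    for side, addr, mask in PROXY_RE.findall(debug):
        nets.setdefault(side, ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets

def _acl_net(tokens):
    """Consume one ACL address spec ('any', 'host A' or 'A MASK'); return (net, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(line):
    """Parse 'access-list N permit ip <src> <dst>' into (local_net, remote_net)."""
    local, rest = _acl_net(line.split()[4:])   # skip 'access-list 85 permit ip'
    remote, _ = _acl_net(rest)
    return local, remote

def check_selectors(debug, acl_line):
    """Mismatches between the peer's selectors and the ACL (empty list = mirrored)."""
    prox = parse_proxies(debug)
    local, remote = parse_acl(acl_line)
    problems = []
    if prox["dest"] != local:
        problems.append(f"local: peer proposed {prox['dest']}, ACL has {local}")
    if prox["src"] != remote:
        problems.append(f"remote: peer proposed {prox['src']}, ACL has {remote}")
    return problems

for line in check_selectors(PIX_DEBUG, CRYPTO_ACL) or ["selectors match"]:
    print(line)
```

Run against the thread's values it flags the remote side: the FortiGate proposes 199.38.8.0/21 while ACL 85 only covers host 199.38.8.88, which is exactly the selector mismatch the replies point at.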