sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set fortinet esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address 85
crypto map outside_map 10 set peer 10.x.x.x
crypto map outside_map 10 set transform-set fortinet
crypto map outside_map 10 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address 90
crypto map outside_map 20 set peer 10.x.x.x
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface EPORT
isakmp enable EPORT
isakmp key ******** address 10.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 10.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
PCNSE
NSE
StrongSwan
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 10.48.5.94, src= 10.48.4.6,
    dest_proxy= 10.74.33.0/255.255.255.0/0/0 (type=4),
    src_proxy= 199.38.8.0/255.255.248.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): peer address 10.48.4.6 not found
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 10.48.5.94, src= 10.48.4.6,
    dest_proxy= 199.38.8.0/255.255.248.0/0/0 (type=4),
    src_proxy= 10.74.33.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): peer address 10.48.5.94 not found
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!

I can't quite figure out what these messages are telling me. 10.48.5.94 is the Pix's outside address and 10.48.4.6 is the Fortigate's.
dest_proxy= 199.38.8.0/255.255.248.0/0/0 (type=4), src_proxy= 10.74.33.0/255.255.255.0/0/0 (type=4),

I see you were replying when I replied. Does the above match ACL 85, and is it identified in the FGT quick mode selectors? Also, what are you doing with NAT?
access-list 85 permit ip 10.74.33.0 255.255.255.0 host 199.38.8.88
access-list 95 permit ip 10.74.33.0 255.255.255.0 any
nat (inside) 0 access-list 95
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (EPORT) 10 0.0.0.0 0.0.0.0 0 0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set fortinet esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address 85
crypto map outside_map 10 set peer 10.48.4.6
crypto map outside_map 10 set transform-set fortinet
crypto map outside_map 10 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address 90
crypto map outside_map 20 set peer 10.28.0.227
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface EPORT
isakmp enable EPORT
isakmp key ******** address 10.28.0.227 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 10.48.4.6 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800

After looking at this I think I need a nat (inside) 0 access-list 85 as well? The reason I only have the one host in ACL 85 is that we have other traffic to the 199. addresses currently going over the other tunnel that can't go down for any length of time.
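The question asked earlier in the thread (does the dest_proxy/src_proxy pair in the PIX debug match ACL 85?) can be checked mechanically. The script below is an added example, not code from this thread, Cisco or Fortinet: it pulls the proxy identities out of the quoted debug lines, parses the posted crypto ACL 85, and reports whether the quick mode selectors the FortiGate offers are exactly what the PIX crypto ACL permits. With the data posted here they are not: the peer offers 199.38.8.0/21 while ACL 85 only names host 199.38.8.88. The debug text in the block is trimmed to the fields the check reads.

```python
import ipaddress
import re

# Constructed sample: the two proposal parts from the PIX debug output in this thread,
# trimmed to the fields this check reads, plus the crypto ACL 85 from the same thread.
PIX_DEBUG = """\
IPSEC(validate_proposal_request): proposal part #1, dest= 10.48.5.94, src= 10.48.4.6, dest_proxy= 10.74.33.0/255.255.255.0/0/0 (type=4), src_proxy= 199.38.8.0/255.255.248.0/0/0 (type=4), protocol= ESP
IPSEC(validate_transform_proposal): peer address 10.48.4.6 not found
IPSEC(validate_proposal_request): proposal part #1, dest= 10.48.5.94, src= 10.48.4.6, dest_proxy= 199.38.8.0/255.255.248.0/0/0 (type=4), src_proxy= 10.74.33.0/255.255.255.0/0/0 (type=4), protocol= ESP
"""
PIX_ACL = "access-list 85 permit ip 10.74.33.0 255.255.255.0 host 199.38.8.88"
PROXY_RE = re.compile(r"(src|dest)_proxy= ([\d.]+)/([\d.]+)/")

def parse_proxies(debug):
    """One (src_proxy, dest_proxy) network pair per validate_proposal_request line."""
    pairs = []
    for line in debug.splitlines():
        if "validate_proposal_request" in line:
            found = {m.group(1): ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
                     for m in PROXY_RE.finditer(line)}
            pairs.append((found["src"], found["dest"]))
    return pairs

def parse_acl_entry(line):
    """PIX 'access-list N permit ip <src> <dst>' -> (local, remote) networks.
    Each side is 'host A.B.C.D', 'any' or 'A.B.C.D NETMASK' (PIX ACLs use netmasks)."""
    toks = line.split()
    assert toks[2:4] == ["permit", "ip"], "only 'permit ip' crypto ACL entries are handled"
    nets, i = [], 4
    while len(nets) < 2:
        if toks[i] == "host":
            nets.append(ipaddress.ip_network(toks[i + 1] + "/32")); i += 2
        elif toks[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); i += 1
        else:
            nets.append(ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}")); i += 2
    return nets[0], nets[1]

def check_proposals(acl_line, pairs):
    """A proposal matches only if its proxy pair equals the ACL (local, remote) pair in
    either direction; a wider or narrower selector on either side is a mismatch."""
    local, remote = parse_acl_entry(acl_line)
    return [((src, dst) in {(local, remote), (remote, local)},
             f"peer offers {src} <-> {dst}; ACL expects {local} <-> {remote}")
            for src, dst in pairs]

if __name__ == "__main__":
    for ok, why in check_proposals(PIX_ACL, parse_proxies(PIX_DEBUG)):
        print("MATCH   " if ok else "MISMATCH", why)
```

Feeding it a constructed ACL whose destination is 199.38.8.0 255.255.248.0 makes both proposal parts match, which is the quickest way to confirm that the selector width, not the transform set, is what differs between the two sides in this output.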
Copyright 2024 Fortinet, Inc. All Rights Reserved.