- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Site to Site VPN - Phase 2 Failure (Network Diagra...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Site to Site VPN - Phase 2 Failure (Network Diagram Attached)
Good Afternoon,
I am trying to bring up a site to site vpn between a Cisco device and a Fortigate 60D 5.4.5. Phase1 is coming up fine, but phase 2 is not establishing and giving me the error: ike 0:vpn2mpls:32522: notify msg received: NO-PROPOSAL-CHOSEN ike 0:vpn2mpls:32522:vpn2mpls:22985: IPsec SPI 2230d800 match ike 0:vpn2mpls:32522:vpn2mpls:22985: delete phase2 SPI 2230d800 All the phase1, phase 2 configuration security parameters match, and the subnet selectors match. The static routes, and firewall policy match as well. The Cisco side of the connection says they are not seeing any phase2 traffic reach the Cisco device. I attached a image of the visio I created. FORTINET PHASE 1: config vpn ipsec phase1-interface edit "vpn2mpls" set interface "wan1" set keylife 3600 set peertype any set proposal 3des-md5 set comments "VPN Phase 1 connection to MPLS network" set dhgrp 1 set remote-gw 1.1.1.1 set psksecret ENC m05/qVmjVXqW1L6IZ1rBcdi2OOKAyKU+wGMQ1vtFHkPOKbBrSiEUc8r3qkO1OkE9VWgMMmw7wUQRoWLordYVWylwvgVtPRFqjUqSEUIQo8wWZZZpfTjC0PcmT29BQaEh9jsYX7BIa0skCsHPVQ33Mbk2XV1+6RAx12GULzhuR56ujahzvGaRS1uvIJcHacbQz8Tx0Q== next end
FORTINET PHASE 2
edit "vpn2mpls" set phase1name "vpn2mpls" set proposal 3des-md5 set dhgrp 1 set auto-negotiate enable set keylife-type both set comments "VPN Phase 2 connection to MPLS network" set keylifeseconds 3600 set keylifekbs 216000 set src-subnet 192.168.19.0 255.255.255.0 set dst-subnet 192.11.11.0 255.255.255.0 next end
CISCO CONFIGURATION:
crypto keyring V1519:ccwho-50072066 vrf V1519:ccwho
description ABC Comp - XYZ Site
pre-shared-key address 1.1.1.2 key psksecret-fake
crypto isakmp profile V1519:ccwho-50072066
vrf V1519:ccwho
keyring V1519:ccwho-50072066
match identity address 1.1.1.2 255.255.255.255 V1519:ccwho
crypto ipsec transform-set V1519:ccwho-50072066 esp-3des esp-md5-hmac
crypto map V1519:ccwho 20 ipsec-isakmp
set peer 1.1.1.2
set security-association lifetime kilobytes 216000
set transform-set V1519:ccwho-50072066
set pfs group1
set isakmp-profile V1519:ccwho-50072066
match address V1519:ccwho-50072066
!
ip access-list extended V1519:ccwho-50072066
permit ip 192.11.11.0 0.0.0.255 192.168.19.0 0.0.0.255
Labels:
- Labels:
-
5.4
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I guess they are wrong if they say that no "phase 2" traffic reaches their gateway, because they are sending the notify message to the FortiGate but anyway - from the first look you have enabled the key lifetime both data and seconds, but not on the Cisco side. Maybe change that and try again. Also is the FortiGate behind a NAT or did you mask the ip addresses? Maybe NAT traversal needs to be enabled on both gateways.
Edit: I advise you not to use 3DES and MD5 in the proposal, they are considered broken
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried removing the timers, however I was able to get the debugs from the Cisco Side and they show the following: VAS-GATEWAY#debug crypto ipsec Crypto IPSEC debugging is on VAS-GATEWAY# *Aug 31 13:12:03.047: IPSEC(validate_proposal_request): proposal part #1 *Aug 31 13:12:03.047: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 1.1.1.2:0, remote= 1.1.1.1:0, local_proxy= 192.11.11.0/255.255.255.0/0/0 (type=4), remote_proxy= 192.168.19.0/255.255.255.0/0/0 (type=4), protocol= ESP, transform= NONE (Tunnel-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0 *Aug 31 13:12:03.051: Crypto mapdb : proxy_match src addr : 192.11.11.0 dst addr : 192.168.19.0 protocol : 0 src port : 0 dst port : 0 *Aug 31 13:12:03.051: map_db_check_isakmp_profile profile did not match *Aug 31 13:12:03.051: Crypto mapdb : proxy_match src addr : 192.11.11.0 dst addr : 192.168.19.0 protocol : 0 src port : 0 dst port : 0 *Aug 31 13:12:03.051: map_db_check_isakmp_profile profile did not match *Aug 31 13:12:03.051: map_db_find_best did not find matching map *Aug 31 13:12:03.051: IPSEC(ipsec_process_proposal): proxy identities not supported
I am thinking that is has to do with the subnets not matching up somehow.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay at least good to know that only phase 2 is failing. I just googled an example and in the cookbook from Fortinet the preview of the CLI lists the subnetmask normal (255.255.255.0 and not 0.0.0.255)
http://cookbook.fortinet.com/wp-content/uploads/FortiGate/ipsec-fgt-cisco/C8.png
Maybe worth to try and swap them around :)
Also if the remote partner is a good guy you could ask him to implement it via VTI, then you don't have to worry about the selectors ever again. (http://kb.fortinet.com/kb/documentLink.do?externalID=FD34846 ignore the OSPF in this article if you don't need it)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found the solution. I used Option#2 from this article from Cisco: https://supportforums.cisco.com/t5/security-documents/l2l-vpn-troubleshooting-quot-ipsec-policy-inva...
Cut and paste from ARticle:
Solution:The problem here is that the Crypto Map is referencing the ISAKMP Profile "RouterA", which means that during Phase1 the Remote Router should match the ISAKMP Profile.
A common mistake is that while defining the "match" statement in the ISAKMP Profile the POST-NAT address of the Remote Peer is used and the ISAKMP profile never gets matched as seen above. This results in Phase2 failure with error 32.
This can be fixed in two ways
Option 1:Remove the ISAKMP profile reference from the Crypto Map, however this is probably not the best approach. The ISAKMP profiles provide great flexibility therefore Option 2 as below is a better option.
Option 2:A. Modify the "match.." statement in the ISAKMP profile to match the address as being sent by the Remote peer. As seen from the above debugs , this address is 10.1.1.1. So the below config will fix the problem
crypto isakmp profile RouterA
no match identity address 172.31.1.100 255.255.255.255
match identity address 10.1.1.1 255.255.255.255
B. However the above solution can represent a problem, when the Remote Peer has a DHCP assigned address. In this case a better approach can be to configure the Remote Router to send its hostname as the ISAKMP Identity instead of "IP Address".
On Cisco devices this can be configured as
crypto isakmp identity hostname
Modify "Router C" config as below
crypto isakmp profile RouterA
no match identity address 172.31.1.100 255.255.255.255
match identity host RouterA
The above will fix the problem and the solution will keep working even if RouterA's WAN IP changes.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Interesting, did you go with Option A or B? Because I'm not aware of setting something like a hostname in the phase 2 settings on the FortiGate. But defining the local IP of the FGT instead of the NAT address makes sense to me.
Thank you for posting the solution to your problem!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
NetworkVA wrote:*Aug 31 13:12:03.051: map_db_check_isakmp_profile profile did not match *Aug 31 13:12:03.051: map_db_find_best did not find matching map *Aug 31 13:12:03.051: IPSEC(ipsec_process_proposal): proxy identities not supported
Umm.. no isakmp profile matched...but you have a match address.. i've two guesses
1) since you have specified set keylife-type both on FGT i would double check that the default on cisco box it's 3600 secs since you do not have an explicit statement in your isakmp profile..
2) explicitate set local-gw in phase1 on FGT
BTW if "VTI tunnel protection" it's supported on cisco box I would prefer that as per OHEIGL suggestion.
Regards,
Antonio
Related Posts
- FortiGate 30E Slow connection via NAT 147 Views
- Routing Issue on FortiGate 7.2.8 185 Views
- Connecting Two SIP Trunks with Different... 235 Views
- RDP connection via ssl vpn 334 Views
- dynamic ipool change - SNAT fort... 221 Views
Labels
-
FortiGate
6,457 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.