Site To Site VPN between Cisco 4421 and Fortigate 100F

Author
mrmadgig
2021/03/24 17:40:51


Hello everyone, new here.
New to FortiGate also.
 
I am having a major issue getting a site to site VPN up, but first I would like you to tell me
 
how do you ping the other gateway from the Forti CLI? I see the ping option but I don't get it:
 
execute ping-options source 10.10.111.254 10.222.221.16
command parse error before '10.222.221.16'
Command fail. Return code -61
How do you write this syntax out completely to make it work?
Do you need to open ports in the firewall like on Cisco, e.g. ESP, IKE etc., before running the VPN wizard or custom?
 
I cannot get phase 1 to come up.
 
Thanks
#1
Toshi Esumi
Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/24 21:01:31
Just like Cisco, use '?' for the options in any command line, then you would see something like below:
fg50e-utm (root) # exe ping-o source 10.10.111.254 ?
 <Enter>
So no further options are taken after the source IP because this command sets a specific IP for any pinging as its source. It takes only <Enter> after the source IP. Then you can run the actual ping command. My ping can't get any response because your source IP doesn't exist on my FG50E. Also, even if it exists, it's not allowed by any policies.
fg50e-utm (root) # exe ping 4.2.2.2
PING 4.2.2.2 (4.2.2.2): 56 data bytes
^C
--- 4.2.2.2 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

For IPsec vpn debugging, you eventually need to learn how to run "ike debugging" explained in this KB:
https://kb.fortinet.com/k....do?externalID=FD46611
It's the same as Cisco's "debug crypto xxx". So you can see what's failing during negotiations.
#2
mrmadgig
Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/25 08:26:58
Thank you. Yes, I did use the
 
But I didn't understand that you had to hit Enter and then execute another ping. Nowhere does it say that.
Thank you for the link. I will use this. 
#3
Toshi Esumi
Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/25 09:13:33
I have to admit FTNT's documentation is not perfect for many users. But once you start using them, you can understand why they built those commands in the particular ways. It's just different from Cisco IOS, or others.
In the CLI document for "ping-option", it says "Use this command to configure behavior of ping." Most people would understand it doesn't execute "ping" with this command.
https://docs.fortinet.com/document/fortimail/6.4.0/cli-reference/936917/ping-option
 
post edited by Toshi Esumi - 2021/03/25 09:19:28
#4
mrmadgig
Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/25 12:57:59
I see what you mean but this is vague. 
 
I knew that also, but it doesn't say you need to run another complete command to get the ping to work.
 
e.g. cisco#ping 10.10.10.111.254 source 10.10.111.222.254 repeat etc...
Ok now FGT execute (why even say this???) ping-option source <ip>, now enter? It goes blank to another command line that is NOT intuitive. It feels as if you accomplished nothing. WTF
 
FGT# execute ping-option source x.x.x.x enter 
now right back at the beginning with flashing cursor
FGT#_   
 
What the hell happened? Ok I see?? I gotta guess that it needs another 400 characters to ping something.
 
No, I disagree that most new people would know.
 
Anyhow, thanks, I appreciate it.
 
Can you please tell me on the FortiGate side what the equivalent of these are in the tunnel custom config?
 
crypto ipsec transform-set TestSet esp-3des esp-md5-hmac
mode tunnel
 
Is it just 3des and MD5?
 
Thank you
#5
Toshi Esumi
Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/25 17:31:27
Once you set the "ping-options source", unlike Cisco, you don't have to type the same "so x.x.x.x" when you make multiple pings, until you change the option again. The same goes with "traceroute-options". That's an advantage.
 
In either phase 1 or 2 config, when you hit '?' after "set proposal" you can see all options. It's self-explanatory.
xxx-fg1 (Phase1_Name) # set proposal ?
des-md5                       des-md5
des-sha1                      des-sha1
des-sha256                    des-sha256
des-sha384                    des-sha384
des-sha512                    des-sha512
3des-md5                      3des-md5
3des-sha1                     3des-sha1
3des-sha256                   3des-sha256
3des-sha384                   3des-sha384
3des-sha512                   3des-sha512
aes128-md5                    aes128-md5
aes128-sha1                   aes128-sha1
aes128-sha256                 aes128-sha256
aes128-sha384                 aes128-sha384
aes128-sha512                 aes128-sha512
aes128gcm-prfsha1             aes128gcm-prfsha1
aes128gcm-prfsha256           aes128gcm-prfsha256
aes128gcm-prfsha384           aes128gcm-prfsha384
aes128gcm-prfsha512           aes128gcm-prfsha512
aes192-md5                    aes192-md5
aes192-sha1                   aes192-sha1
aes192-sha256                 aes192-sha256
aes192-sha384                 aes192-sha384
aes192-sha512                 aes192-sha512
aes256-md5                    aes256-md5
aes256-sha1                   aes256-sha1
aes256-sha256                 aes256-sha256
aes256-sha384                 aes256-sha384
aes256-sha512                 aes256-sha512
aes256gcm-prfsha1             aes256gcm-prfsha1
aes256gcm-prfsha256           aes256gcm-prfsha256
aes256gcm-prfsha384           aes256gcm-prfsha384
aes256gcm-prfsha512           aes256gcm-prfsha512
chacha20poly1305-prfsha1      chacha20poly1305-prfsha1
chacha20poly1305-prfsha256    chacha20poly1305-prfsha256
chacha20poly1305-prfsha384    chacha20poly1305-prfsha384
chacha20poly1305-prfsha512    chacha20poly1305-prfsha512


 
#6
mrmadgig
Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/26 07:04:58
Now I see... Yes, I agree that is an advantage! You don't have to retype the same thing over again.
 
Ok, I have been trying for 4 days to get the Phase 1 tunnel up with no success. I have only created VPNs with Cisco to Cisco in the past and FGT to FGT. I realize this is a ridiculous amount of time to do this but it is a learning process for me.
 
Please forgive me for some of the silly questions. 
 
I was trying to see the encryption and authentication in the GUI so I never saw the nice command line you showed me, thank you.
 
Ok here is the silly question
 
You have two columns in your command line.
 
I only see 3des-md5 and you highlighted them; does this mean it is a given that the ESP is just not necessarily shown?
Taken from my Cisco config below. What is the HMAC? I do not see this in FortiGate.
esp-3des            esp-md5-hmac
 
A better question for me is what are the best ones to use between a FGT and Cisco router?
 
 
 
Both sides keep retransmitting; Cisco of course is a "Death by retransmission" failure. I have been configuring the FGT via GUI in 6.4.4 and I don't think this is the best way. Can you please advise on these settings:
 
 
 
#7
emnoc
Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/26 07:20:11
IPsec is IPsec; Cisco to Cisco or Cisco to FGT is not that much different. IPsec ESP is an open standard; just match the ph1/ph2 and PSK and it should work.
 
 
Here's a sample IKEv2 VPN cfg for IOS:
 
http://socpuppet.blogspot.com/2014/05/howto-asr-ios-xe-to-fortigate-ikev2_22.html
 
What have you done in regards to diagnostics on FGT and debug on IOS? Can you pop your configs here so we can look them over?
 
Ken Felix
 

PCNSE 
NSE 
StrongSwan  
#8
mrmadgig
Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/26 07:57:02
Hi Ken
I agree, but I am not sure exactly how to configure the FortiGate. I did run across your blog and it was helpful, very nice!
 
Yes, I have done so many diags it's making me confused.
 
Here is output of the latest (20 min ago) from the FortiGate. I don't know how to give you the FortiGate config.

FORTIGATE # ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0
ike 0:TestToCisco:TestToCisco: using existing connection
ike 0:TestToCisco:TestToCisco: config found
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:500 negotiating
ike 0:TestToCisco:8419: cookie e0a58579a166e701/1318bf0ce01dec58:2c79e6f0
ike 0:TestToCisco:8419:TestToCisco:2342: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0
ike 0:TestToCisco:8419: enc E0A58579A166E7011318BF0CE01DEC58081020012C79E6F0000000FC01000014642F834F11E22E99D8D878397A19C8750A000034000000010000000100000028010304018772CC6A0000001C01030000800100018002A8C0800400018005000180030001040000141B29CA27D8817012DAFD6D427DD89B2A0500006470F9A8D3BE98E4D43599D2F6AB59DFD4FC8A5301159A7BC36A565A512CC1F493827F9D1C4A07BF48CBE9490E28755726A658CFE1EA03E583B17923C2376BD8CD428B21A4D3EE37CF233CB1B4D313EFDFCB6B0285856626459B78D922B7CED9480500001004000000000000000000000000000010040000000000000000000000
ike 0:TestToCisco:8419: out ...
ike 0:TestToCisco:8419: sent IKE msg (quick_i1send): 73.107.235.45:500->50.250.102.118:500, len=260, id=e0a58579a166e701/1318bf0ce01dec58:2c79e6f0
ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7....
ike 0: IKEv1 exchange=Informational id=e0a58579a166e701/1318bf0ce01dec58:095e1700 len=84
ike 0: in E0A58579A166E7011318BF0CE01DEC5808100501095E170000000054E5680DA1B598702A2D29E29B3B877CAECABC89AEFC76C5A612B7E3256B8274D56C15BB556E989A0FFBE4C92C5BD7FC0C172AD89357B963C5
ike 0:TestToCisco:8419: dec E0A58579A166E7011318BF0CE01DEC5808100501095E1700000000540B0000148390A5991B91A36E99876DBC8CF8026E0000001C000000010304000E8772CC6A0A00003400000001000000010000000000000000
ike 0:TestToCisco:8419: notify msg received: NO-PROPOSAL-CHOSEN
ike 0:TestToCisco:8419:TestToCisco:2342: IPsec SPI 8772cc6a match
ike 0:TestToCisco:8419:TestToCisco:2342: delete phase2 SPI 8772cc6a
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0
ike 0:TestToCisco:TestToCisco: using existing connection
ike 0:TestToCisco:TestToCisco: config found
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:500 negotiating
ike 0:TestToCisco:8419: cookie e0a58579a166e701/1318bf0ce01dec58:430fdc29
ike 0:TestToCisco:8419:TestToCisco:2343: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0
ike 0:TestToCisco:8419: enc E0A58579A166E7011318BF0CE01DEC5808102001430FDC290000011C01000014C9C9A256E62EEA5AB50FF7725EFA8DF70A000034000000010000000100000028010304018772CC6B0000001C01030000800100018002A8C08004000180050001800300020400001476D3394610E67AD0F52AFC0A35C0BD4905000084999703F23585574871E0243C9CB7259BA7C773C7CF4EBB4E2781BDCDC83A5E1173306E868D24DAA0B1817EADCD7C62362F388F7C2BFC4A04BF1D30858C8C5FA06315B3AE63D4666678B172B8B6B5B813A55C24BF2F0CB403D2051433249B237E04B29F2B494A1DB267FB9BFB79E2568861EF3BFA53752899D529B7E6E78D9E620500001004000000000000000000000000000010040000000000000000000000
ike 0:TestToCisco:8419: out ...
ike 0:TestToCisco:8419: sent IKE msg (quick_i1send): 73.107.235.45:500->50.250.102.118:500, len=292, id=e0a58579a166e701/1318bf0ce01dec58:430fdc29
ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7....
ike 0: IKEv1 exchange=Informational id=e0a58579a166e701/1318bf0ce01dec58:a8efb6d6 len=84
ike 0: in E0A58579A166E7011318BF0CE01DEC5808100501A8EFB6D6000000545F21E6DF6848312F43848840697D1A365A611DC169FFBCAC7004C287CD49FE482F5DBFD29692E53CCE38E9868A22213675D77ABB091AA617
ike 0:TestToCisco:8419: dec E0A58579A166E7011318BF0CE01DEC5808100501A8EFB6D6000000540B0000142133CB437B790A3EE0D5CBC7B851DC980000001C000000010304000E8772CC6B0A00003400000001000000010000000000000000
ike 0:TestToCisco:8419: notify msg received: NO-PROPOSAL-CHOSEN
ike 0:TestToCisco:8419:TestToCisco:2343: IPsec SPI 8772cc6b match
ike 0:TestToCisco:8419:TestToCisco:2343: delete phase2 SPI 8772cc6b
ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7....
ike 0: IKEv1 exchange=Quick id=e0a58579a166e701/1318bf0ce01dec58:ac5c3ef8 len=372
ike 0: in ...
ike 0:TestToCisco:8419:2344: responder received first quick-mode message
ike 0:TestToCisco:8419: dec ...
ike 0:TestToCisco:8419:2344: peer proposal is: peer:0:0.0.0.0-255.255.255.255:0, me:0:0.0.0.0-255.255.255.255:0
ike 0:TestToCisco:8419:TestToCisco:2344: trying
ike 0:TestToCisco:8419:TestToCisco:2344: matched phase2
ike 0:TestToCisco:8419:TestToCisco:2344: autokey
ike 0:TestToCisco:8419:TestToCisco:2344: my proposal:
ike 0:TestToCisco:8419:TestToCisco:2344: proposal id = 1:
ike 0:TestToCisco:8419:TestToCisco:2344: protocol id = IPSEC_ESP:
ike 0:TestToCisco:8419:TestToCisco:2344: PFS DH group = 2
ike 0:TestToCisco:8419:TestToCisco:2344: trans_id = ESP_3DES
ike 0:TestToCisco:8419:TestToCisco:2344: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:TestToCisco:8419:TestToCisco:2344: type = AUTH_ALG, val=MD5
ike 0:TestToCisco:8419:TestToCisco:2344: proposal id = 2:
ike 0:TestToCisco:8419:TestToCisco:2344: protocol id = IPSEC_ESP:
ike 0:TestToCisco:8419:TestToCisco:2344: PFS DH group = 1
ike 0:TestToCisco:8419:TestToCisco:2344: trans_id = ESP_3DES
ike 0:TestToCisco:8419:TestToCisco:2344: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:TestToCisco:8419:TestToCisco:2344: type = AUTH_ALG, val=MD5
ike 0:TestToCisco:8419:TestToCisco:2344: incoming proposal:
ike 0:TestToCisco:8419:TestToCisco:2344: proposal id = 1:
ike 0:TestToCisco:8419:TestToCisco:2344: protocol id = IPSEC_ESP:
ike 0:TestToCisco:8419:TestToCisco:2344: PFS DH group = 5
ike 0:TestToCisco:8419:TestToCisco:2344: trans_id = ESP_3DES
ike 0:TestToCisco:8419:TestToCisco:2344: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:TestToCisco:8419:TestToCisco:2344: type = AUTH_ALG, val=MD5
ike 0:TestToCisco:8419:TestToCisco:2344: negotiation failure
ike Negotiate IPsec SA Error: ike 0:TestToCisco:8419:2344: no SA proposal chosen
ike 0:TestToCisco:2344: info_send_n2, type 14, peer SPI b857445e
ike 0:TestToCisco:8419: enc E0A58579A166E7011318BF0CE01DEC5808100501A422D4DA000000400B000014DF90C33E1D5CB023CFED41CC793B962D00000010000000010304000EB857445E
ike 0:TestToCisco:8419: out E0A58579A166E7011318BF0CE01DEC5808100501A422D4DA00000044F58C08CCB5F7CF162A08803D302F852654593C59C78A5DAD81679CDE60BFCB95DA60313A42F12E28
ike 0:TestToCisco:8419: sent IKE msg (p2_notify_14): 73.107.235.45:500->50.250.102.118:500, len=68, id=e0a58579a166e701/1318bf0ce01dec58:a422d4da
ike 0:TestToCisco:8419: error processing quick-mode message from 50.250.102.118 as responder
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0
ike 0:TestToCisco:TestToCisco: using existing connection
ike 0:TestToCisco:TestToCisco: config found
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:500 negotiating
ike 0:TestToCisco:8419: cookie e0a58579a166e701/1318bf0ce01dec58:7734a7fe
ike 0:TestToCisco:8419:TestToCisco:2346: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0
ike 0:TestToCisco:8419: enc ...
ike 0:TestToCisco:8419: out E0A58579A166E7011318BF0CE01DEC58081020017734A7FE00000104FCBEB8BA845EFDCA9777DCDF7CD23305ADA17EDD8193207494BA44A4E02DC12F44C236DF9D84931A83A8B15DAA580F68F392D1BD1F7712653C18E899CDE626581776702D65E6902409EECD87C27C234A8D0819BFA425EC01A48563DD26D0A23DC72BECCD931C82230A091A4F1CDD55AC60649C81AB3D037B3B92E56B60E8B86B512C4232FEF31C23A97C96BE12BE5621030B7A43B006E45870A449CD4366F9A16A6B97A2A7EE0379BD5B01511EFEE219AFAB027ACB1616CB96C43C7840702A803BF6997724355548D30CB500B9F863723FFE2A2D1FAE59583A42C97D8DA222BE249FF1DBA6A63E9A
ike 0:TestToCisco:8419: sent IKE msg (quick_i1send): 73.107.235.45:500->50.250.102.118:500, len=260, id=e0a58579a166e701/1318bf0ce01dec58:7734a7fe
ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7....
ike 0: IKEv1 exchange=Informational id=e0a58579a166e701/1318bf0ce01dec58:1b71c169 len=84
ike 0: in E0A58579A166E7011318BF0CE01DEC58081005011B71C169000000543FD48B14CDD69F904F71CDD530251FAA5FD15DFAD516251ADC6713B845909A8C20202DC183C7ACA69A7FA08BC811E649B7AACB2D291D6452
ike 0:TestToCisco:8419: dec E0A58579A166E7011318BF0CE01DEC58081005011B71C169000000540B000014FF287F9F70709A2E86888FBB2CE006220000001C000000010304000E8772CC6C0A00003400000001000000010000000000000000
ike 0:TestToCisco:8419: notify msg received: NO-PROPOSAL-CHOSEN
ike 0:TestToCisco:8419:TestToCisco:2346: IPsec SPI 8772cc6c match
ike 0:TestToCisco:8419:TestToCisco:2346: delete phase2 SPI 8772cc6c
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0
ike 0:TestToCisco:TestToCisco: using existing connection
ike 0:TestToCisco:TestToCisco: config found
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:500 negotiating
ike 0:TestToCisco:8419: cookie e0a58579a166e701/1318bf0ce01dec58:6ded900b
ike 0:TestToCisco:8419:TestToCisco:2347: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0
ike 0:TestToCisco:8419: enc E0A58579A166E7011318BF0CE01DEC58081020016DED900B0000011C010000144DABBA48E8643A0C8A49FAA6B94581080A000034000000010000000100000028010304018772CC6D0000001C01030000800100018002A8C0800400018005000180030002040000146009F00211B216F0A196616CEC2A9FC00500008413DE6215E27F41550EB44360A01ED289728D41426B0C805366BC76AC26F3C1D6969B6E1075F5E5A81E360161296F1E03A3D5AD80B9E4B20B76896739B82DFC77E0F3EA032278F5AF9F78F2ECCEDD68593C6F6627A22E04C3701601B02EE15F54CA12263159BA058D396714EBF97E31D5E761CA3F1C8DD274958FDA1D29B8CD590500001004000000000000000000000000000010040000000000000000000000
ike 0:TestToCisco:8419: out E0A58579A166E7011318BF0CE01DEC58081020016DED900B00000124C58102521A586AF396ACC6C8B3626EA0686FF3B659A4546CA99A2CF3C2AD6FF197F02B1529D208CA217A0729C9B34894937FD9A1E7EC09EC6C35FBD9DA7DE6D04D217B4910BC164166D2C11FD389856E78822D467FB6E117028962AC502C53370219E4FF79CB9A5C3EDD72F34FD55554872242171D0B44A9124BD3DFD157CF8D7516D3FAD4ABF6080080994860A2372F7C7C7488CC5BDB3C5BFAE392592E379372196EB789BB113D1014F26B3B16A02AA89941D9B9CC707718864BF5CECE0AA9E64888DDEEFEA29E7368A33D3AF2B367F33998F8C55E1AB9F8DB0830104E7C0C7D484BC0ABBC08CAD1057452FCE295B78306EFD4C3C32AF33AA9399137C4AC75A201A2D5DBF2FA01
ike 0:TestToCisco:8419: sent IKE msg (quick_i1send): 73.107.235.45:500->50.250.102.118:500, len=292, id=e0a58579a166e701/1318bf0ce01dec58:6ded900b
ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7....
ike 0: IKEv1 exchange=Informational id=e0a58579a166e701/1318bf0ce01dec58:9003ece1 len=84
ike 0: in E0A58579A166E7011318BF0CE01DEC58081005019003ECE100000054D116CBBCA4F253AB44A2DE551B6CDD81BC77DDB55C4BF513893D16CB63A990BF2A1C3EE92687ED93C5C45E21F4655F154A5780CE1DDC3AB2
ike 0:TestToCisco:8419: dec E0A58579A166E7011318BF0CE01DEC58081005019003ECE1000000540B000014D1F615E7D6951B45C1FC42D5A3EB660F0000001C000000010304000E8772CC6D0A00003400000001000000010000000000000000
ike 0:TestToCisco:8419: notify msg received: NO-PROPOSAL-CHOSEN
ike 0:TestToCisco:8419:TestToCisco:2347: IPsec SPI 8772cc6d match
ike 0:TestToCisco:8419:TestToCisco:2347: delete phase2 SPI 8772cc6d
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0
ike 0:TestToCisco:TestToCisco: using existing connection
ike 0:TestToCisco:TestToCisco: config found
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:500 negotiating
ike 0:TestToCisco:8419: cookie e0a58579a166e701/1318bf0ce01dec58:93edfc52
ike 0:TestToCisco:8419:TestToCisco:2348: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0
ike 0:TestToCisco:8419: enc E0A58579A166E7011318BF0CE01DEC580810200193EDFC52000000FC01000014DA0836AFEA7F8E91D8A3606A624424080A000034000000010000000100000028010304018772CC6E0000001C01030000800100018002A8C0800400018005000180030001040000140E217CBDC76781A3A8A55DD8C35FF450050000648F844C4E598701EC61C1C116002D148AE8D01ABC520453D2D87335B1F946D72CE426188642635D07EA1A70D49B85EF1920780E0CE58D31EED7FF3B947C45E58F7B424F3948DACB3AE90F212A35314B1CF8B3621FB0B7546C382CD7B0015A018A0500001004000000000000000000000000000010040000000000000000000000
ike 0:TestToCisco:8419: out ...
ike 0:TestToCisco:8419: sent IKE msg (quick_i1send): 73.107.235.45:500->50.250.102.118:500, len=260, id=e0a58579a166e701/1318bf0ce01dec58:93edfc52
ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7....
ike 0: IKEv1 exchange=Informational id=e0a58579a166e701/1318bf0ce01dec58:efdd7180 len=84
ike 0: in E0A58579A166E7011318BF0CE01DEC5808100501EFDD718000000054D25281361AE00AA7727737DDFA2EFF4B6B01C86ABFCFA0C2DA380A78A6F12B51086D74B7A30DD35C49174A900BC7D66373C40562ECF08651
ike 0:TestToCisco:8419: dec E0A58579A166E7011318BF0CE01DEC5808100501EFDD7180000000540B000014028DEA19B2680A5483FDD27957584A4C0000001C000000010304000E8772CC6E0A00003400000001000000010000000000000000
ike 0:TestToCisco:8419: notify msg received: NO-PROPOSAL-CHOSEN
ike 0:TestToCisco:8419:TestToCisco:2348: IPsec SPI 8772cc6e match
ike 0:TestToCisco:8419:TestToCisco:2348: delete phase2 SPI 8772cc6e
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0
ike 0:TestToCisco:TestToCisco: using existing connection
ike 0:TestToCisco:TestToCisco: config found
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:500 negotiating
ike 0:TestToCisco:8419: cookie e0a58579a166e701/1318bf0ce01dec58:5b3ce712
ike 0:TestToCisco:8419:TestToCisco:2349: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0
ike 0:TestToCisco:8419: enc E0A58579A166E7011318BF0CE01DEC58081020015B3CE7120000011C01000014AEBB7CFD8A72B51E68E2139CDD8676E90A000034000000010000000100000028010304018772CC6F0000001C01030000800100018002A8C0800400018005000180030002040000140529F1684B8A0D020EAC9CBB4A6A91B105000084DE99460056907B0F178C3D5F61AEC79A86FEBA6D001E27EF4620B97389F942BE6794C2E31E72F49687BA2555FA48826EDD2DD0C6D097B6E1489D0F3680A71E7BB9B85800186611D01ED07CAE8A603E4820EB7823A417D4F4CE57B97AF919A2E270B5A986DD7EB1F00A80DEC179FD5D814203A6E656720B0C43D7057F7A2558610500001004000000000000000000000000000010040000000000000000000000
ike 0:TestToCisco:8419: out ...
ike 0:TestToCisco:8419: sent IKE msg (quick_i1send): 73.107.235.45:500->50.250.102.118:500, len=292, id=e0a58579a166e701/1318bf0ce01dec58:5b3ce712
ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7....
ike 0: IKEv1 exchange=Informational id=e0a58579a166e701/1318bf0ce01dec58:d6f9f483 len=84
ike 0: in E0A58579A166E7011318BF0CE01DEC5808100501D6F9F48300000054F6440D75353FBEB038B7DF6E92966CD8BEE4058D4E8D3D29B77C2335A214A784B3366B99B0390C9021D621881EFE56FF90E90E39D08F3679
ike 0:TestToCisco:8419: dec E0A58579A166E7011318BF0CE01DEC5808100501D6F9F483000000540B0000142225AFCBB9BF6CA1429F476BA1AFAB2E0000001C000000010304000E8772CC6F0A00003400000001000000010000000000000000
ike 0:TestToCisco:8419: notify msg received: NO-PROPOSAL-CHOSEN
ike 0:TestToCisco:8419:TestToCisco:2349: IPsec SPI 8772cc6f match
ike 0:TestToCisco:8419:TestToCisco:2349: delete phase2 SPI 8772cc6f
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0
ike 0:TestToCisco:TestToCisco: using existing connection
ike 0:TestToCisco:TestToCisco: config found
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:500 negotiating
ike 0:TestToCisco:8419: cookie e0a58579a166e701/1318bf0ce01dec58:a0ad94c5
ike 0:TestToCisco:8419:TestToCisco:2350: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0
ike 0:TestToCisco:8419: enc ...
ike 0:TestToCisco:8419: out ...
ike 0:TestToCisco:8419: sent IKE msg (quick_i1send): 73.107.235.45:500->50.250.102.118:500, len=260, id=e0a58579a166e701/1318bf0ce01dec58:a0ad94c5
ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7....
ike 0: IKEv1 exchange=Informational id=e0a58579a166e701/1318bf0ce01dec58:865ea391 len=84
ike 0: in E0A58579A166E7011318BF0CE01DEC5808100501865EA39100000054A3F362F18FA5DB4E9107FB801DAEAEADBD9A795E2D4627A45A006C7A0E4B1A5A191242A916765D311DE51D2D3057466C86C413CB14F097D9
ike 0:TestToCisco:8419: dec E0A58579A166E7011318BF0CE01DEC5808100501865EA391000000540B000014C6CDDDBBF54CF092F9BBF29E08D183C60000001C000000010304000E8772CC700A00003400000001000000010000000000000000
ike 0:TestToCisco:8419: notify msg received: NO-PROPOSAL-CHOSEN
ike 0:TestToCisco:8419:TestToCisco:2350: IPsec SPI 8772cc70 match
ike 0:TestToCisco:8419:TestToCisco:2350: delete phase2 SPI 8772cc70
FORTIGATE #
FORTIGATE #
FORTIGATE # ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0
ike 0:TestToCisco:TestToCisco: using existing connection
ike 0:TestToCisco:TestToCisco: config found
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:500 negotiating
ike 0:TestToCisco:8419: cookie e0a58579a166e701/1318bf0ce01dec58:d5bbad4c
ike 0:TestToCisco:8419:TestToCisco:2351: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0
ike 0:TestToCisco:8419: enc ...
ike 0:TestToCisco:8419: out ...
ike 0:TestToCisco:8419: sent IKE msg (quick_i1send): 73.107.235.45:500->50.250.102.118:500, len=292, id=e0a58579a166e701/1318bf0ce01dec58:d5bbad4c
ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7....
ike 0: IKEv1 exchange=Informational id=e0a58579a166e701/1318bf0ce01dec58:97449610 len=84
ike 0: in E0A58579A166E7011318BF0CE01DEC58081005019744961000000054D3B78F2AADC44A89FA432BA61445F46A8B5085416455CE917770C6F7F7311F345EE6EF8F6CE7A2765E36D809474FF8EF6AEB60A1FA2D9A0E
ike 0:TestToCisco:8419: dec E0A58579A166E7011318BF0CE01DEC580810050197449610000000540B00001493F7090B12AE3559E9D2795DB14278B10000001C000000010304000E8772CC710A00003400000001000000010000000000000000
ike 0:TestToCisco:8419: notify msg received: NO-PROPOSAL-CHOSEN
ike 0:TestToCisco:8419:TestToCisco:2351: IPsec SPI 8772cc71 match
ike 0:TestToCisco:8419:TestToCisco:2351: delete phase2 SPI 8772cc71
FORTIGATE #
FORTIGATE #
FORTIGATE #
FORTIGATE #
FORTIGATE #
FORTIGATE # diagnose debug disableike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7....
ike 0: IKEv1 exchange=Quick id=e0a58579a166e701/1318bf0ce01dec58:6403040c len=372
ike 0: in ...
ike 0:TestToCisco:8419:2352: responder received first quick-mode message
ike 0:TestToCisco:8419: dec ...
ike 0:TestToCisco:8419:2352: peer proposal is: peer:0:0.0.0.0-255.255.255.255:0, me:0:0.0.0.0-255.255.255.255:0
ike 0:TestToCisco:8419:TestToCisco:2352: trying
ike 0:TestToCisco:8419:TestToCisco:2352: matched phase2
ike 0:TestToCisco:8419:TestToCisco:2352: autokey
ike 0:TestToCisco:8419:TestToCisco:2352: my proposal:
ike 0:TestToCisco:8419:TestToCisco:2352: proposal id = 1:
ike 0:TestToCisco:8419:TestToCisco:2352: protocol id = IPSEC_ESP:
ike 0:TestToCisco:8419:TestToCisco:2352: PFS DH group = 2
ike 0:TestToCisco:8419:TestToCisco:2352: trans_id = ESP_3DES
ike 0:TestToCisco:8419:TestToCisco:2352: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:TestToCisco:8419:TestToCisco:2352: type = AUTH_ALG, val=MD5
ike 0:TestToCisco:8419:TestToCisco:2352: proposal id = 2:
ike 0:TestToCisco:8419:TestToCisco:2352: protocol id = IPSEC_ESP:
ike 0:TestToCisco:8419:TestToCisco:2352: PFS DH group = 1
ike 0:TestToCisco:8419:TestToCisco:2352: trans_id = ESP_3DES
ike 0:TestToCisco:8419:TestToCisco:2352: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:TestToCisco:8419:TestToCisco:2352: type = AUTH_ALG, val=MD5
ike 0:TestToCisco:8419:TestToCisco:2352: incoming proposal:
ike 0:TestToCisco:8419:TestToCisco:2352: proposal id = 1:
ike 0:TestToCisco:8419:TestToCisco:2352: protocol id = IPSEC_ESP:
ike 0:TestToCisco:8419:TestToCisco:2352: PFS DH group = 5
ike 0:TestToCisco:8419:TestToCisco:2352: trans_id = ESP_3DES
ike 0:TestToCisco:8419:TestToCisco:2352: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:TestToCisco:8419:TestToCisco:2352: type = AUTH_ALG, val=MD5
ike 0:TestToCisco:8419:TestToCisco:2352: negotiation failure
ike Negotiate IPsec SA Error: ike 0:TestToCisco:8419:2352: no SA proposal chosen
ike 0:TestToCisco:2352: info_send_n2, type 14, peer SPI ba0c1fa7
ike 0:TestToCisco:8419: enc E0A58579A166E7011318BF0CE01DEC580810050100DCF74E000000400B0000142B1581DBF1D3AA3EDC336794C2DCBBA800000010000000010304000EBA0C1FA7
ike 0:TestToCisco:8419: out E0A58579A166E7011318BF0CE01DEC580810050100DCF74E0000004429B41D74763307BD926AB02CBC1461BDEE103ED18E48FE3E28F04393B8DEE907DCCF7A9F8172AC86
ike 0:TestToCisco:8419: sent IKE msg (p2_notify_14): 73.107.235.45:500->50.250.102.118:500, len=68, id=e0a58579a166e701/1318bf0ce01dec58:00dcf74e
ike 0:TestToCisco:8419: error processing quick-mode message from 50.250.102.118 as responder
 
 
Cisco Config
 
ISR4221#
ISR4221#sh run | begin isakmp
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key <did not post key> address 0.0.0.0  <<<<< any address on purpose
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile VTI
set security-association lifetime seconds 86400
set transform-set TS
!
!
interface Tunnel0
ip unnumbered GigabitEthernet0/0/1  <<<< this was numbered at one time. 
zone-member security LAN
tunnel source 50.250.102.118
tunnel mode ipsec ipv4
tunnel destination 73.107.235.45
tunnel protection ipsec profile VTI
 
 
debug:
 
IPv4 Crypto ISAKMP SA
dst src state conn-id status
50.250.102.118 73.107.235.45 QM_IDLE 1191 ACTIVE
50.250.102.118 73.107.235.45 MM_NO_STATE 1190 ACTIVE (deleted)
 
 

ISR4221#debug crypto isakmp
Crypto ISAKMP debugging is on
ISR4221#
ISR4221#
ISR4221#
ISR4221#term mon
ISR4221#
*Mar 26 15:07:46.955: ISAKMP: (1181):purging node 3040338059
ISR4221#
*Mar 26 15:07:50.025: ISAKMP: (1182):purging node 2511836437
ISR4221#
*Mar 26 15:07:51.818: ISAKMP: (1182):set new node 0 to QM_IDLE
*Mar 26 15:07:51.818: ISAKMP: (1182):SA has outstanding requests (local 50.250.102.118 port 500, remote 73.107.235.45 port 500)
*Mar 26 15:07:51.818: ISAKMP: (1182):sitting IDLE. Starting QM immediately (QM_IDLE )
*Mar 26 15:07:51.818: ISAKMP: (1182):beginning Quick Mode exchange, M-ID of 828670928
*Mar 26 15:07:51.830: ISAKMP: (1182):QM Initiator gets spi
*Mar 26 15:07:51.831: ISAKMP-PAK: (1182):sending packet to 73.107.235.45 my_port 500 peer_port 500 (R) QM_IDLE
*Mar 26 15:07:51.831: ISAKMP: (1182):Sending an IKE IPv4 Packet.
*Mar 26 15:07:51.831: ISAKMP: (1182):Node 828670928, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar 26 15:07:51.831: ISAKMP: (1182):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Mar 26 15:07:51.876: ISAKMP-PAK: (1182):received packet from 73.107.235.45 dport 500 sport 500 Global (R) QM_IDLE
*Mar 26 15:07:51.876: ISAKMP: (1182):set new node 4149256254 to QM_IDLE
*Mar 26 15:07:51.876: ISAKMP: (1182):processing HASH payload. message ID = 4149256254
*Mar 26 15:07:51.877: ISAKMP: (1182):processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 3648703813, message ID = 4149256254, sa = 0x80007F7B66C74EB0
ISR4221#
*Mar 26 15:07:51.877: ISAKMP: (1182):deleting spi 3648703813 message ID = 828670928
*Mar 26 15:07:51.877: ISAKMP-ERROR: (1182):deleting node 828670928 error TRUE reason "Delete Larval"
*Mar 26 15:07:51.877: ISAKMP: (1182):deleting node 4149256254 error FALSE reason "Informational (in) state 1"
*Mar 26 15:07:51.877: ISAKMP: (1182):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 26 15:07:51.877: ISAKMP: (1182):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISR4221#
*Mar 26 15:07:56.954: ISAKMP: (1181):purging SA., sa=80007F7B718E3100, delme=80007F7B718E3100
ISR4221#
*Mar 26 15:08:02.084: ISAKMP-PAK: (1182):received packet from 73.107.235.45 dport 500 sport 500 Global (R) QM_IDLE
*Mar 26 15:08:02.084: ISAKMP: (1182):set new node 2898857848 to QM_IDLE
*Mar 26 15:08:02.085: ISAKMP: (1182):processing HASH payload. message ID = 2898857848
*Mar 26 15:08:02.085: ISAKMP: (1182):processing DELETE payload. message ID = 2898857848
*Mar 26 15:08:02.085: ISAKMP: (1182):peer does not do paranoid keepalives.
*Mar 26 15:08:02.085: ISAKMP: (1182):deleting SA reason "No reason" state (R) QM_IDLE (peer 73.107.235.45)
*Mar 26 15:08:02.085: ISAKMP: (1182):deleting node 2898857848 error FALSE reason "Informational (in) state 1"
*Mar 26 15:08:02.085: ISAKMP: (1182):set new node 2594725701 to QM_IDLE
*Mar 26 15:08:02.085: ISAKMP-PAK: (1182):sending packet to 73.107.235.45 my_port 500 peer_port 500 (R) QM_IDLE
*Mar 26 15:08:02.086: ISAKMP: (1182):Sending an IKE IPv4 Packet.
*Mar 26 15:08:02.086: ISAKMP: (1182):purging node 2594725701
*Mar 26 15:08:02.086: ISAKMP: (1182):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 26 15:08:02.086: ISAKMP: (1182):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Mar 26 15:08:02.086: ISAKMP: (1182):deleting SA reason "No reason" state (R) QM_IDLE (peer 73.107.235.45)
ISR4221#
*Mar 26 15:08:02.086: ISAKMP: (0):Unlocking peer struct 0x80007F7B724717F0 for isadb_mark_sa_deleted(), count 0
*Mar 26 15:08:02.086: ISAKMP: (0):Deleting peer node by peer_reap for 73.107.235.45: 80007F7B724717F0
*Mar 26 15:08:02.087: ISAKMP: (1182):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 26 15:08:02.087: ISAKMP: (1182):Old State = IKE_DEST_SA New State = IKE_DEST_SA
*Mar 26 15:08:03.094: ISAKMP-PAK: (0):received packet from 73.107.235.45 dport 500 sport 500 Global (N) NEW SA
*Mar 26 15:08:03.094: ISAKMP: (0):Created a peer struct for 73.107.235.45, peer port 500
*Mar 26 15:08:03.095: ISAKMP: (0):New peer created peer = 0x80007F7B724717F0 peer_handle = 0x8000000080000C4C
*Mar 26 15:08:03.095: ISAKMP: (0):Locking peer struct 0x80007F7B724717F0, refcount 1 for crypto_isakmp_process_block
*Mar 26 15:08:03.095: ISAKMP: (0):local port 500, remote port 500
*Mar 26 15:08:03.095: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 80007F7B718E3100
*Mar 26 15:08:03.095: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 26 15:08:03.095: ISAKMP: (0):Old State = IKE_READY New State = IKE_R_MM1
*Mar 26 15:08:03.095: ISAKMP: (0):processing SA payload. message ID = 0
*Mar 26 15:08:03.095: ISAKMP: (0):processing vendor id payload
*Mar 26 15:08:03.096: ISAKMP: (0):vendor ID is DPD
*Mar 26 15:08:03.096: ISAKMP: (0):processing vendor id payload
*Mar 26 15:08:03.096: ISAKMP: (0):vendor ID seems Unity/DPD but major 194 mismatch
*Mar 26 15:08:03.096: ISAKMP: (0):processing vendor id payload
*Mar 26 15:08:03.096: ISAKMP: (0):processing IKE frag vendor id payload
*Mar 26 15:08:03.096: ISAKMP: (0):Support for IKE Fragmentation not enabled
*Mar 26 15:08:03.096: ISAKMP: (0):processing vendor id payload
*Mar 26 15:08:03.096: ISAKMP: (0):vendor ID seems Unity/DPD but major 0 mismatch
*Mar 26 15:08:03.096: ISAKMP: (0):found peer pre-shared key matching 73.107.235.45
*Mar 26 15:08:03.096: ISAKMP: (0):local preshared key found
*Mar 26 15:08:03.096: ISAKMP: (0):Scanning profiles for xauth ...
*Mar 26 15:08:03.096: ISAKMP: (0):Checking ISAKMP transform 1 against priority 1 policy
*Mar 26 15:08:03.097: ISAKMP: (0): life type in seconds
*Mar 26 15:08:03.097: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Mar 26 15:08:03.097: ISAKMP: (0): encryption 3DES-CBC
*Mar 26 15:08:03.097: ISAKMP: (0): auth pre-share
*Mar 26 15:08:03.097: ISAKMP: (0): hash MD5
*Mar 26 15:08:03.097: ISAKMP: (0): default group 2
*Mar 26 15:08:03.097: ISAKMP: (0):atts are acceptable. Next payload is 0
*Mar 26 15:08:03.097: ISAKMP: (0):Acceptable atts:actual life: 86400
*Mar 26 15:08:03.097: ISAKMP: (0):Acceptable atts:life: 0
*Mar 26 15:08:03.097: ISAKMP: (0):Fill atts in sa vpi_length:4
*Mar 26 15:08:03.097: ISAKMP: (0):Fill atts in sa life_in_seconds:86400
*Mar 26 15:08:03.097: ISAKMP: (0):Returning Actual lifetime: 86400
*Mar 26 15:08:03.098: ISAKMP: (0):Started lifetime timer: 86400.
*Mar 26 15:08:03.102: ISAKMP: (0):processing vendor id payload
*Mar 26 15:08:03.102: ISAKMP: (0):vendor ID is DPD
*Mar 26 15:08:03.102: ISAKMP: (0):processing vendor id payload
*Mar 26 15:08:03.102: ISAKMP: (0):vendor ID seems Unity/DPD but major 194 mismatch
*Mar 26 15:08:03.102: ISAKMP: (0):processing vendor id payload
*Mar 26 15:08:03.102: ISAKMP: (0):processing IKE frag vendor id payload
*Mar 26 15:08:03.102: ISAKMP: (0):Support for IKE Fragmentation not enabled
*Mar 26 15:08:03.102: ISAKMP: (0):processing vendor id payload
*Mar 26 15:08:03.102: ISAKMP: (0):vendor ID seems Unity/DPD but major 0 mismatch
*Mar 26 15:08:03.102: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 26 15:08:03.103: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Mar 26 15:08:03.103: ISAKMP-PAK: (0):sending packet to 73.107.235.45 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Mar 26 15:08:03.103: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Mar 26 15:08:03.103: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 26 15:08:03.103: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Mar 26 15:08:03.140: ISAKMP-PAK: (0):received packet from 73.107.235.45 dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar 26 15:08:03.140: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 26 15:08:03.140: ISAKMP: (0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Mar 26 15:08:03.141: ISAKMP: (0):processing KE payload. message ID = 0
*Mar 26 15:08:03.146: ISAKMP: (0):processing NONCE payload. message ID = 0
*Mar 26 15:08:03.146: ISAKMP: (0):found peer pre-shared key matching 73.107.235.45
*Mar 26 15:08:03.146: ISAKMP: (1183):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 26 15:08:03.146: ISAKMP: (1183):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Mar 26 15:08:03.146: ISAKMP-PAK: (1183):sending packet to 73.107.235.45 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Mar 26 15:08:03.146: ISAKMP: (1183):Sending an IKE IPv4 Packet.
*Mar 26 15:08:03.147: ISAKMP: (1183):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 26 15:08:03.147: ISAKMP: (1183):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Mar 26 15:08:03.178: ISAKMP-PAK: (1183):received packet from 73.107.235.45 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Mar 26 15:08:03.178: ISAKMP: (1183):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 26 15:08:03.178: ISAKMP: (1183):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Mar 26 15:08:03.179: ISAKMP: (1183):processing ID payload. message ID = 0
*Mar 26 15:08:03.179: ISAKMP: (1183):ID payload
next-payload : 8
type : 1
*Mar 26 15:08:03.179: ISAKMP: (1183): address : 73.107.235.45
*Mar 26 15:08:03.179: ISAKMP: (1183): protocol : 0
port : 0
length : 12
*Mar 26 15:08:03.179: ISAKMP: (0):peer matches *none* of the profiles
*Mar 26 15:08:03.179: ISAKMP: (1183):processing HASH payload. message ID = 0
*Mar 26 15:08:03.179: ISAKMP: (1183):processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 0x80007F7B718E3100
*Mar 26 15:08:03.179: ISAKMP: (1183):SA authentication status:
authenticated
*Mar 26 15:08:03.179: ISAKMP: (1183):SA has been authenticated with 73.107.235.45
*Mar 26 15:08:03.179: ISAKMP: (1183):SA authentication status:
authenticated
*Mar 26 15:08:03.179: ISAKMP: (1183):Process initial contact,
bring down existing phase 1 and 2 SA's with local 50.250.102.118 remote 73.107.235.45 remote port 500
*Mar 26 15:08:03.180: ISAKMP: (0):Trying to insert a peer 50.250.102.118/73.107.235.45/500/,
*Mar 26 15:08:03.180: ISAKMP: (0): and inserted successfully 80007F7B724717F0.
*Mar 26 15:08:03.180: ISAKMP: (1183):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 26 15:08:03.180: ISAKMP: (1183):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Mar 26 15:08:03.180: ISAKMP: (1183):SA is doing
*Mar 26 15:08:03.180: ISAKMP: (1183):pre-shared key authentication using id type ID_IPV4_ADDR
*Mar 26 15:08:03.180: ISAKMP: (1183):ID payload
next-payload : 8
type : 1
*Mar 26 15:08:03.181: ISAKMP: (1183): address : 50.250.102.118
*Mar 26 15:08:03.181: ISAKMP: (1183): protocol : 17
port : 500
length : 12
*Mar 26 15:08:03.181: ISAKMP: (1183):Total payload length: 12
*Mar 26 15:08:03.181: ISAKMP-PAK: (1183):sending packet to 73.107.235.45 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Mar 26 15:08:03.181: ISAKMP: (1183):Sending an IKE IPv4 Packet.
*Mar 26 15:08:03.181: ISAKMP: (1183):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 26 15:08:03.181: ISAKMP: (1183):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
ISR4221#
*Mar 26 15:08:03.182: ISAKMP: (1183):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar 26 15:08:03.182: ISAKMP: (1183):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISR4221#
*Mar 26 15:08:05.155: ISAKMP-PAK: (1183):received packet from 73.107.235.45 dport 500 sport 500 Global (R) QM_IDLE
*Mar 26 15:08:05.155: ISAKMP: (1183):set new node 734805177 to QM_IDLE
*Mar 26 15:08:05.155: ISAKMP: (1183):processing HASH payload. message ID = 734805177
*Mar 26 15:08:05.156: ISAKMP: (1183):processing SA payload. message ID = 734805177
*Mar 26 15:08:05.156: ISAKMP: (1183):Checking IPSec proposal 1
*Mar 26 15:08:05.156: ISAKMP: (1183):transform 1, ESP_3DES
*Mar 26 15:08:05.156: ISAKMP: (1183): attributes in transform:
*Mar 26 15:08:05.156: ISAKMP: (1183): SA life type in seconds
*Mar 26 15:08:05.156: ISAKMP: (1183): SA life duration (basic) of 43200
*Mar 26 15:08:05.156: ISAKMP: (1183): encaps is 1 (Tunnel)
*Mar 26 15:08:05.156: ISAKMP: (1183): authenticator is HMAC-MD5
*Mar 26 15:08:05.156: ISAKMP: (1183):atts are acceptable.
*Mar 26 15:08:05.157: ISAKMP-ERROR: (1183):IPSec policy invalidated proposal with error 1024
*Mar 26 15:08:05.157: ISAKMP-ERROR: (1183):phase 2 SA policy not acceptable! (local 50.250.102.118 remote 73.107.235.45)
*Mar 26 15:08:05.158: ISAKMP: (1183):set new node 3385498750 to QM_IDLE
ISR4221#
*Mar 26 15:08:05.158: ISAKMP: (1183):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 9223512204992471792, message ID = 3385498750
*Mar 26 15:08:05.158: ISAKMP-PAK: (1183):sending packet to 73.107.235.45 my_port 500 peer_port 500 (R) QM_IDLE
*Mar 26 15:08:05.158: ISAKMP: (1183):Sending an IKE IPv4 Packet.
*Mar 26 15:08:05.158: ISAKMP: (1183):purging node 3385498750
*Mar 26 15:08:05.158: ISAKMP-ERROR: (1183):deleting node 734805177 error TRUE reason "QM rejected"
*Mar 26 15:08:05.159: ISAKMP: (1183):Node 734805177, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar 26 15:08:05.159: ISAKMP: (1183):Old State = IKE_QM_READY New State = IKE_QM_READY
ISR4221#
*Mar 26 15:08:07.164: ISAKMP-PAK: (1183):received packet from 73.107.235.45 dport 500 sport 500 Global (R) QM_IDLE
*Mar 26 15:08:07.165: ISAKMP: (1183):phase 2 packet is a duplicate of a previous packet.
*Mar 26 15:08:07.165: ISAKMP: (1183):retransmitting due to retransmit phase 2
*Mar 26 15:08:07.165: ISAKMP: (1183):Quick Mode is being processed. Ignoring retransmission
ISR4221#
*Mar 26 15:08:11.174: ISAKMP-PAK: (1183):received packet from 73.107.235.45 dport 500 sport 500 Global (R) QM_IDLE
*Mar 26 15:08:11.175: ISAKMP: (1183):phase 2 packet is a duplicate of a previous packet.
*Mar 26 15:08:11.175: ISAKMP: (1183):retransmitting due to retransmit phase 2
*Mar 26 15:08:11.175: ISAKMP: (1183):Quick Mode is being processed. Ignoring retransmission
*Mar 26 15:08:11.441: ISAKMP: (1182):purging node 1730638449
*Mar 26 15:08:11.441: ISAKMP: (1182):purging node 3285571772
ISR4221#
*Mar 26 15:08:19.184: ISAKMP-PAK: (1183):received packet from 73.107.235.45 dport 500 sport 500 Global (R) QM_IDLE
*Mar 26 15:08:19.184: ISAKMP: (1183):phase 2 packet is a duplicate of a previous packet.
*Mar 26 15:08:19.185: ISAKMP: (1183):retransmitting due to retransmit phase 2
*Mar 26 15:08:19.185: ISAKMP: (1183):Quick Mode is being processed. Ignoring retransmission
ISR4221#
*Mar 26 15:08:21.818: ISAKMP: (1183):set new node 0 to QM_IDLE
*Mar 26 15:08:21.818: ISAKMP: (1183):SA has outstanding requests (local 50.250.102.118 port 500, remote 73.107.235.45 port 500)
*Mar 26 15:08:21.818: ISAKMP: (1183):sitting IDLE. Starting QM immediately (QM_IDLE )
*Mar 26 15:08:21.818: ISAKMP: (1183):beginning Quick Mode exchange, M-ID of 202785673
*Mar 26 15:08:21.830: ISAKMP: (1183):QM Initiator gets spi
*Mar 26 15:08:21.831: ISAKMP-PAK: (1183):sending packet to 73.107.235.45 my_port 500 peer_port 500 (R) QM_IDLE
*Mar 26 15:08:21.831: ISAKMP: (1183):Sending an IKE IPv4 Packet.
*Mar 26 15:08:21.831: ISAKMP: (1183):Node 202785673, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar 26 15:08:21.831: ISAKMP: (1183):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Mar 26 15:08:21.864: ISAKMP-PAK: (1183):received packet from 73.107.235.45 dport 500 sport 500 Global (R) QM_IDLE
*Mar 26 15:08:21.864: ISAKMP: (1183):set new node 2965253630 to QM_IDLE
*Mar 26 15:08:21.865: ISAKMP: (1183):processing HASH payload. message ID = 2965253630
*Mar 26 15:08:21.865: ISAKMP: (1183):processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 4178712177, message ID = 2965253630, sa = 0x80007F7B718E3100
ISR4221#
*Mar 26 15:08:21.865: ISAKMP: (1183):deleting spi 4178712177 message ID = 202785673
*Mar 26 15:08:21.865: ISAKMP-ERROR: (1183):deleting node 202785673 error TRUE reason "Delete Larval"
*Mar 26 15:08:21.865: ISAKMP: (1183):deleting node 2965253630 error FALSE reason "Informational (in) state 1"
*Mar 26 15:08:21.865: ISAKMP: (1183):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 26 15:08:21.865: ISAKMP: (1183):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISR4221#
*Mar 26 15:08:35.195: ISAKMP-PAK: (1183):received packet from 73.107.235.45 dport 500 sport 500 Global (R) QM_IDLE
*Mar 26 15:08:35.196: ISAKMP: (1183):phase 2 packet is a duplicate of a previous packet.
*Mar 26 15:08:35.196: ISAKMP: (1183):retransmitting due to retransmit phase 2
*Mar 26 15:08:35.196: ISAKMP: (1183):Quick Mode is being processed. Ignoring retransmission
ISR4221#
*Mar 26 15:08:41.878: ISAKMP: (1182):purging node 828670928
*Mar 26 15:08:41.878: ISAKMP: (1182):purging node 4149256254
ISR4221#
ISR4221#
ISR4221#
ISR4221#
ISR4221#
ISR4221#
ISR4221#
ISR4221#
ISR4221#
ISR4221#un all
*Mar 26 15:08:52.085: ISAKMP: (1182):purging node 2898857848
*Mar 26 15:08:52.251: ISAKMP: (1183):set new node 0 to QM_IDLE
*Mar 26 15:08:52.251: ISAKMP: (1183):SA has outstanding requests (local 50.250.102.118 port 500, remote 73.107.235.45 port 500)
*Mar 26 15:08:52.251: ISAKMP: (1183):sitting IDLE. Starting QM immediately (QM_IDLE )
*Mar 26 15:08:52.251: ISAKMP: (1183):beginning Quick Mode exchange, M-ID of 2615360766
*Mar 26 15:08:52.263: ISAKMP: (1183):QM Initiator gets spi
*Mar 26 15:08:52.264: ISAKMP-PAK: (1183):sending packet to 73.107.235.45 my_port 500 peer_port 500 (R) QM_IDLE
*Mar 26 15:08:52.264: ISAKMP: (1183):Sending an IKE IPv4 Packet.
*Mar 26 15:08:52.264: ISAKMP: (1183):Node 2615360766, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar 26 15:08:52.264: ISAKMP: (1183):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Mar 26 15:08:52.301: ISAKMP-PAK: (1183):received packet from 73.107.235.45 dport 500 sport 500 Global (R) QM_IDLE
*Mar 26 15:08:52.302: ISAKMP: (1183):set new node 3172844811 to QM_IDLE
*Mar 26 15:08:52.302: ISAKMP: (1183):processing HASH payload. message ID = 3172844811
*Mar 26 15:08:52.302: ISAKMP: (1183):processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 726164641, message ID = 3172844811, sa = 0x80007F7B718E3100
ISR4221#un all
All possible debugging has been turned off
ISR4221#
*Mar 26 15:08:52.302: ISAKMP: (1183):deleting spi 726164641 message ID = 2615360766
*Mar 26 15:08:52.302: ISAKMP-ERROR: (1183):deleting node 2615360766 error TRUE reason "Delete Larval"
*Mar 26 15:08:52.302: ISAKMP: (1183):deleting node 3172844811 error FALSE reason "Informational (in) state 1"
*Mar 26 15:08:52.302: ISAKMP: (1183):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 26 15:08:52.302: ISAKMP: (1183):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
#9
emnoc
Expert Member
  • Total Posts : 6055
  • Scores: 404
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/26 08:12:04 (permalink)
0
Can you show the FortiGate phase2 settings? I have a hunch you have pfs enabled or something
 
/* cli 
 
show full vpn ipsec phase2-interface <name>
 
The Cisco stuff looks good, FWIW, but we need to make sure FortiOS is matching.
 
 
Ken Felix
 

PCNSE 
NSE 
StrongSwan  
#10
mrmadgig
New Member
  • Total Posts : 13
  • Scores: 0
  • Reward points: 0
  • Joined: 2021/03/24 17:30:57
  • Status: offline
Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/26 08:50:36 (permalink)
0
Hi Ken
 
Here is the output.
 
config vpn ipsec phase2-interface
edit "TestToCisco"
set phase1name "TestToCisco"
set proposal 3des-md5
set pfs disable
set ipv4-df disable
set replay disable
set auto-negotiate enable
set auto-discovery-sender phase1
set auto-discovery-forwarder phase1
set keylife-type seconds
set encapsulation tunnel-mode
set comments ''
set protocol 0
set src-addr-type subnet
set src-port 0
set dst-addr-type subnet
set dst-port 0
set keylifeseconds 86400
set src-subnet 0.0.0.0 0.0.0.0
set dst-subnet 0.0.0.0 0.0.0.0
next
end
#11
emnoc
Expert Member
  • Total Posts : 6055
  • Scores: 404
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/26 09:46:31 (permalink)
0
On the FortiGate, do you have a firewall policy for the named phase1 interface? You need a policy, and the cfg on the FortiGate looks okay.
 
What I see in the debug from Cisco is that the ipsec-sa is failing with "phase 2 SA policy not acceptable!", and your phase2 has some issues, or I'm thinking a policy is missing on the FortiGate. You should be negotiating quad 0s (0.0.0.0/0) between the two IKE peers.
 
You can run diag debug enable followed by diag debug app ike -1 on the FortiOS device to look at its debug.
 
 
 
Ken Felix

PCNSE 
NSE 
StrongSwan  
#12
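Ken's pointer above is to read the FortiOS ike debug rather than guess. When quick mode fails, that trace prints the FortiGate's own proposal ("my proposal:"), the peer's ("incoming proposal:"), the traffic selectors ("peer proposal is: ...") and a one-line reason for the rejection. The script below is an added example for this thread, not code from the posts or from Fortinet: it parses those lines, diffs the two proposals attribute by attribute and reports which one broke phase 2, next to the selectors so you can confirm both sides really offer the quad 0s Ken mentions. The trace embedded in it is constructed in the shape of the lines quoted in this thread (tunnel name and negotiation ids are illustrative), and the remediation text in HINTS is the editor's assumption about what usually aligns each attribute.

```python
"""Diff the two ESP proposals in a FortiOS "diag debug app ike -1" trace.
Added example for this thread, not code from the posts or from Fortinet: it pairs
the FortiGate's "my proposal" with the peer's "incoming proposal" per quick-mode
attempt and names the attribute that broke phase 2."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the ike debug lines quoted in this thread;
# tunnel name and connection/negotiation ids are illustrative, not a capture.
SAMPLE_DEBUG = """\
ike 0:TestToCisco:8573:3445: responder received first quick-mode message
ike 0:TestToCisco:8573:3445: peer proposal is: peer:0:0.0.0.0-255.255.255.255:0, me:0:0.0.0.0-255.255.255.255:0
ike 0:TestToCisco:8573:TestToCisco:3445: my proposal:
ike 0:TestToCisco:8573:TestToCisco:3445: trans_id = ESP_3DES
ike 0:TestToCisco:8573:TestToCisco:3445: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:TestToCisco:8573:TestToCisco:3445: type = AUTH_ALG, val=MD5
ike 0:TestToCisco:8573:TestToCisco:3445: incoming proposal:
ike 0:TestToCisco:8573:TestToCisco:3445: PFS DH group = 5
ike 0:TestToCisco:8573:TestToCisco:3445: trans_id = ESP_3DES
ike 0:TestToCisco:8573:TestToCisco:3445: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:TestToCisco:8573:TestToCisco:3445: type = AUTH_ALG, val=MD5
ike 0:TestToCisco:8573:TestToCisco:3445: did not expect PFS DH group, received DH group 5
ike 0:TestToCisco:8573:TestToCisco:3445: negotiation failure
ike Negotiate IPsec SA Error: ike 0:TestToCisco:8573:3445: no SA proposal chosen
"""

# Lines read "ike 0:<tunnel>:<ids...>: <message>"; id count varies, message may hold colons.
PREFIX_RE = re.compile(r"ike 0:(?P<tunnel>[^:\s]+)(?::[^:\s]+)*: (?P<msg>.*)$")
SELECTOR_RE = re.compile(r"^peer proposal is: peer:(?P<peer>\S+), me:(?P<me>\S+)$")
TYPED_ATTR_RE = re.compile(r"^type\s*=\s*(?P<key>\w+),\s*val=(?P<val>\S+)$")  # type = AUTH_ALG, val=MD5
ATTR_RE = re.compile(r"^(?P<key>[A-Za-z_ ]+?)\s*=\s*(?P<val>[^:]+?):?$")       # PFS DH group = 5
START_MARKERS = ("received first quick-mode message", "initiator selectors")
FAILURE_MARKERS = ("did not expect", "negotiation failure", "no SA proposal chosen")
# Hints are the editor's assumptions about what usually aligns an attribute, not thread advice.
HINTS = {
    "PFS DH group": "PFS is on for one peer only: use the same DH group on both (FortiOS phase2-interface: "
                    "set pfs enable / set dhgrp N; Cisco ipsec profile: set pfs groupN) or disable it on both",
    "trans_id": "ESP cipher differs: align the FortiOS phase2 proposal with the Cisco transform-set",
    "AUTH_ALG": "ESP integrity differs: align the FortiOS phase2 proposal with the Cisco transform-set",
    "encapsulation": "tunnel vs transport mode differs between the peers",
}

@dataclass
class QuickModeAttempt:
    tunnel: str
    selectors: Optional[Tuple[str, str]] = None           # (peer's selector, my selector)
    mine: Dict[str, str] = field(default_factory=dict)    # attributes of our proposal
    theirs: Dict[str, str] = field(default_factory=dict)  # attributes of the peer's proposal
    reasons: List[str] = field(default_factory=list)      # rejection messages from the trace

    def mismatches(self) -> List[Tuple[str, Optional[str], Optional[str]]]:
        keys = sorted(set(self.mine) | set(self.theirs))  # None below means "absent on that side"
        return [(k, self.mine.get(k), self.theirs.get(k))
                for k in keys if self.mine.get(k) != self.theirs.get(k)]

def analyse(debug_text: str) -> List[QuickModeAttempt]:
    attempts: List[QuickModeAttempt] = []
    current: Optional[QuickModeAttempt] = None
    side: Optional[str] = None  # "mine" or "theirs" while inside a proposal listing
    for raw in debug_text.splitlines():
        m = PREFIX_RE.search(raw.strip())
        if not m:
            continue  # "ike 0: comes ..." and other lines without a tunnel name
        tunnel, msg = m.group("tunnel"), m.group("msg").strip()
        starts_new = any(s in msg for s in START_MARKERS)
        if starts_new or current is None:
            current = QuickModeAttempt(tunnel)
            attempts.append(current)
            side = None
            if starts_new:
                continue
        sel = SELECTOR_RE.match(msg)
        if sel:
            current.selectors = (sel.group("peer"), sel.group("me"))
        elif msg == "my proposal:":
            side = "mine"
        elif msg == "incoming proposal:":
            side = "theirs"
        elif any(f in msg for f in FAILURE_MARKERS):
            current.reasons.append(msg)
            side = None
        elif side:
            attr = TYPED_ATTR_RE.match(msg) or ATTR_RE.match(msg)
            if attr:
                getattr(current, side)[attr.group("key").strip()] = attr.group("val").strip()
    return attempts

def report(debug_text: str) -> List[str]:
    out: List[str] = []
    for a in analyse(debug_text):
        peer_sel, my_sel = a.selectors or ("?", "?")
        out.append(f"tunnel {a.tunnel}: peer selector {peer_sel}, my selector {my_sel}")
        for key, mine, theirs in a.mismatches():
            out.append(f"  {key}: mine={mine} peer={theirs} -> {HINTS.get(key, 'check both peers')}")
        for reason in a.reasons:
            out.append(f"  rejected: {reason}")
    return out
```

Feed report() the text captured after diag debug app ike -1; on the constructed trace it lists both selectors as 0:0.0.0.0-255.255.255.255:0 and a single mismatch, PFS DH group absent on the FortiGate side and 5 from the peer, which is exactly the "did not expect PFS DH group" rejection. Note that PFS only appears in a proposal when it is enabled, so "mine=None" is the signature of PFS off on the FortiGate while the Cisco side offers it; whichever way you align it, set both peers the same. Also keep in mind that 3DES with MD5, as negotiated in this thread, is legacy: once the tunnel is up, move both sides to AES and SHA-2.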
mrmadgig
New Member
  • Total Posts : 13
  • Scores: 0
  • Reward points: 0
  • Joined: 2021/03/24 17:30:57
  • Status: offline
Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/26 10:13:01 (permalink)
0
I do believe that I have the policies, but again, I am new and not sure. I asked this in the first post. I have ZBFW on the Cisco, and I know that is not it because I removed it to test and still no joy. I feel it's on the Forti side. Please see this image to see if this is the correct policy you're asking for. 
 
Also the forti post was the diag you wanted. I can do it again. No problem. I am not sure what the Phase1 interface is on this box because it names everything and I am used to numbers. I see the name is the same for both phase interfaces.
 
Is this interface in Network >>> Interfaces? When I expand my Wan1 interface I see it; it is a Tunnel Interface and it has not been addressed, meaning no IP addressing.

Attached Image(s)

#13
mrmadgig
New Member
  • Total Posts : 13
  • Scores: 0
  • Reward points: 0
  • Joined: 2021/03/24 17:30:57
  • Status: offline
Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/26 10:24:13 (permalink)
0
Here is the debug. What is the PFS there (perfect forward secrecy)? I have this turned off on both boxes. It is seeing PFS DH 5 and complaining about it. 
 
FORTIGATE # ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0
ike 0:TestToCisco:TestToCisco: using existing connection
ike 0:TestToCisco:TestToCisco: config found
ike 0:TestToCisco: request is on the queue
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0
ike 0:TestToCisco:TestToCisco: using existing connection
ike 0:TestToCisco:TestToCisco: config found
ike 0:TestToCisco: request is on the queue
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0
ike 0:TestToCisco:TestToCisco: using existing connection
ike 0:TestToCisco:TestToCisco: config found
ike 0:TestToCisco: request is on the queue
ike 0:TestToCisco:8572:TestToCisco:3438: quick-mode negotiation failed due to retry timeout
ike 0:TestToCisco:8572: send IKE SA delete f0e854d883317db0/1318bf0cd9f208a7
ike 0:TestToCisco:8572: enc F0E854D883317DB01318BF0CD9F208A70810050197DB750C0000004C0C000014FF385C8824EED81FBDDFEF5B440F97940000001C0000000101100001F0E854D883317DB013
18BF0CD9F208A7
ike 0:TestToCisco:8572: out F0E854D883317DB01318BF0CD9F208A70810050197DB750C00000054AD220909ACEF3C79F312786B3ED78D7D2699BAC97BC7FC5F5D636DB58935CF783C8466C2960BD7BB16
1F00F867C99A26E73611627C76E234
ike 0:TestToCisco:8572: sent IKE msg (ISAKMP SA DELETE-NOTIFY): 73.107.235.45:500->50.250.102.118:500, len=84, id=f0e854d883317db0/1318bf0cd9f208a7:97db750c
ike 0:TestToCisco: connection expiring due to phase1 down
ike 0:TestToCisco: deleting
ike 0:TestToCisco: deleted
ike 0:TestToCisco: set oper down
ike 0:TestToCisco: schedule auto-negotiate
ike 0:TestToCisco: carrier down
ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7....
ike 0: IKEv1 exchange=Informational id=f0e854d883317db0/1318bf0cd9f208a7:12bda5d9 len=84
ike 0: in F0E854D883317DB01318BF0CD9F208A70810050112BDA5D90000005492B55C37D5E76EB34B063C5EE3F9485E484369CEF3B40B2EB99936221332329200E1A68482151653E12C57EE467997DA4ADA
CE7C2386DF19
ike 0: no established IKE SA for exchange-type Informational from 50.250.102.118:500->73.107.235.45 7 cookie f0e854d883317db0/1318bf0cd9f208a7, drop
ike 0:TestToCisco: auto-negotiate connection
ike 0:TestToCisco: created connection: 0x1835d5f0 7 73.107.235.45->50.250.102.118:500.
ike 0:TestToCisco:8573: initiator: main mode is sending 1st message...
ike 0:TestToCisco:8573: cookie 66aa5be8f78dfbef/0000000000000000
ike 0:TestToCisco:8573: out 66AA5BE8F78DFBEF00000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001000C00040001518080
0100058003000180020001800400020D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C000000000000014
8299031757A36082C6A621DE00000000
ike 0:TestToCisco:8573: sent IKE msg (ident_i1send): 73.107.235.45:500->50.250.102.118:500, len=168, id=66aa5be8f78dfbef/0000000000000000
ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7....
ike 0: IKEv1 exchange=Identity Protection id=66aa5be8f78dfbef/1318bf0ccc64d6ee len=84
ike 0: in 66AA5BE8F78DFBEF1318BF0CCC64D6EE0110020000000000000000540000003800000001000000010000002C01010001000000240101000080010005800200018004000280030001800B0001000C
000400015180
ike 0:TestToCisco:8573: initiator: main mode get 1st response...
ike 0:TestToCisco:8573: negotiation result
ike 0:TestToCisco:8573: proposal id = 1:
ike 0:TestToCisco:8573: protocol id = ISAKMP:
ike 0:TestToCisco:8573: trans_id = KEY_IKE.
ike 0:TestToCisco:8573: encapsulation = IKE/none
ike 0:TestToCisco:8573: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:TestToCisco:8573: type=OAKLEY_HASH_ALG, val=MD5.
ike 0:TestToCisco:8573: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:TestToCisco:8573: type=OAKLEY_GROUP, val=MODP1024.
ike 0:TestToCisco:8573: ISAKMP SA lifetime=86400
ike 0:TestToCisco:8573: out 66AA5BE8F78DFBEF1318BF0CCC64D6EE0410020000000000000000B40A000084FB24F893C08A94E3B2053D7FA8F2FCD9BAAD6A36CE2FE8559800742A3AFDAE6451EDC4F53C
50A752147D66BB9E86455922AD8B83B199F7550293D349529F04B813285416674D72A4CBD5CFD4C221366CF6C33B231E3A89ADBC49EB6D8ADD4AD90886C63D67B56F3E60A989927E8FB3AFFB0D28B6A72945E7
01848F9D4ACF3B59000000144F0A3FE02844FDFF8BD7749115F04E13
ike 0:TestToCisco:8573: sent IKE msg (ident_i2send): 73.107.235.45:500->50.250.102.118:500, len=180, id=66aa5be8f78dfbef/1318bf0ccc64d6ee
ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7....
ike 0: IKEv1 exchange=Identity Protection id=66aa5be8f78dfbef/1318bf0ccc64d6ee len=256
ike 0: in 66AA5BE8F78DFBEF1318BF0CCC64D6EE0410020000000000000001000A00008495ECFBAEE83CEB62757515D24E40D5E3D2FA3AAD9B176D53E9794B7DCB213C69EB2921D57933F20E4DF7A864E080
C4FB0D95B8EE999B0A5A27552199DC3F9BB2B0E2300503E527B9FEA9828A3D23946B97CD847CEE05D8639767D6169273ACCB1A90B179C21B80BAF267AABBBE8BE7CA2501C56F877F2D3E14BE8E03432BD0500D
000018887A54F5AD41F7471C5FDE11E78434464C1F22C40D00001412F5F28C457168A9702D9FE274CC01000D000014AFCAD71368A1F1C96B8696FC775701000D000014E6DF1811CC65D6EE3631E5E0BC1FA0E8
0000000C09002689DFD6B712
ike 0:TestToCisco:8573: initiator: main mode get 2nd response...
ike 0:TestToCisco:8573: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
ike 0:TestToCisco:8573: peer supports UNITY
ike 0:TestToCisco:8573: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:TestToCisco:8573: VID unknown (16): E6DF1811CC65D6EE3631E5E0BC1FA0E8
ike 0:TestToCisco:8573: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 0:TestToCisco:8573: nat unavailable
ike 0:TestToCisco:8573: ISAKMP SA 66aa5be8f78dfbef/1318bf0ccc64d6ee key 24:2C0150064A4CD7322CE6E9448D1FFCA348ED98A81ABA30F8
ike 0:TestToCisco:8573: add INITIAL-CONTACT
ike 0:TestToCisco:8573: enc 66AA5BE8F78DFBEF1318BF0CCC64D6EE0510020100000000000000580800000C01000000496BEB2D0B000014A5457FD19CDE7EB9C5207AAF9E3CA0BC0000001C0000000101
10600266AA5BE8F78DFBEF1318BF0CCC64D6EE
ike 0:TestToCisco:8573: out 66AA5BE8F78DFBEF1318BF0CCC64D6EE05100201000000000000005C102EB9943E16C2A68BCF5752B0FE347977E370A6EEBB5C14596EA11B1F54067AEC4045D678D73EFE0E
70A9505AFC765A2AE410AD99F35FD5E07495E91A9F76C0
ike 0:TestToCisco:8573: sent IKE msg (ident_i3send): 73.107.235.45:500->50.250.102.118:500, len=92, id=66aa5be8f78dfbef/1318bf0ccc64d6ee
ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7....
ike 0: IKEv1 exchange=Identity Protection id=66aa5be8f78dfbef/1318bf0ccc64d6ee len=68
ike 0: in 66AA5BE8F78DFBEF1318BF0CCC64D6EE051002010000000000000044A1E46C50AFF8188B38C5B2A80DC3D2CE371C0EFBB736FFEB3EC3582CCF257D2FBA5F998F506C9177
ike 0:TestToCisco:8573: initiator: main mode get 3rd response...
ike 0:TestToCisco:8573: dec 66AA5BE8F78DFBEF1318BF0CCC64D6EE0510020100000000000000440800000C011101F432FA6676000000146D5B653C86477F31BB49A5207C7D36460000000000000000
ike 0:TestToCisco:8573: peer identifier IPV4_ADDR 50.250.102.118
ike 0:TestToCisco:8573: PSK authentication succeeded
ike 0:TestToCisco:8573: authentication OK
ike 0:TestToCisco:8573: established IKE SA 66aa5be8f78dfbef/1318bf0ccc64d6ee
ike 0:TestToCisco: set oper up
ike 0:TestToCisco: schedule auto-negotiate
ike 0:TestToCisco:8573: no pending Quick-Mode negotiations
ike 0:TestToCisco: carrier up
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0
ike 0:TestToCisco:TestToCisco: using existing connection
ike 0:TestToCisco:TestToCisco: config found
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:500 negotiating
ike 0:TestToCisco:8573: cookie 66aa5be8f78dfbef/1318bf0ccc64d6ee:1392001d
ike 0:TestToCisco:8573:TestToCisco:3444: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0
ike 0:TestToCisco:8573: enc 66AA5BE8F78DFBEF1318BF0CCC64D6EE081020011392001D00000098010000145F0249249F9B99FE0CC26053C6EAB9DF0A0000340000000100000001000000280103040187
72CD710000001C0103000080010001000200040001518080040001800500010500001425C32DB712AD364452BACE4F0B650AF70500001004000000000000000000000000000010040000000000000000000000
ike 0:TestToCisco:8573: out 66AA5BE8F78DFBEF1318BF0CCC64D6EE081020011392001D0000009C53174B4795466732814F7F8DFAE1E527137F160A70B0E2A5FF320591EF0EAFFDB2283751590D292271
C3794314E844481C7BA4E609E6A850279D6A3696519CD10F3F172B77661693D3CF2AEAB663B87B5DBDC8B852374B8C6DEE941621321286C6116C7A9E321B4F4F45BB6D46C4A42DB159604785B5A12D41960363
193184E1
ike 0:TestToCisco:8573: sent IKE msg (quick_i1send): 73.107.235.45:500->50.250.102.118:500, len=156, id=66aa5be8f78dfbef/1318bf0ccc64d6ee:1392001d
ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7....
ike 0: IKEv1 exchange=Informational id=66aa5be8f78dfbef/1318bf0ccc64d6ee:9552fa2c len=84
ike 0: in 66AA5BE8F78DFBEF1318BF0CCC64D6EE081005019552FA2C00000054D5085DE04D866D61E727FFFEB7B6E3BDFDC80DC3F60DD6B980F0895725D5598417F049DF9813F64DB933B2693AFE49EF7382
6706CD2C1AE6
ike 0:TestToCisco:8573: dec 66AA5BE8F78DFBEF1318BF0CCC64D6EE081005019552FA2C000000540B000014E08C9F1E788AEF438FFD1611DC1088540000001C000000010304000E8772CD710A00003400
000001000000010000000000000000
ike 0:TestToCisco:8573: notify msg received: NO-PROPOSAL-CHOSEN
ike 0:TestToCisco:8573:TestToCisco:3444: IPsec SPI 8772cd71 match
ike 0:TestToCisco:8573: out 66AA5BE8F78DFBEF1318BF0CCC64D6EE081020011392001D0000009C53174B4795466732814F7F8DFAE1E527137F160A70B0E2A5FF320591EF0EAFFDB2283751590D292271
C3794314E844481C7BA4E609E6A850279D6A3696519CD10F3F172B77661693D3CF2AEAB663B87B5DBDC8B852374B8C6DEE941621321286C6116C7A9E321B4F4F45BB6D46C4A42DB159604785B5A12D41960363
193184E1
ike 0:TestToCisco:8573: sent IKE msg (P2_RETRANSMIT): 73.107.235.45:500->50.250.102.118:500, len=156, id=66aa5be8f78dfbef/1318bf0ccc64d6ee:1392001d
ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7....
ike 0: IKEv1 exchange=Quick id=66aa5be8f78dfbef/1318bf0ccc64d6ee:c479cc59 len=372
ike 0: in 66AA5BE8F78DFBEF1318BF0CCC64D6EE08102001C479CC5900000174E8213487E8EF8B1A227AA9294C0EFBB89396EBA8F99D9D1F4313EE657B8EB96D52A3ABB9034DFF39C83231A98738C5EA51F9
78380FE274F71288E8649F7FE98B8129AAF2D6D17DB37FFE5379CA559DEE691A787919E1B80CBCF40433B3F51F29B6B73D7076FE18B1473FB22447A8AD81B9AE20E83467E63EBEA75BC7F867E7CE9790A6ABA8
D86D6DF7B3C25BA750BB6E0F6F46A785F72477F6650A0F610C0276E2C40253B3B2FEE8B05A178D3700029A168AB6BEA4CF8996460D8041CD8E95C14D492F0300EA7C3A64533A55B1D1DFA29E396451BF58486A
D5002CB7AF0D69388F6BEF3185E0C05FE7E2B42E82B0C7D169B6A84E0B4E1D2C59AB2E9FA1A3458EAFA9D30B2A598043FF91A449A6D817EB19F5A61084E6F8CD5F31062DC9FA31003653ACD27997C8C47B17DE
0D6C22401FC3C9FB7141FC0EBD91DD4E058A0426228E3E46D04B468C008C4511192183F34D3CC789B58658044E
ike 0:TestToCisco:8573:3445: responder received first quick-mode message
ike 0:TestToCisco:8573: dec 66AA5BE8F78DFBEF1318BF0CCC64D6EE08102001C479CC590000017401000014BB99C78729A118469C38A4858FC63A300A00004000000001000000010000003401030401D4
DC82C20000002801030000800400018001000180020E1080010002000200040046500080050001800300050400001887269BAC709943C1DDFD3EE77CDCB237513E464A050000C4FEF76ECC4278965467DD8B28
874BF68B96C035AD58F3C231230CF70792EF3C2977B2EB6F1307E522FD309352027D578429776413AA993524C2FAFAAE4BC3E894C14E335C8FEDA43F4D739A8E3D371F8DD414485DEFC814995C47775A07B4C2
246DC4B7336BBA509AC791C648AED4AC2FB665960F6CF0798D800BFC1078B8BE7562109788944ED7D12E96721164879277DD4C29B449027596B0BBA7DBB6519E0AFCE83E1C7BC2762978B74AC24D6A39C53F53
932567DD455728CB876F694C95B705000010040000000000000000000000000000100400000000000000000000000000000000000000
ike 0:TestToCisco:8573:3445: peer proposal is: peer:0:0.0.0.0-255.255.255.255:0, me:0:0.0.0.0-255.255.255.255:0
ike 0:TestToCisco:8573:TestToCisco:3445: trying
ike 0:TestToCisco:8573:TestToCisco:3445: matched phase2
ike 0:TestToCisco:8573:TestToCisco:3445: autokey
ike 0:TestToCisco:8573:TestToCisco:3445: my proposal:
ike 0:TestToCisco:8573:TestToCisco:3445: proposal id = 1:
ike 0:TestToCisco:8573:TestToCisco:3445: protocol id = IPSEC_ESP:
ike 0:TestToCisco:8573:TestToCisco:3445: trans_id = ESP_3DES
ike 0:TestToCisco:8573:TestToCisco:3445: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:TestToCisco:8573:TestToCisco:3445: type = AUTH_ALG, val=MD5
ike 0:TestToCisco:8573:TestToCisco:3445: incoming proposal:
ike 0:TestToCisco:8573:TestToCisco:3445: proposal id = 1:
ike 0:TestToCisco:8573:TestToCisco:3445: protocol id = IPSEC_ESP:
ike 0:TestToCisco:8573:TestToCisco:3445: PFS DH group = 5
ike 0:TestToCisco:8573:TestToCisco:3445: trans_id = ESP_3DES
ike 0:TestToCisco:8573:TestToCisco:3445: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:TestToCisco:8573:TestToCisco:3445: type = AUTH_ALG, val=MD5
ike 0:TestToCisco:8573:TestToCisco:3445: did not expect PFS DH group, received DH group 5
ike 0:TestToCisco:8573:TestToCisco:3445: negotiation failure
ike Negotiate IPsec SA Error: ike 0:TestToCisco:8573:3445: no SA proposal chosen
ike 0:TestToCisco:3445: info_send_n2, type 14, peer SPI d4dc82c2
ike 0:TestToCisco:8573: enc 66AA5BE8F78DFBEF1318BF0CCC64D6EE08100501677915D4000000400B0000148DEAA2A2AFFC09DADEF9C80D68F0C55700000010000000010304000ED4DC82C2
ike 0:TestToCisco:8573: out 66AA5BE8F78DFBEF1318BF0CCC64D6EE08100501677915D40000004463FD36A88CCDCC143BDC2AAC9BB09A20C48A31C8E7B3D84A587FCF8B8F41DABB14C89823E8E2F730
ike 0:TestToCisco:8573: sent IKE msg (p2_notify_14): 73.107.235.45:500->50.250.102.118:500, len=68, id=66aa5be8f78dfbef/1318bf0ccc64d6ee:677915d4
ike 0:TestToCisco:8573: error processing quick-mode message from 50.250.102.118 as responder
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0
ike 0:TestToCisco:TestToCisco: using existing connection
ike 0:TestToCisco:TestToCisco: config found
ike 0:TestToCisco: request is on the queue
ike 0:TestToCisco:8573: out 66AA5BE8F78DFBEF1318BF0CCC64D6EE081020011392001D0000009C53174B4795466732814F7F8DFAE1E527137F160A70B0E2A5FF320591EF0EAFFDB2283751590D292271
C3794314E844481C7BA4E609E6A850279D6A3696519CD10F3F172B77661693D3CF2AEAB663B87B5DBDC8B852374B8C6DEE941621321286C6116C7A9E321B4F4F45BB6D46C4A42DB159604785B5A12D41960363
193184E1
ike 0:TestToCisco:8573: sent IKE msg (P2_RETRANSMIT): 73.107.235.45:500->50.250.102.118:500, len=156, id=66aa5be8f78dfbef/1318bf0ccc64d6ee:1392001d
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0
ike 0:TestToCisco:TestToCisco: using existing connection
ike 0:TestToCisco:TestToCisco: config found
ike 0:TestToCisco: request is on the queue
ike 0:TestToCisco:8573: out 66AA5BE8F78DFBEF1318BF0CCC64D6EE081020011392001D0000009C53174B4795466732814F7F8DFAE1E527137F160A70B0E2A5FF320591EF0EAFFDB2283751590D292271
C3794314E844481C7BA4E609E6A850279D6A3696519CD10F3F172B77661693D3CF2AEAB663B87B5DBDC8B852374B8C6DEE941621321286C6116C7A9E321B4F4F45BB6D46C4A42DB159604785B5A12D41960363
193184E1
ike 0:TestToCisco:8573: sent IKE msg (P2_RETRANSMIT): 73.107.235.45:500->50.250.102.118:500, len=156, id=66aa5be8f78dfbef/1318bf0ccc64d6ee:1392001d
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0
ike 0:TestToCisco:TestToCisco: using existing connection
ike 0:TestToCisco:TestToCisco: config found
ike 0:TestToCisco: request is on the queue
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0
ike 0:TestToCisco:TestToCisco: using existing connection
ike 0:TestToCisco:TestToCisco: config found
ike 0:TestToCisco: request is on the queue
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0
ike 0:TestToCisco:TestToCisco: using existing connection
ike 0:TestToCisco:TestToCisco: config found
ike 0:TestToCisco: request is on the queue
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0
ike 0:TestToCisco:TestToCisco: using existing connection
ike 0:TestToCisco:TestToCisco: config found
ike 0:TestToCisco: request is on the queue
ike 0:TestToCisco:8573: out 66AA5BE8F78DFBEF1318BF0CCC64D6EE081020011392001D0000009C53174B4795466732814F7F8DFAE1E527137F160A70B0E2A5FF320591EF0EAFFDB2283751590D292271
C3794314E844481C7BA4E609E6A850279D6A3696519CD10F3F172B77661693D3CF2AEAB663B87B5DBDC8B852374B8C6DEE941621321286C6116C7A9E321B4F4F45BB6D46C4A42DB159604785B5A12D41960363
193184E1
ike 0:TestToCisco:8573: sent IKE msg (P2_RETRANSMIT): 73.107.235.45:500->50.250.102.118:500, len=156, id=66aa5be8f78dfbef/1318bf0ccc64d6ee:1392001d
ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7....
ike 0: IKEv1 exchange=Quick id=66aa5be8f78dfbef/1318bf0ccc64d6ee:21b5991f len=372
ike 0: in 66AA5BE8F78DFBEF1318BF0CCC64D6EE0810200121B5991F00000174AB410BA7C054479484CBF91A8B63DA561AB7DE1D64E974C26CC483E34BD3D55BED6A04D6398E44CF69D66B4B531DD9E211B8
63D917E89D981AD281B96FCBC3EBED2DC35F019F2C0C9DB0AA4917CDC6CE8BE59B4E123C4904F5A057E390232BFAA6C9F5D4C1504CC67575B13F1E8E118B157AE183AE1939567FAD618487DD352BC8EDC0D9CF
48EEADA7767E5DBFB1D00493898BE72A78290CED356369A009CB59DA3792B67EDC3455BE61A23BC62F6D24BB0C04BA64A7C0C9C31BE6FB31D35E91BB9AC3E7B0134FF641DA60EE697DAE36DC29530473C15D0F
B47C69DA51BC1B95AC2D6114659CD5A6E4A450E0F5EB2D44C9B4E4EF2E29DEE2F9396AEBD18248B8CC544AE089911B8712A2CC200255D7BED8F7F3B84A9C5D5D807E924DF6BBEFE38DBCD2B8C44648F5915B4B
03186E95B154321AF24130BFAC221921869499BBF4A5379C44D21FAB16C28E38684FAF03627C4475DD45BE058D
ike 0:TestToCisco:8573:3447: responder received first quick-mode message
ike 0:TestToCisco:8573: dec 66AA5BE8F78DFBEF1318BF0CCC64D6EE0810200121B5991F00000174010000145C7911332A81E2E1DD1397DEFD3E3E320A0000400000000100000001000000340103040190
9DF0950000002801030000800400018001000180020E10800100020002000400465000800500018003000504000018F5A63B69A58EE2011AE4FA458EBF04D94445E94D050000C476A09A9E93915F3F619A9786
423E1E5CE3428DF1287635EA80708D903C76DABE21B6FA3FDC93F5095352469C86ACC84D84F38BB825FF294E9859639CF89D2D713FFFA92F66E9F88CA423BB8A23AEB18D3E9062B48A2A1FC733D9542271004B
33DE7DCC210995F1E9448B4F048C10F08D48D05A82353AD4C0E4EDFFD8A0234B537BDEE9F753849B939559623EF1B904C86600042C93CA4B5DC2D4253C361EBBAC59EAD08049EFEAAA749FA8E4BDC21D2F6A92
FD4CAD804DB7E921EAADE949049805000010040000000000000000000000000000100400000000000000000000000000000000000000
ike 0:TestToCisco:8573:3447: peer proposal is: peer:0:0.0.0.0-255.255.255.255:0, me:0:0.0.0.0-255.255.255.255:0
ike 0:TestToCisco:8573:TestToCisco:3447: trying
ike 0:TestToCisco:8573:TestToCisco:3447: matched phase2
ike 0:TestToCisco:8573:TestToCisco:3447: autokey
ike 0:TestToCisco:8573:TestToCisco:3447: my proposal:
ike 0:TestToCisco:8573:TestToCisco:3447: proposal id = 1:
ike 0:TestToCisco:8573:TestToCisco:3447: protocol id = IPSEC_ESP:
ike 0:TestToCisco:8573:TestToCisco:3447: trans_id = ESP_3DES
ike 0:TestToCisco:8573:TestToCisco:3447: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:TestToCisco:8573:TestToCisco:3447: type = AUTH_ALG, val=MD5
ike 0:TestToCisco:8573:TestToCisco:3447: incoming proposal:
ike 0:TestToCisco:8573:TestToCisco:3447: proposal id = 1:
ike 0:TestToCisco:8573:TestToCisco:3447: protocol id = IPSEC_ESP:
ike 0:TestToCisco:8573:TestToCisco:3447: PFS DH group = 5
ike 0:TestToCisco:8573:TestToCisco:3447: trans_id = ESP_3DES
ike 0:TestToCisco:8573:TestToCisco:3447: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:TestToCisco:8573:TestToCisco:3447: type = AUTH_ALG, val=MD5
ike 0:TestToCisco:8573:TestToCisco:3447: did not expect PFS DH group, received DH group 5
ike 0:TestToCisco:8573:TestToCisco:3447: negotiation failure
ike Negotiate IPsec SA Error: ike 0:TestToCisco:8573:3447: no SA proposal chosen
ike 0:TestToCisco:3447: info_send_n2, type 14, peer SPI 909df095
ike 0:TestToCisco:8573: enc 66AA5BE8F78DFBEF1318BF0CCC64D6EE081005011240A962000000400B00001471115A746F4C2B42843CF9D72CA4A2C200000010000000010304000E909DF095
ike 0:TestToCisco:8573: out 66AA5BE8F78DFBEF1318BF0CCC64D6EE081005011240A96200000044F99061C1B3FA83EA359824A8FE435074EDD91EB2BBA641BC259B457A2607E39DBD52D5BDC0564D74
ike 0:TestToCisco:8573: sent IKE msg (p2_notify_14): 73.107.235.45:500->50.250.102.118:500, len=68, id=66aa5be8f78dfbef/1318bf0ccc64d6ee:1240a962
ike 0:TestToCisco:8573: error processing quick-mode message from 50.250.102.118 as responder
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0
ike 0:TestToCisco:TestToCisco: using existing connection
ike 0:TestToCisco:TestToCisco: config found
ike 0:TestToCisco: request is on the queue
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0
ike 0:TestToCisco:TestToCisco: using existing connection
ike 0:TestToCisco:TestToCisco: config found
ike 0:TestToCisco: request is on the queue
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0
ike 0:TestToCisco:TestToCisco: using existing connection
ike 0:TestToCisco:TestToCisco: config found
ike 0:TestToCisco: request is on the queue
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0
ike 0:TestToCisco:TestToCisco: using existing connection
ike 0:TestToCisco:TestToCisco: config found
ike 0:TestToCisco: request is on the queue
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0
ike 0:TestToCisco:TestToCisco: using existing connection
ike 0:TestToCisco:TestToCisco: config found
ike 0:TestToCisco: request is on the queue
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0
ike 0:TestToCisco:TestToCisco: using existing connection
ike 0:TestToCisco:TestToCisco: config found
ike 0:TestToCisco: request is on the queue
ike 0:TestToCisco:8573:TestToCisco:3444: quick-mode negotiation failed due to retry timeout
ike 0:TestToCisco:8573: send IKE SA delete 66aa5be8f78dfbef/1318bf0ccc64d6ee
ike 0:TestToCisco:8573: enc 66AA5BE8F78DFBEF1318BF0CCC64D6EE08100501CE3301E00000004C0C000014094B7E21C5269B2435A6D734AB9012C90000001C000000010110000166AA5BE8F78DFBEF13
18BF0CCC64D6EE
ike 0:TestToCisco:8573: out 66AA5BE8F78DFBEF1318BF0CCC64D6EE08100501CE3301E0000000547054A36EDFF3CA6245B51A516843832D6002275769063E6E9E321CBE205540369B94560C47B459E401
D200DB26AE219C3E5F26EBB6BE086B
ike 0:TestToCisco:8573: sent IKE msg (ISAKMP SA DELETE-NOTIFY): 73.107.235.45:500->50.250.102.118:500, len=84, id=66aa5be8f78dfbef/1318bf0ccc64d6ee:ce3301e0
ike 0:TestToCisco: connection expiring due to phase1 down
ike 0:TestToCisco: deleting
ike 0:TestToCisco: deleted
ike 0:TestToCisco: set oper down
ike 0:TestToCisco: schedule auto-negotiate
ike 0:TestToCisco: carrier down
ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7....
ike 0: IKEv1 exchange=Informational id=66aa5be8f78dfbef/1318bf0ccc64d6ee:35e73c21 len=84
ike 0: in 66AA5BE8F78DFBEF1318BF0CCC64D6EE0810050135E73C2100000054DF4B3304C7C2434B5837EFCEDBF84F67E702455632DD195DB37B227B82CD644CDE9F9AF9FCE6FCAA9660F147273FD4930F35
57B113087728
ike 0: no established IKE SA for exchange-type Informational from 50.250.102.118:500->73.107.235.45 7 cookie 66aa5be8f78dfbef/1318bf0ccc64d6ee, drop
ike 0:TestToCisco: auto-negotiate connection
ike 0:TestToCisco: created connection: 0x1835d5f0 7 73.107.235.45->50.250.102.118:500.
ike 0:TestToCisco:8574: initiator: main mode is sending 1st message...
ike 0:TestToCisco:8574: cookie d93c289577b4b469/0000000000000000
ike 0:TestToCisco:8574: out D93C289577B4B46900000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001000C00040001518080
0100058003000180020001800400020D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C000000000000014
8299031757A36082C6A621DE00000000
ike 0:TestToCisco:8574: sent IKE msg (ident_i1send): 73.107.235.45:500->50.250.102.118:500, len=168, id=d93c289577b4b469/0000000000000000
ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7....
ike 0: IKEv1 exchange=Identity Protection id=d93c289577b4b469/1318bf0cc55043c8 len=84
ike 0: in D93C289577B4B4691318BF0CC55043C80110020000000000000000540000003800000001000000010000002C01010001000000240101000080010005800200018004000280030001800B0001000C
000400015180
ike 0:TestToCisco:8574: initiator: main mode get 1st response...
ike 0:TestToCisco:8574: negotiation result
ike 0:TestToCisco:8574: proposal id = 1:
ike 0:TestToCisco:8574: protocol id = ISAKMP:
ike 0:TestToCisco:8574: trans_id = KEY_IKE.
ike 0:TestToCisco:8574: encapsulation = IKE/none
ike 0:TestToCisco:8574: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:TestToCisco:8574: type=OAKLEY_HASH_ALG, val=MD5.
ike 0:TestToCisco:8574: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:TestToCisco:8574: type=OAKLEY_GROUP, val=MODP1024.
ike 0:TestToCisco:8574: ISAKMP SA lifetime=86400
ike 0:TestToCisco:8574: out D93C289577B4B4691318BF0CC55043C80410020000000000000000B40A000084021E65EB3995D812BE5AB4CACDEBB31687628B17781089143A1781AC522D3CCB860CC05C87
8786A6966628A077BE7AF828031873FA6A10A5A2E3DCD893D1AF5B691680C03CFEB5A2DB51534C0549484631A8527A49F8DE607C9718BA6789F97E84A1D1E10677E4DD1E250FC6FFF895F49F215FF598D0877F
3582DC09B9A71A6C00000014F6E5E785ECD1390A7BB892051CE95CB3
ike 0:TestToCisco:8574: sent IKE msg (ident_i2send): 73.107.235.45:500->50.250.102.118:500, len=180, id=d93c289577b4b469/1318bf0cc55043c8
ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7....
ike 0: IKEv1 exchange=Identity Protection id=d93c289577b4b469/1318bf0cc55043c8 len=256
ike 0: in D93C289577B4B4691318BF0CC55043C80410020000000000000001000A000084C487AA6E4ED0D61928848C6539D96FB65B8497EF7CB9AC9F08F7A5C2E60816833BC5F8F7DE47EAFB2313C0778D6C
F90EBFB4C55F644B76ED260C3172D49612D3F6F12B653508B93A65E7D49E136E614540B4965AFDF712627D0EBC9B98966D4043BBEB283CC0B316219151FFF2257182226284BFBC0EA7E1C8E651BBC7574EE10D
000018AFBAC2537E89DD472E99FC916DF2815986A8A0770D00001412F5F28C457168A9702D9FE274CC01000D000014AFCAD71368A1F1C96B8696FC775701000D000014E6DF1811C55143C8D36FAC24D2C348F6
0000000C09002689DFD6B712
ike 0:TestToCisco:8574: initiator: main mode get 2nd response...
ike 0:TestToCisco:8574: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
ike 0:TestToCisco:8574: peer supports UNITY
ike 0:TestToCisco:8574: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:TestToCisco:8574: VID unknown (16): E6DF1811C55143C8D36FAC24D2C348F6
ike 0:TestToCisco:8574: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 0:TestToCisco:8574: nat unavailable
ike 0:TestToCisco:8574: ISAKMP SA d93c289577b4b469/1318bf0cc55043c8 key 24:84AC9D87C7D4074CE8C4E393FE66DED0340F58A168472F9E
ike 0:TestToCisco:8574: add INITIAL-CONTACT
ike 0:TestToCisco:8574: enc D93C289577B4B4691318BF0CC55043C80510020100000000000000580800000C01000000496BEB2D0B000014384400BD711DEE00EC3202800D46F0A60000001C0000000101
106002D93C289577B4B4691318BF0CC55043C8
ike 0:TestToCisco:8574: out D93C289577B4B4691318BF0CC55043C805100201000000000000005CBC89E799A7A00BCE5AABAA5E6F041C4175344BA53557699F5A5ECAC6B10A0924B66C1E478323EDE80E
34C9D3DE9E742DC18B4E728EE286410D9510A8C5104E91
ike 0:TestToCisco:8574: sent IKE msg (ident_i3send): 73.107.235.45:500->50.250.102.118:500, len=92, id=d93c289577b4b469/1318bf0cc55043c8
ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7....
ike 0: IKEv1 exchange=Identity Protection id=d93c289577b4b469/1318bf0cc55043c8 len=68
ike 0: in D93C289577B4B4691318BF0CC55043C80510020100000000000000446857DF1F98793AFB9CE0D7BCC0E7B95079C6875DC6798DDCCB20221430D8DD3D6851C6A78917C4BE
ike 0:TestToCisco:8574: initiator: main mode get 3rd response...
ike 0:TestToCisco:8574: dec D93C289577B4B4691318BF0CC55043C80510020100000000000000440800000C011101F432FA6676000000147A3D384D135D831E5E276BF5D709121B0000000000000000
ike 0:TestToCisco:8574: peer identifier IPV4_ADDR 50.250.102.118
ike 0:TestToCisco:8574: PSK authentication succeeded
ike 0:TestToCisco:8574: authentication OK
ike 0:TestToCisco:8574: established IKE SA d93c289577b4b469/1318bf0cc55043c8
ike 0:TestToCisco: set oper up
ike 0:TestToCisco: schedule auto-negotiate
ike 0:TestToCisco:8574: no pending Quick-Mode negotiations
ike 0:TestToCisco: carrier up
ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7....
ike 0: IKEv1 exchange=Quick id=d93c289577b4b469/1318bf0cc55043c8:96a5bc24 len=372
ike 0: in D93C289577B4B4691318BF0CC55043C80810200196A5BC240000017452C36F66D85C816EC34FE7B25D02AB4FCCDE13B234D92EED07C78B54F19C746C3D22890F9DAF95228015E4ECBAC5A45A1FFB
0E6FB9801932355E4D4FD1C51119C3410B0050DA44EA13EA00AABA6CA19EAF9D7A273186FCDB09055A0ADB82692908BC743CBAE2EA9E4C4C15326E91FAB7101E0702C6D4114FAA48DB304D4EC4329CFA861BA6
DE6504859868700F9F91D73A9DADEE2E1B87ADAD0D648F44792CEB92B973CFE8D9D1B6567193A14EEB04DB25A1BF182373E29AA01A20C62DA11F51C044489A381DBB11573A440285A26DC03CB43AC36784604D
1CDDDC7F6C79225211F67F77B3031F41649922AF7EBEB6F94972C04A0EF0D0A0011AABC8949AF93FDA0BE6A63FE3D36C2F90CAD8EA3728ED536A2D0B6A1E750F989645ECE052C5B25BF5C64D794AAD7C6F9F07
32D9B44DF92A98455D4E71403388086EB1F79880B202D49476EA3B068E36FADD3BDC9D9AFBC6B128D2FEDAB4A8
ike 0:TestToCisco:8574:3450: responder received first quick-mode message
ike 0:TestToCisco:8574: dec D93C289577B4B4691318BF0CC55043C80810200196A5BC2400000174010000149B76A5508F72291111B34F73C201E4DC0A0000400000000100000001000000340103040153
858A910000002801030000800400018001000180020E10800100020002000400465000800500018003000504000018370676FEB284DB910AD5C577095297C41A9E8B64050000C4DDE36922B26EB54C972D4D2C
DDED574F996F754ACF1A60DA9D79D7BA44B4146999F278A3A23AA0FD8776B8822D87F1519D044DC3F94EB584A69E492148C64BFC518F33E37C562CD76983F72DB2B0D993863E03B28C1D671686746B3613109A
65525A0DBFA4E7F9D3996DE6BD71C6248449E2E1E932D77503357C4E3E85E41E986316CD18E7BF42F3354696687C5C486CC73A16244E9CFE092D6CEFAC2F9EF8D1B18E80A21FD90C5A93031B0761A37F7C54D7
7FC50AEE95F822E57A5474869DBB05000010040000000000000000000000000000100400000000000000000000000000000000000000
ike 0:TestToCisco:8574:3450: peer proposal is: peer:0:0.0.0.0-255.255.255.255:0, me:0:0.0.0.0-255.255.255.255:0
ike 0:TestToCisco:8574:TestToCisco:3450: trying
ike 0:TestToCisco:8574:TestToCisco:3450: matched phase2
ike 0:TestToCisco:8574:TestToCisco:3450: autokey
ike 0:TestToCisco:8574:TestToCisco:3450: my proposal:
ike 0:TestToCisco:8574:TestToCisco:3450: proposal id = 1:
ike 0:TestToCisco:8574:TestToCisco:3450: protocol id = IPSEC_ESP:
ike 0:TestToCisco:8574:TestToCisco:3450: trans_id = ESP_3DES
ike 0:TestToCisco:8574:TestToCisco:3450: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:TestToCisco:8574:TestToCisco:3450: type = AUTH_ALG, val=MD5
ike 0:TestToCisco:8574:TestToCisco:3450: incoming proposal:
ike 0:TestToCisco:8574:TestToCisco:3450: proposal id = 1:
ike 0:TestToCisco:8574:TestToCisco:3450: protocol id = IPSEC_ESP:
ike 0:TestToCisco:8574:TestToCisco:3450: PFS DH group = 5
ike 0:TestToCisco:8574:TestToCisco:3450: trans_id = ESP_3DES
ike 0:TestToCisco:8574:TestToCisco:3450: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:TestToCisco:8574:TestToCisco:3450: type = AUTH_ALG, val=MD5
ike 0:TestToCisco:8574:TestToCisco:3450: did not expect PFS DH group, received DH group 5
ike 0:TestToCisco:8574:TestToCisco:3450: negotiation failure
ike Negotiate IPsec SA Error: ike 0:TestToCisco:8574:3450: no SA proposal chosen
ike 0:TestToCisco:3450: info_send_n2, type 14, peer SPI 53858a91
ike 0:TestToCisco:8574: enc D93C289577B4B4691318BF0CC55043C808100501654773E0000000400B000014DEB121223C139BA6C711F17BD8DE3D1900000010000000010304000E53858A91
ike 0:TestToCisco:8574: out D93C289577B4B4691318BF0CC55043C808100501654773E0000000440D77896871072EB246F5124A22C7E4CA4C2A3818552C9216A9D8DB0F9BAE4D1CD6C5DADAFE2D626D
ike 0:TestToCisco:8574: sent IKE msg (p2_notify_14): 73.107.235.45:500->50.250.102.118:500, len=68, id=d93c289577b4b469/1318bf0cc55043c8:654773e0
ike 0:TestToCisco:8574: error processing quick-mode message from 50.250.102.118 as responder
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0
ike 0:TestToCisco:TestToCisco: using existing connection
ike 0:TestToCisco:TestToCisco: config found
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:500 negotiating
ike 0:TestToCisco:8574: cookie d93c289577b4b469/1318bf0cc55043c8:63e0de5f
ike 0:TestToCisco:8574:TestToCisco:3452: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0
ike 0:TestToCisco:8574: enc D93C289577B4B4691318BF0CC55043C80810200163E0DE5F000000980100001412E2DA1F974566E666B4EF99226AF92A0A0000340000000100000001000000280103040187
72CD720000001C0103000080010001000200040001518080040001800500010500001460FD41AAA6586F1C39EAD374D5C18A420500001004000000000000000000000000000010040000000000000000000000
ike 0:TestToCisco:8574: out D93C289577B4B4691318BF0CC55043C80810200163E0DE5F0000009C159304D68394220401A702AFD1BB6B9E7138ACADCDFAC689EDD6D2BD86D16C89F73AC28668BD9ED0B5
04D58AD39EFFADCC3DAAEC1579564A9F52BBC8DEC3E578D076074529BCCEF4803148906240FA4D9DA46BAD6076A13703058602EE929E4074F2DF65F14CD41AC3A30232AD923972B1D72E60C0E46D90E0A158F0
536D2E29
ike 0:TestToCisco:8574: sent IKE msg (quick_i1send): 73.107.235.45:500->50.250.102.118:500, len=156, id=d93c289577b4b469/1318bf0cc55043c8:63e0de5f
ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7....
ike 0: IKEv1 exchange=Informational id=d93c289577b4b469/1318bf0cc55043c8:a15eece1 len=84
ike 0: in D93C289577B4B4691318BF0CC55043C808100501A15EECE1000000548C319BFB090223A806ED597CFF96BAEE6357B41B61DEB361954F9580B346F4D09C6D140BF363EA503C0D19A66BDED2FD77A0
F0A0C3C988E4
ike 0:TestToCisco:8574: dec D93C289577B4B4691318BF0CC55043C808100501A15EECE1000000540B00001483A94DF8AFEB1722ECCDB01E1030D3620000001C000000010304000E8772CD720A00003400
000001000000010000000000000000
ike 0:TestToCisco:8574: notify msg received: NO-PROPOSAL-CHOSEN
ike 0:TestToCisco:8574:TestToCisco:3452: IPsec SPI 8772cd72 match
ike 0:TestToCisco:8574: out D93C289577B4B4691318BF0CC55043C80810200163E0DE5F0000009C159304D68394220401A702AFD1BB6B9E7138ACADCDFAC689EDD6D2BD86D16C89F73AC28668BD9ED0B5
04D58AD39EFFADCC3DAAEC1579564A9F52BBC8DEC3E578D076074529BCCEF4803148906240FA4D9DA46BAD6076A13703058602EE929E4074F2DF65F14CD41AC3A30232AD923972B1D72E60C0E46D90E0A158F0
536D2E29
ike 0:TestToCisco:8574: sent IKE msg (P2_RETRANSMIT): 73.107.235.45:500->50.250.102.118:500, len=156, id=d93c289577b4b469/1318bf0cc55043c8:63e0de5f
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0
ike 0:TestToCisco:TestToCisco: using existing connection
ike 0:TestToCisco:TestToCisco: config found
ike 0:TestToCisco: request is on the queue
ike 0:TestToCisco:8574: out D93C289577B4B4691318BF0CC55043C80810200163E0DE5F0000009C159304D68394220401A702AFD1BB6B9E7138ACADCDFAC689EDD6D2BD86D16C89F73AC28668BD9ED0B5
04D58AD39EFFADCC3DAAEC1579564A9F52BBC8DEC3E578D076074529BCCEF4803148906240FA4D9DA46BAD6076A13703058602EE929E4074F2DF65F14CD41AC3A30232AD923972B1D72E60C0E46D90E0A158F0
536D2E29
ike 0:TestToCisco:8574: sent IKE msg (P2_RETRANSMIT): 73.107.235.45:500->50.250.102.118:500, len=156, id=d93c289577b4b469/1318bf0cc55043c8:63e0de5f
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0
ike 0:TestToCisco:TestToCisco: using existing connection
ike 0:TestToCisco:TestToCisco: config found
ike 0:TestToCisco: request is on the queue
ike 0:TestToCisco:8574: out D93C289577B4B4691318BF0CC55043C80810200163E0DE5F0000009C159304D68394220401A702AFD1BB6B9E7138ACADCDFAC689EDD6D2BD86D16C89F73AC28668BD9ED0B5
04D58AD39EFFADCC3DAAEC1579564A9F52BBC8DEC3E578D076074529BCCEF4803148906240FA4D9DA46BAD6076A13703058602EE929E4074F2DF65F14CD41AC3A30232AD923972B1D72E60C0E46D90E0A158F0
536D2E29
ike 0:TestToCisco:8574: sent IKE msg (P2_RETRANSMIT): 73.107.235.45:500->50.250.102.118:500, len=156, id=d93c289577b4b469/1318bf0cc55043c8:63e0de5f
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0
ike 0:TestToCisco:TestToCisco: using existing connection
ike 0:TestToCisco:TestToCisco: config found
ike 0:TestToCisco: request is on the queue
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0
ike 0:TestToCisco:TestToCisco: using existing connection
ike 0:TestToCisco:TestToCisco: config found
ike 0:TestToCisco: request is on the queue
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0
ike 0:TestToCisco:TestToCisco: using existing connection
ike 0:TestToCisco:TestToCisco: config found
ike 0:TestToCisco: request is on the queue
ike 0:TestToCisco:8574: out D93C289577B4B4691318BF0CC55043C80810200163E0DE5F0000009C159304D68394220401A702AFD1BB6B9E7138ACADCDFAC689EDD6D2BD86D16C89F73AC28668BD9ED0B5
04D58AD39EFFADCC3DAAEC1579564A9F52BBC8DEC3E578D076074529BCCEF4803148906240FA4D9DA46BAD6076A13703058602EE929E4074F2DF65F14CD41AC3A30232AD923972B1D72E60C0E46D90E0A158F0
536D2E29
ike 0:TestToCisco:8574: sent IKE msg (P2_RETRANSMIT): 73.107.235.45:500->50.250.102.118:500, len=156, id=d93c289577b4b469/1318bf0cc55043c8:63e0de5f
ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0
ike 0:TestToCisco:TestToCisco: using existing connection
ike 0:TestToCisco:TestToCisco: config found
ike 0:TestToCisco: request is on the queue
ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7....
ike 0: IKEv1 exchange=Quick id=d93c289577b4b469/1318bf0cc55043c8:1563580e len=372
ike 0: in D93C289577B4B4691318BF0CC55043C8081020011563580E0000017402F4684E4D9F4757767A021DF28A811C955253736B0341024BF52604E25667F827283EEBDFE570F27E854CF2C10CF62D225E
7A249ADAC723259AC3596775E01DB3EB856BF8DB2AFFBBB575FDEC102D3F07EE86B63951ABB25E52CC533BD42D1D3AF3B24452D115084BD38725DD4F26071E46D21A9CFD7032A7688E24C0EB8D686ED0A058D4
F1F63EF62138ABE9C40A0BAEE1CA1D7260F0B0F6F0E567964016FF6517BCD1C051F50CE8DCFC98E14B4A2329BEFE6359F2569A1CD4D54DB226E5DCD7E5CA6B76162A41AA8B0AC0584732A93907F2B4490044A9
E1509DEC1568460D693D5FFD82BCBAE9A85E47D06A3BDE74F3498B1441A5DA06C62130D93DD6BA01EE57B1E905576F86FCA2983F9DAD01D9B49350D3BDA8D23868589344B8DDEA32A6410261B7B7DE700F59A4
C33214855B9027C4D3D87A846ABE9BABD5644CCFF08A1A3BD68BD2DB265F98D2ACD9472E78D40E650C8CA881F3
ike 0:TestToCisco:8574:3453: responder received first quick-mode message
ike 0:TestToCisco:8574: dec D93C289577B4B4691318BF0CC55043C8081020011563580E0000017401000014BD1EE500686ADC3F8DB53ECA0E523DAD0A00004000000001000000010000003401030401E5
7BC5190000002801030000800400018001000180020E10800100020002000400465000800500018003000504000018957AEEFC4DD6620143FE2FE89EF8EF350A865A8D050000C4AF634A4AEF91C635109985CA
6E32289AC4951C1B146DE8D33713DBEC89A1B578409018F3E7631235A6C6B2BBCCE77F79F73C48C4E2C60811FBFA39F7A778EFC5E5DDA15C36F17377A923304E26B6176C5FC7624D4E502DFD7D13423A5D05AD
CE84967DF37B5E572FC027FC45FAA9A4303D2DE7ECEA4C7A94430D99F0855BC394E882B99B7580D856E9127882F8E34CD2BF65DB8BDB8ED2EF9904BA7F9A2B0E2319DED5E67798CBEF3F7860A467C96DD8399F
6B1660919BE06465B6EC80855B7C05000010040000000000000000000000000000100400000000000000000000000000000000000000
ike 0:TestToCisco:8574:3453: peer proposal is: peer:0:0.0.0.0-255.255.255.255:0, me:0:0.0.0.0-255.255.255.255:0
ike 0:TestToCisco:8574:TestToCisco:3453: trying
ike 0:TestToCisco:8574:TestToCisco:3453: matched phase2
ike 0:TestToCisco:8574:TestToCisco:3453: autokey
ike 0:TestToCisco:8574:TestToCisco:3453: my proposal:
ike 0:TestToCisco:8574:TestToCisco:3453: proposal id = 1:
ike 0:TestToCisco:8574:TestToCisco:3453: protocol id = IPSEC_ESP:
ike 0:TestToCisco:8574:TestToCisco:3453: trans_id = ESP_3DES
ike 0:TestToCisco:8574:TestToCisco:3453: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:TestToCisco:8574:TestToCisco:3453: type = AUTH_ALG, val=MD5
ike 0:TestToCisco:8574:TestToCisco:3453: incoming proposal:
ike 0:TestToCisco:8574:TestToCisco:3453: proposal id = 1:
ike 0:TestToCisco:8574:TestToCisco:3453: protocol id = IPSEC_ESP:
ike 0:TestToCisco:8574:TestToCisco:3453: PFS DH group = 5
ike 0:TestToCisco:8574:TestToCisco:3453: trans_id = ESP_3DES
ike 0:TestToCisco:8574:TestToCisco:3453: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:TestToCisco:8574:TestToCisco:3453: type = AUTH_ALG, val=MD5
ike 0:TestToCisco:8574:TestToCisco:3453: did not expect PFS DH group, received DH group 5
ike 0:TestToCisco:8574:TestToCisco:3453: negotiation failure
ike Negotiate IPsec SA Error: ike 0:TestToCisco:8574:3453: no SA proposal chosen
ike 0:TestToCisco:3453: info_send_n2, type 14, peer SPI e57bc519
ike 0:TestToCisco:8574: enc D93C289577B4B4691318BF0CC55043C80810050181F6B68E000000400B00001442E6AB3B156C5D2ABF37A7FD5C53B7CA00000010000000010304000EE57BC519
ike 0:TestToCisco:8574: out D93C289577B4B4691318BF0CC55043C80810050181F6B68E000000444A3316F97F61C40377D2CFC815D02EE5F1762F427008D84063C6ADA2247C867AE8F7B3FFA05C45AA
ike 0:TestToCisco:8574: sent IKE msg (p2_notify_14): 73.107.235.45:500->50.250.102.118:500, len=68, id=d93c289577b4b469/1318bf0cc55043c8:81f6b68e
ike 0:TestToCisco:8574: error processing quick-mode message from 50.250.102.118 as responder
 
 
 
Thank you for the help 
 
#14
mrmadgig
New Member
  • Total Posts : 13
  • Scores: 0
  • Reward points: 0
  • Joined: 2021/03/24 17:30:57
  • Status: offline
Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/26 10:31:12 (permalink)
0
 
Cisco still complaining about phase 2. Here is the latest debug on p1 errors
 

ISR4221#debug crypto isakmp error
Crypto ISAKMP Error debugging is on
ISR4221#
ISR4221#
ISR4221#
ISR4221#
ISR4221#
ISR4221#
*Mar 26 17:49:40.105: ISAKMP-ERROR: (1332):deleting node 773216203 error TRUE reason "Delete Larval"
ISR4221#
*Mar 26 17:50:06.187: ISAKMP-ERROR: (1333):IPSec policy invalidated proposal with error 1024
*Mar 26 17:50:06.188: ISAKMP-ERROR: (1333):phase 2 SA policy not acceptable! (local 50.250.102.118 remote 73.107.235.45)
*Mar 26 17:50:06.188: ISAKMP-ERROR: (1333):deleting node 1257642978 error TRUE reason "QM rejected"
ISR4221#
*Mar 26 17:50:10.097: ISAKMP-ERROR: (1333):deleting node 921661237 error TRUE reason "Delete Larval"
ISR4221#
*Mar 26 17:50:40.530: ISAKMP-ERROR: (1333):deleting node 131420882 error TRUE reason "Delete Larval"
ISR4221#
#15
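Added example, not from either poster: a small Python script that reads the two debug outputs above, the FortiGate ike debug and the ISR's `debug crypto isakmp error`, and reports what actually differs between the two Quick Mode proposals. The log excerpts embedded in it are trimmed copies of the output posted in this thread (hex dumps dropped); the regexes and the `diagnose` function are mine, written from the line formats visible here, and the "mismatch" it reports is simply the attribute diff between "my proposal" and "incoming proposal".

```python
import re

# Trimmed excerpt of the FortiGate ike debug posted above (hex dumps removed)
FGT_LOG = """\
ike 0:TestToCisco:8574:3453: responder received first quick-mode message
ike 0:TestToCisco:8574:TestToCisco:3453: my proposal:
ike 0:TestToCisco:8574:TestToCisco:3453: proposal id = 1:
ike 0:TestToCisco:8574:TestToCisco:3453: protocol id = IPSEC_ESP:
ike 0:TestToCisco:8574:TestToCisco:3453: trans_id = ESP_3DES
ike 0:TestToCisco:8574:TestToCisco:3453: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:TestToCisco:8574:TestToCisco:3453: type = AUTH_ALG, val=MD5
ike 0:TestToCisco:8574:TestToCisco:3453: incoming proposal:
ike 0:TestToCisco:8574:TestToCisco:3453: proposal id = 1:
ike 0:TestToCisco:8574:TestToCisco:3453: protocol id = IPSEC_ESP:
ike 0:TestToCisco:8574:TestToCisco:3453: PFS DH group = 5
ike 0:TestToCisco:8574:TestToCisco:3453: trans_id = ESP_3DES
ike 0:TestToCisco:8574:TestToCisco:3453: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:TestToCisco:8574:TestToCisco:3453: type = AUTH_ALG, val=MD5
ike 0:TestToCisco:8574:TestToCisco:3453: did not expect PFS DH group, received DH group 5
ike 0:TestToCisco:8574:TestToCisco:3453: negotiation failure
ike Negotiate IPsec SA Error: ike 0:TestToCisco:8574:3453: no SA proposal chosen
"""

# Trimmed excerpt of the ISR4221 `debug crypto isakmp error` output posted above
CISCO_LOG = """\
*Mar 26 17:50:06.187: ISAKMP-ERROR: (1333):IPSec policy invalidated proposal with error 1024
*Mar 26 17:50:06.188: ISAKMP-ERROR: (1333):phase 2 SA policy not acceptable! (local 50.250.102.118 remote 73.107.235.45)
*Mar 26 17:50:06.188: ISAKMP-ERROR: (1333):deleting node 1257642978 error TRUE reason "QM rejected"
"""

# "ike 0:<tunnel>:<p1 id>[:<tunnel>]:<neg id>: <message>"; search() also catches the
# "ike Negotiate IPsec SA Error: ike 0:..." form.
FGT_LINE = re.compile(
    r"ike 0:(?P<tun>[\w-]+):(?P<p1>\d+):(?:(?P=tun):)?(?P<neg>\d+): (?P<msg>.+)$")
ATTR_PATTERNS = [
    ("enc", r"trans_id = (\S+)"),
    ("auth", r"type = AUTH_ALG, val=(\S+)"),
    ("encap", r"encapsulation = (\S+)"),
    ("pfs_group", r"PFS DH group = (\d+)"),
]
PFS_REJECT = re.compile(r"did not expect PFS DH group, received DH group (\d+)")
CISCO_LINE = re.compile(r"ISAKMP-ERROR: \((?P<sa>\d+)\):(?P<msg>.+)$")


def parse_fortigate_quick_mode(log):
    """One record per Quick Mode negotiation id: our proposal, the peer's, and the failure reason."""
    negs, section = {}, {}
    for line in log.splitlines():
        m = FGT_LINE.search(line)
        if not m:
            continue
        neg, msg = m["neg"], m["msg"]
        rec = negs.setdefault(neg, {"tunnel": m["tun"], "mine": {}, "incoming": {},
                                    "reason": None, "failed": False})
        if msg == "my proposal:":
            section[neg] = "mine"
        elif msg == "incoming proposal:":
            section[neg] = "incoming"
        elif msg == "no SA proposal chosen":
            rec["failed"] = True
        elif PFS_REJECT.match(msg):
            rec["reason"] = msg
        elif neg in section:  # attribute line belonging to whichever proposal is being listed
            for key, pat in ATTR_PATTERNS:
                a = re.match(pat, msg)
                if a:
                    rec[section[neg]][key] = a.group(1)
    return negs


def parse_cisco_isakmp_errors(log):
    """Per ISAKMP SA id, the messages that show the router rejecting Quick Mode."""
    out = {}
    for line in log.splitlines():
        m = CISCO_LINE.search(line)
        if m and ("phase 2 SA policy not acceptable" in m["msg"] or "QM rejected" in m["msg"]):
            out.setdefault(m["sa"], []).append(m["msg"])
    return out


def diagnose(fgt_log, cisco_log):
    """Correlate both ends: the FortiGate side names the attribute that differs, the Cisco side confirms the rejection."""
    report = {"fortigate": [], "cisco_qm_rejections": 0}
    for neg, rec in sorted(parse_fortigate_quick_mode(fgt_log).items()):
        if not rec["failed"]:
            continue
        keys = sorted(set(rec["mine"]) | set(rec["incoming"]))
        mismatch = {k: (rec["mine"].get(k), rec["incoming"].get(k))
                    for k in keys if rec["mine"].get(k) != rec["incoming"].get(k)}
        report["fortigate"].append({"tunnel": rec["tunnel"], "neg": neg,
                                    "mismatch": mismatch, "reason": rec["reason"]})
    report["cisco_qm_rejections"] = sum(len(v) for v in parse_cisco_isakmp_errors(cisco_log).values())
    return report


if __name__ == "__main__":
    for f in diagnose(FGT_LOG, CISCO_LOG)["fortigate"]:
        print(f"{f['tunnel']} neg {f['neg']}: {f['reason']}  (attribute diff: {f['mismatch']})")
```

On the thread's logs the only attribute present on one side and absent on the other is `pfs_group` (None locally, 5 from the peer), which is exactly the line the FortiGate prints before "no SA proposal chosen"; the Cisco side just says "QM rejected" without naming the attribute, so the FortiGate debug is the one to read first.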
emnoc
Expert Member
  • Total Posts : 6055
  • Scores: 404
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/26 10:48:23 (permalink)
0
humor us.
 
enable pfs in your fortios 
 
config vpn ipsec phase2-interface
edit < blah blah >
 
set pfs enable
set dhgrp 2 5 
end
 
and then do a 
 
diag vpn ike gateway flush < phase1 name >
# wait 10 sec
diag vpn ike gateway list
diag vpn tunnel list
 
Ken Felix

PCNSE 
NSE 
StrongSwan  
#16
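Added example, not from Ken or anyone else in the thread: a Python model of the responder-side check that produced "did not expect PFS DH group, received DH group 5", run against the FortiOS phase2 settings before and after the `set pfs enable` / `set dhgrp 2 5` change suggested above. The IOS profile text is the one posted later in the thread with a `set pfs group5` line put back in; the match rules are my reading of the behaviour visible in the debug output, not FortiOS source, and the rule that rejects a PFS-less proposal when PFS is enabled locally is an assumption marked in the code.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Phase2Config:
    """Local FortiOS phase2-interface settings that matter when answering Quick Mode."""
    proposals: tuple            # ((enc, auth), ...) in ike-debug notation, e.g. (("ESP_3DES", "MD5"),)
    pfs: bool                   # `set pfs enable` / `set pfs disable`
    dhgrp: tuple = ()           # `set dhgrp 2 5` -> (2, 5)


@dataclass(frozen=True)
class QuickModeProposal:
    """What the initiator offered in its first Quick Mode message."""
    encryption: str             # trans_id, e.g. "ESP_3DES"
    auth: str                   # AUTH_ALG value, e.g. "MD5"
    pfs_group: Optional[int]    # DH group carried as the PFS attribute, None when absent


# IOS transform-set keywords -> names the FortiGate ike debug prints for the same algorithms.
# Only the pair used in this thread is mapped; anything else raises KeyError on purpose.
IOS_ENC = {"esp-3des": "ESP_3DES"}
IOS_AUTH = {"esp-md5-hmac": "MD5"}


def proposal_from_ios(profile_text):
    """Derive the Quick Mode proposal an IOS VTI profile will send from its transform-set and pfs lines."""
    enc = auth = pfs = None
    for line in profile_text.splitlines():
        line = line.strip()
        m = re.match(r"crypto ipsec transform-set \S+ (\S+) (\S+)", line)
        if m:
            enc, auth = IOS_ENC[m.group(1)], IOS_AUTH[m.group(2)]
        m = re.match(r"set pfs group(\d+)", line)
        if m:
            pfs = int(m.group(1))
    if enc is None:
        raise ValueError("no transform-set found")
    return QuickModeProposal(enc, auth, pfs)


def responder_match(local, offered):
    """Model of the FortiGate responder decision seen in the thread's debug. Returns (accepted, reason)."""
    if (offered.encryption, offered.auth) not in local.proposals:
        return False, "no matching ESP transform"
    if offered.pfs_group is not None and not local.pfs:
        # wording taken from the debug output when `set pfs disable` meets a PFS-bearing proposal
        return False, f"did not expect PFS DH group, received DH group {offered.pfs_group}"
    if offered.pfs_group is not None and offered.pfs_group not in local.dhgrp:
        return False, f"PFS DH group {offered.pfs_group} not in local dhgrp {local.dhgrp}"
    if offered.pfs_group is None and local.pfs:
        # Assumption (not shown in the thread): a responder that requires PFS rejects a proposal without it.
        return False, "PFS required locally but peer offered none"
    return True, "matched phase2"


# Cisco side as posted in the thread, plus the `set pfs group5` line the poster said he had removed
IOS_PROFILE = """\
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile VTI
 set security-association lifetime seconds 86400
 set transform-set TS
 set pfs group5
"""

BEFORE = Phase2Config(proposals=(("ESP_3DES", "MD5"),), pfs=False)           # what the debug shows
AFTER = Phase2Config(proposals=(("ESP_3DES", "MD5"),), pfs=True, dhgrp=(2, 5))  # Ken's suggestion

if __name__ == "__main__":
    offered = proposal_from_ios(IOS_PROFILE)
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, responder_match(cfg, offered))
```

The point of running both directions is that PFS has to agree on both boxes: either both sides carry a DH group for phase 2 (and the group is in the FortiGate's `dhgrp` list), or neither does.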
mrmadgig
New Member
  • Total Posts : 13
  • Scores: 0
  • Reward points: 0
  • Joined: 2021/03/24 17:30:57
  • Status: offline
Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/26 10:59:44 (permalink)
0
 
 
Here it is 
 
 
FORTIGATE # diag vpn ike gateway list
vd: root/0
name: TestToCisco
version: 1
interface: wan1 7
addr: 73.107.235.45:500 -> 50.250.102.118:500
created: 25s ago
IKE SA: created 1/1 established 1/1 time 100/100/100 ms
IPsec SA: created 0/6
id/spi: 8607 bcc8b33115c5a0bc/1318bf0cdff3744c
direction: initiator
status: established 25-25s ago = 100ms
proposal: 3des-md5
key: ebbb43f89ef9f987-bbffde5beb92dcf7-2b220ff7ec708a33
lifetime/rekey: 86400/86074
DPD sent/recv: 00000000/00000000
 
 
 
 
FORTIGATE # diag vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=TestToCisco ver=1 serial=2 73.107.235.45:0->50.250.102.118:0 dst_mtu=0
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc run_state=0 accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=9 ilast=55 olast=55 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=off on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=TestToCisco proto=0 sa=0 ref=2 serial=7 auto-negotiate
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
run_tally=1
#17
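Added example, not from the thread: a Python triage of `diag vpn ike gateway list` and `diag vpn tunnel list` output like the one above that separates "phase 1 is established" from "no IPsec SA was ever installed". The two outputs are copied into the script from this post (the `key:` line is left out on purpose); the field regexes and the verdict logic are mine.

```python
import re

# `diag vpn ike gateway list` as posted above, minus the key line
GATEWAY_LIST = """\
vd: root/0
name: TestToCisco
version: 1
interface: wan1 7
addr: 73.107.235.45:500 -> 50.250.102.118:500
created: 25s ago
IKE SA: created 1/1 established 1/1 time 100/100/100 ms
IPsec SA: created 0/6
id/spi: 8607 bcc8b33115c5a0bc/1318bf0cdff3744c
direction: initiator
status: established 25-25s ago = 100ms
proposal: 3des-md5
lifetime/rekey: 86400/86074
DPD sent/recv: 00000000/00000000
"""

# `diag vpn tunnel list` as posted above
TUNNEL_LIST = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=TestToCisco ver=1 serial=2 73.107.235.45:0->50.250.102.118:0 dst_mtu=0
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc run_state=0 accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=9 ilast=55 olast=55 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=off on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=TestToCisco proto=0 sa=0 ref=2 serial=7 auto-negotiate
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
run_tally=1
"""


def parse_gateways(text):
    """One dict per IKE gateway (keyed by `name:`) with the counters that matter for triage."""
    gws, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"name: (\S+)", line)
        if m:
            cur = gws.setdefault(m.group(1), {})
            continue
        if cur is None:
            continue
        m = re.match(r"IKE SA: created (\d+)/(\d+) established (\d+)/(\d+)", line)
        if m:
            cur["ike_established"] = (int(m.group(3)), int(m.group(4)))  # the two numbers after "established"
        m = re.match(r"IPsec SA: created (\d+)/(\d+)", line)
        if m:
            cur["ipsec_created"] = (int(m.group(1)), int(m.group(2)))    # the two numbers after "created"
        m = re.match(r"status: (\w+)", line)
        if m:
            cur["status"] = m.group(1)
    return gws


def parse_tunnels(text):
    """{tunnel name: {proxyid: number of IPsec SAs (the `sa=` field)}} from `diag vpn tunnel list`."""
    tunnels, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"name=(\S+) ver=", line)
        if m:
            cur = tunnels.setdefault(m.group(1), {})
            continue
        m = re.match(r"proxyid=(\S+) proto=\d+ sa=(\d+)", line)
        if m and cur is not None:
            cur[m.group(1)] = int(m.group(2))
    return tunnels


def triage(gateway_text, tunnel_text):
    """Per tunnel: is phase 1 up, and does any proxyid actually hold an IPsec SA?"""
    gws, tunnels = parse_gateways(gateway_text), parse_tunnels(tunnel_text)
    out = {}
    for name, gw in gws.items():
        est = gw.get("ike_established", (0, 0))
        phase1 = "up" if gw.get("status") == "established" and est[0] > 0 else "down"
        sas = tunnels.get(name, {})
        out[name] = {
            "phase1": phase1,
            "phase2": "up" if any(n > 0 for n in sas.values()) else "down",
            "proxyids_without_sa": sorted(p for p, n in sas.items() if n == 0),
            "ipsec_created": gw.get("ipsec_created"),
        }
    return out


if __name__ == "__main__":
    for name, t in triage(GATEWAY_LIST, TUNNEL_LIST).items():
        print(f"{name}: phase1 {t['phase1']}, phase2 {t['phase2']}, proxyids without SA {t['proxyids_without_sa']}")
```

For the output in this post the result is phase 1 up, phase 2 down, with `sa=0` on proxyid TestToCisco and `IPsec SA: created 0/6`: the IKE SA is fine, so the ike debug is where to look, not the pre-shared key or the phase 1 proposal.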
mrmadgig
New Member
  • Total Posts : 13
  • Scores: 0
  • Reward points: 0
  • Joined: 2021/03/24 17:30:57
  • Status: offline
Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/26 11:12:42 (permalink)
0
Tunnel just came up! Don't know why?
#18
emnoc
Expert Member
  • Total Posts : 6055
  • Scores: 404
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/27 18:23:17 (permalink)
0
So was pfs enabled or not? What does your "show crypto ipsec sa" show?
 
Ken Felix

PCNSE 
NSE 
StrongSwan  
#19
mrmadgig
New Member
  • Total Posts : 13
  • Scores: 0
  • Reward points: 0
  • Joined: 2021/03/24 17:30:57
  • Status: offline
Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/28 06:48:33 (permalink)
0
Hello Ken
 
Yes it was, but I don't have the Cisco coded for pfs. 
 

crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile VTI
set security-association lifetime seconds 86400
set transform-set TS
<I did have pfs here before> but I removed it
 
ISR4221#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 50.250.102.118
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 73.107.235.45 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 17433, #pkts encrypt: 17433, #pkts digest: 17433
#pkts decaps: 20661, #pkts decrypt: 20661, #pkts verify: 20661
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 50.250.102.118, remote crypto endpt.: 73.107.235.45
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x8772CE32(2272448050)
PFS (Y/N): Y, DH group: group5 <<<<<<<<<<<Shows on here though??? Weird 
inbound esp sas:
spi: 0x993F646F(2571068527)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2099, flow_id: ESG:99, sibling_flags FFFFFFFF80004048, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4607971/2649)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x8772CE32(2272448050)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2100, flow_id: ESG:100, sibling_flags FFFFFFFF80004048, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4607982/2649)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
 
#20
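The thread turns on whether PFS and its DH group agree on both peers (Ken's phase2 advice in #16 and the Cisco "show crypto ipsec sa" output in #20). The following is an added example, not code from any poster or from Fortinet or Cisco: it parses a FortiGate phase2-interface block and a Cisco SA excerpt, both constructed here and modelled on the outputs quoted above, and reports a PFS or DH-group mismatch plus any legacy ESP algorithms such as the 3des/md5 pair in use.

```python
import re

# Constructed excerpts modelled on the outputs quoted in this thread;
# the values are illustrative, not anyone's live configuration.
FORTI_PHASE2 = """
config vpn ipsec phase2-interface
    edit "TestToCisco"
        set pfs enable
        set dhgrp 2 5
    next
end
"""
CISCO_SA = """
PFS (Y/N): Y, DH group: group5
inbound esp sas:
transform: esp-3des esp-md5-hmac ,
"""
WEAK = {"des", "3des", "md5"}  # legacy ESP algorithms worth flagging

def parse_forti_phase2(text):
    """Return the PFS setting and DH groups from a phase2-interface block."""
    pfs = re.search(r"set pfs (\w+)", text)
    dh = re.search(r"set dhgrp ([\d ]+)", text)
    return {"pfs": bool(pfs and pfs.group(1) == "enable"),
            "dhgrp": set(map(int, dh.group(1).split())) if dh else set()}

def parse_cisco_sa(text):
    """Return PFS state, PFS DH group and ESP algorithms from 'show crypto ipsec sa'."""
    pfs = re.search(r"PFS \(Y/N\): (\w), DH group: (\w+)", text)
    ts = re.search(r"transform: (.+?)\s*,", text)
    algs = set()
    if ts:
        for tok in ts.group(1).split():  # e.g. esp-3des, esp-md5-hmac
            algs.update((tok[4:] if tok.startswith("esp-") else tok).split("-"))
    dhgrp = set()
    if pfs and pfs.group(1) == "Y" and pfs.group(2).startswith("group"):
        dhgrp.add(int(pfs.group(2)[5:]))
    return {"pfs": bool(pfs and pfs.group(1) == "Y"), "dhgrp": dhgrp, "algs": algs}

def check_phase2(forti, cisco):
    """List reasons phase 2 would fail to negotiate or deserves attention."""
    findings = []
    if forti["pfs"] != cisco["pfs"]:
        findings.append("PFS mismatch: one side requires PFS, the other does not")
    elif forti["pfs"] and not (forti["dhgrp"] & cisco["dhgrp"]):
        findings.append("PFS enabled on both sides but no common DH group")
    for alg in sorted(cisco["algs"] & WEAK):
        findings.append(f"weak ESP algorithm in transform set: {alg}")
    return findings
```

With the constructed inputs both sides agree on PFS with group 5, so only the 3des and md5 findings are reported; flipping the FortiGate side to `set pfs disable` reproduces the mismatch that keeps phase 2 down.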