Site To Site VPN between Cisco 4421 and Fortigate 100F

Join us now!

Username
Password
Verification
	Stay logged in

Forgot Your Password? Forgot your Username? Haven't received registration validation E-mail?

User Control Panel Log out

Forums
Posts

Latest Posts

Active Posts

Recently Visited

Search Results

View More
Blog

Recent Blog Posts

View More
Photos

Recent Photos

My Favorites

View More Photo Galleries
PMs

Unread PMs

Inbox

Send New PM View More
Page Extras
Menu
- Forum Themes
- Member List
- Online User List
- User Groups

Videos, Docs Library, KB
Fuse
- Fuse Fortinet User Community

Mark Thread UnreadFlat Reading Mode ❐

Hot!Site To Site VPN between Cisco 4421 and Fortigate 100F

Author Post Essentials Only Full Version
mrmadgig New Member Total Posts : 13 Scores: 0 Reward points: 0 Joined: 2021/03/24 17:30:57 Status: offline 2021/03/24 17:40:51 (permalink) 0 Site To Site VPN between Cisco 4421 and Fortigate 100F Hello Everyone new here New to FortiGate also. I am having a major issue getting a site to site VPN up but first I would like to tell me how do you ping the other gateway from the Forti CLI? I see ping option but I don't get it execute ping-options source 10.10.111.254 10.222.221.16 command parse error before '10.222.221.16' Command fail. Return code -61 How do you write this syntax out completely to make it work? Do you need to open ports in the firewall like Cisco e.g ESP, IKE etc? before running the VPN wizard or custom? I cannot get phase 1 one to come up. Thanks #1 FortiMail 19 Replies Related Threads
Toshi Esumi Expert Member Total Posts : 2526 Scores: 241 Reward points: 0 Joined: 2014/11/06 09:56:42 Status: offline Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/24 21:01:31 (permalink) 0 Just like Cisco, use '?' for the options in any command lines, then you would see like below: fg50e-utm (root) # exe ping-o source 10.10.111.254 ? <Enter> So no further options are taken after the source IP because this command sets a specific IP for any pinging as its source. It takes only <Enter> after the source IP. Then you can run actual ping command. My ping can't get any response because your source IP doesn't exist on my FG50E. Also even if exists, it's not allowed by any policies. fg50e-utm (root) # exe ping 4.2.2.2 PING 4.2.2.2 (4.2.2.2): 56 data bytes ^C --- 4.2.2.2 ping statistics --- 5 packets transmitted, 0 packets received, 100% packet loss For IPsec vpn debugging, you eventually need to learn how to run "ike debugging" explained in this KB: https://kb.fortinet.com/k....do?externalID=FD46611 It's same as Cisco's "debug crypto xxx". So you can see what's failing during negotiations. #2
mrmadgig New Member Total Posts : 13 Scores: 0 Reward points: 0 Joined: 2021/03/24 17:30:57 Status: offline Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/25 08:26:58 (permalink) 0 Thank you Yes I did use the But I didn't understand that you had to hit enter and then execute another ping. Nowhere does it say that. Thank you for the link. I will use this. #3
Toshi Esumi Expert Member Total Posts : 2526 Scores: 241 Reward points: 0 Joined: 2014/11/06 09:56:42 Status: offline Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/25 09:13:33 (permalink) 0 I have to admit FTNT's documentation is not perfect for many users. But once you start using them, you can understand why they built those commands in the particular ways. It's just different from Cisco IOS, or others. In the CLI document for "ping-option", it says "Use this command to *configure* *behavior of ping*." Most people would understand It doesn't execute "ping" with this command. https://docs.fortinet.com/document/fortimail/6.4.0/cli-reference/936917/ping-option post edited by Toshi Esumi - 2021/03/25 09:19:28 #4
mrmadgig New Member Total Posts : 13 Scores: 0 Reward points: 0 Joined: 2021/03/24 17:30:57 Status: offline Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/25 12:57:59 (permalink) 0 I see what you mean but this is vague. I knew that also but it doesn't say you need to run another complete command to get the ping to work eg. cisco#ping 10.10.10.111.254 source 10.10.111.222.254 repeat etc... ok now FGT execute (why even say this??? ping-option source <ip> now enter? it goes blank to another command line that is NOT intuitive. It feels as if you accomplished nothing. WTF FGT# execute ping-option source x.x.x.x enter now right back at the beginning with flashing cursor FGT#_ What the hell happened? Ok I see?? I gotta guess that it need another 400 characters to ping something No I disagree that most new people would know. anyhow thanks I appreciate it. Can you please tell me on the FortiGate side what the equivalent of these are on the Tunnel custom config crypto ipsec transform-set TestSet esp-3des esp-md5-hmac mode tunnel Is it just 3des and Md5? Thank you #5
Toshi Esumi Expert Member Total Posts : 2526 Scores: 241 Reward points: 0 Joined: 2014/11/06 09:56:42 Status: offline Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/25 17:31:27 (permalink) 0 Once you set the "poing-options source", unlike Cisco, you don't have to type the same "so x.x.x.x" when you make multiple pingings. Until you change the option again. The same goes with "traceroute-opotions". That's an advantage. Either phase 1 or 2 config, when you hit '?' after "set proposal" you can see all options. It's self-explanatory. xxx-fg1 (Phase1_Name) # set proposal ? des-md5 des-md5 des-sha1 des-sha1 des-sha256 des-sha256 des-sha384 des-sha384 des-sha512 des-sha512 3des-md5 3des-md5 3des-sha1 3des-sha1 3des-sha256 3des-sha256 3des-sha384 3des-sha384 3des-sha512 3des-sha512 aes128-md5 aes128-md5 aes128-sha1 aes128-sha1 aes128-sha256 aes128-sha256 aes128-sha384 aes128-sha384 aes128-sha512 aes128-sha512 aes128gcm-prfsha1 aes128gcm-prfsha1 aes128gcm-prfsha256 aes128gcm-prfsha256 aes128gcm-prfsha384 aes128gcm-prfsha384 aes128gcm-prfsha512 aes128gcm-prfsha512 aes192-md5 aes192-md5 aes192-sha1 aes192-sha1 aes192-sha256 aes192-sha256 aes192-sha384 aes192-sha384 aes192-sha512 aes192-sha512 aes256-md5 aes256-md5 aes256-sha1 aes256-sha1 aes256-sha256 aes256-sha256 aes256-sha384 aes256-sha384 aes256-sha512 aes256-sha512 aes256gcm-prfsha1 aes256gcm-prfsha1 aes256gcm-prfsha256 aes256gcm-prfsha256 aes256gcm-prfsha384 aes256gcm-prfsha384 aes256gcm-prfsha512 aes256gcm-prfsha512 chacha20poly1305-prfsha1 chacha20poly1305-prfsha1 chacha20poly1305-prfsha256 chacha20poly1305-prfsha256 chacha20poly1305-prfsha384 chacha20poly1305-prfsha384 chacha20poly1305-prfsha512 chacha20poly1305-prfsha512 #6
mrmadgig New Member Total Posts : 13 Scores: 0 Reward points: 0 Joined: 2021/03/24 17:30:57 Status: offline Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/26 07:04:58 (permalink) 0 Now I see... Yes I agree that is an advantage! don't have to retype same thing over again. Ok I have been trying for 4 days to get Phase 1 tunnel up with no success. I have only created VPN with Cisco to Cisco in the past and FTG to FGT. I realize this is a ridiculous amount of time t do this but is is a learning process for me. Please forgive me for some of the silly questions. I was trying to see the encryption and authentication in the GUI so I never saw the nice command line you showed me thank you. Ok here is the silly question You have two column in your command line I only see the 3des-MD5 and you highlighted them does this mean it is a given that the esp is just not necessarily shown? Taken from my Cisco config below. What is the hmac? I do not see this in FortiGate esp-3des esp-md5-hmac A better question for me is what is the best one's to use between a FGT and Cisco Router Both sides keep retransmitting Cisco of course is Death by retransmission" failure. I have been configuring the FTG via GUI in 6.4.4 and I don't think this is the best way. Can you please advise on these settings: #7
emnoc Expert Member Total Posts : 6055 Scores: 404 Reward points: 0 Joined: 2008/03/20 13:30:33 Location: AUSTIN TX AREA Status: offline Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/26 07:20:11 (permalink) 0 ipsec is ipsec cisco to cisco or cisco to fgt is not that much different . IPSEC ESP is an open standard just match the ph1/ph2 and PSK and it should work. Here's a sample ikev2 vpn cfg for ios http://socpuppet.blogspot.com/2014/05/howto-asr-ios-xe-to-fortigate-ikev2_22.html What have you done in regards to diagnostic on fgt and debug on ios? Can you pop your configs here so we can look them over. Ken Felix PCNSE NSE StrongSwan #8
mrmadgig New Member Total Posts : 13 Scores: 0 Reward points: 0 Joined: 2021/03/24 17:30:57 Status: offline Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/26 07:57:02 (permalink) 0 Hi Ken I agree but I am not sure exactly how to configure the Fortigate. I did run across your blog and was helpful very nice! Yes I have done so many diags its making me confused. Here is output of the latest (20min ago) from the FortiGate. I don't now how to give you the FortiGate config FORTIGATE # ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:500 negotiating ike 0:TestToCisco:8419: cookie e0a58579a166e701/1318bf0ce01dec58:2c79e6f0 ike 0:TestToCisco:8419:TestToCisco:2342: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0 ike 0:TestToCisco:8419: enc E0A58579A166E7011318BF0CE01DEC58081020012C79E6F0000000FC01000014642F834F11E22E99D8D878397A19C8750A000034000000010000000100000028010304018772CC6A0000001C01030000800100018002A8C0800400018005000180030001040000141B29CA27D8817012DAFD6D427DD89B2A0500006470F9A8D3BE98E4D43599D2F6AB59DFD4FC8A5301159A7BC36A565A512CC1F493827F9D1C4A07BF48CBE9490E28755726A658CFE1EA03E583B17923C2376BD8CD428B21A4D3EE37CF233CB1B4D313EFDFCB6B0285856626459B78D922B7CED9480500001004000000000000000000000000000010040000000000000000000000 ike 0:TestToCisco:8419: out E0A58579A166E7011318BF0CE01DEC58081020012C79E6F000000104C7CA4D41C7AE844115AD088E0F23EEDD60F8CA6CAE5422ADD1DF97A4F39F48E8412332E9D1C23A27D59506626972C9E17E12B8E9373FDF28E329F01F53104FD196A9212A96A6C8B951055FAF308DD6E3F1AE5212BC9E7A822429D30498BC09ECA0A9C4D5BE5D4281F11D15FD75E40BDBEB9404A9B9137DE6F4F4360CB78BF36BF69B780362A9045B4E6AA2A782C991144092DB21445747CB6528C6F52C400852579448B5542C1C932D23FFA26841BDE5EBBED76825E7CD53D1147619171D946B1E5CA61EB99D0EBCA745C71AF6D8C61ECE4046663DE77A13B72E22A9743D38E7DC0B43BB0BDE55A8 ike 0:TestToCisco:8419: sent IKE msg (quick_i1send): 73.107.235.45:500->50.250.102.118:500, len=260, id=e0a58579a166e701/1318bf0ce01dec58:2c79e6f0 ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7.... ike 0: IKEv1 exchange=Informational id=e0a58579a166e701/1318bf0ce01dec58:095e1700 len=84 ike 0: in E0A58579A166E7011318BF0CE01DEC5808100501095E170000000054E5680DA1B598702A2D29E29B3B877CAECABC89AEFC76C5A612B7E3256B8274D56C15BB556E989A0FFBE4C92C5BD7FC0C172AD89357B963C5 ike 0:TestToCisco:8419: dec E0A58579A166E7011318BF0CE01DEC5808100501095E1700000000540B0000148390A5991B91A36E99876DBC8CF8026E0000001C000000010304000E8772CC6A0A00003400000001000000010000000000000000 ike 0:TestToCisco:8419: notify msg received: NO-PROPOSAL-CHOSEN ike 0:TestToCisco:8419:TestToCisco:2342: IPsec SPI 8772cc6a match ike 0:TestToCisco:8419:TestToCisco:2342: delete phase2 SPI 8772cc6a ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:500 negotiating ike 0:TestToCisco:8419: cookie e0a58579a166e701/1318bf0ce01dec58:430fdc29 ike 0:TestToCisco:8419:TestToCisco:2343: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0 ike 0:TestToCisco:8419: enc E0A58579A166E7011318BF0CE01DEC5808102001430FDC290000011C01000014C9C9A256E62EEA5AB50FF7725EFA8DF70A000034000000010000000100000028010304018772CC6B0000001C01030000800100018002A8C08004000180050001800300020400001476D3394610E67AD0F52AFC0A35C0BD4905000084999703F23585574871E0243C9CB7259BA7C773C7CF4EBB4E2781BDCDC83A5E1173306E868D24DAA0B1817EADCD7C62362F388F7C2BFC4A04BF1D30858C8C5FA06315B3AE63D4666678B172B8B6B5B813A55C24BF2F0CB403D2051433249B237E04B29F2B494A1DB267FB9BFB79E2568861EF3BFA53752899D529B7E6E78D9E620500001004000000000000000000000000000010040000000000000000000000 ike 0:TestToCisco:8419: out E0A58579A166E7011318BF0CE01DEC5808102001430FDC29000001247E9E3CB355BF68B89BF0DB8A5B5D9D229C3388C617659C2D6EA5477BB80ECA43BA1125465721E6C12B0052F1162A712B7EFDE4560094F0B205C6109C4D33683440808CFBCC6D47A83CFECEAD87778734B4BB22ADB11CA8127971BFD7BC9E456CA3EDCB37A77939427F93C9A2EE9D7C5A37455278A3209D46A169D2E0F962B2F634B3CE9A85CCDD474B368AFAEF2DD3DFECA45F10A114E68F9E1035BD9093DC407AB7B784BF1CE220AA37477F64C07C2A605D7F0B3E65496AB192092ABD8599AED9BE85E7B7A4F5833975A0153231C376686E782150AAC4679A65D0BEBDBCCBC4415433024EB6BF604D13E595F7349EBCA03E03F8EA2A7201DC1DA911FB151552E6A2E2BF835B96D9 ike 0:TestToCisco:8419: sent IKE msg (quick_i1send): 73.107.235.45:500->50.250.102.118:500, len=292, id=e0a58579a166e701/1318bf0ce01dec58:430fdc29 ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7.... ike 0: IKEv1 exchange=Informational id=e0a58579a166e701/1318bf0ce01dec58:a8efb6d6 len=84 ike 0: in E0A58579A166E7011318BF0CE01DEC5808100501A8EFB6D6000000545F21E6DF6848312F43848840697D1A365A611DC169FFBCAC7004C287CD49FE482F5DBFD29692E53CCE38E9868A22213675D77ABB091AA617 ike 0:TestToCisco:8419: dec E0A58579A166E7011318BF0CE01DEC5808100501A8EFB6D6000000540B0000142133CB437B790A3EE0D5CBC7B851DC980000001C000000010304000E8772CC6B0A00003400000001000000010000000000000000 ike 0:TestToCisco:8419: notify msg received: NO-PROPOSAL-CHOSEN ike 0:TestToCisco:8419:TestToCisco:2343: IPsec SPI 8772cc6b match ike 0:TestToCisco:8419:TestToCisco:2343: delete phase2 SPI 8772cc6b ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7.... ike 0: IKEv1 exchange=Quick id=e0a58579a166e701/1318bf0ce01dec58:ac5c3ef8 len=372 ike 0: in E0A58579A166E7011318BF0CE01DEC5808102001AC5C3EF800000174E4256AD5994CEB6D46B8957D4D7F36D872765BD6C4D8BBAEB97D0BEDCE47576A047CC60452934257581A250635667DE9B06E2057DBBAE7B6A09BD9119CE0194B2529E2D5BC0F563CC1903F20B308ACA8FA10A8469F4E9523E4EFD1F461D8652AA822D10C0A7BD2E8B1FF558BC1096B8657FEA1A1F80414C72C65F4EC10177719DEE82D34CE0CC4B7CAE68E06C37EC17368F7A9672AAD6FBDA9BEB8D52E67D7F4E04466B3C87017190457F7206B93CD6D70982EE5F480D84DF918B25DFAC33EE80730498FABB88D4FD09E462DC4899CA8E0D2ED8A0BFEAEBBE742FB020AA6CEAEE9B539415BF065C41ED52D9B4567D5BB07B2F4429292E219544125DBFD7AB395998843056F52546E62E3280A02652DC45A0E4FBC243BFD8533FD8161064634A1B117BE3A78E681320429D402934FDD4C5E534C81185DD442C4D3C38B507335E67FC67B965B2E650F36134329BEF621274112D37AF9D2F0D0 ike 0:TestToCisco:8419:2344: responder received first quick-mode message ike 0:TestToCisco:8419: dec E0A58579A166E7011318BF0CE01DEC5808102001AC5C3EF80000017401000014F6637A018BA26F9B57C86B800D13EA4A0A00004000000001000000010000003401030401B857445E0000002801030000800400018001000180020E1080010002000200040046500080050001800300050400001812D887BE033F66505FEC6E63332409B953B17F2C050000C4183E20FE53D77105299300D3AA9B64F27A8325EF5F6DA543D2F491B503C24E19D268AC8A62A3CDD0E34FC96023E578E50F3357D1DCD8BD46B6542729E454E6BCA8E0BAFDBFED9A4399A037A0AB676F09422D070C9341C122AC331CFA5BD02DD95847D5FCE8C922FEE1496437D70CAE067677DC37612BE9083D7BC0CF3AE420CEE3F47FA9E72E2D467A3DF03901AC0ECA056A3E09A5A186786E32D6D5790343AA6375C0286E542C58E53FF377A440C907A1D490D161B7056E8BAD29C7DFF8F51005000010040000000000000000000000000000100400000000000000000000000000000000000000 ike 0:TestToCisco:8419:2344: peer proposal is: peer:0:0.0.0.0-255.255.255.255:0, me:0:0.0.0.0-255.255.255.255:0 ike 0:TestToCisco:8419:TestToCisco:2344: trying ike 0:TestToCisco:8419:TestToCisco:2344: matched phase2 ike 0:TestToCisco:8419:TestToCisco:2344: autokey ike 0:TestToCisco:8419:TestToCisco:2344: my proposal: ike 0:TestToCisco:8419:TestToCisco:2344: proposal id = 1: ike 0:TestToCisco:8419:TestToCisco:2344: protocol id = IPSEC_ESP: ike 0:TestToCisco:8419:TestToCisco:2344: PFS DH group = 2 ike 0:TestToCisco:8419:TestToCisco:2344: trans_id = ESP_3DES ike 0:TestToCisco:8419:TestToCisco:2344: encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:TestToCisco:8419:TestToCisco:2344: type = AUTH_ALG, val=MD5 ike 0:TestToCisco:8419:TestToCisco:2344: proposal id = 2: ike 0:TestToCisco:8419:TestToCisco:2344: protocol id = IPSEC_ESP: ike 0:TestToCisco:8419:TestToCisco:2344: PFS DH group = 1 ike 0:TestToCisco:8419:TestToCisco:2344: trans_id = ESP_3DES ike 0:TestToCisco:8419:TestToCisco:2344: encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:TestToCisco:8419:TestToCisco:2344: type = AUTH_ALG, val=MD5 ike 0:TestToCisco:8419:TestToCisco:2344: incoming proposal: ike 0:TestToCisco:8419:TestToCisco:2344: proposal id = 1: ike 0:TestToCisco:8419:TestToCisco:2344: protocol id = IPSEC_ESP: ike 0:TestToCisco:8419:TestToCisco:2344: PFS DH group = 5 ike 0:TestToCisco:8419:TestToCisco:2344: trans_id = ESP_3DES ike 0:TestToCisco:8419:TestToCisco:2344: encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:TestToCisco:8419:TestToCisco:2344: type = AUTH_ALG, val=MD5 ike 0:TestToCisco:8419:TestToCisco:2344: negotiation failure ike Negotiate IPsec SA Error: ike 0:TestToCisco:8419:2344: no SA proposal chosen ike 0:TestToCisco:2344: info_send_n2, type 14, peer SPI b857445e ike 0:TestToCisco:8419: enc E0A58579A166E7011318BF0CE01DEC5808100501A422D4DA000000400B000014DF90C33E1D5CB023CFED41CC793B962D00000010000000010304000EB857445E ike 0:TestToCisco:8419: out E0A58579A166E7011318BF0CE01DEC5808100501A422D4DA00000044F58C08CCB5F7CF162A08803D302F852654593C59C78A5DAD81679CDE60BFCB95DA60313A42F12E28 ike 0:TestToCisco:8419: sent IKE msg (p2_notify_14): 73.107.235.45:500->50.250.102.118:500, len=68, id=e0a58579a166e701/1318bf0ce01dec58:a422d4da ike 0:TestToCisco:8419: error processing quick-mode message from 50.250.102.118 as responder ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:500 negotiating ike 0:TestToCisco:8419: cookie e0a58579a166e701/1318bf0ce01dec58:7734a7fe ike 0:TestToCisco:8419:TestToCisco:2346: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0 ike 0:TestToCisco:8419: enc E0A58579A166E7011318BF0CE01DEC58081020017734A7FE000000FC01000014E59263C79CB39D9F64A0E4C0D296C99B0A000034000000010000000100000028010304018772CC6C0000001C01030000800100018002A8C080040001800500018003000104000014F7F0F96C6057ADE3DD6490031D1AEADB0500006451765C7A0F761528EAB2057EAC49C26E57DE3695AF52181C7A7D62AE698293E5FF42A668E21C30A24251E0DCBEAD6618646AC97DC25769867ADC667DA1478CF4D1E4DAC09E084A314E2203A51338A5DBBBCB26AD53B12DBBD6A354862D1A6F9A0500001004000000000000000000000000000010040000000000000000000000 ike 0:TestToCisco:8419: out E0A58579A166E7011318BF0CE01DEC58081020017734A7FE00000104FCBEB8BA845EFDCA9777DCDF7CD23305ADA17EDD8193207494BA44A4E02DC12F44C236DF9D84931A83A8B15DAA580F68F392D1BD1F7712653C18E899CDE626581776702D65E6902409EECD87C27C234A8D0819BFA425EC01A48563DD26D0A23DC72BECCD931C82230A091A4F1CDD55AC60649C81AB3D037B3B92E56B60E8B86B512C4232FEF31C23A97C96BE12BE5621030B7A43B006E45870A449CD4366F9A16A6B97A2A7EE0379BD5B01511EFEE219AFAB027ACB1616CB96C43C7840702A803BF6997724355548D30CB500B9F863723FFE2A2D1FAE59583A42C97D8DA222BE249FF1DBA6A63E9A ike 0:TestToCisco:8419: sent IKE msg (quick_i1send): 73.107.235.45:500->50.250.102.118:500, len=260, id=e0a58579a166e701/1318bf0ce01dec58:7734a7fe ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7.... ike 0: IKEv1 exchange=Informational id=e0a58579a166e701/1318bf0ce01dec58:1b71c169 len=84 ike 0: in E0A58579A166E7011318BF0CE01DEC58081005011B71C169000000543FD48B14CDD69F904F71CDD530251FAA5FD15DFAD516251ADC6713B845909A8C20202DC183C7ACA69A7FA08BC811E649B7AACB2D291D6452 ike 0:TestToCisco:8419: dec E0A58579A166E7011318BF0CE01DEC58081005011B71C169000000540B000014FF287F9F70709A2E86888FBB2CE006220000001C000000010304000E8772CC6C0A00003400000001000000010000000000000000 ike 0:TestToCisco:8419: notify msg received: NO-PROPOSAL-CHOSEN ike 0:TestToCisco:8419:TestToCisco:2346: IPsec SPI 8772cc6c match ike 0:TestToCisco:8419:TestToCisco:2346: delete phase2 SPI 8772cc6c ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:500 negotiating ike 0:TestToCisco:8419: cookie e0a58579a166e701/1318bf0ce01dec58:6ded900b ike 0:TestToCisco:8419:TestToCisco:2347: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0 ike 0:TestToCisco:8419: enc E0A58579A166E7011318BF0CE01DEC58081020016DED900B0000011C010000144DABBA48E8643A0C8A49FAA6B94581080A000034000000010000000100000028010304018772CC6D0000001C01030000800100018002A8C0800400018005000180030002040000146009F00211B216F0A196616CEC2A9FC00500008413DE6215E27F41550EB44360A01ED289728D41426B0C805366BC76AC26F3C1D6969B6E1075F5E5A81E360161296F1E03A3D5AD80B9E4B20B76896739B82DFC77E0F3EA032278F5AF9F78F2ECCEDD68593C6F6627A22E04C3701601B02EE15F54CA12263159BA058D396714EBF97E31D5E761CA3F1C8DD274958FDA1D29B8CD590500001004000000000000000000000000000010040000000000000000000000 ike 0:TestToCisco:8419: out E0A58579A166E7011318BF0CE01DEC58081020016DED900B00000124C58102521A586AF396ACC6C8B3626EA0686FF3B659A4546CA99A2CF3C2AD6FF197F02B1529D208CA217A0729C9B34894937FD9A1E7EC09EC6C35FBD9DA7DE6D04D217B4910BC164166D2C11FD389856E78822D467FB6E117028962AC502C53370219E4FF79CB9A5C3EDD72F34FD55554872242171D0B44A9124BD3DFD157CF8D7516D3FAD4ABF6080080994860A2372F7C7C7488CC5BDB3C5BFAE392592E379372196EB789BB113D1014F26B3B16A02AA89941D9B9CC707718864BF5CECE0AA9E64888DDEEFEA29E7368A33D3AF2B367F33998F8C55E1AB9F8DB0830104E7C0C7D484BC0ABBC08CAD1057452FCE295B78306EFD4C3C32AF33AA9399137C4AC75A201A2D5DBF2FA01 ike 0:TestToCisco:8419: sent IKE msg (quick_i1send): 73.107.235.45:500->50.250.102.118:500, len=292, id=e0a58579a166e701/1318bf0ce01dec58:6ded900b ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7.... ike 0: IKEv1 exchange=Informational id=e0a58579a166e701/1318bf0ce01dec58:9003ece1 len=84 ike 0: in E0A58579A166E7011318BF0CE01DEC58081005019003ECE100000054D116CBBCA4F253AB44A2DE551B6CDD81BC77DDB55C4BF513893D16CB63A990BF2A1C3EE92687ED93C5C45E21F4655F154A5780CE1DDC3AB2 ike 0:TestToCisco:8419: dec E0A58579A166E7011318BF0CE01DEC58081005019003ECE1000000540B000014D1F615E7D6951B45C1FC42D5A3EB660F0000001C000000010304000E8772CC6D0A00003400000001000000010000000000000000 ike 0:TestToCisco:8419: notify msg received: NO-PROPOSAL-CHOSEN ike 0:TestToCisco:8419:TestToCisco:2347: IPsec SPI 8772cc6d match ike 0:TestToCisco:8419:TestToCisco:2347: delete phase2 SPI 8772cc6d ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:500 negotiating ike 0:TestToCisco:8419: cookie e0a58579a166e701/1318bf0ce01dec58:93edfc52 ike 0:TestToCisco:8419:TestToCisco:2348: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0 ike 0:TestToCisco:8419: enc E0A58579A166E7011318BF0CE01DEC580810200193EDFC52000000FC01000014DA0836AFEA7F8E91D8A3606A624424080A000034000000010000000100000028010304018772CC6E0000001C01030000800100018002A8C0800400018005000180030001040000140E217CBDC76781A3A8A55DD8C35FF450050000648F844C4E598701EC61C1C116002D148AE8D01ABC520453D2D87335B1F946D72CE426188642635D07EA1A70D49B85EF1920780E0CE58D31EED7FF3B947C45E58F7B424F3948DACB3AE90F212A35314B1CF8B3621FB0B7546C382CD7B0015A018A0500001004000000000000000000000000000010040000000000000000000000 ike 0:TestToCisco:8419: out E0A58579A166E7011318BF0CE01DEC580810200193EDFC5200000104C190B42142AEA0BA6B7E6DA34C3CB38643086D6CD9EF8F7D3A51D760C262A5C7C11A888D6085BEB81BBD3CF2F37567BD7692B3D06A72FF0E53D2D75F085F8A3C94A392ACFC9B7F2E71A4C3C195D8490F6CDE4AF4A2E59E719E0843B5EEBD4DADB8019E3F5DD175A843D23DA8730D3DB99BC586D52C30FDFD9D623B2A969D961584FE7F0EF745DF894B1103B65F603FB121C9D429935CA2ADAFFCE410D647F27B0CC5FD9570893BBA6F9DA6FB7A006320B566C8DD4F85C6972360604204835C43807B88A4C04ECF0C54882DB7E64D4D9F028A936ABCB12AB0C418D6BE152774617CBFD19CB62C899F ike 0:TestToCisco:8419: sent IKE msg (quick_i1send): 73.107.235.45:500->50.250.102.118:500, len=260, id=e0a58579a166e701/1318bf0ce01dec58:93edfc52 ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7.... ike 0: IKEv1 exchange=Informational id=e0a58579a166e701/1318bf0ce01dec58:efdd7180 len=84 ike 0: in E0A58579A166E7011318BF0CE01DEC5808100501EFDD718000000054D25281361AE00AA7727737DDFA2EFF4B6B01C86ABFCFA0C2DA380A78A6F12B51086D74B7A30DD35C49174A900BC7D66373C40562ECF08651 ike 0:TestToCisco:8419: dec E0A58579A166E7011318BF0CE01DEC5808100501EFDD7180000000540B000014028DEA19B2680A5483FDD27957584A4C0000001C000000010304000E8772CC6E0A00003400000001000000010000000000000000 ike 0:TestToCisco:8419: notify msg received: NO-PROPOSAL-CHOSEN ike 0:TestToCisco:8419:TestToCisco:2348: IPsec SPI 8772cc6e match ike 0:TestToCisco:8419:TestToCisco:2348: delete phase2 SPI 8772cc6e ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:500 negotiating ike 0:TestToCisco:8419: cookie e0a58579a166e701/1318bf0ce01dec58:5b3ce712 ike 0:TestToCisco:8419:TestToCisco:2349: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0 ike 0:TestToCisco:8419: enc E0A58579A166E7011318BF0CE01DEC58081020015B3CE7120000011C01000014AEBB7CFD8A72B51E68E2139CDD8676E90A000034000000010000000100000028010304018772CC6F0000001C01030000800100018002A8C0800400018005000180030002040000140529F1684B8A0D020EAC9CBB4A6A91B105000084DE99460056907B0F178C3D5F61AEC79A86FEBA6D001E27EF4620B97389F942BE6794C2E31E72F49687BA2555FA48826EDD2DD0C6D097B6E1489D0F3680A71E7BB9B85800186611D01ED07CAE8A603E4820EB7823A417D4F4CE57B97AF919A2E270B5A986DD7EB1F00A80DEC179FD5D814203A6E656720B0C43D7057F7A2558610500001004000000000000000000000000000010040000000000000000000000 ike 0:TestToCisco:8419: out E0A58579A166E7011318BF0CE01DEC58081020015B3CE712000001244A63B48A856F8F9A7C709F80124E7ECCD394AAFBA28B89EC93B4FA4A81FC5A1C6EF791B5BCC894BAA5E05BEBCA3C5082705458D0C895910AE70A5AD43EA1860DD921E8E0F66F0E234EB1ADCDAEE4DC1E189C9B2A3D3DAF6661935A218005FB16E170DFF933D8CC5283DA3784526C78FFA21E76C4F9D80006440E3B6465F8B473B4763A2FB65CF92D198E3623D5F0F1DCEB36FE2D8FCAC2EA889769054FDDCAB475C9EDFD75A7BB200DFC1EF201F0191BDE49396E570DD6A1A0648419EC442AB33FD58BFA818F14369722D570FE6E4F2A2FE7D7186A379AE6794A13C395C1C075A4C73E0DA2E877081A585478788B10E0C5ABA84B058DF2C33E8DFD554348F1FFD9A56A5320A870F4 ike 0:TestToCisco:8419: sent IKE msg (quick_i1send): 73.107.235.45:500->50.250.102.118:500, len=292, id=e0a58579a166e701/1318bf0ce01dec58:5b3ce712 ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7.... ike 0: IKEv1 exchange=Informational id=e0a58579a166e701/1318bf0ce01dec58:d6f9f483 len=84 ike 0: in E0A58579A166E7011318BF0CE01DEC5808100501D6F9F48300000054F6440D75353FBEB038B7DF6E92966CD8BEE4058D4E8D3D29B77C2335A214A784B3366B99B0390C9021D621881EFE56FF90E90E39D08F3679 ike 0:TestToCisco:8419: dec E0A58579A166E7011318BF0CE01DEC5808100501D6F9F483000000540B0000142225AFCBB9BF6CA1429F476BA1AFAB2E0000001C000000010304000E8772CC6F0A00003400000001000000010000000000000000 ike 0:TestToCisco:8419: notify msg received: NO-PROPOSAL-CHOSEN ike 0:TestToCisco:8419:TestToCisco:2349: IPsec SPI 8772cc6f match ike 0:TestToCisco:8419:TestToCisco:2349: delete phase2 SPI 8772cc6f ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:500 negotiating ike 0:TestToCisco:8419: cookie e0a58579a166e701/1318bf0ce01dec58:a0ad94c5 ike 0:TestToCisco:8419:TestToCisco:2350: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0 ike 0:TestToCisco:8419: enc E0A58579A166E7011318BF0CE01DEC5808102001A0AD94C5000000FC010000144F903F723D5FA049271EA3EA5D285EF10A000034000000010000000100000028010304018772CC700000001C01030000800100018002A8C080040001800500018003000104000014CBC7B9EDCEDB5FB661FE6C9712EB131E050000643228D5849420D2D669559845FC406405D2FE74BE996205AC439624B7034B63C05A09620DD78A0E5FE1F993B40782AFD2DA6AB0C73CF62CA82137F85ABC30DADB09D1E6981295C07F946251AB2DDC2DF865E39FCE493E7CE957DA39A2D3416A000500001004000000000000000000000000000010040000000000000000000000 ike 0:TestToCisco:8419: out E0A58579A166E7011318BF0CE01DEC5808102001A0AD94C500000104283F12122150DDE2ED09FF23225BDBFCAE5DFD204C221F6C7ACA0F81B7A1267CEEF8CA9B757AF8DC55D1171519728ACD5C78BA6076A74E801BEE12F1FD865E689E83DD71697D76296458D3AC26AED30A25A5B3D5B1D7D91A8BA1D9027AA32381CDC34874104381D78286A198DC9CB3E2A312D2BD55C5530C3407B3BA98C089D4948CAE9A899675C5435B6C748379E2D4AC4CFAA1E27B9174992DBBAD201C274D461E81D5B40CEC7923F1DE179716825F541D12E11CB06765939CB4B0D41852AB9B2F54A7BE8FEFCA8544D833C028BB19821932F4188D827943CFB346AC0CB4CA4B3E1F008BC6BF48 ike 0:TestToCisco:8419: sent IKE msg (quick_i1send): 73.107.235.45:500->50.250.102.118:500, len=260, id=e0a58579a166e701/1318bf0ce01dec58:a0ad94c5 ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7.... ike 0: IKEv1 exchange=Informational id=e0a58579a166e701/1318bf0ce01dec58:865ea391 len=84 ike 0: in E0A58579A166E7011318BF0CE01DEC5808100501865EA39100000054A3F362F18FA5DB4E9107FB801DAEAEADBD9A795E2D4627A45A006C7A0E4B1A5A191242A916765D311DE51D2D3057466C86C413CB14F097D9 ike 0:TestToCisco:8419: dec E0A58579A166E7011318BF0CE01DEC5808100501865EA391000000540B000014C6CDDDBBF54CF092F9BBF29E08D183C60000001C000000010304000E8772CC700A00003400000001000000010000000000000000 ike 0:TestToCisco:8419: notify msg received: NO-PROPOSAL-CHOSEN ike 0:TestToCisco:8419:TestToCisco:2350: IPsec SPI 8772cc70 match ike 0:TestToCisco:8419:TestToCisco:2350: delete phase2 SPI 8772cc70 FORTIGATE # FORTIGATE # FORTIGATE # ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:500 negotiating ike 0:TestToCisco:8419: cookie e0a58579a166e701/1318bf0ce01dec58:d5bbad4c ike 0:TestToCisco:8419:TestToCisco:2351: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0 ike 0:TestToCisco:8419: enc E0A58579A166E7011318BF0CE01DEC5808102001D5BBAD4C0000011C01000014B71BCC55BCF3243C560638B2B0B808030A000034000000010000000100000028010304018772CC710000001C01030000800100018002A8C0800400018005000180030002040000147CDA42BC6DE11D8B37DA3AD6CFA19F7C0500008494A25E5B4604053850C6A44946F79CC7B5D8C3280338A9FC2DFC2F822967498B64DC3D88F2473B1535D4E13D1FED648EB5E32380802BF53BB2A5BC859AADA715347681EAF0D64FC0A049C5A4FC3DB919B592A65B598080319C5C0E3950758C1C2E2BE9BCF7B1E9906990275436C06B46B48B4ABCB63A44362E0CD45EE93E545F0500001004000000000000000000000000000010040000000000000000000000 ike 0:TestToCisco:8419: out E0A58579A166E7011318BF0CE01DEC5808102001D5BBAD4C000001240FC452C3AC0265998E238ACDEDFB3855F35A461AD5F5567D941D3B9F71B9467CC779F780C3DD2562C8165A3461F7630482B23BAEFBD1A93E0F5B0922A605EA962421CD08E6418F72071A2543988081BD9998F3D96A5ABFBF439EF84A25A0C687799EBFB0F8F048C64DC91841484C6CB8B7393F504F1D2CBB96FDA46AB1BBE42294441E185468A109F583BBFFC9E9C041375FAEF48DD82C851BA3AFDA2CFA0B37B6DDDE80A8FCD4262F3F88743B9D5FDA268DD0D446280673B7B3C18EB3096D48ACAB4A4A92CFF0E6144CAF0590473517AE844604737DC9832A4B7ED9EBDF83C02040E15A682517D81CF8490C43654F2C33BF82E0844E8CE643B97F81982747ABED62AD706BDA0F28 ike 0:TestToCisco:8419: sent IKE msg (quick_i1send): 73.107.235.45:500->50.250.102.118:500, len=292, id=e0a58579a166e701/1318bf0ce01dec58:d5bbad4c ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7.... ike 0: IKEv1 exchange=Informational id=e0a58579a166e701/1318bf0ce01dec58:97449610 len=84 ike 0: in E0A58579A166E7011318BF0CE01DEC58081005019744961000000054D3B78F2AADC44A89FA432BA61445F46A8B5085416455CE917770C6F7F7311F345EE6EF8F6CE7A2765E36D809474FF8EF6AEB60A1FA2D9A0E ike 0:TestToCisco:8419: dec E0A58579A166E7011318BF0CE01DEC580810050197449610000000540B00001493F7090B12AE3559E9D2795DB14278B10000001C000000010304000E8772CC710A00003400000001000000010000000000000000 ike 0:TestToCisco:8419: notify msg received: NO-PROPOSAL-CHOSEN ike 0:TestToCisco:8419:TestToCisco:2351: IPsec SPI 8772cc71 match ike 0:TestToCisco:8419:TestToCisco:2351: delete phase2 SPI 8772cc71 FORTIGATE # FORTIGATE # FORTIGATE # FORTIGATE # FORTIGATE # FORTIGATE # diagnose debug disableike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7.... ike 0: IKEv1 exchange=Quick id=e0a58579a166e701/1318bf0ce01dec58:6403040c len=372 ike 0: in E0A58579A166E7011318BF0CE01DEC58081020016403040C0000017424DBF69B5DC275E4E2F6AC72F465D9EC60FDC3269DC0FB24766365D595D967BDA70A358090F622A1A6A2E07A0114C7105FEBA2E9C64A99B51C9441AEB05604039193813322D0748745036D961D65F5AAE8103A2FE4F180BD6BF4902F6303D769C7317D6D00C1917FA57941E5E4545E3E66487011F82D824D99D21AB359044255F525E452EAA26AF06B39734DD2D98A8DE84BBA1A8AC3D79E7EA9B60A4EDD4E53C2EFF1DC121EF19E350750CFC7D30AC3F72A8DF47911FA4B321FED76D7CAA5AC5FD9F25E2FBFC2864A551C7D8558BD2423AB81587556D231BBCABB7D9388BAA31DBA0D584125C7DAA1FF578A97D03D004A8D68BA29B138EC115728404FC3F5996D2603842816A71E28BA99F25A3D1C39888ABF614CE44B849501366B6DAA497EC6E52B0483B9D9A6D38D49EE42C309882A2FFE3F7F3F38754156433AD8236313E4BEE7DF170B4D6AE467E81A6C9938192A311F92FD17ABE8 ike 0:TestToCisco:8419:2352: responder received first quick-mode message ike 0:TestToCisco:8419: dec E0A58579A166E7011318BF0CE01DEC58081020016403040C00000174010000141D10ADB5D4A1AF149E6DF682C5A986110A00004000000001000000010000003401030401BA0C1FA70000002801030000800400018001000180020E10800100020002000400465000800500018003000504000018DCC6FFAF624B0BE390E7ADA16F557C57556C3D48050000C46C0E643AA6D748C2075F11652758D3395D18E5FEDEA48D9D97E0CF551F46A28F4AE78F39E47610A3107C2165134FC71F2B82DAFE5144D9AEEBFE05B012A874F7FB1DEBFEC16BCB2010FCD1392FAB6F273A8B651B924D2F1FB26A11D0331000E78D4DE438A9CC3574FB606D2ABDBFFD4612920DF4CA350D3DD95B538017526BCAF52C9DC7F81D6C1D1BC542DAC0F9FB4D8ADACD83848D9F4FC2128767ECDDB80F2BCF5E3EE85A7B676C498FEACA481CB78D1DCA72493A2FA151EEF94768CA6E6E05000010040000000000000000000000000000100400000000000000000000000000000000000000 ike 0:TestToCisco:8419:2352: peer proposal is: peer:0:0.0.0.0-255.255.255.255:0, me:0:0.0.0.0-255.255.255.255:0 ike 0:TestToCisco:8419:TestToCisco:2352: trying ike 0:TestToCisco:8419:TestToCisco:2352: matched phase2 ike 0:TestToCisco:8419:TestToCisco:2352: autokey ike 0:TestToCisco:8419:TestToCisco:2352: my proposal: ike 0:TestToCisco:8419:TestToCisco:2352: proposal id = 1: ike 0:TestToCisco:8419:TestToCisco:2352: protocol id = IPSEC_ESP: ike 0:TestToCisco:8419:TestToCisco:2352: PFS DH group = 2 ike 0:TestToCisco:8419:TestToCisco:2352: trans_id = ESP_3DES ike 0:TestToCisco:8419:TestToCisco:2352: encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:TestToCisco:8419:TestToCisco:2352: type = AUTH_ALG, val=MD5 ike 0:TestToCisco:8419:TestToCisco:2352: proposal id = 2: ike 0:TestToCisco:8419:TestToCisco:2352: protocol id = IPSEC_ESP: ike 0:TestToCisco:8419:TestToCisco:2352: PFS DH group = 1 ike 0:TestToCisco:8419:TestToCisco:2352: trans_id = ESP_3DES ike 0:TestToCisco:8419:TestToCisco:2352: encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:TestToCisco:8419:TestToCisco:2352: type = AUTH_ALG, val=MD5 ike 0:TestToCisco:8419:TestToCisco:2352: incoming proposal: ike 0:TestToCisco:8419:TestToCisco:2352: proposal id = 1: ike 0:TestToCisco:8419:TestToCisco:2352: protocol id = IPSEC_ESP: ike 0:TestToCisco:8419:TestToCisco:2352: PFS DH group = 5 ike 0:TestToCisco:8419:TestToCisco:2352: trans_id = ESP_3DES ike 0:TestToCisco:8419:TestToCisco:2352: encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:TestToCisco:8419:TestToCisco:2352: type = AUTH_ALG, val=MD5 ike 0:TestToCisco:8419:TestToCisco:2352: negotiation failure ike Negotiate IPsec SA Error: ike 0:TestToCisco:8419:2352: no SA proposal chosen ike 0:TestToCisco:2352: info_send_n2, type 14, peer SPI ba0c1fa7 ike 0:TestToCisco:8419: enc E0A58579A166E7011318BF0CE01DEC580810050100DCF74E000000400B0000142B1581DBF1D3AA3EDC336794C2DCBBA800000010000000010304000EBA0C1FA7 ike 0:TestToCisco:8419: out E0A58579A166E7011318BF0CE01DEC580810050100DCF74E0000004429B41D74763307BD926AB02CBC1461BDEE103ED18E48FE3E28F04393B8DEE907DCCF7A9F8172AC86 ike 0:TestToCisco:8419: sent IKE msg (p2_notify_14): 73.107.235.45:500->50.250.102.118:500, len=68, id=e0a58579a166e701/1318bf0ce01dec58:00dcf74e ike 0:TestToCisco:8419: error processing quick-mode message from 50.250.102.118 as responder ___________________________________________________________________________________________CCisco Config ISR4221# ISR4221#sh run \| begin isakmp crypto isakmp policy 1 encr 3des hash md5 authentication pre-share group 2 crypto isakmp key <did not post key> address 0.0.0.0 <<<<< any address on purpose ! ! crypto ipsec transform-set TS esp-3des esp-md5-hmac mode tunnel ! crypto ipsec profile VTI set security-association lifetime seconds 86400 set transform-set TS ! ! interface Tunnel0 ip unnumbered GigabitEthernet0/0/1 <<<< this was numbered at one time. zone-member security LAN tunnel source 50.250.102.118 tunnel mode ipsec ipv4 tunnel destination 73.107.235.45 tunnel protection ipsec profile VTI debug : IPv4 Crypto ISAKMP SA dst src state conn-id status 50.250.102.118 73.107.235.45 QM_IDLE 1191 ACTIVE 50.250.102.118 73.107.235.45 MM_NO_STATE 1190 ACTIVE (deleted) ISR4221#debug crypto isakmp Crypto ISAKMP debugging is on ISR4221# ISR4221# ISR4221# ISR4221#term mon ISR4221# Mar 26 15:07:46.955: ISAKMP: (1181):purging node 3040338059 ISR4221# Mar 26 15:07:50.025: ISAKMP: (1182):purging node 2511836437 ISR4221# Mar 26 15:07:51.818: ISAKMP: (1182):set new node 0 to QM_IDLE Mar 26 15:07:51.818: ISAKMP: (1182):SA has outstanding requests (local 50.250.102.118 port 500, remote 73.107.235.45 port 500) Mar 26 15:07:51.818: ISAKMP: (1182):sitting IDLE. Starting QM immediately (QM_IDLE ) Mar 26 15:07:51.818: ISAKMP: (1182):beginning Quick Mode exchange, M-ID of 828670928 Mar 26 15:07:51.830: ISAKMP: (1182):QM Initiator gets spi Mar 26 15:07:51.831: ISAKMP-PAK: (1182):sending packet to 73.107.235.45 my_port 500 peer_port 500 (R) QM_IDLE Mar 26 15:07:51.831: ISAKMP: (1182):Sending an IKE IPv4 Packet. Mar 26 15:07:51.831: ISAKMP: (1182):Node 828670928, Input = IKE_MESG_INTERNAL, IKE_INIT_QM Mar 26 15:07:51.831: ISAKMP: (1182):Old State = IKE_QM_READY New State = IKE_QM_I_QM1 Mar 26 15:07:51.876: ISAKMP-PAK: (1182):received packet from 73.107.235.45 dport 500 sport 500 Global (R) QM_IDLE Mar 26 15:07:51.876: ISAKMP: (1182):set new node 4149256254 to QM_IDLE Mar 26 15:07:51.876: ISAKMP: (1182):processing HASH payload. message ID = 4149256254 Mar 26 15:07:51.877: ISAKMP: (1182):processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 3648703813, message ID = 4149256254, sa = 0x80007F7B66C74EB0 ISR4221# Mar 26 15:07:51.877: ISAKMP: (1182):deleting spi 3648703813 message ID = 828670928 Mar 26 15:07:51.877: ISAKMP-ERROR: (1182):deleting node 828670928 error TRUE reason "Delete Larval" Mar 26 15:07:51.877: ISAKMP: (1182):deleting node 4149256254 error FALSE reason "Informational (in) state 1" Mar 26 15:07:51.877: ISAKMP: (1182):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY Mar 26 15:07:51.877: ISAKMP: (1182):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE ISR4221# Mar 26 15:07:56.954: ISAKMP: (1181):purging SA., sa=80007F7B718E3100, delme=80007F7B718E3100 ISR4221# Mar 26 15:08:02.084: ISAKMP-PAK: (1182):received packet from 73.107.235.45 dport 500 sport 500 Global (R) QM_IDLE Mar 26 15:08:02.084: ISAKMP: (1182):set new node 2898857848 to QM_IDLE Mar 26 15:08:02.085: ISAKMP: (1182):processing HASH payload. message ID = 2898857848 Mar 26 15:08:02.085: ISAKMP: (1182):processing DELETE payload. message ID = 2898857848 Mar 26 15:08:02.085: ISAKMP: (1182):peer does not do paranoid keepalives. Mar 26 15:08:02.085: ISAKMP: (1182):deleting SA reason "No reason" state (R) QM_IDLE (peer 73.107.235.45) Mar 26 15:08:02.085: ISAKMP: (1182):deleting node 2898857848 error FALSE reason "Informational (in) state 1" Mar 26 15:08:02.085: ISAKMP: (1182):set new node 2594725701 to QM_IDLE Mar 26 15:08:02.085: ISAKMP-PAK: (1182):sending packet to 73.107.235.45 my_port 500 peer_port 500 (R) QM_IDLE Mar 26 15:08:02.086: ISAKMP: (1182):Sending an IKE IPv4 Packet. Mar 26 15:08:02.086: ISAKMP: (1182):purging node 2594725701 Mar 26 15:08:02.086: ISAKMP: (1182):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL Mar 26 15:08:02.086: ISAKMP: (1182):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA Mar 26 15:08:02.086: ISAKMP: (1182):deleting SA reason "No reason" state (R) QM_IDLE (peer 73.107.235.45) ISR4221# Mar 26 15:08:02.086: ISAKMP: (0):Unlocking peer struct 0x80007F7B724717F0 for isadb_mark_sa_deleted(), count 0 Mar 26 15:08:02.086: ISAKMP: (0):Deleting peer node by peer_reap for 73.107.235.45: 80007F7B724717F0 Mar 26 15:08:02.087: ISAKMP: (1182):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH Mar 26 15:08:02.087: ISAKMP: (1182):Old State = IKE_DEST_SA New State = IKE_DEST_SA Mar 26 15:08:03.094: ISAKMP-PAK: (0):received packet from 73.107.235.45 dport 500 sport 500 Global (N) NEW SA Mar 26 15:08:03.094: ISAKMP: (0):Created a peer struct for 73.107.235.45, peer port 500 Mar 26 15:08:03.095: ISAKMP: (0):New peer created peer = 0x80007F7B724717F0 peer_handle = 0x8000000080000C4C Mar 26 15:08:03.095: ISAKMP: (0):Locking peer struct 0x80007F7B724717F0, refcount 1 for crypto_isakmp_process_block Mar 26 15:08:03.095: ISAKMP: (0):local port 500, remote port 500 Mar 26 15:08:03.095: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 80007F7B718E3100 Mar 26 15:08:03.095: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH Mar 26 15:08:03.095: ISAKMP: (0):Old State = IKE_READY New State = IKE_R_MM1 Mar 26 15:08:03.095: ISAKMP: (0):processing SA payload. message ID = 0 Mar 26 15:08:03.095: ISAKMP: (0):processing vendor id payload Mar 26 15:08:03.096: ISAKMP: (0):vendor ID is DPD Mar 26 15:08:03.096: ISAKMP: (0):processing vendor id payload Mar 26 15:08:03.096: ISAKMP: (0):vendor ID seems Unity/DPD but major 194 mismatch Mar 26 15:08:03.096: ISAKMP: (0):processing vendor id payload Mar 26 15:08:03.096: ISAKMP: (0):processing IKE frag vendor id payload Mar 26 15:08:03.096: ISAKMP: (0):Support for IKE Fragmentation not enabled Mar 26 15:08:03.096: ISAKMP: (0):processing vendor id payload Mar 26 15:08:03.096: ISAKMP: (0):vendor ID seems Unity/DPD but major 0 mismatch Mar 26 15:08:03.096: ISAKMP: (0):found peer pre-shared key matching 73.107.235.45 Mar 26 15:08:03.096: ISAKMP: (0):local preshared key found Mar 26 15:08:03.096: ISAKMP: (0):Scanning profiles for xauth ... Mar 26 15:08:03.096: ISAKMP: (0):Checking ISAKMP transform 1 against priority 1 policy Mar 26 15:08:03.097: ISAKMP: (0): life type in seconds Mar 26 15:08:03.097: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80 Mar 26 15:08:03.097: ISAKMP: (0): encryption 3DES-CBC Mar 26 15:08:03.097: ISAKMP: (0): auth pre-share Mar 26 15:08:03.097: ISAKMP: (0): hash MD5 Mar 26 15:08:03.097: ISAKMP: (0): default group 2 Mar 26 15:08:03.097: ISAKMP: (0):atts are acceptable. Next payload is 0 Mar 26 15:08:03.097: ISAKMP: (0):Acceptable atts:actual life: 86400 Mar 26 15:08:03.097: ISAKMP: (0):Acceptable atts:life: 0 Mar 26 15:08:03.097: ISAKMP: (0):Fill atts in sa vpi_length:4 Mar 26 15:08:03.097: ISAKMP: (0):Fill atts in sa life_in_seconds:86400 Mar 26 15:08:03.097: ISAKMP: (0):Returning Actual lifetime: 86400 Mar 26 15:08:03.098: ISAKMP: (0):Started lifetime timer: 86400. Mar 26 15:08:03.102: ISAKMP: (0):processing vendor id payload Mar 26 15:08:03.102: ISAKMP: (0):vendor ID is DPD Mar 26 15:08:03.102: ISAKMP: (0):processing vendor id payload Mar 26 15:08:03.102: ISAKMP: (0):vendor ID seems Unity/DPD but major 194 mismatch Mar 26 15:08:03.102: ISAKMP: (0):processing vendor id payload Mar 26 15:08:03.102: ISAKMP: (0):processing IKE frag vendor id payload Mar 26 15:08:03.102: ISAKMP: (0):Support for IKE Fragmentation not enabled Mar 26 15:08:03.102: ISAKMP: (0):processing vendor id payload Mar 26 15:08:03.102: ISAKMP: (0):vendor ID seems Unity/DPD but major 0 mismatch Mar 26 15:08:03.102: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE Mar 26 15:08:03.103: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM1 Mar 26 15:08:03.103: ISAKMP-PAK: (0):sending packet to 73.107.235.45 my_port 500 peer_port 500 (R) MM_SA_SETUP Mar 26 15:08:03.103: ISAKMP: (0):Sending an IKE IPv4 Packet. Mar 26 15:08:03.103: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE Mar 26 15:08:03.103: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM2 Mar 26 15:08:03.140: ISAKMP-PAK: (0):received packet from 73.107.235.45 dport 500 sport 500 Global (R) MM_SA_SETUP Mar 26 15:08:03.140: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH Mar 26 15:08:03.140: ISAKMP: (0):Old State = IKE_R_MM2 New State = IKE_R_MM3 Mar 26 15:08:03.141: ISAKMP: (0):processing KE payload. message ID = 0 Mar 26 15:08:03.146: ISAKMP: (0):processing NONCE payload. message ID = 0 Mar 26 15:08:03.146: ISAKMP: (0):found peer pre-shared key matching 73.107.235.45 Mar 26 15:08:03.146: ISAKMP: (1183):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE Mar 26 15:08:03.146: ISAKMP: (1183):Old State = IKE_R_MM3 New State = IKE_R_MM3 Mar 26 15:08:03.146: ISAKMP-PAK: (1183):sending packet to 73.107.235.45 my_port 500 peer_port 500 (R) MM_KEY_EXCH Mar 26 15:08:03.146: ISAKMP: (1183):Sending an IKE IPv4 Packet. Mar 26 15:08:03.147: ISAKMP: (1183):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE Mar 26 15:08:03.147: ISAKMP: (1183):Old State = IKE_R_MM3 New State = IKE_R_MM4 Mar 26 15:08:03.178: ISAKMP-PAK: (1183):received packet from 73.107.235.45 dport 500 sport 500 Global (R) MM_KEY_EXCH Mar 26 15:08:03.178: ISAKMP: (1183):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH Mar 26 15:08:03.178: ISAKMP: (1183):Old State = IKE_R_MM4 New State = IKE_R_MM5 Mar 26 15:08:03.179: ISAKMP: (1183):processing ID payload. message ID = 0 Mar 26 15:08:03.179: ISAKMP: (1183):ID payload next-payload : 8 type : 1 Mar 26 15:08:03.179: ISAKMP: (1183): address : 73.107.235.45 Mar 26 15:08:03.179: ISAKMP: (1183): protocol : 0 port : 0 length : 12 Mar 26 15:08:03.179: ISAKMP: (0):peer matches none* of the profiles Mar 26 15:08:03.179: ISAKMP: (1183):processing HASH payload. message ID = 0 Mar 26 15:08:03.179: ISAKMP: (1183):processing NOTIFY INITIAL_CONTACT protocol 1 spi 0, message ID = 0, sa = 0x80007F7B718E3100 Mar 26 15:08:03.179: ISAKMP: (1183):SA authentication status: authenticated Mar 26 15:08:03.179: ISAKMP: (1183):SA has been authenticated with 73.107.235.45 Mar 26 15:08:03.179: ISAKMP: (1183):SA authentication status: authenticated Mar 26 15:08:03.179: ISAKMP: (1183):Process initial contact, bring down existing phase 1 and 2 SA's with local 50.250.102.118 remote 73.107.235.45 remote port 500 Mar 26 15:08:03.180: ISAKMP: (0):Trying to insert a peer 50.250.102.118/73.107.235.45/500/, Mar 26 15:08:03.180: ISAKMP: (0): and inserted successfully 80007F7B724717F0. Mar 26 15:08:03.180: ISAKMP: (1183):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE Mar 26 15:08:03.180: ISAKMP: (1183):Old State = IKE_R_MM5 New State = IKE_R_MM5 Mar 26 15:08:03.180: ISAKMP: (1183):SA is doing Mar 26 15:08:03.180: ISAKMP: (1183):pre-shared key authentication using id type ID_IPV4_ADDR Mar 26 15:08:03.180: ISAKMP: (1183):ID payload next-payload : 8 type : 1 Mar 26 15:08:03.181: ISAKMP: (1183): address : 50.250.102.118 Mar 26 15:08:03.181: ISAKMP: (1183): protocol : 17 port : 500 length : 12 Mar 26 15:08:03.181: ISAKMP: (1183):Total payload length: 12 Mar 26 15:08:03.181: ISAKMP-PAK: (1183):sending packet to 73.107.235.45 my_port 500 peer_port 500 (R) MM_KEY_EXCH Mar 26 15:08:03.181: ISAKMP: (1183):Sending an IKE IPv4 Packet. Mar 26 15:08:03.181: ISAKMP: (1183):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE Mar 26 15:08:03.181: ISAKMP: (1183):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE ISR4221# Mar 26 15:08:03.182: ISAKMP: (1183):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE Mar 26 15:08:03.182: ISAKMP: (1183):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE ISR4221# Mar 26 15:08:05.155: ISAKMP-PAK: (1183):received packet from 73.107.235.45 dport 500 sport 500 Global (R) QM_IDLE Mar 26 15:08:05.155: ISAKMP: (1183):set new node 734805177 to QM_IDLE Mar 26 15:08:05.155: ISAKMP: (1183):processing HASH payload. message ID = 734805177 Mar 26 15:08:05.156: ISAKMP: (1183):processing SA payload. message ID = 734805177 Mar 26 15:08:05.156: ISAKMP: (1183):Checking IPSec proposal 1 Mar 26 15:08:05.156: ISAKMP: (1183):transform 1, ESP_3DES Mar 26 15:08:05.156: ISAKMP: (1183): attributes in transform: Mar 26 15:08:05.156: ISAKMP: (1183): SA life type in seconds Mar 26 15:08:05.156: ISAKMP: (1183): SA life duration (basic) of 43200 Mar 26 15:08:05.156: ISAKMP: (1183): encaps is 1 (Tunnel) Mar 26 15:08:05.156: ISAKMP: (1183): authenticator is HMAC-MD5 Mar 26 15:08:05.156: ISAKMP: (1183):atts are acceptable. Mar 26 15:08:05.157: ISAKMP-ERROR: (1183):IPSec policy invalidated proposal with error 1024 Mar 26 15:08:05.157: ISAKMP-ERROR: (1183):phase 2 SA policy not acceptable! (local 50.250.102.118 remote 73.107.235.45) Mar 26 15:08:05.158: ISAKMP: (1183):set new node 3385498750 to QM_IDLE ISR4221# Mar 26 15:08:05.158: ISAKMP: (1183):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 9223512204992471792, message ID = 3385498750 Mar 26 15:08:05.158: ISAKMP-PAK: (1183):sending packet to 73.107.235.45 my_port 500 peer_port 500 (R) QM_IDLE Mar 26 15:08:05.158: ISAKMP: (1183):Sending an IKE IPv4 Packet. Mar 26 15:08:05.158: ISAKMP: (1183):purging node 3385498750 Mar 26 15:08:05.158: ISAKMP-ERROR: (1183):deleting node 734805177 error TRUE reason "QM rejected" Mar 26 15:08:05.159: ISAKMP: (1183):Node 734805177, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH Mar 26 15:08:05.159: ISAKMP: (1183):Old State = IKE_QM_READY New State = IKE_QM_READY ISR4221# Mar 26 15:08:07.164: ISAKMP-PAK: (1183):received packet from 73.107.235.45 dport 500 sport 500 Global (R) QM_IDLE Mar 26 15:08:07.165: ISAKMP: (1183):phase 2 packet is a duplicate of a previous packet. Mar 26 15:08:07.165: ISAKMP: (1183):retransmitting due to retransmit phase 2 Mar 26 15:08:07.165: ISAKMP: (1183):Quick Mode is being processed. Ignoring retransmission ISR4221# Mar 26 15:08:11.174: ISAKMP-PAK: (1183):received packet from 73.107.235.45 dport 500 sport 500 Global (R) QM_IDLE Mar 26 15:08:11.175: ISAKMP: (1183):phase 2 packet is a duplicate of a previous packet. Mar 26 15:08:11.175: ISAKMP: (1183):retransmitting due to retransmit phase 2 Mar 26 15:08:11.175: ISAKMP: (1183):Quick Mode is being processed. Ignoring retransmission Mar 26 15:08:11.441: ISAKMP: (1182):purging node 1730638449 Mar 26 15:08:11.441: ISAKMP: (1182):purging node 3285571772 ISR4221# Mar 26 15:08:19.184: ISAKMP-PAK: (1183):received packet from 73.107.235.45 dport 500 sport 500 Global (R) QM_IDLE Mar 26 15:08:19.184: ISAKMP: (1183):phase 2 packet is a duplicate of a previous packet. Mar 26 15:08:19.185: ISAKMP: (1183):retransmitting due to retransmit phase 2 Mar 26 15:08:19.185: ISAKMP: (1183):Quick Mode is being processed. Ignoring retransmission ISR4221# Mar 26 15:08:21.818: ISAKMP: (1183):set new node 0 to QM_IDLE Mar 26 15:08:21.818: ISAKMP: (1183):SA has outstanding requests (local 50.250.102.118 port 500, remote 73.107.235.45 port 500) Mar 26 15:08:21.818: ISAKMP: (1183):sitting IDLE. Starting QM immediately (QM_IDLE ) Mar 26 15:08:21.818: ISAKMP: (1183):beginning Quick Mode exchange, M-ID of 202785673 Mar 26 15:08:21.830: ISAKMP: (1183):QM Initiator gets spi Mar 26 15:08:21.831: ISAKMP-PAK: (1183):sending packet to 73.107.235.45 my_port 500 peer_port 500 (R) QM_IDLE Mar 26 15:08:21.831: ISAKMP: (1183):Sending an IKE IPv4 Packet. Mar 26 15:08:21.831: ISAKMP: (1183):Node 202785673, Input = IKE_MESG_INTERNAL, IKE_INIT_QM Mar 26 15:08:21.831: ISAKMP: (1183):Old State = IKE_QM_READY New State = IKE_QM_I_QM1 Mar 26 15:08:21.864: ISAKMP-PAK: (1183):received packet from 73.107.235.45 dport 500 sport 500 Global (R) QM_IDLE Mar 26 15:08:21.864: ISAKMP: (1183):set new node 2965253630 to QM_IDLE Mar 26 15:08:21.865: ISAKMP: (1183):processing HASH payload. message ID = 2965253630 Mar 26 15:08:21.865: ISAKMP: (1183):processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 4178712177, message ID = 2965253630, sa = 0x80007F7B718E3100 ISR4221# Mar 26 15:08:21.865: ISAKMP: (1183):deleting spi 4178712177 message ID = 202785673 Mar 26 15:08:21.865: ISAKMP-ERROR: (1183):deleting node 202785673 error TRUE reason "Delete Larval" Mar 26 15:08:21.865: ISAKMP: (1183):deleting node 2965253630 error FALSE reason "Informational (in) state 1" Mar 26 15:08:21.865: ISAKMP: (1183):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY Mar 26 15:08:21.865: ISAKMP: (1183):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE ISR4221# Mar 26 15:08:35.195: ISAKMP-PAK: (1183):received packet from 73.107.235.45 dport 500 sport 500 Global (R) QM_IDLE Mar 26 15:08:35.196: ISAKMP: (1183):phase 2 packet is a duplicate of a previous packet. Mar 26 15:08:35.196: ISAKMP: (1183):retransmitting due to retransmit phase 2 Mar 26 15:08:35.196: ISAKMP: (1183):Quick Mode is being processed. Ignoring retransmission ISR4221# Mar 26 15:08:41.878: ISAKMP: (1182):purging node 828670928 Mar 26 15:08:41.878: ISAKMP: (1182):purging node 4149256254 ISR4221# ISR4221# ISR4221# ISR4221# ISR4221# ISR4221# ISR4221# ISR4221# ISR4221# ISR4221#un all Mar 26 15:08:52.085: ISAKMP: (1182):purging node 2898857848 Mar 26 15:08:52.251: ISAKMP: (1183):set new node 0 to QM_IDLE Mar 26 15:08:52.251: ISAKMP: (1183):SA has outstanding requests (local 50.250.102.118 port 500, remote 73.107.235.45 port 500) Mar 26 15:08:52.251: ISAKMP: (1183):sitting IDLE. Starting QM immediately (QM_IDLE ) Mar 26 15:08:52.251: ISAKMP: (1183):beginning Quick Mode exchange, M-ID of 2615360766 Mar 26 15:08:52.263: ISAKMP: (1183):QM Initiator gets spi Mar 26 15:08:52.264: ISAKMP-PAK: (1183):sending packet to 73.107.235.45 my_port 500 peer_port 500 (R) QM_IDLE Mar 26 15:08:52.264: ISAKMP: (1183):Sending an IKE IPv4 Packet. Mar 26 15:08:52.264: ISAKMP: (1183):Node 2615360766, Input = IKE_MESG_INTERNAL, IKE_INIT_QM Mar 26 15:08:52.264: ISAKMP: (1183):Old State = IKE_QM_READY New State = IKE_QM_I_QM1 Mar 26 15:08:52.301: ISAKMP-PAK: (1183):received packet from 73.107.235.45 dport 500 sport 500 Global (R) QM_IDLE Mar 26 15:08:52.302: ISAKMP: (1183):set new node 3172844811 to QM_IDLE Mar 26 15:08:52.302: ISAKMP: (1183):processing HASH payload. message ID = 3172844811 Mar 26 15:08:52.302: ISAKMP: (1183):processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 726164641, message ID = 3172844811, sa = 0x80007F7B718E3100 ISR4221#un all All possible debugging has been turned off ISR4221# Mar 26 15:08:52.302: ISAKMP: (1183):deleting spi 726164641 message ID = 2615360766 Mar 26 15:08:52.302: ISAKMP-ERROR: (1183):deleting node 2615360766 error TRUE reason "Delete Larval" Mar 26 15:08:52.302: ISAKMP: (1183):deleting node 3172844811 error FALSE reason "Informational (in) state 1" Mar 26 15:08:52.302: ISAKMP: (1183):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY *Mar 26 15:08:52.302: ISAKMP: (1183):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE #9
emnoc Expert Member Total Posts : 6055 Scores: 404 Reward points: 0 Joined: 2008/03/20 13:30:33 Location: AUSTIN TX AREA Status: offline Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/26 08:12:04 (permalink) 0 Can you show the fortigate phase2 settngs? I have a hunch you have ofs enabled or something /* cli show full vpn ipsec phase2-interface < name> The cisco stuff looks good fwiw but we need to make sure fortios is matching Ken Felix PCNSE NSE StrongSwan #10
mrmadgig New Member Total Posts : 13 Scores: 0 Reward points: 0 Joined: 2021/03/24 17:30:57 Status: offline Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/26 08:50:36 (permalink) 0 Hi Ken Here is the output. config vpn ipsec phase2-interface edit "TestToCisco" set phase1name "TestToCisco" set proposal 3des-md5 set pfs disable set ipv4-df disable set replay disable set auto-negotiate enable set auto-discovery-sender phase1 set auto-discovery-forwarder phase1 set keylife-type seconds set encapsulation tunnel-mode set comments '' set protocol 0 set src-addr-type subnet set src-port 0 set dst-addr-type subnet set dst-port 0 set keylifeseconds 86400 set src-subnet 0.0.0.0 0.0.0.0 set dst-subnet 0.0.0.0 0.0.0.0 next end #11
emnoc Expert Member Total Posts : 6055 Scores: 404 Reward points: 0 Joined: 2008/03/20 13:30:33 Location: AUSTIN TX AREA Status: offline Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/26 09:46:31 (permalink) 0 On the fortigate do you have a fwpolicy for the named phase1 interface? You need a policy and the cfg on the fortigate looks okay. What i see in the debug from cisco is ipsec-sa is failing "phase 2 SA policy not acceptable! " and your phase2 has some issues or I'm thinking a policy is missing on the fortigate. You should be negotiating quad 0s ( 0.0.0.0/0 ) between the two ike-peers You can run diag debug enable and followed with diag debug app ike -1 on the fortios device to look at it's debug. Ken Felix PCNSE NSE StrongSwan #12
mrmadgig New Member Total Posts : 13 Scores: 0 Reward points: 0 Joined: 2021/03/24 17:30:57 Status: offline Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/26 10:13:01 (permalink) 0 I do believe that I have the policies but again I am new and not sure. I asked this in the first post. I have ZBFW on the Cisco and I know that is not it because I removed it to test and still no joy. I feel its on the forti side. Please see this image to see if this is the correct policy your asking for. Also the forti post was the diag you wanted. I can do it again. No problem. I am not sure what the Phase1 interface is on this box because it names everything and I am used to numbers. I see the name is the same for both phase interfaces. Is this interface in Network >>> Interfaces ? when I expand my Wan1 interface I see it and it is a Tunnel Interface and it has not been addressed meaning no IP addressing Attached Image(s) #13
mrmadgig New Member Total Posts : 13 Scores: 0 Reward points: 0 Joined: 2021/03/24 17:30:57 Status: offline Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/26 10:24:13 (permalink) 0 Here is the debug. What is the pfs there (perfect forward secret) but I have this turned off on both boxes. It is seeing pfs DH 5 and complaining about it. FORTIGATE # ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco: request is on the queue ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco: request is on the queue ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco: request is on the queue ike 0:TestToCisco:8572:TestToCisco:3438: quick-mode negotiation failed due to retry timeout ike 0:TestToCisco:8572: send IKE SA delete f0e854d883317db0/1318bf0cd9f208a7 ike 0:TestToCisco:8572: enc F0E854D883317DB01318BF0CD9F208A70810050197DB750C0000004C0C000014FF385C8824EED81FBDDFEF5B440F97940000001C0000000101100001F0E854D883317DB013 18BF0CD9F208A7 ike 0:TestToCisco:8572: out F0E854D883317DB01318BF0CD9F208A70810050197DB750C00000054AD220909ACEF3C79F312786B3ED78D7D2699BAC97BC7FC5F5D636DB58935CF783C8466C2960BD7BB16 1F00F867C99A26E73611627C76E234 ike 0:TestToCisco:8572: sent IKE msg (ISAKMP SA DELETE-NOTIFY): 73.107.235.45:500->50.250.102.118:500, len=84, id=f0e854d883317db0/1318bf0cd9f208a7:97db750c ike 0:TestToCisco: connection expiring due to phase1 down ike 0:TestToCisco: deleting ike 0:TestToCisco: deleted ike 0:TestToCisco: set oper down ike 0:TestToCisco: schedule auto-negotiate ike 0:TestToCisco: carrier down ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7.... ike 0: IKEv1 exchange=Informational id=f0e854d883317db0/1318bf0cd9f208a7:12bda5d9 len=84 ike 0: in F0E854D883317DB01318BF0CD9F208A70810050112BDA5D90000005492B55C37D5E76EB34B063C5EE3F9485E484369CEF3B40B2EB99936221332329200E1A68482151653E12C57EE467997DA4ADA CE7C2386DF19 ike 0: no established IKE SA for exchange-type Informational from 50.250.102.118:500->73.107.235.45 7 cookie f0e854d883317db0/1318bf0cd9f208a7, drop ike 0:TestToCisco: auto-negotiate connection ike 0:TestToCisco: created connection: 0x1835d5f0 7 73.107.235.45->50.250.102.118:500. ike 0:TestToCisco:8573: initiator: main mode is sending 1st message... ike 0:TestToCisco:8573: cookie 66aa5be8f78dfbef/0000000000000000 ike 0:TestToCisco:8573: out 66AA5BE8F78DFBEF00000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001000C00040001518080 0100058003000180020001800400020D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C000000000000014 8299031757A36082C6A621DE00000000 ike 0:TestToCisco:8573: sent IKE msg (ident_i1send): 73.107.235.45:500->50.250.102.118:500, len=168, id=66aa5be8f78dfbef/0000000000000000 ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7.... ike 0: IKEv1 exchange=Identity Protection id=66aa5be8f78dfbef/1318bf0ccc64d6ee len=84 ike 0: in 66AA5BE8F78DFBEF1318BF0CCC64D6EE0110020000000000000000540000003800000001000000010000002C01010001000000240101000080010005800200018004000280030001800B0001000C 000400015180 ike 0:TestToCisco:8573: initiator: main mode get 1st response... ike 0:TestToCisco:8573: negotiation result ike 0:TestToCisco:8573: proposal id = 1: ike 0:TestToCisco:8573: protocol id = ISAKMP: ike 0:TestToCisco:8573: trans_id = KEY_IKE. ike 0:TestToCisco:8573: encapsulation = IKE/none ike 0:TestToCisco:8573: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC. ike 0:TestToCisco:8573: type=OAKLEY_HASH_ALG, val=MD5. ike 0:TestToCisco:8573: type=AUTH_METHOD, val=PRESHARED_KEY. ike 0:TestToCisco:8573: type=OAKLEY_GROUP, val=MODP1024. ike 0:TestToCisco:8573: ISAKMP SA lifetime=86400 ike 0:TestToCisco:8573: out 66AA5BE8F78DFBEF1318BF0CCC64D6EE0410020000000000000000B40A000084FB24F893C08A94E3B2053D7FA8F2FCD9BAAD6A36CE2FE8559800742A3AFDAE6451EDC4F53C 50A752147D66BB9E86455922AD8B83B199F7550293D349529F04B813285416674D72A4CBD5CFD4C221366CF6C33B231E3A89ADBC49EB6D8ADD4AD90886C63D67B56F3E60A989927E8FB3AFFB0D28B6A72945E7 01848F9D4ACF3B59000000144F0A3FE02844FDFF8BD7749115F04E13 ike 0:TestToCisco:8573: sent IKE msg (ident_i2send): 73.107.235.45:500->50.250.102.118:500, len=180, id=66aa5be8f78dfbef/1318bf0ccc64d6ee ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7.... ike 0: IKEv1 exchange=Identity Protection id=66aa5be8f78dfbef/1318bf0ccc64d6ee len=256 ike 0: in 66AA5BE8F78DFBEF1318BF0CCC64D6EE0410020000000000000001000A00008495ECFBAEE83CEB62757515D24E40D5E3D2FA3AAD9B176D53E9794B7DCB213C69EB2921D57933F20E4DF7A864E080 C4FB0D95B8EE999B0A5A27552199DC3F9BB2B0E2300503E527B9FEA9828A3D23946B97CD847CEE05D8639767D6169273ACCB1A90B179C21B80BAF267AABBBE8BE7CA2501C56F877F2D3E14BE8E03432BD0500D 000018887A54F5AD41F7471C5FDE11E78434464C1F22C40D00001412F5F28C457168A9702D9FE274CC01000D000014AFCAD71368A1F1C96B8696FC775701000D000014E6DF1811CC65D6EE3631E5E0BC1FA0E8 0000000C09002689DFD6B712 ike 0:TestToCisco:8573: initiator: main mode get 2nd response... ike 0:TestToCisco:8573: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100 ike 0:TestToCisco:8573: peer supports UNITY ike 0:TestToCisco:8573: VID DPD AFCAD71368A1F1C96B8696FC77570100 ike 0:TestToCisco:8573: VID unknown (16): E6DF1811CC65D6EE3631E5E0BC1FA0E8 ike 0:TestToCisco:8573: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712 ike 0:TestToCisco:8573: nat unavailable ike 0:TestToCisco:8573: ISAKMP SA 66aa5be8f78dfbef/1318bf0ccc64d6ee key 24:2C0150064A4CD7322CE6E9448D1FFCA348ED98A81ABA30F8 ike 0:TestToCisco:8573: add INITIAL-CONTACT ike 0:TestToCisco:8573: enc 66AA5BE8F78DFBEF1318BF0CCC64D6EE0510020100000000000000580800000C01000000496BEB2D0B000014A5457FD19CDE7EB9C5207AAF9E3CA0BC0000001C0000000101 10600266AA5BE8F78DFBEF1318BF0CCC64D6EE ike 0:TestToCisco:8573: out 66AA5BE8F78DFBEF1318BF0CCC64D6EE05100201000000000000005C102EB9943E16C2A68BCF5752B0FE347977E370A6EEBB5C14596EA11B1F54067AEC4045D678D73EFE0E 70A9505AFC765A2AE410AD99F35FD5E07495E91A9F76C0 ike 0:TestToCisco:8573: sent IKE msg (ident_i3send): 73.107.235.45:500->50.250.102.118:500, len=92, id=66aa5be8f78dfbef/1318bf0ccc64d6ee ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7.... ike 0: IKEv1 exchange=Identity Protection id=66aa5be8f78dfbef/1318bf0ccc64d6ee len=68 ike 0: in 66AA5BE8F78DFBEF1318BF0CCC64D6EE051002010000000000000044A1E46C50AFF8188B38C5B2A80DC3D2CE371C0EFBB736FFEB3EC3582CCF257D2FBA5F998F506C9177 ike 0:TestToCisco:8573: initiator: main mode get 3rd response... ike 0:TestToCisco:8573: dec 66AA5BE8F78DFBEF1318BF0CCC64D6EE0510020100000000000000440800000C011101F432FA6676000000146D5B653C86477F31BB49A5207C7D36460000000000000000 ike 0:TestToCisco:8573: peer identifier IPV4_ADDR 50.250.102.118 ike 0:TestToCisco:8573: PSK authentication succeeded ike 0:TestToCisco:8573: authentication OK ike 0:TestToCisco:8573: established IKE SA 66aa5be8f78dfbef/1318bf0ccc64d6ee ike 0:TestToCisco: set oper up ike 0:TestToCisco: schedule auto-negotiate ike 0:TestToCisco:8573: no pending Quick-Mode negotiations ike 0:TestToCisco: carrier up ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:500 negotiating ike 0:TestToCisco:8573: cookie 66aa5be8f78dfbef/1318bf0ccc64d6ee:1392001d ike 0:TestToCisco:8573:TestToCisco:3444: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0 ike 0:TestToCisco:8573: enc 66AA5BE8F78DFBEF1318BF0CCC64D6EE081020011392001D00000098010000145F0249249F9B99FE0CC26053C6EAB9DF0A0000340000000100000001000000280103040187 72CD710000001C0103000080010001000200040001518080040001800500010500001425C32DB712AD364452BACE4F0B650AF70500001004000000000000000000000000000010040000000000000000000000 ike 0:TestToCisco:8573: out 66AA5BE8F78DFBEF1318BF0CCC64D6EE081020011392001D0000009C53174B4795466732814F7F8DFAE1E527137F160A70B0E2A5FF320591EF0EAFFDB2283751590D292271 C3794314E844481C7BA4E609E6A850279D6A3696519CD10F3F172B77661693D3CF2AEAB663B87B5DBDC8B852374B8C6DEE941621321286C6116C7A9E321B4F4F45BB6D46C4A42DB159604785B5A12D41960363 193184E1 ike 0:TestToCisco:8573: sent IKE msg (quick_i1send): 73.107.235.45:500->50.250.102.118:500, len=156, id=66aa5be8f78dfbef/1318bf0ccc64d6ee:1392001d ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7.... ike 0: IKEv1 exchange=Informational id=66aa5be8f78dfbef/1318bf0ccc64d6ee:9552fa2c len=84 ike 0: in 66AA5BE8F78DFBEF1318BF0CCC64D6EE081005019552FA2C00000054D5085DE04D866D61E727FFFEB7B6E3BDFDC80DC3F60DD6B980F0895725D5598417F049DF9813F64DB933B2693AFE49EF7382 6706CD2C1AE6 ike 0:TestToCisco:8573: dec 66AA5BE8F78DFBEF1318BF0CCC64D6EE081005019552FA2C000000540B000014E08C9F1E788AEF438FFD1611DC1088540000001C000000010304000E8772CD710A00003400 000001000000010000000000000000 ike 0:TestToCisco:8573: notify msg received: NO-PROPOSAL-CHOSEN ike 0:TestToCisco:8573:TestToCisco:3444: IPsec SPI 8772cd71 match ike 0:TestToCisco:8573: out 66AA5BE8F78DFBEF1318BF0CCC64D6EE081020011392001D0000009C53174B4795466732814F7F8DFAE1E527137F160A70B0E2A5FF320591EF0EAFFDB2283751590D292271 C3794314E844481C7BA4E609E6A850279D6A3696519CD10F3F172B77661693D3CF2AEAB663B87B5DBDC8B852374B8C6DEE941621321286C6116C7A9E321B4F4F45BB6D46C4A42DB159604785B5A12D41960363 193184E1 ike 0:TestToCisco:8573: sent IKE msg (P2_RETRANSMIT): 73.107.235.45:500->50.250.102.118:500, len=156, id=66aa5be8f78dfbef/1318bf0ccc64d6ee:1392001d ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7.... ike 0: IKEv1 exchange=Quick id=66aa5be8f78dfbef/1318bf0ccc64d6ee:c479cc59 len=372 ike 0: in 66AA5BE8F78DFBEF1318BF0CCC64D6EE08102001C479CC5900000174E8213487E8EF8B1A227AA9294C0EFBB89396EBA8F99D9D1F4313EE657B8EB96D52A3ABB9034DFF39C83231A98738C5EA51F9 78380FE274F71288E8649F7FE98B8129AAF2D6D17DB37FFE5379CA559DEE691A787919E1B80CBCF40433B3F51F29B6B73D7076FE18B1473FB22447A8AD81B9AE20E83467E63EBEA75BC7F867E7CE9790A6ABA8 D86D6DF7B3C25BA750BB6E0F6F46A785F72477F6650A0F610C0276E2C40253B3B2FEE8B05A178D3700029A168AB6BEA4CF8996460D8041CD8E95C14D492F0300EA7C3A64533A55B1D1DFA29E396451BF58486A D5002CB7AF0D69388F6BEF3185E0C05FE7E2B42E82B0C7D169B6A84E0B4E1D2C59AB2E9FA1A3458EAFA9D30B2A598043FF91A449A6D817EB19F5A61084E6F8CD5F31062DC9FA31003653ACD27997C8C47B17DE 0D6C22401FC3C9FB7141FC0EBD91DD4E058A0426228E3E46D04B468C008C4511192183F34D3CC789B58658044E ike 0:TestToCisco:8573:3445: responder received first quick-mode message ike 0:TestToCisco:8573: dec 66AA5BE8F78DFBEF1318BF0CCC64D6EE08102001C479CC590000017401000014BB99C78729A118469C38A4858FC63A300A00004000000001000000010000003401030401D4 DC82C20000002801030000800400018001000180020E1080010002000200040046500080050001800300050400001887269BAC709943C1DDFD3EE77CDCB237513E464A050000C4FEF76ECC4278965467DD8B28 874BF68B96C035AD58F3C231230CF70792EF3C2977B2EB6F1307E522FD309352027D578429776413AA993524C2FAFAAE4BC3E894C14E335C8FEDA43F4D739A8E3D371F8DD414485DEFC814995C47775A07B4C2 246DC4B7336BBA509AC791C648AED4AC2FB665960F6CF0798D800BFC1078B8BE7562109788944ED7D12E96721164879277DD4C29B449027596B0BBA7DBB6519E0AFCE83E1C7BC2762978B74AC24D6A39C53F53 932567DD455728CB876F694C95B705000010040000000000000000000000000000100400000000000000000000000000000000000000 ike 0:TestToCisco:8573:3445: peer proposal is: peer:0:0.0.0.0-255.255.255.255:0, me:0:0.0.0.0-255.255.255.255:0 ike 0:TestToCisco:8573:TestToCisco:3445: trying ike 0:TestToCisco:8573:TestToCisco:3445: matched phase2 ike 0:TestToCisco:8573:TestToCisco:3445: autokey ike 0:TestToCisco:8573:TestToCisco:3445: my proposal: ike 0:TestToCisco:8573:TestToCisco:3445: proposal id = 1: ike 0:TestToCisco:8573:TestToCisco:3445: protocol id = IPSEC_ESP: ike 0:TestToCisco:8573:TestToCisco:3445: trans_id = ESP_3DES ike 0:TestToCisco:8573:TestToCisco:3445: encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:TestToCisco:8573:TestToCisco:3445: type = AUTH_ALG, val=MD5 ike 0:TestToCisco:8573:TestToCisco:3445: incoming proposal: ike 0:TestToCisco:8573:TestToCisco:3445: proposal id = 1: ike 0:TestToCisco:8573:TestToCisco:3445: protocol id = IPSEC_ESP: ike 0:TestToCisco:8573:TestToCisco:3445: PFS DH group = 5 ike 0:TestToCisco:8573:TestToCisco:3445: trans_id = ESP_3DES ike 0:TestToCisco:8573:TestToCisco:3445: encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:TestToCisco:8573:TestToCisco:3445: type = AUTH_ALG, val=MD5 ike 0:TestToCisco:8573:TestToCisco:3445: did not expect PFS DH group, received DH group 5 ike 0:TestToCisco:8573:TestToCisco:3445: negotiation failure ike Negotiate IPsec SA Error: ike 0:TestToCisco:8573:3445: no SA proposal chosen ike 0:TestToCisco:3445: info_send_n2, type 14, peer SPI d4dc82c2 ike 0:TestToCisco:8573: enc 66AA5BE8F78DFBEF1318BF0CCC64D6EE08100501677915D4000000400B0000148DEAA2A2AFFC09DADEF9C80D68F0C55700000010000000010304000ED4DC82C2 ike 0:TestToCisco:8573: out 66AA5BE8F78DFBEF1318BF0CCC64D6EE08100501677915D40000004463FD36A88CCDCC143BDC2AAC9BB09A20C48A31C8E7B3D84A587FCF8B8F41DABB14C89823E8E2F730 ike 0:TestToCisco:8573: sent IKE msg (p2_notify_14): 73.107.235.45:500->50.250.102.118:500, len=68, id=66aa5be8f78dfbef/1318bf0ccc64d6ee:677915d4 ike 0:TestToCisco:8573: error processing quick-mode message from 50.250.102.118 as responder ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco: request is on the queue ike 0:TestToCisco:8573: out 66AA5BE8F78DFBEF1318BF0CCC64D6EE081020011392001D0000009C53174B4795466732814F7F8DFAE1E527137F160A70B0E2A5FF320591EF0EAFFDB2283751590D292271 C3794314E844481C7BA4E609E6A850279D6A3696519CD10F3F172B77661693D3CF2AEAB663B87B5DBDC8B852374B8C6DEE941621321286C6116C7A9E321B4F4F45BB6D46C4A42DB159604785B5A12D41960363 193184E1 ike 0:TestToCisco:8573: sent IKE msg (P2_RETRANSMIT): 73.107.235.45:500->50.250.102.118:500, len=156, id=66aa5be8f78dfbef/1318bf0ccc64d6ee:1392001d ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco: request is on the queue ike 0:TestToCisco:8573: out 66AA5BE8F78DFBEF1318BF0CCC64D6EE081020011392001D0000009C53174B4795466732814F7F8DFAE1E527137F160A70B0E2A5FF320591EF0EAFFDB2283751590D292271 C3794314E844481C7BA4E609E6A850279D6A3696519CD10F3F172B77661693D3CF2AEAB663B87B5DBDC8B852374B8C6DEE941621321286C6116C7A9E321B4F4F45BB6D46C4A42DB159604785B5A12D41960363 193184E1 ike 0:TestToCisco:8573: sent IKE msg (P2_RETRANSMIT): 73.107.235.45:500->50.250.102.118:500, len=156, id=66aa5be8f78dfbef/1318bf0ccc64d6ee:1392001d ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco: request is on the queue ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco: request is on the queue ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco: request is on the queue ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco: request is on the queue ike 0:TestToCisco:8573: out 66AA5BE8F78DFBEF1318BF0CCC64D6EE081020011392001D0000009C53174B4795466732814F7F8DFAE1E527137F160A70B0E2A5FF320591EF0EAFFDB2283751590D292271 C3794314E844481C7BA4E609E6A850279D6A3696519CD10F3F172B77661693D3CF2AEAB663B87B5DBDC8B852374B8C6DEE941621321286C6116C7A9E321B4F4F45BB6D46C4A42DB159604785B5A12D41960363 193184E1 ike 0:TestToCisco:8573: sent IKE msg (P2_RETRANSMIT): 73.107.235.45:500->50.250.102.118:500, len=156, id=66aa5be8f78dfbef/1318bf0ccc64d6ee:1392001d ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7.... ike 0: IKEv1 exchange=Quick id=66aa5be8f78dfbef/1318bf0ccc64d6ee:21b5991f len=372 ike 0: in 66AA5BE8F78DFBEF1318BF0CCC64D6EE0810200121B5991F00000174AB410BA7C054479484CBF91A8B63DA561AB7DE1D64E974C26CC483E34BD3D55BED6A04D6398E44CF69D66B4B531DD9E211B8 63D917E89D981AD281B96FCBC3EBED2DC35F019F2C0C9DB0AA4917CDC6CE8BE59B4E123C4904F5A057E390232BFAA6C9F5D4C1504CC67575B13F1E8E118B157AE183AE1939567FAD618487DD352BC8EDC0D9CF 48EEADA7767E5DBFB1D00493898BE72A78290CED356369A009CB59DA3792B67EDC3455BE61A23BC62F6D24BB0C04BA64A7C0C9C31BE6FB31D35E91BB9AC3E7B0134FF641DA60EE697DAE36DC29530473C15D0F B47C69DA51BC1B95AC2D6114659CD5A6E4A450E0F5EB2D44C9B4E4EF2E29DEE2F9396AEBD18248B8CC544AE089911B8712A2CC200255D7BED8F7F3B84A9C5D5D807E924DF6BBEFE38DBCD2B8C44648F5915B4B 03186E95B154321AF24130BFAC221921869499BBF4A5379C44D21FAB16C28E38684FAF03627C4475DD45BE058D ike 0:TestToCisco:8573:3447: responder received first quick-mode message ike 0:TestToCisco:8573: dec 66AA5BE8F78DFBEF1318BF0CCC64D6EE0810200121B5991F00000174010000145C7911332A81E2E1DD1397DEFD3E3E320A0000400000000100000001000000340103040190 9DF0950000002801030000800400018001000180020E10800100020002000400465000800500018003000504000018F5A63B69A58EE2011AE4FA458EBF04D94445E94D050000C476A09A9E93915F3F619A9786 423E1E5CE3428DF1287635EA80708D903C76DABE21B6FA3FDC93F5095352469C86ACC84D84F38BB825FF294E9859639CF89D2D713FFFA92F66E9F88CA423BB8A23AEB18D3E9062B48A2A1FC733D9542271004B 33DE7DCC210995F1E9448B4F048C10F08D48D05A82353AD4C0E4EDFFD8A0234B537BDEE9F753849B939559623EF1B904C86600042C93CA4B5DC2D4253C361EBBAC59EAD08049EFEAAA749FA8E4BDC21D2F6A92 FD4CAD804DB7E921EAADE949049805000010040000000000000000000000000000100400000000000000000000000000000000000000 ike 0:TestToCisco:8573:3447: peer proposal is: peer:0:0.0.0.0-255.255.255.255:0, me:0:0.0.0.0-255.255.255.255:0 ike 0:TestToCisco:8573:TestToCisco:3447: trying ike 0:TestToCisco:8573:TestToCisco:3447: matched phase2 ike 0:TestToCisco:8573:TestToCisco:3447: autokey ike 0:TestToCisco:8573:TestToCisco:3447: my proposal: ike 0:TestToCisco:8573:TestToCisco:3447: proposal id = 1: ike 0:TestToCisco:8573:TestToCisco:3447: protocol id = IPSEC_ESP: ike 0:TestToCisco:8573:TestToCisco:3447: trans_id = ESP_3DES ike 0:TestToCisco:8573:TestToCisco:3447: encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:TestToCisco:8573:TestToCisco:3447: type = AUTH_ALG, val=MD5 ike 0:TestToCisco:8573:TestToCisco:3447: incoming proposal: ike 0:TestToCisco:8573:TestToCisco:3447: proposal id = 1: ike 0:TestToCisco:8573:TestToCisco:3447: protocol id = IPSEC_ESP: ike 0:TestToCisco:8573:TestToCisco:3447: PFS DH group = 5 ike 0:TestToCisco:8573:TestToCisco:3447: trans_id = ESP_3DES ike 0:TestToCisco:8573:TestToCisco:3447: encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:TestToCisco:8573:TestToCisco:3447: type = AUTH_ALG, val=MD5 ike 0:TestToCisco:8573:TestToCisco:3447: did not expect PFS DH group, received DH group 5 ike 0:TestToCisco:8573:TestToCisco:3447: negotiation failure ike Negotiate IPsec SA Error: ike 0:TestToCisco:8573:3447: no SA proposal chosen ike 0:TestToCisco:3447: info_send_n2, type 14, peer SPI 909df095 ike 0:TestToCisco:8573: enc 66AA5BE8F78DFBEF1318BF0CCC64D6EE081005011240A962000000400B00001471115A746F4C2B42843CF9D72CA4A2C200000010000000010304000E909DF095 ike 0:TestToCisco:8573: out 66AA5BE8F78DFBEF1318BF0CCC64D6EE081005011240A96200000044F99061C1B3FA83EA359824A8FE435074EDD91EB2BBA641BC259B457A2607E39DBD52D5BDC0564D74 ike 0:TestToCisco:8573: sent IKE msg (p2_notify_14): 73.107.235.45:500->50.250.102.118:500, len=68, id=66aa5be8f78dfbef/1318bf0ccc64d6ee:1240a962 ike 0:TestToCisco:8573: error processing quick-mode message from 50.250.102.118 as responder ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco: request is on the queue ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco: request is on the queue ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco: request is on the queue ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco: request is on the queue ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco: request is on the queue ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco: request is on the queue ike 0:TestToCisco:8573:TestToCisco:3444: quick-mode negotiation failed due to retry timeout ike 0:TestToCisco:8573: send IKE SA delete 66aa5be8f78dfbef/1318bf0ccc64d6ee ike 0:TestToCisco:8573: enc 66AA5BE8F78DFBEF1318BF0CCC64D6EE08100501CE3301E00000004C0C000014094B7E21C5269B2435A6D734AB9012C90000001C000000010110000166AA5BE8F78DFBEF13 18BF0CCC64D6EE ike 0:TestToCisco:8573: out 66AA5BE8F78DFBEF1318BF0CCC64D6EE08100501CE3301E0000000547054A36EDFF3CA6245B51A516843832D6002275769063E6E9E321CBE205540369B94560C47B459E401 D200DB26AE219C3E5F26EBB6BE086B ike 0:TestToCisco:8573: sent IKE msg (ISAKMP SA DELETE-NOTIFY): 73.107.235.45:500->50.250.102.118:500, len=84, id=66aa5be8f78dfbef/1318bf0ccc64d6ee:ce3301e0 ike 0:TestToCisco: connection expiring due to phase1 down ike 0:TestToCisco: deleting ike 0:TestToCisco: deleted ike 0:TestToCisco: set oper down ike 0:TestToCisco: schedule auto-negotiate ike 0:TestToCisco: carrier down ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7.... ike 0: IKEv1 exchange=Informational id=66aa5be8f78dfbef/1318bf0ccc64d6ee:35e73c21 len=84 ike 0: in 66AA5BE8F78DFBEF1318BF0CCC64D6EE0810050135E73C2100000054DF4B3304C7C2434B5837EFCEDBF84F67E702455632DD195DB37B227B82CD644CDE9F9AF9FCE6FCAA9660F147273FD4930F35 57B113087728 ike 0: no established IKE SA for exchange-type Informational from 50.250.102.118:500->73.107.235.45 7 cookie 66aa5be8f78dfbef/1318bf0ccc64d6ee, drop ike 0:TestToCisco: auto-negotiate connection ike 0:TestToCisco: created connection: 0x1835d5f0 7 73.107.235.45->50.250.102.118:500. ike 0:TestToCisco:8574: initiator: main mode is sending 1st message... ike 0:TestToCisco:8574: cookie d93c289577b4b469/0000000000000000 ike 0:TestToCisco:8574: out D93C289577B4B46900000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001000C00040001518080 0100058003000180020001800400020D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C000000000000014 8299031757A36082C6A621DE00000000 ike 0:TestToCisco:8574: sent IKE msg (ident_i1send): 73.107.235.45:500->50.250.102.118:500, len=168, id=d93c289577b4b469/0000000000000000 ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7.... ike 0: IKEv1 exchange=Identity Protection id=d93c289577b4b469/1318bf0cc55043c8 len=84 ike 0: in D93C289577B4B4691318BF0CC55043C80110020000000000000000540000003800000001000000010000002C01010001000000240101000080010005800200018004000280030001800B0001000C 000400015180 ike 0:TestToCisco:8574: initiator: main mode get 1st response... ike 0:TestToCisco:8574: negotiation result ike 0:TestToCisco:8574: proposal id = 1: ike 0:TestToCisco:8574: protocol id = ISAKMP: ike 0:TestToCisco:8574: trans_id = KEY_IKE. ike 0:TestToCisco:8574: encapsulation = IKE/none ike 0:TestToCisco:8574: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC. ike 0:TestToCisco:8574: type=OAKLEY_HASH_ALG, val=MD5. ike 0:TestToCisco:8574: type=AUTH_METHOD, val=PRESHARED_KEY. ike 0:TestToCisco:8574: type=OAKLEY_GROUP, val=MODP1024. ike 0:TestToCisco:8574: ISAKMP SA lifetime=86400 ike 0:TestToCisco:8574: out D93C289577B4B4691318BF0CC55043C80410020000000000000000B40A000084021E65EB3995D812BE5AB4CACDEBB31687628B17781089143A1781AC522D3CCB860CC05C87 8786A6966628A077BE7AF828031873FA6A10A5A2E3DCD893D1AF5B691680C03CFEB5A2DB51534C0549484631A8527A49F8DE607C9718BA6789F97E84A1D1E10677E4DD1E250FC6FFF895F49F215FF598D0877F 3582DC09B9A71A6C00000014F6E5E785ECD1390A7BB892051CE95CB3 ike 0:TestToCisco:8574: sent IKE msg (ident_i2send): 73.107.235.45:500->50.250.102.118:500, len=180, id=d93c289577b4b469/1318bf0cc55043c8 ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7.... ike 0: IKEv1 exchange=Identity Protection id=d93c289577b4b469/1318bf0cc55043c8 len=256 ike 0: in D93C289577B4B4691318BF0CC55043C80410020000000000000001000A000084C487AA6E4ED0D61928848C6539D96FB65B8497EF7CB9AC9F08F7A5C2E60816833BC5F8F7DE47EAFB2313C0778D6C F90EBFB4C55F644B76ED260C3172D49612D3F6F12B653508B93A65E7D49E136E614540B4965AFDF712627D0EBC9B98966D4043BBEB283CC0B316219151FFF2257182226284BFBC0EA7E1C8E651BBC7574EE10D 000018AFBAC2537E89DD472E99FC916DF2815986A8A0770D00001412F5F28C457168A9702D9FE274CC01000D000014AFCAD71368A1F1C96B8696FC775701000D000014E6DF1811C55143C8D36FAC24D2C348F6 0000000C09002689DFD6B712 ike 0:TestToCisco:8574: initiator: main mode get 2nd response... ike 0:TestToCisco:8574: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100 ike 0:TestToCisco:8574: peer supports UNITY ike 0:TestToCisco:8574: VID DPD AFCAD71368A1F1C96B8696FC77570100 ike 0:TestToCisco:8574: VID unknown (16): E6DF1811C55143C8D36FAC24D2C348F6 ike 0:TestToCisco:8574: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712 ike 0:TestToCisco:8574: nat unavailable ike 0:TestToCisco:8574: ISAKMP SA d93c289577b4b469/1318bf0cc55043c8 key 24:84AC9D87C7D4074CE8C4E393FE66DED0340F58A168472F9E ike 0:TestToCisco:8574: add INITIAL-CONTACT ike 0:TestToCisco:8574: enc D93C289577B4B4691318BF0CC55043C80510020100000000000000580800000C01000000496BEB2D0B000014384400BD711DEE00EC3202800D46F0A60000001C0000000101 106002D93C289577B4B4691318BF0CC55043C8 ike 0:TestToCisco:8574: out D93C289577B4B4691318BF0CC55043C805100201000000000000005CBC89E799A7A00BCE5AABAA5E6F041C4175344BA53557699F5A5ECAC6B10A0924B66C1E478323EDE80E 34C9D3DE9E742DC18B4E728EE286410D9510A8C5104E91 ike 0:TestToCisco:8574: sent IKE msg (ident_i3send): 73.107.235.45:500->50.250.102.118:500, len=92, id=d93c289577b4b469/1318bf0cc55043c8 ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7.... ike 0: IKEv1 exchange=Identity Protection id=d93c289577b4b469/1318bf0cc55043c8 len=68 ike 0: in D93C289577B4B4691318BF0CC55043C80510020100000000000000446857DF1F98793AFB9CE0D7BCC0E7B95079C6875DC6798DDCCB20221430D8DD3D6851C6A78917C4BE ike 0:TestToCisco:8574: initiator: main mode get 3rd response... ike 0:TestToCisco:8574: dec D93C289577B4B4691318BF0CC55043C80510020100000000000000440800000C011101F432FA6676000000147A3D384D135D831E5E276BF5D709121B0000000000000000 ike 0:TestToCisco:8574: peer identifier IPV4_ADDR 50.250.102.118 ike 0:TestToCisco:8574: PSK authentication succeeded ike 0:TestToCisco:8574: authentication OK ike 0:TestToCisco:8574: established IKE SA d93c289577b4b469/1318bf0cc55043c8 ike 0:TestToCisco: set oper up ike 0:TestToCisco: schedule auto-negotiate ike 0:TestToCisco:8574: no pending Quick-Mode negotiations ike 0:TestToCisco: carrier up ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7.... ike 0: IKEv1 exchange=Quick id=d93c289577b4b469/1318bf0cc55043c8:96a5bc24 len=372 ike 0: in D93C289577B4B4691318BF0CC55043C80810200196A5BC240000017452C36F66D85C816EC34FE7B25D02AB4FCCDE13B234D92EED07C78B54F19C746C3D22890F9DAF95228015E4ECBAC5A45A1FFB 0E6FB9801932355E4D4FD1C51119C3410B0050DA44EA13EA00AABA6CA19EAF9D7A273186FCDB09055A0ADB82692908BC743CBAE2EA9E4C4C15326E91FAB7101E0702C6D4114FAA48DB304D4EC4329CFA861BA6 DE6504859868700F9F91D73A9DADEE2E1B87ADAD0D648F44792CEB92B973CFE8D9D1B6567193A14EEB04DB25A1BF182373E29AA01A20C62DA11F51C044489A381DBB11573A440285A26DC03CB43AC36784604D 1CDDDC7F6C79225211F67F77B3031F41649922AF7EBEB6F94972C04A0EF0D0A0011AABC8949AF93FDA0BE6A63FE3D36C2F90CAD8EA3728ED536A2D0B6A1E750F989645ECE052C5B25BF5C64D794AAD7C6F9F07 32D9B44DF92A98455D4E71403388086EB1F79880B202D49476EA3B068E36FADD3BDC9D9AFBC6B128D2FEDAB4A8 ike 0:TestToCisco:8574:3450: responder received first quick-mode message ike 0:TestToCisco:8574: dec D93C289577B4B4691318BF0CC55043C80810200196A5BC2400000174010000149B76A5508F72291111B34F73C201E4DC0A0000400000000100000001000000340103040153 858A910000002801030000800400018001000180020E10800100020002000400465000800500018003000504000018370676FEB284DB910AD5C577095297C41A9E8B64050000C4DDE36922B26EB54C972D4D2C DDED574F996F754ACF1A60DA9D79D7BA44B4146999F278A3A23AA0FD8776B8822D87F1519D044DC3F94EB584A69E492148C64BFC518F33E37C562CD76983F72DB2B0D993863E03B28C1D671686746B3613109A 65525A0DBFA4E7F9D3996DE6BD71C6248449E2E1E932D77503357C4E3E85E41E986316CD18E7BF42F3354696687C5C486CC73A16244E9CFE092D6CEFAC2F9EF8D1B18E80A21FD90C5A93031B0761A37F7C54D7 7FC50AEE95F822E57A5474869DBB05000010040000000000000000000000000000100400000000000000000000000000000000000000 ike 0:TestToCisco:8574:3450: peer proposal is: peer:0:0.0.0.0-255.255.255.255:0, me:0:0.0.0.0-255.255.255.255:0 ike 0:TestToCisco:8574:TestToCisco:3450: trying ike 0:TestToCisco:8574:TestToCisco:3450: matched phase2 ike 0:TestToCisco:8574:TestToCisco:3450: autokey ike 0:TestToCisco:8574:TestToCisco:3450: my proposal: ike 0:TestToCisco:8574:TestToCisco:3450: proposal id = 1: ike 0:TestToCisco:8574:TestToCisco:3450: protocol id = IPSEC_ESP: ike 0:TestToCisco:8574:TestToCisco:3450: trans_id = ESP_3DES ike 0:TestToCisco:8574:TestToCisco:3450: encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:TestToCisco:8574:TestToCisco:3450: type = AUTH_ALG, val=MD5 ike 0:TestToCisco:8574:TestToCisco:3450: incoming proposal: ike 0:TestToCisco:8574:TestToCisco:3450: proposal id = 1: ike 0:TestToCisco:8574:TestToCisco:3450: protocol id = IPSEC_ESP: ike 0:TestToCisco:8574:TestToCisco:3450: PFS DH group = 5 ike 0:TestToCisco:8574:TestToCisco:3450: trans_id = ESP_3DES ike 0:TestToCisco:8574:TestToCisco:3450: encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:TestToCisco:8574:TestToCisco:3450: type = AUTH_ALG, val=MD5 ike 0:TestToCisco:8574:TestToCisco:3450: did not expect PFS DH group, received DH group 5 ike 0:TestToCisco:8574:TestToCisco:3450: negotiation failure ike Negotiate IPsec SA Error: ike 0:TestToCisco:8574:3450: no SA proposal chosen ike 0:TestToCisco:3450: info_send_n2, type 14, peer SPI 53858a91 ike 0:TestToCisco:8574: enc D93C289577B4B4691318BF0CC55043C808100501654773E0000000400B000014DEB121223C139BA6C711F17BD8DE3D1900000010000000010304000E53858A91 ike 0:TestToCisco:8574: out D93C289577B4B4691318BF0CC55043C808100501654773E0000000440D77896871072EB246F5124A22C7E4CA4C2A3818552C9216A9D8DB0F9BAE4D1CD6C5DADAFE2D626D ike 0:TestToCisco:8574: sent IKE msg (p2_notify_14): 73.107.235.45:500->50.250.102.118:500, len=68, id=d93c289577b4b469/1318bf0cc55043c8:654773e0 ike 0:TestToCisco:8574: error processing quick-mode message from 50.250.102.118 as responder ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:500 negotiating ike 0:TestToCisco:8574: cookie d93c289577b4b469/1318bf0cc55043c8:63e0de5f ike 0:TestToCisco:8574:TestToCisco:3452: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0 ike 0:TestToCisco:8574: enc D93C289577B4B4691318BF0CC55043C80810200163E0DE5F000000980100001412E2DA1F974566E666B4EF99226AF92A0A0000340000000100000001000000280103040187 72CD720000001C0103000080010001000200040001518080040001800500010500001460FD41AAA6586F1C39EAD374D5C18A420500001004000000000000000000000000000010040000000000000000000000 ike 0:TestToCisco:8574: out D93C289577B4B4691318BF0CC55043C80810200163E0DE5F0000009C159304D68394220401A702AFD1BB6B9E7138ACADCDFAC689EDD6D2BD86D16C89F73AC28668BD9ED0B5 04D58AD39EFFADCC3DAAEC1579564A9F52BBC8DEC3E578D076074529BCCEF4803148906240FA4D9DA46BAD6076A13703058602EE929E4074F2DF65F14CD41AC3A30232AD923972B1D72E60C0E46D90E0A158F0 536D2E29 ike 0:TestToCisco:8574: sent IKE msg (quick_i1send): 73.107.235.45:500->50.250.102.118:500, len=156, id=d93c289577b4b469/1318bf0cc55043c8:63e0de5f ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7.... ike 0: IKEv1 exchange=Informational id=d93c289577b4b469/1318bf0cc55043c8:a15eece1 len=84 ike 0: in D93C289577B4B4691318BF0CC55043C808100501A15EECE1000000548C319BFB090223A806ED597CFF96BAEE6357B41B61DEB361954F9580B346F4D09C6D140BF363EA503C0D19A66BDED2FD77A0 F0A0C3C988E4 ike 0:TestToCisco:8574: dec D93C289577B4B4691318BF0CC55043C808100501A15EECE1000000540B00001483A94DF8AFEB1722ECCDB01E1030D3620000001C000000010304000E8772CD720A00003400 000001000000010000000000000000 ike 0:TestToCisco:8574: notify msg received: NO-PROPOSAL-CHOSEN ike 0:TestToCisco:8574:TestToCisco:3452: IPsec SPI 8772cd72 match ike 0:TestToCisco:8574: out D93C289577B4B4691318BF0CC55043C80810200163E0DE5F0000009C159304D68394220401A702AFD1BB6B9E7138ACADCDFAC689EDD6D2BD86D16C89F73AC28668BD9ED0B5 04D58AD39EFFADCC3DAAEC1579564A9F52BBC8DEC3E578D076074529BCCEF4803148906240FA4D9DA46BAD6076A13703058602EE929E4074F2DF65F14CD41AC3A30232AD923972B1D72E60C0E46D90E0A158F0 536D2E29 ike 0:TestToCisco:8574: sent IKE msg (P2_RETRANSMIT): 73.107.235.45:500->50.250.102.118:500, len=156, id=d93c289577b4b469/1318bf0cc55043c8:63e0de5f ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco: request is on the queue ike 0:TestToCisco:8574: out D93C289577B4B4691318BF0CC55043C80810200163E0DE5F0000009C159304D68394220401A702AFD1BB6B9E7138ACADCDFAC689EDD6D2BD86D16C89F73AC28668BD9ED0B5 04D58AD39EFFADCC3DAAEC1579564A9F52BBC8DEC3E578D076074529BCCEF4803148906240FA4D9DA46BAD6076A13703058602EE929E4074F2DF65F14CD41AC3A30232AD923972B1D72E60C0E46D90E0A158F0 536D2E29 ike 0:TestToCisco:8574: sent IKE msg (P2_RETRANSMIT): 73.107.235.45:500->50.250.102.118:500, len=156, id=d93c289577b4b469/1318bf0cc55043c8:63e0de5f ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco: request is on the queue ike 0:TestToCisco:8574: out D93C289577B4B4691318BF0CC55043C80810200163E0DE5F0000009C159304D68394220401A702AFD1BB6B9E7138ACADCDFAC689EDD6D2BD86D16C89F73AC28668BD9ED0B5 04D58AD39EFFADCC3DAAEC1579564A9F52BBC8DEC3E578D076074529BCCEF4803148906240FA4D9DA46BAD6076A13703058602EE929E4074F2DF65F14CD41AC3A30232AD923972B1D72E60C0E46D90E0A158F0 536D2E29 ike 0:TestToCisco:8574: sent IKE msg (P2_RETRANSMIT): 73.107.235.45:500->50.250.102.118:500, len=156, id=d93c289577b4b469/1318bf0cc55043c8:63e0de5f ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco: request is on the queue ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco: request is on the queue ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco: request is on the queue ike 0:TestToCisco:8574: out D93C289577B4B4691318BF0CC55043C80810200163E0DE5F0000009C159304D68394220401A702AFD1BB6B9E7138ACADCDFAC689EDD6D2BD86D16C89F73AC28668BD9ED0B5 04D58AD39EFFADCC3DAAEC1579564A9F52BBC8DEC3E578D076074529BCCEF4803148906240FA4D9DA46BAD6076A13703058602EE929E4074F2DF65F14CD41AC3A30232AD923972B1D72E60C0E46D90E0A158F0 536D2E29 ike 0:TestToCisco:8574: sent IKE msg (P2_RETRANSMIT): 73.107.235.45:500->50.250.102.118:500, len=156, id=d93c289577b4b469/1318bf0cc55043c8:63e0de5f ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco: request is on the queue ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7.... ike 0: IKEv1 exchange=Quick id=d93c289577b4b469/1318bf0cc55043c8:1563580e len=372 ike 0: in D93C289577B4B4691318BF0CC55043C8081020011563580E0000017402F4684E4D9F4757767A021DF28A811C955253736B0341024BF52604E25667F827283EEBDFE570F27E854CF2C10CF62D225E 7A249ADAC723259AC3596775E01DB3EB856BF8DB2AFFBBB575FDEC102D3F07EE86B63951ABB25E52CC533BD42D1D3AF3B24452D115084BD38725DD4F26071E46D21A9CFD7032A7688E24C0EB8D686ED0A058D4 F1F63EF62138ABE9C40A0BAEE1CA1D7260F0B0F6F0E567964016FF6517BCD1C051F50CE8DCFC98E14B4A2329BEFE6359F2569A1CD4D54DB226E5DCD7E5CA6B76162A41AA8B0AC0584732A93907F2B4490044A9 E1509DEC1568460D693D5FFD82BCBAE9A85E47D06A3BDE74F3498B1441A5DA06C62130D93DD6BA01EE57B1E905576F86FCA2983F9DAD01D9B49350D3BDA8D23868589344B8DDEA32A6410261B7B7DE700F59A4 C33214855B9027C4D3D87A846ABE9BABD5644CCFF08A1A3BD68BD2DB265F98D2ACD9472E78D40E650C8CA881F3 ike 0:TestToCisco:8574:3453: responder received first quick-mode message ike 0:TestToCisco:8574: dec D93C289577B4B4691318BF0CC55043C8081020011563580E0000017401000014BD1EE500686ADC3F8DB53ECA0E523DAD0A00004000000001000000010000003401030401E5 7BC5190000002801030000800400018001000180020E10800100020002000400465000800500018003000504000018957AEEFC4DD6620143FE2FE89EF8EF350A865A8D050000C4AF634A4AEF91C635109985CA 6E32289AC4951C1B146DE8D33713DBEC89A1B578409018F3E7631235A6C6B2BBCCE77F79F73C48C4E2C60811FBFA39F7A778EFC5E5DDA15C36F17377A923304E26B6176C5FC7624D4E502DFD7D13423A5D05AD CE84967DF37B5E572FC027FC45FAA9A4303D2DE7ECEA4C7A94430D99F0855BC394E882B99B7580D856E9127882F8E34CD2BF65DB8BDB8ED2EF9904BA7F9A2B0E2319DED5E67798CBEF3F7860A467C96DD8399F 6B1660919BE06465B6EC80855B7C05000010040000000000000000000000000000100400000000000000000000000000000000000000 ike 0:TestToCisco:8574:3453: peer proposal is: peer:0:0.0.0.0-255.255.255.255:0, me:0:0.0.0.0-255.255.255.255:0 ike 0:TestToCisco:8574:TestToCisco:3453: trying ike 0:TestToCisco:8574:TestToCisco:3453: matched phase2 ike 0:TestToCisco:8574:TestToCisco:3453: autokey ike 0:TestToCisco:8574:TestToCisco:3453: my proposal: ike 0:TestToCisco:8574:TestToCisco:3453: proposal id = 1: ike 0:TestToCisco:8574:TestToCisco:3453: protocol id = IPSEC_ESP: ike 0:TestToCisco:8574:TestToCisco:3453: trans_id = ESP_3DES ike 0:TestToCisco:8574:TestToCisco:3453: encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:TestToCisco:8574:TestToCisco:3453: type = AUTH_ALG, val=MD5 ike 0:TestToCisco:8574:TestToCisco:3453: incoming proposal: ike 0:TestToCisco:8574:TestToCisco:3453: proposal id = 1: ike 0:TestToCisco:8574:TestToCisco:3453: protocol id = IPSEC_ESP: ike 0:TestToCisco:8574:TestToCisco:3453: PFS DH group = 5 ike 0:TestToCisco:8574:TestToCisco:3453: trans_id = ESP_3DES ike 0:TestToCisco:8574:TestToCisco:3453: encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:TestToCisco:8574:TestToCisco:3453: type = AUTH_ALG, val=MD5 ike 0:TestToCisco:8574:TestToCisco:3453: did not expect PFS DH group, received DH group 5 ike 0:TestToCisco:8574:TestToCisco:3453: negotiation failure ike Negotiate IPsec SA Error: ike 0:TestToCisco:8574:3453: no SA proposal chosen ike 0:TestToCisco:3453: info_send_n2, type 14, peer SPI e57bc519 ike 0:TestToCisco:8574: enc D93C289577B4B4691318BF0CC55043C80810050181F6B68E000000400B00001442E6AB3B156C5D2ABF37A7FD5C53B7CA00000010000000010304000EE57BC519 ike 0:TestToCisco:8574: out D93C289577B4B4691318BF0CC55043C80810050181F6B68E000000444A3316F97F61C40377D2CFC815D02EE5F1762F427008D84063C6ADA2247C867AE8F7B3FFA05C45AA ike 0:TestToCisco:8574: sent IKE msg (p2_notify_14): 73.107.235.45:500->50.250.102.118:500, len=68, id=d93c289577b4b469/1318bf0cc55043c8:81f6b68e ike 0:TestToCisco:8574: error processing quick-mode message from 50.250.102.118 as responder Thank you for the help #14
mrmadgig New Member Total Posts : 13 Scores: 0 Reward points: 0 Joined: 2021/03/24 17:30:57 Status: offline Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/26 10:31:12 (permalink) 0 Cisco still complaining about phase 2. here is latest debug on p1 errors ISR4221#debug crypto isakmp error Crypto ISAKMP Error debugging is on ISR4221# ISR4221# ISR4221# ISR4221# ISR4221# ISR4221# Mar 26 17:49:40.105: ISAKMP-ERROR: (1332):deleting node 773216203 error TRUE reason "Delete Larva l" ISR4221# Mar 26 17:50:06.187: ISAKMP-ERROR: (1333):IPSec policy invalidated proposal with error 1024 Mar 26 17:50:06.188: ISAKMP-ERROR: (1333):phase 2 SA policy not acceptable! (local 50.250.102.118 remote 73.107.235.45) Mar 26 17:50:06.188: ISAKMP-ERROR: (1333):deleting node 1257642978 error TRUE reason "QM rejected" ISR4221# Mar 26 17:50:10.097: ISAKMP-ERROR: (1333):deleting node 921661237 error TRUE reason "Delete Larval" ISR4221# Mar 26 17:50:40.530: ISAKMP-ERROR: (1333):deleting node 131420882 error TRUE reason "Delete Larval" ISR4221# #15
emnoc Expert Member Total Posts : 6055 Scores: 404 Reward points: 0 Joined: 2008/03/20 13:30:33 Location: AUSTIN TX AREA Status: offline Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/26 10:48:23 (permalink) 0 humor us. enable pfs in your fortios config vpn ipsec phase2-interface edit < blah blah > set pfs enable set dhgrp 2 5 end and then do a diag vpn ike gateway flush < phase1 name > # wait 10 sec diag vpn ike gateway list diag vpn tunnel list Ken Felix PCNSE NSE StrongSwan #16
mrmadgig New Member Total Posts : 13 Scores: 0 Reward points: 0 Joined: 2021/03/24 17:30:57 Status: offline Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/26 10:59:44 (permalink) 0 Here it is FORTIGATE # diag vpn ike gateway list vd: root/0 name: TestToCisco version: 1 interface: wan1 7 addr: 73.107.235.45:500 -> 50.250.102.118:500 created: 25s ago IKE SA: created 1/1 established 1/1 time 100/100/100 ms IPsec SA: created 0/6 id/spi: 8607 bcc8b33115c5a0bc/1318bf0cdff3744c direction: initiator status: established 25-25s ago = 100ms proposal: 3des-md5 key: ebbb43f89ef9f987-bbffde5beb92dcf7-2b220ff7ec708a33 lifetime/rekey: 86400/86074 DPD sent/recv: 00000000/00000000 FORTIGATE # diag vpn tunnel list list all ipsec tunnel in vd 0 ------------------------------------------------------ name=TestToCisco ver=1 serial=2 73.107.235.45:0->50.250.102.118:0 dst_mtu=0 bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc run_state=0 accept_traffic=1 overlay_id=0 proxyid_num=1 child_num=0 refcnt=9 ilast=55 olast=55 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0 dpd: mode=off on=0 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=TestToCisco proto=0 sa=0 ref=2 serial=7 auto-negotiate src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0 run_tally=1 #17
mrmadgig New Member Total Posts : 13 Scores: 0 Reward points: 0 Joined: 2021/03/24 17:30:57 Status: offline Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/26 11:12:42 (permalink) 0 Tunnel just came up! Don't know why? #18
emnoc Expert Member Total Posts : 6055 Scores: 404 Reward points: 0 Joined: 2008/03/20 13:30:33 Location: AUSTIN TX AREA Status: offline Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/27 18:23:17 (permalink) 0 So waspfs enabled or not ? What does your "show crypto ipsec sa" show? Ken Felix PCNSE NSE StrongSwan #19
mrmadgig New Member Total Posts : 13 Scores: 0 Reward points: 0 Joined: 2021/03/24 17:30:57 Status: offline Re: Site To Site VPN between Cisco 4421 and Fortigate 100F 2021/03/28 06:48:33 (permalink) 0 Hello Ken Yes it was, but I don't have the Cisco coded for pfs. crypto ipsec transform-set TS esp-3des esp-md5-hmac mode tunnel ! crypto ipsec profile VTI set security-association lifetime seconds 86400 set transform-set TS <I did have pfs here before> but I removed it ISR4221#sh crypto ipsec sa interface: Tunnel0 Crypto map tag: Tunnel0-head-0, local addr 50.250.102.118 protected vrf: (none) local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) current_peer 73.107.235.45 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 17433, #pkts encrypt: 17433, #pkts digest: 17433 #pkts decaps: 20661, #pkts decrypt: 20661, #pkts verify: 20661 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 50.250.102.118, remote crypto endpt.: 73.107.235.45 plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0 /0/0 current outbound spi: 0x8772CE32(2272448050) PFS (Y/N): Y, DH group: group5 <<<<<<<<<<<Shows on here though??? Weird inbound esp sas: spi: 0x993F646F(2571068527) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2099, flow_id: ESG:99, sibling_flags FFFFFFFF80004048, crypto m ap: Tunnel0-head-0 sa timing: remaining key lifetime (k/sec): (4607971/2649) IV size: 8 bytes replay detection support: Y Status: ACTIVE(ACTIVE) inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x8772CE32(2272448050) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2100, flow_id: ESG:100, sibling_flags FFFFFFFF80004048, crypto map: Tunnel0-head-0 sa timing: remaining key lifetime (k/sec): (4607982/2649) IV size: 8 bytes replay detection support: Y Status: ACTIVE(ACTIVE) #20

Jump to:

Hot!Site To Site VPN between Cisco 4421 and Fortigate 100F

19 Replies Related Threads

Attached Image(s)