Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mrmadgig
New Contributor

Created on ‎03-24-2021 05:40 PM

Site To Site VPN between Cisco 4421 and Fortigate 100F

Hello Everyone new here

New to FortiGate also.

 

I am having a major issue getting a site to site VPN up but first I would like to tell me

 

how do you ping the other gateway from the Forti CLI? I see ping option but I don't get it

 

execute ping-options source 10.10.111.254 10.222.221.16

command parse error before '10.222.221.16' Command fail. Return code -61

How do you write this syntax out completely to make it work?

Do you need to open ports in the firewall like Cisco e.g  ESP, IKE etc? before running the VPN wizard or custom? 

 

I cannot get phase 1 one to come up. 

 

Thanks

11231
0 Kudos
19 REPLIES 19
Toshi_Esumi
Esteemed Contributor III

Created on ‎03-24-2021 09:01 PM

Just like Cisco, use '?' for the options in any command lines, then you would see like below:

fg50e-utm (root) # exe ping-o source 10.10.111.254 ?  <Enter> So no further options are taken after the source IP because this command sets a specific IP for any pinging as its source. It takes only <Enter> after the source IP. Then you can run actual ping command. My ping can't get any response because your source IP doesn't exist on my FG50E. Also even if exists, it's not allowed by any policies.

fg50e-utm (root) # exe ping 4.2.2.2 PING 4.2.2.2 (4.2.2.2): 56 data bytes ^C --- 4.2.2.2 ping statistics --- 5 packets transmitted, 0 packets received, 100% packet loss For IPsec vpn debugging, you eventually need to learn how to run "ike debugging" explained in this KB:

https://kb.fortinet.com/k....do?externalID=FD46611

It's same as Cisco's "debug crypto xxx". So you can see what's failing during negotiations.

5034
0 Kudos
mrmadgig
New Contributor

Created on ‎03-25-2021 08:26 AM

Thank you Yes I did use the 

 

But I didn't understand that you had to hit enter and then execute another ping. Nowhere does it say that.

Thank you for the link. I will use this. 

5034
0 Kudos
Toshi_Esumi
Esteemed Contributor III
In response to mrmadgig

Created on ‎03-25-2021 09:13 AM

I have to admit FTNT's documentation is not perfect for many users. But once you start using them, you can understand why they built those commands in the particular ways. It's just different from Cisco IOS, or others.

In the CLI document for "ping-option", it says "Use this command to configure behavior of ping." Most people would understand It doesn't execute "ping" with this command.

https://docs.fortinet.com/document/fortimail/6.4.0/cli-reference/936917/ping-option

 

5034
0 Kudos
mrmadgig
New Contributor
In response to Toshi_Esumi

Created on ‎03-25-2021 12:57 PM

I see what you mean but this is vague. 

 

I knew that also but it doesn't say you need to run another complete command to get the ping to work

 

eg. cisco#ping 10.10.10.111.254 source 10.10.111.222.254 repeat etc... 

ok now FGT execute (why even say this??? ping-option source <ip> now enter? it goes blank to another command line that is NOT intuitive. It feels as if you accomplished nothing. WTF

 

FGT# execute ping-option source x.x.x.x enter 

now right back at the beginning with flashing cursor

FGT#_   

 

What the hell happened? Ok I see?? I gotta guess that it need another 400 characters to ping something

 

No I disagree that most new people would know. 

 

anyhow thanks I appreciate it.

 

Can you please tell me on the FortiGate side what the equivalent of these are on the Tunnel custom config

 

crypto ipsec transform-set TestSet esp-3des esp-md5-hmac mode tunnel

 

 Is it just 3des and Md5?

 

Thank you

5034
0 Kudos
Toshi_Esumi
Esteemed Contributor III
In response to mrmadgig

Created on ‎03-25-2021 05:31 PM

Once you set the "poing-options source", unlike Cisco, you don't have to type the same "so x.x.x.x" when you make multiple pingings. Until you change the option again. The same goes with "traceroute-opotions". That's an advantage.

 

Either phase 1 or 2 config, when you hit '?' after "set proposal" you can see all options. It's self-explanatory.

xxx-fg1 (Phase1_Name) # set proposal ? des-md5                       des-md5 des-sha1                      des-sha1 des-sha256                    des-sha256 des-sha384                    des-sha384 des-sha512                    des-sha512 3des-md5                      3des-md5 3des-sha1                     3des-sha1 3des-sha256                   3des-sha256 3des-sha384                   3des-sha384 3des-sha512                   3des-sha512 aes128-md5                    aes128-md5 aes128-sha1                   aes128-sha1 aes128-sha256                 aes128-sha256 aes128-sha384                 aes128-sha384 aes128-sha512                 aes128-sha512 aes128gcm-prfsha1             aes128gcm-prfsha1 aes128gcm-prfsha256           aes128gcm-prfsha256 aes128gcm-prfsha384           aes128gcm-prfsha384 aes128gcm-prfsha512           aes128gcm-prfsha512 aes192-md5                    aes192-md5 aes192-sha1                   aes192-sha1 aes192-sha256                 aes192-sha256 aes192-sha384                 aes192-sha384 aes192-sha512                 aes192-sha512 aes256-md5                    aes256-md5 aes256-sha1                   aes256-sha1 aes256-sha256                 aes256-sha256 aes256-sha384                 aes256-sha384 aes256-sha512                 aes256-sha512 aes256gcm-prfsha1             aes256gcm-prfsha1 aes256gcm-prfsha256           aes256gcm-prfsha256 aes256gcm-prfsha384           aes256gcm-prfsha384 aes256gcm-prfsha512           aes256gcm-prfsha512 chacha20poly1305-prfsha1      chacha20poly1305-prfsha1 chacha20poly1305-prfsha256    chacha20poly1305-prfsha256 chacha20poly1305-prfsha384    chacha20poly1305-prfsha384 chacha20poly1305-prfsha512    chacha20poly1305-prfsha512

 

5034
0 Kudos
mrmadgig
New Contributor
In response to Toshi_Esumi

Created on ‎03-26-2021 07:04 AM

Now I see... Yes I agree that is an advantage! don't have to retype same thing over again.

 

Ok I have been trying for 4 days to get Phase 1 tunnel up with no success. I have only created VPN with Cisco to Cisco in the past and FTG to FGT. I realize this is a ridiculous amount  of time t do this but is is a learning process for me.

 

Please forgive me for some of the silly questions. 

 

I was trying to see the encryption and authentication in the GUI so I never saw the nice command line you showed me

thank you.

 

Ok here is the silly question

 

You have two column in your command line 

 

I only see the 3des-MD5 and you highlighted them does this mean it is a given that the esp is just not necessarily shown?

Taken from my Cisco config below. What is the hmac? I do not see this in FortiGate

esp-3des            esp-md5-hmac

 

A better question for me is what is the best one's to use between a FGT and Cisco Router

 

 

 

Both sides keep retransmitting Cisco of course is Death by retransmission" failure. I have been configuring the FTG via GUI in 6.4.4 and I don't think this is the best way. Can you please advise on these settings:

 

 

 

5034
0 Kudos
emnoc
Esteemed Contributor III
In response to mrmadgig

Created on ‎03-26-2021 07:20 AM

ipsec is ipsec cisco to cisco or cisco to fgt is not that much different . IPSEC ESP is an open standard just match the ph1/ph2 and PSK and it should work.

 

 

Here's a sample ikev2 vpn cfg for ios

 

http://socpuppet.blogspot.com/2014/05/howto-asr-ios-xe-to-fortigate-ikev2_22.html

 

What have you done in regards to diagnostic on fgt and debug on ios?  Can you pop your configs here so we can look them over.

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
5034
0 Kudos
mrmadgig
New Contributor
In response to emnoc

Created on ‎03-26-2021 07:57 AM

Hi Ken

I agree but I am not sure exactly how to configure the Fortigate. I did run across your blog and was helpful very nice!

 

Yes I have done so many diags its making me confused. 

 

Here is output of the latest (20min ago) from the FortiGate. I don't now how to give you the FortiGate config

FORTIGATE # ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:500 negotiating ike 0:TestToCisco:8419: cookie e0a58579a166e701/1318bf0ce01dec58:2c79e6f0 ike 0:TestToCisco:8419:TestToCisco:2342: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0 ike 0:TestToCisco:8419: enc E0A58579A166E7011318BF0CE01DEC58081020012C79E6F0000000FC01000014642F834F11E22E99D8D878397A19C8750A000034000000010000000100000028010304018772CC6A0000001C01030000800100018002A8C0800400018005000180030001040000141B29CA27D8817012DAFD6D427DD89B2A0500006470F9A8D3BE98E4D43599D2F6AB59DFD4FC8A5301159A7BC36A565A512CC1F493827F9D1C4A07BF48CBE9490E28755726A658CFE1EA03E583B17923C2376BD8CD428B21A4D3EE37CF233CB1B4D313EFDFCB6B0285856626459B78D922B7CED9480500001004000000000000000000000000000010040000000000000000000000 ike 0:TestToCisco:8419: out E0A58579A166E7011318BF0CE01DEC58081020012C79E6F000000104C7CA4D41C7AE844115AD088E0F23EEDD60F8CA6CAE5422ADD1DF97A4F39F48E8412332E9D1C23A27D59506626972C9E17E12B8E9373FDF28E329F01F53104FD196A9212A96A6C8B951055FAF308DD6E3F1AE5212BC9E7A822429D30498BC09ECA0A9C4D5BE5D4281F11D15FD75E40BDBEB9404A9B9137DE6F4F4360CB78BF36BF69B780362A9045B4E6AA2A782C991144092DB21445747CB6528C6F52C400852579448B5542C1C932D23FFA26841BDE5EBBED76825E7CD53D1147619171D946B1E5CA61EB99D0EBCA745C71AF6D8C61ECE4046663DE77A13B72E22A9743D38E7DC0B43BB0BDE55A8 ike 0:TestToCisco:8419: sent IKE msg (quick_i1send): 73.107.235.45:500->50.250.102.118:500, len=260, id=e0a58579a166e701/1318bf0ce01dec58:2c79e6f0 ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7.... ike 0: IKEv1 exchange=Informational id=e0a58579a166e701/1318bf0ce01dec58:095e1700 len=84 ike 0: in E0A58579A166E7011318BF0CE01DEC5808100501095E170000000054E5680DA1B598702A2D29E29B3B877CAECABC89AEFC76C5A612B7E3256B8274D56C15BB556E989A0FFBE4C92C5BD7FC0C172AD89357B963C5 ike 0:TestToCisco:8419: dec E0A58579A166E7011318BF0CE01DEC5808100501095E1700000000540B0000148390A5991B91A36E99876DBC8CF8026E0000001C000000010304000E8772CC6A0A00003400000001000000010000000000000000 ike 0:TestToCisco:8419: notify msg received: NO-PROPOSAL-CHOSEN ike 0:TestToCisco:8419:TestToCisco:2342: IPsec SPI 8772cc6a match ike 0:TestToCisco:8419:TestToCisco:2342: delete phase2 SPI 8772cc6a ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:500 negotiating ike 0:TestToCisco:8419: cookie e0a58579a166e701/1318bf0ce01dec58:430fdc29 ike 0:TestToCisco:8419:TestToCisco:2343: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0 ike 0:TestToCisco:8419: enc E0A58579A166E7011318BF0CE01DEC5808102001430FDC290000011C01000014C9C9A256E62EEA5AB50FF7725EFA8DF70A000034000000010000000100000028010304018772CC6B0000001C01030000800100018002A8C08004000180050001800300020400001476D3394610E67AD0F52AFC0A35C0BD4905000084999703F23585574871E0243C9CB7259BA7C773C7CF4EBB4E2781BDCDC83A5E1173306E868D24DAA0B1817EADCD7C62362F388F7C2BFC4A04BF1D30858C8C5FA06315B3AE63D4666678B172B8B6B5B813A55C24BF2F0CB403D2051433249B237E04B29F2B494A1DB267FB9BFB79E2568861EF3BFA53752899D529B7E6E78D9E620500001004000000000000000000000000000010040000000000000000000000 ike 0:TestToCisco:8419: out E0A58579A166E7011318BF0CE01DEC5808102001430FDC29000001247E9E3CB355BF68B89BF0DB8A5B5D9D229C3388C617659C2D6EA5477BB80ECA43BA1125465721E6C12B0052F1162A712B7EFDE4560094F0B205C6109C4D33683440808CFBCC6D47A83CFECEAD87778734B4BB22ADB11CA8127971BFD7BC9E456CA3EDCB37A77939427F93C9A2EE9D7C5A37455278A3209D46A169D2E0F962B2F634B3CE9A85CCDD474B368AFAEF2DD3DFECA45F10A114E68F9E1035BD9093DC407AB7B784BF1CE220AA37477F64C07C2A605D7F0B3E65496AB192092ABD8599AED9BE85E7B7A4F5833975A0153231C376686E782150AAC4679A65D0BEBDBCCBC4415433024EB6BF604D13E595F7349EBCA03E03F8EA2A7201DC1DA911FB151552E6A2E2BF835B96D9 ike 0:TestToCisco:8419: sent IKE msg (quick_i1send): 73.107.235.45:500->50.250.102.118:500, len=292, id=e0a58579a166e701/1318bf0ce01dec58:430fdc29 ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7.... ike 0: IKEv1 exchange=Informational id=e0a58579a166e701/1318bf0ce01dec58:a8efb6d6 len=84 ike 0: in E0A58579A166E7011318BF0CE01DEC5808100501A8EFB6D6000000545F21E6DF6848312F43848840697D1A365A611DC169FFBCAC7004C287CD49FE482F5DBFD29692E53CCE38E9868A22213675D77ABB091AA617 ike 0:TestToCisco:8419: dec E0A58579A166E7011318BF0CE01DEC5808100501A8EFB6D6000000540B0000142133CB437B790A3EE0D5CBC7B851DC980000001C000000010304000E8772CC6B0A00003400000001000000010000000000000000 ike 0:TestToCisco:8419: notify msg received: NO-PROPOSAL-CHOSEN ike 0:TestToCisco:8419:TestToCisco:2343: IPsec SPI 8772cc6b match ike 0:TestToCisco:8419:TestToCisco:2343: delete phase2 SPI 8772cc6b ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7.... ike 0: IKEv1 exchange=Quick id=e0a58579a166e701/1318bf0ce01dec58:ac5c3ef8 len=372 ike 0: in E0A58579A166E7011318BF0CE01DEC5808102001AC5C3EF800000174E4256AD5994CEB6D46B8957D4D7F36D872765BD6C4D8BBAEB97D0BEDCE47576A047CC60452934257581A250635667DE9B06E2057DBBAE7B6A09BD9119CE0194B2529E2D5BC0F563CC1903F20B308ACA8FA10A8469F4E9523E4EFD1F461D8652AA822D10C0A7BD2E8B1FF558BC1096B8657FEA1A1F80414C72C65F4EC10177719DEE82D34CE0CC4B7CAE68E06C37EC17368F7A9672AAD6FBDA9BEB8D52E67D7F4E04466B3C87017190457F7206B93CD6D70982EE5F480D84DF918B25DFAC33EE80730498FABB88D4FD09E462DC4899CA8E0D2ED8A0BFEAEBBE742FB020AA6CEAEE9B539415BF065C41ED52D9B4567D5BB07B2F4429292E219544125DBFD7AB395998843056F52546E62E3280A02652DC45A0E4FBC243BFD8533FD8161064634A1B117BE3A78E681320429D402934FDD4C5E534C81185DD442C4D3C38B507335E67FC67B965B2E650F36134329BEF621274112D37AF9D2F0D0 ike 0:TestToCisco:8419:2344: responder received first quick-mode message ike 0:TestToCisco:8419: dec E0A58579A166E7011318BF0CE01DEC5808102001AC5C3EF80000017401000014F6637A018BA26F9B57C86B800D13EA4A0A00004000000001000000010000003401030401B857445E0000002801030000800400018001000180020E1080010002000200040046500080050001800300050400001812D887BE033F66505FEC6E63332409B953B17F2C050000C4183E20FE53D77105299300D3AA9B64F27A8325EF5F6DA543D2F491B503C24E19D268AC8A62A3CDD0E34FC96023E578E50F3357D1DCD8BD46B6542729E454E6BCA8E0BAFDBFED9A4399A037A0AB676F09422D070C9341C122AC331CFA5BD02DD95847D5FCE8C922FEE1496437D70CAE067677DC37612BE9083D7BC0CF3AE420CEE3F47FA9E72E2D467A3DF03901AC0ECA056A3E09A5A186786E32D6D5790343AA6375C0286E542C58E53FF377A440C907A1D490D161B7056E8BAD29C7DFF8F51005000010040000000000000000000000000000100400000000000000000000000000000000000000 ike 0:TestToCisco:8419:2344: peer proposal is: peer:0:0.0.0.0-255.255.255.255:0, me:0:0.0.0.0-255.255.255.255:0 ike 0:TestToCisco:8419:TestToCisco:2344: trying ike 0:TestToCisco:8419:TestToCisco:2344: matched phase2 ike 0:TestToCisco:8419:TestToCisco:2344: autokey ike 0:TestToCisco:8419:TestToCisco:2344: my proposal: ike 0:TestToCisco:8419:TestToCisco:2344: proposal id = 1: ike 0:TestToCisco:8419:TestToCisco:2344: protocol id = IPSEC_ESP: ike 0:TestToCisco:8419:TestToCisco:2344: PFS DH group = 2 ike 0:TestToCisco:8419:TestToCisco:2344: trans_id = ESP_3DES ike 0:TestToCisco:8419:TestToCisco:2344: encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:TestToCisco:8419:TestToCisco:2344: type = AUTH_ALG, val=MD5 ike 0:TestToCisco:8419:TestToCisco:2344: proposal id = 2: ike 0:TestToCisco:8419:TestToCisco:2344: protocol id = IPSEC_ESP: ike 0:TestToCisco:8419:TestToCisco:2344: PFS DH group = 1 ike 0:TestToCisco:8419:TestToCisco:2344: trans_id = ESP_3DES ike 0:TestToCisco:8419:TestToCisco:2344: encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:TestToCisco:8419:TestToCisco:2344: type = AUTH_ALG, val=MD5 ike 0:TestToCisco:8419:TestToCisco:2344: incoming proposal: ike 0:TestToCisco:8419:TestToCisco:2344: proposal id = 1: ike 0:TestToCisco:8419:TestToCisco:2344: protocol id = IPSEC_ESP: ike 0:TestToCisco:8419:TestToCisco:2344: PFS DH group = 5 ike 0:TestToCisco:8419:TestToCisco:2344: trans_id = ESP_3DES ike 0:TestToCisco:8419:TestToCisco:2344: encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:TestToCisco:8419:TestToCisco:2344: type = AUTH_ALG, val=MD5 ike 0:TestToCisco:8419:TestToCisco:2344: negotiation failure ike Negotiate IPsec SA Error: ike 0:TestToCisco:8419:2344: no SA proposal chosen ike 0:TestToCisco:2344: info_send_n2, type 14, peer SPI b857445e ike 0:TestToCisco:8419: enc E0A58579A166E7011318BF0CE01DEC5808100501A422D4DA000000400B000014DF90C33E1D5CB023CFED41CC793B962D00000010000000010304000EB857445E ike 0:TestToCisco:8419: out E0A58579A166E7011318BF0CE01DEC5808100501A422D4DA00000044F58C08CCB5F7CF162A08803D302F852654593C59C78A5DAD81679CDE60BFCB95DA60313A42F12E28 ike 0:TestToCisco:8419: sent IKE msg (p2_notify_14): 73.107.235.45:500->50.250.102.118:500, len=68, id=e0a58579a166e701/1318bf0ce01dec58:a422d4da ike 0:TestToCisco:8419: error processing quick-mode message from 50.250.102.118 as responder ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:500 negotiating ike 0:TestToCisco:8419: cookie e0a58579a166e701/1318bf0ce01dec58:7734a7fe ike 0:TestToCisco:8419:TestToCisco:2346: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0 ike 0:TestToCisco:8419: enc E0A58579A166E7011318BF0CE01DEC58081020017734A7FE000000FC01000014E59263C79CB39D9F64A0E4C0D296C99B0A000034000000010000000100000028010304018772CC6C0000001C01030000800100018002A8C080040001800500018003000104000014F7F0F96C6057ADE3DD6490031D1AEADB0500006451765C7A0F761528EAB2057EAC49C26E57DE3695AF52181C7A7D62AE698293E5FF42A668E21C30A24251E0DCBEAD6618646AC97DC25769867ADC667DA1478CF4D1E4DAC09E084A314E2203A51338A5DBBBCB26AD53B12DBBD6A354862D1A6F9A0500001004000000000000000000000000000010040000000000000000000000 ike 0:TestToCisco:8419: out E0A58579A166E7011318BF0CE01DEC58081020017734A7FE00000104FCBEB8BA845EFDCA9777DCDF7CD23305ADA17EDD8193207494BA44A4E02DC12F44C236DF9D84931A83A8B15DAA580F68F392D1BD1F7712653C18E899CDE626581776702D65E6902409EECD87C27C234A8D0819BFA425EC01A48563DD26D0A23DC72BECCD931C82230A091A4F1CDD55AC60649C81AB3D037B3B92E56B60E8B86B512C4232FEF31C23A97C96BE12BE5621030B7A43B006E45870A449CD4366F9A16A6B97A2A7EE0379BD5B01511EFEE219AFAB027ACB1616CB96C43C7840702A803BF6997724355548D30CB500B9F863723FFE2A2D1FAE59583A42C97D8DA222BE249FF1DBA6A63E9A ike 0:TestToCisco:8419: sent IKE msg (quick_i1send): 73.107.235.45:500->50.250.102.118:500, len=260, id=e0a58579a166e701/1318bf0ce01dec58:7734a7fe ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7.... ike 0: IKEv1 exchange=Informational id=e0a58579a166e701/1318bf0ce01dec58:1b71c169 len=84 ike 0: in E0A58579A166E7011318BF0CE01DEC58081005011B71C169000000543FD48B14CDD69F904F71CDD530251FAA5FD15DFAD516251ADC6713B845909A8C20202DC183C7ACA69A7FA08BC811E649B7AACB2D291D6452 ike 0:TestToCisco:8419: dec E0A58579A166E7011318BF0CE01DEC58081005011B71C169000000540B000014FF287F9F70709A2E86888FBB2CE006220000001C000000010304000E8772CC6C0A00003400000001000000010000000000000000 ike 0:TestToCisco:8419: notify msg received: NO-PROPOSAL-CHOSEN ike 0:TestToCisco:8419:TestToCisco:2346: IPsec SPI 8772cc6c match ike 0:TestToCisco:8419:TestToCisco:2346: delete phase2 SPI 8772cc6c ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:500 negotiating ike 0:TestToCisco:8419: cookie e0a58579a166e701/1318bf0ce01dec58:6ded900b ike 0:TestToCisco:8419:TestToCisco:2347: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0 ike 0:TestToCisco:8419: enc E0A58579A166E7011318BF0CE01DEC58081020016DED900B0000011C010000144DABBA48E8643A0C8A49FAA6B94581080A000034000000010000000100000028010304018772CC6D0000001C01030000800100018002A8C0800400018005000180030002040000146009F00211B216F0A196616CEC2A9FC00500008413DE6215E27F41550EB44360A01ED289728D41426B0C805366BC76AC26F3C1D6969B6E1075F5E5A81E360161296F1E03A3D5AD80B9E4B20B76896739B82DFC77E0F3EA032278F5AF9F78F2ECCEDD68593C6F6627A22E04C3701601B02EE15F54CA12263159BA058D396714EBF97E31D5E761CA3F1C8DD274958FDA1D29B8CD590500001004000000000000000000000000000010040000000000000000000000 ike 0:TestToCisco:8419: out E0A58579A166E7011318BF0CE01DEC58081020016DED900B00000124C58102521A586AF396ACC6C8B3626EA0686FF3B659A4546CA99A2CF3C2AD6FF197F02B1529D208CA217A0729C9B34894937FD9A1E7EC09EC6C35FBD9DA7DE6D04D217B4910BC164166D2C11FD389856E78822D467FB6E117028962AC502C53370219E4FF79CB9A5C3EDD72F34FD55554872242171D0B44A9124BD3DFD157CF8D7516D3FAD4ABF6080080994860A2372F7C7C7488CC5BDB3C5BFAE392592E379372196EB789BB113D1014F26B3B16A02AA89941D9B9CC707718864BF5CECE0AA9E64888DDEEFEA29E7368A33D3AF2B367F33998F8C55E1AB9F8DB0830104E7C0C7D484BC0ABBC08CAD1057452FCE295B78306EFD4C3C32AF33AA9399137C4AC75A201A2D5DBF2FA01 ike 0:TestToCisco:8419: sent IKE msg (quick_i1send): 73.107.235.45:500->50.250.102.118:500, len=292, id=e0a58579a166e701/1318bf0ce01dec58:6ded900b ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7.... ike 0: IKEv1 exchange=Informational id=e0a58579a166e701/1318bf0ce01dec58:9003ece1 len=84 ike 0: in E0A58579A166E7011318BF0CE01DEC58081005019003ECE100000054D116CBBCA4F253AB44A2DE551B6CDD81BC77DDB55C4BF513893D16CB63A990BF2A1C3EE92687ED93C5C45E21F4655F154A5780CE1DDC3AB2 ike 0:TestToCisco:8419: dec E0A58579A166E7011318BF0CE01DEC58081005019003ECE1000000540B000014D1F615E7D6951B45C1FC42D5A3EB660F0000001C000000010304000E8772CC6D0A00003400000001000000010000000000000000 ike 0:TestToCisco:8419: notify msg received: NO-PROPOSAL-CHOSEN ike 0:TestToCisco:8419:TestToCisco:2347: IPsec SPI 8772cc6d match ike 0:TestToCisco:8419:TestToCisco:2347: delete phase2 SPI 8772cc6d ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:500 negotiating ike 0:TestToCisco:8419: cookie e0a58579a166e701/1318bf0ce01dec58:93edfc52 ike 0:TestToCisco:8419:TestToCisco:2348: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0 ike 0:TestToCisco:8419: enc E0A58579A166E7011318BF0CE01DEC580810200193EDFC52000000FC01000014DA0836AFEA7F8E91D8A3606A624424080A000034000000010000000100000028010304018772CC6E0000001C01030000800100018002A8C0800400018005000180030001040000140E217CBDC76781A3A8A55DD8C35FF450050000648F844C4E598701EC61C1C116002D148AE8D01ABC520453D2D87335B1F946D72CE426188642635D07EA1A70D49B85EF1920780E0CE58D31EED7FF3B947C45E58F7B424F3948DACB3AE90F212A35314B1CF8B3621FB0B7546C382CD7B0015A018A0500001004000000000000000000000000000010040000000000000000000000 ike 0:TestToCisco:8419: out E0A58579A166E7011318BF0CE01DEC580810200193EDFC5200000104C190B42142AEA0BA6B7E6DA34C3CB38643086D6CD9EF8F7D3A51D760C262A5C7C11A888D6085BEB81BBD3CF2F37567BD7692B3D06A72FF0E53D2D75F085F8A3C94A392ACFC9B7F2E71A4C3C195D8490F6CDE4AF4A2E59E719E0843B5EEBD4DADB8019E3F5DD175A843D23DA8730D3DB99BC586D52C30FDFD9D623B2A969D961584FE7F0EF745DF894B1103B65F603FB121C9D429935CA2ADAFFCE410D647F27B0CC5FD9570893BBA6F9DA6FB7A006320B566C8DD4F85C6972360604204835C43807B88A4C04ECF0C54882DB7E64D4D9F028A936ABCB12AB0C418D6BE152774617CBFD19CB62C899F ike 0:TestToCisco:8419: sent IKE msg (quick_i1send): 73.107.235.45:500->50.250.102.118:500, len=260, id=e0a58579a166e701/1318bf0ce01dec58:93edfc52 ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7.... ike 0: IKEv1 exchange=Informational id=e0a58579a166e701/1318bf0ce01dec58:efdd7180 len=84 ike 0: in E0A58579A166E7011318BF0CE01DEC5808100501EFDD718000000054D25281361AE00AA7727737DDFA2EFF4B6B01C86ABFCFA0C2DA380A78A6F12B51086D74B7A30DD35C49174A900BC7D66373C40562ECF08651 ike 0:TestToCisco:8419: dec E0A58579A166E7011318BF0CE01DEC5808100501EFDD7180000000540B000014028DEA19B2680A5483FDD27957584A4C0000001C000000010304000E8772CC6E0A00003400000001000000010000000000000000 ike 0:TestToCisco:8419: notify msg received: NO-PROPOSAL-CHOSEN ike 0:TestToCisco:8419:TestToCisco:2348: IPsec SPI 8772cc6e match ike 0:TestToCisco:8419:TestToCisco:2348: delete phase2 SPI 8772cc6e ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:500 negotiating ike 0:TestToCisco:8419: cookie e0a58579a166e701/1318bf0ce01dec58:5b3ce712 ike 0:TestToCisco:8419:TestToCisco:2349: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0 ike 0:TestToCisco:8419: enc E0A58579A166E7011318BF0CE01DEC58081020015B3CE7120000011C01000014AEBB7CFD8A72B51E68E2139CDD8676E90A000034000000010000000100000028010304018772CC6F0000001C01030000800100018002A8C0800400018005000180030002040000140529F1684B8A0D020EAC9CBB4A6A91B105000084DE99460056907B0F178C3D5F61AEC79A86FEBA6D001E27EF4620B97389F942BE6794C2E31E72F49687BA2555FA48826EDD2DD0C6D097B6E1489D0F3680A71E7BB9B85800186611D01ED07CAE8A603E4820EB7823A417D4F4CE57B97AF919A2E270B5A986DD7EB1F00A80DEC179FD5D814203A6E656720B0C43D7057F7A2558610500001004000000000000000000000000000010040000000000000000000000 ike 0:TestToCisco:8419: out E0A58579A166E7011318BF0CE01DEC58081020015B3CE712000001244A63B48A856F8F9A7C709F80124E7ECCD394AAFBA28B89EC93B4FA4A81FC5A1C6EF791B5BCC894BAA5E05BEBCA3C5082705458D0C895910AE70A5AD43EA1860DD921E8E0F66F0E234EB1ADCDAEE4DC1E189C9B2A3D3DAF6661935A218005FB16E170DFF933D8CC5283DA3784526C78FFA21E76C4F9D80006440E3B6465F8B473B4763A2FB65CF92D198E3623D5F0F1DCEB36FE2D8FCAC2EA889769054FDDCAB475C9EDFD75A7BB200DFC1EF201F0191BDE49396E570DD6A1A0648419EC442AB33FD58BFA818F14369722D570FE6E4F2A2FE7D7186A379AE6794A13C395C1C075A4C73E0DA2E877081A585478788B10E0C5ABA84B058DF2C33E8DFD554348F1FFD9A56A5320A870F4 ike 0:TestToCisco:8419: sent IKE msg (quick_i1send): 73.107.235.45:500->50.250.102.118:500, len=292, id=e0a58579a166e701/1318bf0ce01dec58:5b3ce712 ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7.... ike 0: IKEv1 exchange=Informational id=e0a58579a166e701/1318bf0ce01dec58:d6f9f483 len=84 ike 0: in E0A58579A166E7011318BF0CE01DEC5808100501D6F9F48300000054F6440D75353FBEB038B7DF6E92966CD8BEE4058D4E8D3D29B77C2335A214A784B3366B99B0390C9021D621881EFE56FF90E90E39D08F3679 ike 0:TestToCisco:8419: dec E0A58579A166E7011318BF0CE01DEC5808100501D6F9F483000000540B0000142225AFCBB9BF6CA1429F476BA1AFAB2E0000001C000000010304000E8772CC6F0A00003400000001000000010000000000000000 ike 0:TestToCisco:8419: notify msg received: NO-PROPOSAL-CHOSEN ike 0:TestToCisco:8419:TestToCisco:2349: IPsec SPI 8772cc6f match ike 0:TestToCisco:8419:TestToCisco:2349: delete phase2 SPI 8772cc6f ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:500 negotiating ike 0:TestToCisco:8419: cookie e0a58579a166e701/1318bf0ce01dec58:a0ad94c5 ike 0:TestToCisco:8419:TestToCisco:2350: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0 ike 0:TestToCisco:8419: enc E0A58579A166E7011318BF0CE01DEC5808102001A0AD94C5000000FC010000144F903F723D5FA049271EA3EA5D285EF10A000034000000010000000100000028010304018772CC700000001C01030000800100018002A8C080040001800500018003000104000014CBC7B9EDCEDB5FB661FE6C9712EB131E050000643228D5849420D2D669559845FC406405D2FE74BE996205AC439624B7034B63C05A09620DD78A0E5FE1F993B40782AFD2DA6AB0C73CF62CA82137F85ABC30DADB09D1E6981295C07F946251AB2DDC2DF865E39FCE493E7CE957DA39A2D3416A000500001004000000000000000000000000000010040000000000000000000000 ike 0:TestToCisco:8419: out E0A58579A166E7011318BF0CE01DEC5808102001A0AD94C500000104283F12122150DDE2ED09FF23225BDBFCAE5DFD204C221F6C7ACA0F81B7A1267CEEF8CA9B757AF8DC55D1171519728ACD5C78BA6076A74E801BEE12F1FD865E689E83DD71697D76296458D3AC26AED30A25A5B3D5B1D7D91A8BA1D9027AA32381CDC34874104381D78286A198DC9CB3E2A312D2BD55C5530C3407B3BA98C089D4948CAE9A899675C5435B6C748379E2D4AC4CFAA1E27B9174992DBBAD201C274D461E81D5B40CEC7923F1DE179716825F541D12E11CB06765939CB4B0D41852AB9B2F54A7BE8FEFCA8544D833C028BB19821932F4188D827943CFB346AC0CB4CA4B3E1F008BC6BF48 ike 0:TestToCisco:8419: sent IKE msg (quick_i1send): 73.107.235.45:500->50.250.102.118:500, len=260, id=e0a58579a166e701/1318bf0ce01dec58:a0ad94c5 ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7.... ike 0: IKEv1 exchange=Informational id=e0a58579a166e701/1318bf0ce01dec58:865ea391 len=84 ike 0: in E0A58579A166E7011318BF0CE01DEC5808100501865EA39100000054A3F362F18FA5DB4E9107FB801DAEAEADBD9A795E2D4627A45A006C7A0E4B1A5A191242A916765D311DE51D2D3057466C86C413CB14F097D9 ike 0:TestToCisco:8419: dec E0A58579A166E7011318BF0CE01DEC5808100501865EA391000000540B000014C6CDDDBBF54CF092F9BBF29E08D183C60000001C000000010304000E8772CC700A00003400000001000000010000000000000000 ike 0:TestToCisco:8419: notify msg received: NO-PROPOSAL-CHOSEN ike 0:TestToCisco:8419:TestToCisco:2350: IPsec SPI 8772cc70 match ike 0:TestToCisco:8419:TestToCisco:2350: delete phase2 SPI 8772cc70

FORTIGATE # FORTIGATE # FORTIGATE # ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:0 ike 0:TestToCisco:TestToCisco: using existing connection ike 0:TestToCisco:TestToCisco: config found ike 0:TestToCisco:TestToCisco: IPsec SA connect 7 73.107.235.45->50.250.102.118:500 negotiating ike 0:TestToCisco:8419: cookie e0a58579a166e701/1318bf0ce01dec58:d5bbad4c ike 0:TestToCisco:8419:TestToCisco:2351: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0 ike 0:TestToCisco:8419: enc E0A58579A166E7011318BF0CE01DEC5808102001D5BBAD4C0000011C01000014B71BCC55BCF3243C560638B2B0B808030A000034000000010000000100000028010304018772CC710000001C01030000800100018002A8C0800400018005000180030002040000147CDA42BC6DE11D8B37DA3AD6CFA19F7C0500008494A25E5B4604053850C6A44946F79CC7B5D8C3280338A9FC2DFC2F822967498B64DC3D88F2473B1535D4E13D1FED648EB5E32380802BF53BB2A5BC859AADA715347681EAF0D64FC0A049C5A4FC3DB919B592A65B598080319C5C0E3950758C1C2E2BE9BCF7B1E9906990275436C06B46B48B4ABCB63A44362E0CD45EE93E545F0500001004000000000000000000000000000010040000000000000000000000 ike 0:TestToCisco:8419: out E0A58579A166E7011318BF0CE01DEC5808102001D5BBAD4C000001240FC452C3AC0265998E238ACDEDFB3855F35A461AD5F5567D941D3B9F71B9467CC779F780C3DD2562C8165A3461F7630482B23BAEFBD1A93E0F5B0922A605EA962421CD08E6418F72071A2543988081BD9998F3D96A5ABFBF439EF84A25A0C687799EBFB0F8F048C64DC91841484C6CB8B7393F504F1D2CBB96FDA46AB1BBE42294441E185468A109F583BBFFC9E9C041375FAEF48DD82C851BA3AFDA2CFA0B37B6DDDE80A8FCD4262F3F88743B9D5FDA268DD0D446280673B7B3C18EB3096D48ACAB4A4A92CFF0E6144CAF0590473517AE844604737DC9832A4B7ED9EBDF83C02040E15A682517D81CF8490C43654F2C33BF82E0844E8CE643B97F81982747ABED62AD706BDA0F28 ike 0:TestToCisco:8419: sent IKE msg (quick_i1send): 73.107.235.45:500->50.250.102.118:500, len=292, id=e0a58579a166e701/1318bf0ce01dec58:d5bbad4c ike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7.... ike 0: IKEv1 exchange=Informational id=e0a58579a166e701/1318bf0ce01dec58:97449610 len=84 ike 0: in E0A58579A166E7011318BF0CE01DEC58081005019744961000000054D3B78F2AADC44A89FA432BA61445F46A8B5085416455CE917770C6F7F7311F345EE6EF8F6CE7A2765E36D809474FF8EF6AEB60A1FA2D9A0E ike 0:TestToCisco:8419: dec E0A58579A166E7011318BF0CE01DEC580810050197449610000000540B00001493F7090B12AE3559E9D2795DB14278B10000001C000000010304000E8772CC710A00003400000001000000010000000000000000 ike 0:TestToCisco:8419: notify msg received: NO-PROPOSAL-CHOSEN ike 0:TestToCisco:8419:TestToCisco:2351: IPsec SPI 8772cc71 match ike 0:TestToCisco:8419:TestToCisco:2351: delete phase2 SPI 8772cc71

FORTIGATE # FORTIGATE # FORTIGATE # FORTIGATE # FORTIGATE # FORTIGATE # diagnose debug disableike 0: comes 50.250.102.118:500->73.107.235.45:500,ifindex=7.... ike 0: IKEv1 exchange=Quick id=e0a58579a166e701/1318bf0ce01dec58:6403040c len=372 ike 0: in E0A58579A166E7011318BF0CE01DEC58081020016403040C0000017424DBF69B5DC275E4E2F6AC72F465D9EC60FDC3269DC0FB24766365D595D967BDA70A358090F622A1A6A2E07A0114C7105FEBA2E9C64A99B51C9441AEB05604039193813322D0748745036D961D65F5AAE8103A2FE4F180BD6BF4902F6303D769C7317D6D00C1917FA57941E5E4545E3E66487011F82D824D99D21AB359044255F525E452EAA26AF06B39734DD2D98A8DE84BBA1A8AC3D79E7EA9B60A4EDD4E53C2EFF1DC121EF19E350750CFC7D30AC3F72A8DF47911FA4B321FED76D7CAA5AC5FD9F25E2FBFC2864A551C7D8558BD2423AB81587556D231BBCABB7D9388BAA31DBA0D584125C7DAA1FF578A97D03D004A8D68BA29B138EC115728404FC3F5996D2603842816A71E28BA99F25A3D1C39888ABF614CE44B849501366B6DAA497EC6E52B0483B9D9A6D38D49EE42C309882A2FFE3F7F3F38754156433AD8236313E4BEE7DF170B4D6AE467E81A6C9938192A311F92FD17ABE8 ike 0:TestToCisco:8419:2352: responder received first quick-mode message ike 0:TestToCisco:8419: dec E0A58579A166E7011318BF0CE01DEC58081020016403040C00000174010000141D10ADB5D4A1AF149E6DF682C5A986110A00004000000001000000010000003401030401BA0C1FA70000002801030000800400018001000180020E10800100020002000400465000800500018003000504000018DCC6FFAF624B0BE390E7ADA16F557C57556C3D48050000C46C0E643AA6D748C2075F11652758D3395D18E5FEDEA48D9D97E0CF551F46A28F4AE78F39E47610A3107C2165134FC71F2B82DAFE5144D9AEEBFE05B012A874F7FB1DEBFEC16BCB2010FCD1392FAB6F273A8B651B924D2F1FB26A11D0331000E78D4DE438A9CC3574FB606D2ABDBFFD4612920DF4CA350D3DD95B538017526BCAF52C9DC7F81D6C1D1BC542DAC0F9FB4D8ADACD83848D9F4FC2128767ECDDB80F2BCF5E3EE85A7B676C498FEACA481CB78D1DCA72493A2FA151EEF94768CA6E6E05000010040000000000000000000000000000100400000000000000000000000000000000000000 ike 0:TestToCisco:8419:2352: peer proposal is: peer:0:0.0.0.0-255.255.255.255:0, me:0:0.0.0.0-255.255.255.255:0 ike 0:TestToCisco:8419:TestToCisco:2352: trying ike 0:TestToCisco:8419:TestToCisco:2352: matched phase2 ike 0:TestToCisco:8419:TestToCisco:2352: autokey ike 0:TestToCisco:8419:TestToCisco:2352: my proposal: ike 0:TestToCisco:8419:TestToCisco:2352: proposal id = 1: ike 0:TestToCisco:8419:TestToCisco:2352: protocol id = IPSEC_ESP: ike 0:TestToCisco:8419:TestToCisco:2352: PFS DH group = 2 ike 0:TestToCisco:8419:TestToCisco:2352: trans_id = ESP_3DES ike 0:TestToCisco:8419:TestToCisco:2352: encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:TestToCisco:8419:TestToCisco:2352: type = AUTH_ALG, val=MD5 ike 0:TestToCisco:8419:TestToCisco:2352: proposal id = 2: ike 0:TestToCisco:8419:TestToCisco:2352: protocol id = IPSEC_ESP: ike 0:TestToCisco:8419:TestToCisco:2352: PFS DH group = 1 ike 0:TestToCisco:8419:TestToCisco:2352: trans_id = ESP_3DES ike 0:TestToCisco:8419:TestToCisco:2352: encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:TestToCisco:8419:TestToCisco:2352: type = AUTH_ALG, val=MD5 ike 0:TestToCisco:8419:TestToCisco:2352: incoming proposal: ike 0:TestToCisco:8419:TestToCisco:2352: proposal id = 1: ike 0:TestToCisco:8419:TestToCisco:2352: protocol id = IPSEC_ESP: ike 0:TestToCisco:8419:TestToCisco:2352: PFS DH group = 5 ike 0:TestToCisco:8419:TestToCisco:2352: trans_id = ESP_3DES ike 0:TestToCisco:8419:TestToCisco:2352: encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:TestToCisco:8419:TestToCisco:2352: type = AUTH_ALG, val=MD5 ike 0:TestToCisco:8419:TestToCisco:2352: negotiation failure ike Negotiate IPsec SA Error: ike 0:TestToCisco:8419:2352: no SA proposal chosen ike 0:TestToCisco:2352: info_send_n2, type 14, peer SPI ba0c1fa7 ike 0:TestToCisco:8419: enc E0A58579A166E7011318BF0CE01DEC580810050100DCF74E000000400B0000142B1581DBF1D3AA3EDC336794C2DCBBA800000010000000010304000EBA0C1FA7 ike 0:TestToCisco:8419: out E0A58579A166E7011318BF0CE01DEC580810050100DCF74E0000004429B41D74763307BD926AB02CBC1461BDEE103ED18E48FE3E28F04393B8DEE907DCCF7A9F8172AC86 ike 0:TestToCisco:8419: sent IKE msg (p2_notify_14): 73.107.235.45:500->50.250.102.118:500, len=68, id=e0a58579a166e701/1318bf0ce01dec58:00dcf74e ike 0:TestToCisco:8419: error processing quick-mode message from 50.250.102.118 as responder

 

 

___________________________________________________________________________________________CCisco Config

 

ISR4221# ISR4221#sh run | begin isakmp crypto isakmp policy 1 encr 3des hash md5 authentication pre-share group 2 crypto isakmp key <did not post key> address 0.0.0.0  <<<<< any address on purpose ! ! crypto ipsec transform-set TS esp-3des esp-md5-hmac mode tunnel ! crypto ipsec profile VTI set security-association lifetime seconds 86400 set transform-set TS ! ! interface Tunnel0 ip unnumbered GigabitEthernet0/0/1  <<<< this was numbered at one time.  zone-member security LAN tunnel source 50.250.102.118 tunnel mode ipsec ipv4 tunnel destination 73.107.235.45 tunnel protection ipsec profile VTI

 

 

debug :

 

IPv4 Crypto ISAKMP SA dst src state conn-id status 50.250.102.118 73.107.235.45 QM_IDLE 1191 ACTIVE 50.250.102.118 73.107.235.45 MM_NO_STATE 1190 ACTIVE (deleted)

 

 

ISR4221#debug crypto isakmp Crypto ISAKMP debugging is on ISR4221# ISR4221# ISR4221# ISR4221#term mon ISR4221# *Mar 26 15:07:46.955: ISAKMP: (1181):purging node 3040338059 ISR4221# *Mar 26 15:07:50.025: ISAKMP: (1182):purging node 2511836437 ISR4221# *Mar 26 15:07:51.818: ISAKMP: (1182):set new node 0 to QM_IDLE *Mar 26 15:07:51.818: ISAKMP: (1182):SA has outstanding requests (local 50.250.102.118 port 500, remote 73.107.235.45 port 500) *Mar 26 15:07:51.818: ISAKMP: (1182):sitting IDLE. Starting QM immediately (QM_IDLE ) *Mar 26 15:07:51.818: ISAKMP: (1182):beginning Quick Mode exchange, M-ID of 828670928 *Mar 26 15:07:51.830: ISAKMP: (1182):QM Initiator gets spi *Mar 26 15:07:51.831: ISAKMP-PAK: (1182):sending packet to 73.107.235.45 my_port 500 peer_port 500 (R) QM_IDLE *Mar 26 15:07:51.831: ISAKMP: (1182):Sending an IKE IPv4 Packet. *Mar 26 15:07:51.831: ISAKMP: (1182):Node 828670928, Input = IKE_MESG_INTERNAL, IKE_INIT_QM *Mar 26 15:07:51.831: ISAKMP: (1182):Old State = IKE_QM_READY New State = IKE_QM_I_QM1 *Mar 26 15:07:51.876: ISAKMP-PAK: (1182):received packet from 73.107.235.45 dport 500 sport 500 Global (R) QM_IDLE *Mar 26 15:07:51.876: ISAKMP: (1182):set new node 4149256254 to QM_IDLE *Mar 26 15:07:51.876: ISAKMP: (1182):processing HASH payload. message ID = 4149256254 *Mar 26 15:07:51.877: ISAKMP: (1182):processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 3648703813, message ID = 4149256254, sa = 0x80007F7B66C74EB0 ISR4221# *Mar 26 15:07:51.877: ISAKMP: (1182):deleting spi 3648703813 message ID = 828670928 *Mar 26 15:07:51.877: ISAKMP-ERROR: (1182):deleting node 828670928 error TRUE reason "Delete Larval" *Mar 26 15:07:51.877: ISAKMP: (1182):deleting node 4149256254 error FALSE reason "Informational (in) state 1" *Mar 26 15:07:51.877: ISAKMP: (1182):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY *Mar 26 15:07:51.877: ISAKMP: (1182):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

ISR4221# *Mar 26 15:07:56.954: ISAKMP: (1181):purging SA., sa=80007F7B718E3100, delme=80007F7B718E3100 ISR4221# *Mar 26 15:08:02.084: ISAKMP-PAK: (1182):received packet from 73.107.235.45 dport 500 sport 500 Global (R) QM_IDLE *Mar 26 15:08:02.084: ISAKMP: (1182):set new node 2898857848 to QM_IDLE *Mar 26 15:08:02.085: ISAKMP: (1182):processing HASH payload. message ID = 2898857848 *Mar 26 15:08:02.085: ISAKMP: (1182):processing DELETE payload. message ID = 2898857848 *Mar 26 15:08:02.085: ISAKMP: (1182):peer does not do paranoid keepalives. *Mar 26 15:08:02.085: ISAKMP: (1182):deleting SA reason "No reason" state (R) QM_IDLE (peer 73.107.235.45) *Mar 26 15:08:02.085: ISAKMP: (1182):deleting node 2898857848 error FALSE reason "Informational (in) state 1" *Mar 26 15:08:02.085: ISAKMP: (1182):set new node 2594725701 to QM_IDLE *Mar 26 15:08:02.085: ISAKMP-PAK: (1182):sending packet to 73.107.235.45 my_port 500 peer_port 500 (R) QM_IDLE *Mar 26 15:08:02.086: ISAKMP: (1182):Sending an IKE IPv4 Packet. *Mar 26 15:08:02.086: ISAKMP: (1182):purging node 2594725701 *Mar 26 15:08:02.086: ISAKMP: (1182):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL *Mar 26 15:08:02.086: ISAKMP: (1182):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA

*Mar 26 15:08:02.086: ISAKMP: (1182):deleting SA reason "No reason" state (R) QM_IDLE (peer 73.107.235.45) ISR4221# *Mar 26 15:08:02.086: ISAKMP: (0):Unlocking peer struct 0x80007F7B724717F0 for isadb_mark_sa_deleted(), count 0 *Mar 26 15:08:02.086: ISAKMP: (0):Deleting peer node by peer_reap for 73.107.235.45: 80007F7B724717F0 *Mar 26 15:08:02.087: ISAKMP: (1182):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Mar 26 15:08:02.087: ISAKMP: (1182):Old State = IKE_DEST_SA New State = IKE_DEST_SA

*Mar 26 15:08:03.094: ISAKMP-PAK: (0):received packet from 73.107.235.45 dport 500 sport 500 Global (N) NEW SA *Mar 26 15:08:03.094: ISAKMP: (0):Created a peer struct for 73.107.235.45, peer port 500 *Mar 26 15:08:03.095: ISAKMP: (0):New peer created peer = 0x80007F7B724717F0 peer_handle = 0x8000000080000C4C *Mar 26 15:08:03.095: ISAKMP: (0):Locking peer struct 0x80007F7B724717F0, refcount 1 for crypto_isakmp_process_block *Mar 26 15:08:03.095: ISAKMP: (0):local port 500, remote port 500 *Mar 26 15:08:03.095: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 80007F7B718E3100 *Mar 26 15:08:03.095: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Mar 26 15:08:03.095: ISAKMP: (0):Old State = IKE_READY New State = IKE_R_MM1

*Mar 26 15:08:03.095: ISAKMP: (0):processing SA payload. message ID = 0 *Mar 26 15:08:03.095: ISAKMP: (0):processing vendor id payload *Mar 26 15:08:03.096: ISAKMP: (0):vendor ID is DPD *Mar 26 15:08:03.096: ISAKMP: (0):processing vendor id payload *Mar 26 15:08:03.096: ISAKMP: (0):vendor ID seems Unity/DPD but major 194 mismatch *Mar 26 15:08:03.096: ISAKMP: (0):processing vendor id payload *Mar 26 15:08:03.096: ISAKMP: (0):processing IKE frag vendor id payload *Mar 26 15:08:03.096: ISAKMP: (0):Support for IKE Fragmentation not enabled *Mar 26 15:08:03.096: ISAKMP: (0):processing vendor id payload *Mar 26 15:08:03.096: ISAKMP: (0):vendor ID seems Unity/DPD but major 0 mismatch *Mar 26 15:08:03.096: ISAKMP: (0):found peer pre-shared key matching 73.107.235.45 *Mar 26 15:08:03.096: ISAKMP: (0):local preshared key found *Mar 26 15:08:03.096: ISAKMP: (0):Scanning profiles for xauth ... *Mar 26 15:08:03.096: ISAKMP: (0):Checking ISAKMP transform 1 against priority 1 policy *Mar 26 15:08:03.097: ISAKMP: (0): life type in seconds *Mar 26 15:08:03.097: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80 *Mar 26 15:08:03.097: ISAKMP: (0): encryption 3DES-CBC *Mar 26 15:08:03.097: ISAKMP: (0): auth pre-share *Mar 26 15:08:03.097: ISAKMP: (0): hash MD5 *Mar 26 15:08:03.097: ISAKMP: (0): default group 2 *Mar 26 15:08:03.097: ISAKMP: (0):atts are acceptable. Next payload is 0 *Mar 26 15:08:03.097: ISAKMP: (0):Acceptable atts:actual life: 86400 *Mar 26 15:08:03.097: ISAKMP: (0):Acceptable atts:life: 0 *Mar 26 15:08:03.097: ISAKMP: (0):Fill atts in sa vpi_length:4 *Mar 26 15:08:03.097: ISAKMP: (0):Fill atts in sa life_in_seconds:86400 *Mar 26 15:08:03.097: ISAKMP: (0):Returning Actual lifetime: 86400 *Mar 26 15:08:03.098: ISAKMP: (0):Started lifetime timer: 86400.

*Mar 26 15:08:03.102: ISAKMP: (0):processing vendor id payload *Mar 26 15:08:03.102: ISAKMP: (0):vendor ID is DPD *Mar 26 15:08:03.102: ISAKMP: (0):processing vendor id payload *Mar 26 15:08:03.102: ISAKMP: (0):vendor ID seems Unity/DPD but major 194 mismatch *Mar 26 15:08:03.102: ISAKMP: (0):processing vendor id payload *Mar 26 15:08:03.102: ISAKMP: (0):processing IKE frag vendor id payload *Mar 26 15:08:03.102: ISAKMP: (0):Support for IKE Fragmentation not enabled *Mar 26 15:08:03.102: ISAKMP: (0):processing vendor id payload *Mar 26 15:08:03.102: ISAKMP: (0):vendor ID seems Unity/DPD but major 0 mismatch *Mar 26 15:08:03.102: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE *Mar 26 15:08:03.103: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM1

*Mar 26 15:08:03.103: ISAKMP-PAK: (0):sending packet to 73.107.235.45 my_port 500 peer_port 500 (R) MM_SA_SETUP *Mar 26 15:08:03.103: ISAKMP: (0):Sending an IKE IPv4 Packet. *Mar 26 15:08:03.103: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE *Mar 26 15:08:03.103: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM2

*Mar 26 15:08:03.140: ISAKMP-PAK: (0):received packet from 73.107.235.45 dport 500 sport 500 Global (R) MM_SA_SETUP *Mar 26 15:08:03.140: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Mar 26 15:08:03.140: ISAKMP: (0):Old State = IKE_R_MM2 New State = IKE_R_MM3

*Mar 26 15:08:03.141: ISAKMP: (0):processing KE payload. message ID = 0 *Mar 26 15:08:03.146: ISAKMP: (0):processing NONCE payload. message ID = 0 *Mar 26 15:08:03.146: ISAKMP: (0):found peer pre-shared key matching 73.107.235.45 *Mar 26 15:08:03.146: ISAKMP: (1183):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE *Mar 26 15:08:03.146: ISAKMP: (1183):Old State = IKE_R_MM3 New State = IKE_R_MM3

*Mar 26 15:08:03.146: ISAKMP-PAK: (1183):sending packet to 73.107.235.45 my_port 500 peer_port 500 (R) MM_KEY_EXCH *Mar 26 15:08:03.146: ISAKMP: (1183):Sending an IKE IPv4 Packet. *Mar 26 15:08:03.147: ISAKMP: (1183):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE *Mar 26 15:08:03.147: ISAKMP: (1183):Old State = IKE_R_MM3 New State = IKE_R_MM4

*Mar 26 15:08:03.178: ISAKMP-PAK: (1183):received packet from 73.107.235.45 dport 500 sport 500 Global (R) MM_KEY_EXCH *Mar 26 15:08:03.178: ISAKMP: (1183):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Mar 26 15:08:03.178: ISAKMP: (1183):Old State = IKE_R_MM4 New State = IKE_R_MM5

*Mar 26 15:08:03.179: ISAKMP: (1183):processing ID payload. message ID = 0 *Mar 26 15:08:03.179: ISAKMP: (1183):ID payload next-payload : 8 type : 1 *Mar 26 15:08:03.179: ISAKMP: (1183): address : 73.107.235.45 *Mar 26 15:08:03.179: ISAKMP: (1183): protocol : 0 port : 0 length : 12 *Mar 26 15:08:03.179: ISAKMP: (0):peer matches *none* of the profiles *Mar 26 15:08:03.179: ISAKMP: (1183):processing HASH payload. message ID = 0 *Mar 26 15:08:03.179: ISAKMP: (1183):processing NOTIFY INITIAL_CONTACT protocol 1 spi 0, message ID = 0, sa = 0x80007F7B718E3100 *Mar 26 15:08:03.179: ISAKMP: (1183):SA authentication status: authenticated *Mar 26 15:08:03.179: ISAKMP: (1183):SA has been authenticated with 73.107.235.45 *Mar 26 15:08:03.179: ISAKMP: (1183):SA authentication status: authenticated *Mar 26 15:08:03.179: ISAKMP: (1183):Process initial contact, bring down existing phase 1 and 2 SA's with local 50.250.102.118 remote 73.107.235.45 remote port 500 *Mar 26 15:08:03.180: ISAKMP: (0):Trying to insert a peer 50.250.102.118/73.107.235.45/500/, *Mar 26 15:08:03.180: ISAKMP: (0): and inserted successfully 80007F7B724717F0. *Mar 26 15:08:03.180: ISAKMP: (1183):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE *Mar 26 15:08:03.180: ISAKMP: (1183):Old State = IKE_R_MM5 New State = IKE_R_MM5

*Mar 26 15:08:03.180: ISAKMP: (1183):SA is doing *Mar 26 15:08:03.180: ISAKMP: (1183):pre-shared key authentication using id type ID_IPV4_ADDR *Mar 26 15:08:03.180: ISAKMP: (1183):ID payload next-payload : 8 type : 1 *Mar 26 15:08:03.181: ISAKMP: (1183): address : 50.250.102.118 *Mar 26 15:08:03.181: ISAKMP: (1183): protocol : 17 port : 500 length : 12 *Mar 26 15:08:03.181: ISAKMP: (1183):Total payload length: 12 *Mar 26 15:08:03.181: ISAKMP-PAK: (1183):sending packet to 73.107.235.45 my_port 500 peer_port 500 (R) MM_KEY_EXCH *Mar 26 15:08:03.181: ISAKMP: (1183):Sending an IKE IPv4 Packet. *Mar 26 15:08:03.181: ISAKMP: (1183):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE *Mar 26 15:08:03.181: ISAKMP: (1183):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

ISR4221# *Mar 26 15:08:03.182: ISAKMP: (1183):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE *Mar 26 15:08:03.182: ISAKMP: (1183):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

ISR4221# *Mar 26 15:08:05.155: ISAKMP-PAK: (1183):received packet from 73.107.235.45 dport 500 sport 500 Global (R) QM_IDLE *Mar 26 15:08:05.155: ISAKMP: (1183):set new node 734805177 to QM_IDLE *Mar 26 15:08:05.155: ISAKMP: (1183):processing HASH payload. message ID = 734805177 *Mar 26 15:08:05.156: ISAKMP: (1183):processing SA payload. message ID = 734805177 *Mar 26 15:08:05.156: ISAKMP: (1183):Checking IPSec proposal 1 *Mar 26 15:08:05.156: ISAKMP: (1183):transform 1, ESP_3DES *Mar 26 15:08:05.156: ISAKMP: (1183): attributes in transform: *Mar 26 15:08:05.156: ISAKMP: (1183): SA life type in seconds *Mar 26 15:08:05.156: ISAKMP: (1183): SA life duration (basic) of 43200 *Mar 26 15:08:05.156: ISAKMP: (1183): encaps is 1 (Tunnel) *Mar 26 15:08:05.156: ISAKMP: (1183): authenticator is HMAC-MD5 *Mar 26 15:08:05.156: ISAKMP: (1183):atts are acceptable. *Mar 26 15:08:05.157: ISAKMP-ERROR: (1183):IPSec policy invalidated proposal with error 1024 *Mar 26 15:08:05.157: ISAKMP-ERROR: (1183):phase 2 SA policy not acceptable! (local 50.250.102.118 remote 73.107.235.45) *Mar 26 15:08:05.158: ISAKMP: (1183):set new node 3385498750 to QM_IDLE ISR4221# *Mar 26 15:08:05.158: ISAKMP: (1183):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 9223512204992471792, message ID = 3385498750 *Mar 26 15:08:05.158: ISAKMP-PAK: (1183):sending packet to 73.107.235.45 my_port 500 peer_port 500 (R) QM_IDLE *Mar 26 15:08:05.158: ISAKMP: (1183):Sending an IKE IPv4 Packet. *Mar 26 15:08:05.158: ISAKMP: (1183):purging node 3385498750 *Mar 26 15:08:05.158: ISAKMP-ERROR: (1183):deleting node 734805177 error TRUE reason "QM rejected" *Mar 26 15:08:05.159: ISAKMP: (1183):Node 734805177, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH *Mar 26 15:08:05.159: ISAKMP: (1183):Old State = IKE_QM_READY New State = IKE_QM_READY ISR4221# *Mar 26 15:08:07.164: ISAKMP-PAK: (1183):received packet from 73.107.235.45 dport 500 sport 500 Global (R) QM_IDLE *Mar 26 15:08:07.165: ISAKMP: (1183):phase 2 packet is a duplicate of a previous packet. *Mar 26 15:08:07.165: ISAKMP: (1183):retransmitting due to retransmit phase 2 *Mar 26 15:08:07.165: ISAKMP: (1183):Quick Mode is being processed. Ignoring retransmission ISR4221# *Mar 26 15:08:11.174: ISAKMP-PAK: (1183):received packet from 73.107.235.45 dport 500 sport 500 Global (R) QM_IDLE *Mar 26 15:08:11.175: ISAKMP: (1183):phase 2 packet is a duplicate of a previous packet. *Mar 26 15:08:11.175: ISAKMP: (1183):retransmitting due to retransmit phase 2 *Mar 26 15:08:11.175: ISAKMP: (1183):Quick Mode is being processed. Ignoring retransmission *Mar 26 15:08:11.441: ISAKMP: (1182):purging node 1730638449 *Mar 26 15:08:11.441: ISAKMP: (1182):purging node 3285571772 ISR4221# *Mar 26 15:08:19.184: ISAKMP-PAK: (1183):received packet from 73.107.235.45 dport 500 sport 500 Global (R) QM_IDLE *Mar 26 15:08:19.184: ISAKMP: (1183):phase 2 packet is a duplicate of a previous packet. *Mar 26 15:08:19.185: ISAKMP: (1183):retransmitting due to retransmit phase 2 *Mar 26 15:08:19.185: ISAKMP: (1183):Quick Mode is being processed. Ignoring retransmission ISR4221# *Mar 26 15:08:21.818: ISAKMP: (1183):set new node 0 to QM_IDLE *Mar 26 15:08:21.818: ISAKMP: (1183):SA has outstanding requests (local 50.250.102.118 port 500, remote 73.107.235.45 port 500) *Mar 26 15:08:21.818: ISAKMP: (1183):sitting IDLE. Starting QM immediately (QM_IDLE ) *Mar 26 15:08:21.818: ISAKMP: (1183):beginning Quick Mode exchange, M-ID of 202785673 *Mar 26 15:08:21.830: ISAKMP: (1183):QM Initiator gets spi *Mar 26 15:08:21.831: ISAKMP-PAK: (1183):sending packet to 73.107.235.45 my_port 500 peer_port 500 (R) QM_IDLE *Mar 26 15:08:21.831: ISAKMP: (1183):Sending an IKE IPv4 Packet. *Mar 26 15:08:21.831: ISAKMP: (1183):Node 202785673, Input = IKE_MESG_INTERNAL, IKE_INIT_QM *Mar 26 15:08:21.831: ISAKMP: (1183):Old State = IKE_QM_READY New State = IKE_QM_I_QM1 *Mar 26 15:08:21.864: ISAKMP-PAK: (1183):received packet from 73.107.235.45 dport 500 sport 500 Global (R) QM_IDLE *Mar 26 15:08:21.864: ISAKMP: (1183):set new node 2965253630 to QM_IDLE *Mar 26 15:08:21.865: ISAKMP: (1183):processing HASH payload. message ID = 2965253630 *Mar 26 15:08:21.865: ISAKMP: (1183):processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 4178712177, message ID = 2965253630, sa = 0x80007F7B718E3100 ISR4221# *Mar 26 15:08:21.865: ISAKMP: (1183):deleting spi 4178712177 message ID = 202785673 *Mar 26 15:08:21.865: ISAKMP-ERROR: (1183):deleting node 202785673 error TRUE reason "Delete Larval" *Mar 26 15:08:21.865: ISAKMP: (1183):deleting node 2965253630 error FALSE reason "Informational (in) state 1" *Mar 26 15:08:21.865: ISAKMP: (1183):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY *Mar 26 15:08:21.865: ISAKMP: (1183):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

ISR4221# *Mar 26 15:08:35.195: ISAKMP-PAK: (1183):received packet from 73.107.235.45 dport 500 sport 500 Global (R) QM_IDLE *Mar 26 15:08:35.196: ISAKMP: (1183):phase 2 packet is a duplicate of a previous packet. *Mar 26 15:08:35.196: ISAKMP: (1183):retransmitting due to retransmit phase 2 *Mar 26 15:08:35.196: ISAKMP: (1183):Quick Mode is being processed. Ignoring retransmission ISR4221# *Mar 26 15:08:41.878: ISAKMP: (1182):purging node 828670928 *Mar 26 15:08:41.878: ISAKMP: (1182):purging node 4149256254 ISR4221# ISR4221# ISR4221# ISR4221# ISR4221# ISR4221# ISR4221# ISR4221# ISR4221# ISR4221#un all *Mar 26 15:08:52.085: ISAKMP: (1182):purging node 2898857848 *Mar 26 15:08:52.251: ISAKMP: (1183):set new node 0 to QM_IDLE *Mar 26 15:08:52.251: ISAKMP: (1183):SA has outstanding requests (local 50.250.102.118 port 500, remote 73.107.235.45 port 500) *Mar 26 15:08:52.251: ISAKMP: (1183):sitting IDLE. Starting QM immediately (QM_IDLE ) *Mar 26 15:08:52.251: ISAKMP: (1183):beginning Quick Mode exchange, M-ID of 2615360766 *Mar 26 15:08:52.263: ISAKMP: (1183):QM Initiator gets spi *Mar 26 15:08:52.264: ISAKMP-PAK: (1183):sending packet to 73.107.235.45 my_port 500 peer_port 500 (R) QM_IDLE *Mar 26 15:08:52.264: ISAKMP: (1183):Sending an IKE IPv4 Packet. *Mar 26 15:08:52.264: ISAKMP: (1183):Node 2615360766, Input = IKE_MESG_INTERNAL, IKE_INIT_QM *Mar 26 15:08:52.264: ISAKMP: (1183):Old State = IKE_QM_READY New State = IKE_QM_I_QM1 *Mar 26 15:08:52.301: ISAKMP-PAK: (1183):received packet from 73.107.235.45 dport 500 sport 500 Global (R) QM_IDLE *Mar 26 15:08:52.302: ISAKMP: (1183):set new node 3172844811 to QM_IDLE *Mar 26 15:08:52.302: ISAKMP: (1183):processing HASH payload. message ID = 3172844811 *Mar 26 15:08:52.302: ISAKMP: (1183):processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 726164641, message ID = 3172844811, sa = 0x80007F7B718E3100 ISR4221#un all All possible debugging has been turned off ISR4221# *Mar 26 15:08:52.302: ISAKMP: (1183):deleting spi 726164641 message ID = 2615360766 *Mar 26 15:08:52.302: ISAKMP-ERROR: (1183):deleting node 2615360766 error TRUE reason "Delete Larval" *Mar 26 15:08:52.302: ISAKMP: (1183):deleting node 3172844811 error FALSE reason "Informational (in) state 1" *Mar 26 15:08:52.302: ISAKMP: (1183):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY *Mar 26 15:08:52.302: ISAKMP: (1183):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

5034
0 Kudos
emnoc
Esteemed Contributor III
In response to mrmadgig

Created on ‎03-26-2021 08:12 AM

Can you show the fortigate phase2 settngs? I have a hunch you have ofs enabled or something

 

/* cli 

 

show full  vpn ipsec phase2-interface < name>

 

The cisco stuff looks good fwiw but we need to make sure fortios is matching 

 

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
5034
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.