[c-nsp] Site to site vpn Cisco Router to Fortinet

Joe Freeman joe at netbyjoe.com
Tue Dec 11 08:37:07 EST 2012


Greetings-

I am trying to get an IPsec tunnel up between a Cisco router and a Fortinet
200B for a customer. I've got IKE phase 1 completing, but phase 2 won't
complete because the router's proposal isn't matching the firewall's:


2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: specified selectors mismatch
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: peer: type=7/7, ports=0/0, protocol=0/0
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: local=0.0.0.0-255.255.255.255, remote=0.0.0.0-255.255.255.255
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: mine: type=7/7, ports=0/0, protocol=0/0
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: local=XX.XX.XX.0-XX.XX.XX.255, remote=10.52.132.0-10.52.133.255
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: specified selectors mismatch


I've been trying to figure out how to set the router to match, but since
I'm using a tunnel interface in IPsec mode, I haven't seen anything that
works yet. Here's the router config:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 8600
!
crypto isakmp policy 5
 encr aes
 authentication pre-share
 group 2
 lifetime 8600
!
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 2
 lifetime 8600
crypto isakmp key XXXXXXXXX address <firewall_ip_addr> no-xauth
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set CPS_TSET esp-3des esp-sha-hmac
!
crypto ipsec profile CPS
 set transform-set CPS_TSET

interface Tunnel186
 description IPsec interface to Firewall
 ip address <XXXXXXX>
 tunnel source Loopback0
 tunnel mode ipsec ipv4
 tunnel destination <firewall_ip_addr>
 tunnel protection ipsec profile CPS

I'm thinking I need an ACL and some way to apply it to the crypto profile,
but I haven't found anything like that for a tunnel interface.

Any thoughts or suggestions are appreciated!

Thanks-
Joe
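To make the FortiGate debug output above easier to read, here is a small added diagnostic (not from the post or from either vendor) that parses the "peer:" and "mine:" selector pairs, reports which fields differ, and flags the case shown in the log where the peer offers 0.0.0.0/0 on both ends while the local phase 2 is pinned to specific subnets. The masked XX.XX.XX.0 prefix is replaced by the documentation prefix 192.0.2.0 in the constructed sample; that value is an assumption.

```python
import re
from ipaddress import ip_address

# Constructed sample: the FortiGate IKE debug lines quoted in the post, joined
# onto single lines, with the masked XX.XX.XX.0 prefix replaced by 192.0.2.0
# (an assumption; the real prefix is not in the post).
SAMPLE_LOG = """\
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: specified selectors mismatch
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: peer: type=7/7, ports=0/0, protocol=0/0
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: local=0.0.0.0-255.255.255.255, remote=0.0.0.0-255.255.255.255
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: mine: type=7/7, ports=0/0, protocol=0/0
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: local=192.0.2.0-192.0.2.255, remote=10.52.132.0-10.52.133.255
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: specified selectors mismatch
"""

HEADER_RE = re.compile(r": (peer|mine): type=(\S+), ports=(\S+), protocol=(\S+)$")
RANGE_RE = re.compile(r": local=([\d.]+)-([\d.]+), remote=([\d.]+)-([\d.]+)$")


def parse_selectors(log):
    """Collect the 'peer' (proposed by the remote gateway) and 'mine'
    (configured locally) phase 2 selectors from a FortiGate IKE debug excerpt.
    A header line names the side; the following line carries its ranges."""
    sides, current = {}, None
    for line in log.splitlines():
        m = HEADER_RE.search(line)
        if m:
            current = m.group(1)
            sides[current] = {"type": m.group(2), "ports": m.group(3), "protocol": m.group(4)}
            continue
        m = RANGE_RE.search(line)
        if m and current:
            lo, hi, rlo, rhi = (ip_address(g) for g in m.groups())
            sides[current]["local"] = (lo, hi)
            sides[current]["remote"] = (rlo, rhi)
    return sides


def explain_mismatch(sides):
    """Return which selector fields differ between peer and mine, and whether
    the peer is proposing the 'any' range (0.0.0.0-255.255.255.255) on both
    ends, which is what a route-based tunnel interface offers."""
    peer, mine = sides["peer"], sides["mine"]
    diffs = [k for k in ("type", "ports", "protocol", "local", "remote") if peer[k] != mine[k]]
    any_range = (ip_address("0.0.0.0"), ip_address("255.255.255.255"))
    peer_is_any = peer["local"] == any_range and peer["remote"] == any_range
    return {"differs": diffs, "peer_proposes_any": peer_is_any}


if __name__ == "__main__":
    print(explain_mismatch(parse_selectors(SAMPLE_LOG)))
```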

