[c-nsp] Site to site vpn Cisco Router to Fortinet

Alberto Cruz alberto.cruz at execulink.com
Tue Dec 11 11:34:37 EST 2012


You can find help at the following links:

http://docs.fortinet.com/fgt/handbook/40mr3/fortigate-ipsec-40-mr3.pdf

http://docs.fortinet.com/fgt/handbook/40mr2/fortigate-ipsec-40-mr2.pdf

http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD32864&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=40856996&stateId=0%200%2040858146

Regards

Alberto

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joe Freeman
Sent: December-11-12 8:37 AM
To: Cisco-nsp
Subject: [c-nsp] Site to site vpn Cisco Router to Fortinet

Greetings-

I am trying to get an IPsec tunnel up between a Cisco router and a Fortinet 200B for a customer. I've got IKE phase 1 completing, but phase 2 won't complete because the router's proposal isn't matching the firewall's:


2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: specified selectors mismatch
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: peer: type=7/7, ports=0/0, protocol=0/0
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: local=0.0.0.0-255.255.255.255, remote=0.0.0.0-255.255.255.255
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: mine: type=7/7, ports=0/0, protocol=0/0
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: local=XX.XX.XX.0-XX.XX.XX.255, remote=10.52.132.0-10.52.133.255
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: specified selectors mismatch


I've been trying to figure out how to set the router to match, but since I'm using a tunnel interface in ipsec mode, I haven't seen anything that works yet. Here's the router config:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 8600
!
crypto isakmp policy 5
 encr aes
 authentication pre-share
 group 2
 lifetime 8600
!
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 2
 lifetime 8600
crypto isakmp key XXXXXXXXX address <firewall_ip_addr> no-xauth
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set CPS_TSET esp-3des esp-sha-hmac
!
crypto ipsec profile CPS
 set transform-set CPS_TSET

interface Tunnel186
 description IPsec interface to Firewall
 ip address <XXXXXXX>
 tunnel source Loopback0
 tunnel mode ipsec ipv4
 tunnel destination <firewall_ip_addr>
 tunnel protection ipsec profile CPS

I'm thinking I need an ACL and some way to apply it to the crypto profile, but I haven't found anything like that for a tunnel interface.

Any thoughts or suggestions are appreciated!

Thanks-
Joe
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
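The FortiGate log Joe quoted shows the two selector sets that the phase 2 comparison is using. As an added example (not code from either poster), this Python parses those "peer:" / "mine:" lines, tolerating the wrapped continuation lines as they appear in the mail archive, and reports which side is proposing any/any; the masked XX.XX.XX.0 range is replaced with a constructed 192.0.2.0/24 placeholder.

```python
import ipaddress
import re

# Constructed sample modeled on the FortiGate "ike" debug lines in the thread;
# the masked XX.XX.XX.0 range is replaced with a 192.0.2.0/24 placeholder.
SAMPLE_LOG = """\
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: specified selectors mismatch
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: peer: type=7/7, ports=0/0, protocol=0/0
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408:
local=0.0.0.0-255.255.255.255, remote=0.0.0.0-255.255.255.255
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: mine: type=7/7, ports=0/0, protocol=0/0
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408:
local=192.0.2.0-192.0.2.255, remote=10.52.132.0-10.52.133.255
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: specified selectors mismatch
"""

RANGE_RE = re.compile(r"local=(\S+)-(\S+), remote=(\S+)-(\S+)")
ANY = (ipaddress.ip_address("0.0.0.0"), ipaddress.ip_address("255.255.255.255"))

def parse_selectors(log_text):
    """Return {'peer': (local, remote), 'mine': (local, remote)}, each side a
    (first, last) address pair, from FortiGate ike debug output.  The range may
    follow the 'peer:'/'mine:' tag on the same line or on a continuation line."""
    result, pending = {}, None
    for line in log_text.splitlines():
        if " peer: " in line:
            pending = "peer"
        elif " mine: " in line:
            pending = "mine"
        m = RANGE_RE.search(line)
        if m and pending:
            local = (ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)))
            remote = (ipaddress.ip_address(m.group(3)), ipaddress.ip_address(m.group(4)))
            result[pending] = (local, remote)
            pending = None
    return result

def diagnose(sel):
    """IKEv1 quick mode needs both sides' traffic selectors to match exactly;
    a peer offering 0.0.0.0-255.255.255.255 on both sides is the signature of a
    route-based (VTI) tunnel, so the local phase 2 selectors must be any/any too."""
    peer, mine = sel["peer"], sel["mine"]
    if peer == mine:
        return "selectors match"
    if peer == (ANY, ANY) and mine != (ANY, ANY):
        return "peer proposes any/any (route-based VTI); local phase 2 selectors are narrower"
    return "selector mismatch"
```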