[c-nsp] Site to site vpn Cisco Router to Fortinet

Joshua Morgan joshua.morgan at gmail.com
Tue Dec 11 15:01:32 EST 2012


I've only ever used crypto ACLs to match traffic on the Cisco side, not Tunnel interfaces. Don't use address groups as part of your Phase 2 proposals on the FortiGate side... You will need to create individual Phase 2 proposals per 'address' pair.

Josh

Sent from my iPhone

On 12/12/2012, at 3:34, Alberto Cruz <alberto.cruz at execulink.com> wrote:

> You can find help on the following links:
> 
> http://docs.fortinet.com/fgt/handbook/40mr3/fortigate-ipsec-40-mr3.pdf
> 
> http://docs.fortinet.com/fgt/handbook/40mr2/fortigate-ipsec-40-mr2.pdf
> 
> http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD32864&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=40856996&stateId=0%200%2040858146
> 
> Regards
> 
> Alberto
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joe Freeman
> Sent: December-11-12 8:37 AM
> To: Cisco-nsp
> Subject: [c-nsp] Site to site vpn Cisco Router to Fortinet
> 
> Greetings-
> 
> I am trying to get an IPsec tunnel up between a Cisco router and a Fortinet 200B for a customer. I've got IKE phase 1 completing, but phase 2 won't complete because the router's proposal isn't matching the firewall's-
> 
> 
> 2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: specified selectors mismatch
> 2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: peer: type=7/7, ports=0/0, protocol=0/0
> 2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408:
> local=0.0.0.0-255.255.255.255, remote=0.0.0.0-255.255.255.255
> 2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: mine: type=7/7, ports=0/0, protocol=0/0
> 2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408:
> local=XX.XX.XX.0-XX.XX.XX.255, remote=10.52.132.0-10.52.133.255
> 2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: specified selectors mismatch
> 
> 
> I've been trying to figure out how to set the router to match, but since I'm using a tunnel interface in IPsec mode, I haven't seen anything that works yet. Here's the router config:
> 
> crypto isakmp policy 1
> encr 3des
> authentication pre-share
> group 2
> lifetime 8600
> !
> crypto isakmp policy 5
> encr aes
> authentication pre-share
> group 2
> lifetime 8600
> !
> crypto isakmp policy 10
> encr aes
> hash sha256
> authentication pre-share
> group 2
> lifetime 8600
> crypto isakmp key XXXXXXXXX address <firewall_ip_addr> no-xauth
> crypto isakmp keepalive 10
> !
> !
> crypto ipsec transform-set CPS_TSET esp-3des esp-sha-hmac
> !
> crypto ipsec profile CPS
> set transform-set CPS_TSET
> 
> interface Tunnel186
> description IPsec interface to Firewall
> ip address <XXXXXXX>
> tunnel source Loopback0
> tunnel mode ipsec ipv4
> tunnel destination <firewall_ip_addr>
> tunnel protection ipsec profile CPS
> 
> I'm thinking I need an ACL and some way to apply it to the crypto profile, but I haven't found anything like that for a tunnel interface.
> 
> Any thoughts or suggestions are appreciated!
> 
> Thanks-
> Joe
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
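As an added example, not code from any post in this thread: a small Python parser for the FortiGate `ike` debug lines Joe quoted, which pulls out the selectors the router proposed (`peer`) and the ones the FortiGate is configured with (`mine`) and lists which fields differ. The masked XX.XX.XX octets of the local subnet are replaced with the documentation prefix 192.0.2.0/24, which is an assumption.

```python
import ipaddress
import re

# Constructed copy of the FortiGate "ike" debug lines from Joe's post; the masked
# XX.XX.XX octets are replaced with the documentation prefix 192.0.2 (assumption).
DEBUG_LINES = """\
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: specified selectors mismatch
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: peer: type=7/7, ports=0/0, protocol=0/0
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408:
local=0.0.0.0-255.255.255.255, remote=0.0.0.0-255.255.255.255
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: mine: type=7/7, ports=0/0, protocol=0/0
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408:
local=192.0.2.0-192.0.2.255, remote=10.52.132.0-10.52.133.255
"""

SIDE_RE = re.compile(r"\b(peer|mine): type=\S+, ports=(\S+), protocol=(\S+)")
RANGE_RE = re.compile(r"local=([\d.]+)-([\d.]+), remote=([\d.]+)-([\d.]+)")


def to_prefixes(start, end):
    """Collapse a first-last address range into CIDR strings, e.g. 10.52.132.0/23."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end))]


def parse_selectors(text):
    """Return {'peer': ..., 'mine': ...}: 'peer' is the quick-mode proposal received
    from the router, 'mine' the FortiGate's configured phase 2 selectors. The
    local=/remote= pair may follow the peer:/mine: tag on a continuation line."""
    sides, current = {}, None
    for line in text.splitlines():
        tag = SIDE_RE.search(line)
        if tag:
            current = tag.group(1)
            sides[current] = {"ports": tag.group(2), "protocol": tag.group(3)}
        rng = RANGE_RE.search(line)
        if rng and current:
            sides[current]["local"] = to_prefixes(rng.group(1), rng.group(2))
            sides[current]["remote"] = to_prefixes(rng.group(3), rng.group(4))
    return sides


def selector_mismatches(sides):
    """List each field where the router's proposal differs from ours; an empty list
    means the FortiGate would accept this phase 2 proposal."""
    peer, mine = sides["peer"], sides["mine"]
    return [f"{field}: peer={peer[field]} mine={mine[field]}"
            for field in ("local", "remote", "ports", "protocol")
            if peer[field] != mine[field]]
```

Running `selector_mismatches(parse_selectors(DEBUG_LINES))` on the quoted output flags both the local and the remote selector, since the router's tunnel interface offered any-to-any while the FortiGate expects its two specific subnets.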