[c-nsp] Site to site vpn Cisco Router to Fortinet

Joe Freeman joe at netbyjoe.com
Wed Dec 12 15:37:18 EST 2012


I got the tunnel to come up on both ends after changing the quick mode
selectors on the FG200B to 0.0.0.0/0.

Now I'm having trouble getting traffic across it. I've got a policy in the
FG that allows any/any between the internal interface and the tunnel (both
ways). Traffic counters aren't incrementing on either policy. I've also
checked my static routes that send traffic to the tunnel on both sides.

Any debug I can run on the cisco end to let me see traffic there? IOS is
12.4 advanced, on a 2651XM with VPN aim, at least in the lab. Production is
a 2951 with 15.1. I'm trying to make this work in the lab so I don't screw
up the production traffic till I'm ready.

Thanks-
Joe

On Tue, Dec 11, 2012 at 3:01 PM, Joshua Morgan <joshua.morgan at gmail.com> wrote:

> I've only ever used crypto ACLs to match traffic on the Cisco side, not
> Tunnel interfaces. Don't use address groups as part of your Phase 2
> proposals on the FortiGate side... You will need to create individual Phase
> 2 proposals per 'address' pair.
>
> Josh
>
> Sent from my iPhone
>
> On 12/12/2012, at 3:34, Alberto Cruz <alberto.cruz at execulink.com> wrote:
>
> > You can find help on the following links:
> >
> > http://docs.fortinet.com/fgt/handbook/40mr3/fortigate-ipsec-40-mr3.pdf
> >
> > http://docs.fortinet.com/fgt/handbook/40mr2/fortigate-ipsec-40-mr2.pdf
> >
> >
> > http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD32864&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=40856996&stateId=0%200%2040858146
> >
> > Regards
> >
> > Alberto
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joe Freeman
> > Sent: December-11-12 8:37 AM
> > To: Cisco-nsp
> > Subject: [c-nsp] Site to site vpn Cisco Router to Fortinet
> >
> > Greetings-
> >
> > I am trying to get an ipsec tunnel up between a cisco router and a
> > Fortinet 200B for a customer. I've got IKE phase 1 completing, but phase 2
> > won't complete because the router's proposal isn't matching the firewall's-
> >
> >
> > 2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: specified selectors mismatch
> > 2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: peer: type=7/7, ports=0/0, protocol=0/0
> > 2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: local=0.0.0.0-255.255.255.255, remote=0.0.0.0-255.255.255.255
> > 2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: mine: type=7/7, ports=0/0, protocol=0/0
> > 2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: local=XX.XX.XX.0-XX.XX.XX.255, remote=10.52.132.0-10.52.133.255
> > 2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: specified selectors mismatch
> >
> >
> > I've been trying to figure out how to set the router to match, but since
> > I'm using a tunnel interface in ipsec mode, I haven't seen anything that
> > works yet. Here's the router config:
> >
> > crypto isakmp policy 1
> >  encr 3des
> >  authentication pre-share
> >  group 2
> >  lifetime 8600
> > !
> > crypto isakmp policy 5
> >  encr aes
> >  authentication pre-share
> >  group 2
> >  lifetime 8600
> > !
> > crypto isakmp policy 10
> >  encr aes
> >  hash sha256
> >  authentication pre-share
> >  group 2
> >  lifetime 8600
> > crypto isakmp key XXXXXXXXX address <firewall_ip_addr> no-xauth
> > crypto isakmp keepalive 10
> > !
> > !
> > crypto ipsec transform-set CPS_TSET esp-3des esp-sha-hmac
> > !
> > crypto ipsec profile CPS
> >  set transform-set CPS_TSET
> >
> > interface Tunnel186
> >  description IPsec interface to Firewall
> >  ip address <XXXXXXX>
> >  tunnel source Loopback0
> >  tunnel mode ipsec ipv4
> >  tunnel destination <firewall_ip_addr>
> >  tunnel protection ipsec profile CPS
> >
> > I'm thinking I need an ACL and some way to apply it to the crypto
> > profile, but I haven't found anything like that for a tunnel interface.
> >
> > Any thoughts or suggestions are appreciated!
> >
> > Thanks-
> > Joe
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>
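The "specified selectors mismatch" lines quoted above are the FortiGate telling you that the phase 2 selectors the Cisco VTI proposed (any/any, because `tunnel mode ipsec ipv4` carries no crypto ACL) do not exactly equal its own quick-mode selectors. The following is an added example, not code from the thread or from Fortinet or Cisco: it parses that debug output and states which side is wider. It assumes the line format shown in the thread and substitutes the 192.0.2.0/24 documentation range for the masked XX.XX.XX.0/24 network.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the debug lines quoted in the thread (masked XX.XX.XX.0/24 -> 192.0.2.0/24).
SAMPLE_LOG = """\
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: specified selectors mismatch
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: peer: type=7/7, ports=0/0, protocol=0/0
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: local=0.0.0.0-255.255.255.255, remote=0.0.0.0-255.255.255.255
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: mine: type=7/7, ports=0/0, protocol=0/0
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: local=192.0.2.0-192.0.2.255, remote=10.52.132.0-10.52.133.255
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: specified selectors mismatch
"""
PREFIX = re.compile(r"^\S+ \S+ ike (?P<sess>[\w:]+): (?P<msg>.*)$")
RANGE = re.compile(r"local=(\S+)-(\S+), remote=(\S+)-(\S+)")

def to_networks(first, last):
    """Collapse a first-last address range into the CIDR blocks it covers."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def covers(outer, inner):
    """True when every network in inner lies inside some network in outer."""
    return all(any(n.subnet_of(o) for o in outer) for n in inner)

def parse_selectors(log):
    """Map session id -> {"peer"/"mine": (local nets, remote nets)}; both
    sides are expressed in the FortiGate's own local/remote frame."""
    out, pending = defaultdict(dict), {}  # pending: session -> side named last
    for m in filter(None, map(PREFIX.match, log.splitlines())):
        sess, msg = m.group("sess"), m.group("msg")
        if msg.startswith(("peer:", "mine:")):
            pending[sess] = msg[:4]  # the next local=/remote= line is this side's
        elif (r := RANGE.search(msg)) and sess in pending:
            out[sess][pending.pop(sess)] = (to_networks(r[1], r[2]),
                                            to_networks(r[3], r[4]))
    return dict(out)

def compare(selectors):
    """FortiGate quick mode needs local and remote to match exactly; any other
    verdict is what it logs as 'specified selectors mismatch'."""
    verdicts = {}
    for sess, sides in selectors.items():
        verdict = "exact"
        for peer, mine in zip(sides["peer"], sides["mine"]):
            if peer != mine:  # a route-based VTI typically proposes 0.0.0.0/0
                verdict = ("peer wider" if covers(peer, mine) else
                           "peer narrower" if covers(mine, peer) else "disjoint")
        verdicts[sess] = verdict
    return verdicts
```

A "peer wider" verdict is the VTI case from the thread; the two fixes discussed there are widening the FortiGate quick-mode selectors to 0.0.0.0/0 or replacing the VTI with a crypto map and ACL on the Cisco side so both ends propose the same subnets.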