[c-nsp] Site to site vpn Cisco Router to Fortinet
Kenny Kant
akennykant at gmail.com
Thu Dec 13 08:28:49 EST 2012
For some reason I don't think it's possible to do VTI to a non-Cisco. I may be wrong here, but I think you will have to do crypto maps instead and define traffic on both ends.
Sent from my iPad
On Dec 11, 2012, at 7:37 AM, Joe Freeman <joe at netbyjoe.com> wrote:
> Greetings-
>
> I am trying to get an ipsec tunnel up between a cisco router and a Fortinet
> 200B for a customer. I've got IKE phase 1 completing, but phase 2 won't
> complete because the router's proposal isn't matching the firewall's-
>
>
> 2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: specified selectors
> mismatch
> 2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: peer: type=7/7,
> ports=0/0, protocol=0/0
> 2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408:
> local=0.0.0.0-255.255.255.255, remote=0.0.0.0-255.255.255.255
> 2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: mine: type=7/7,
> ports=0/0, protocol=0/0
> 2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408:
> local=XX.XX.XX.0-XX.XX.XX.255, remote=10.52.132.0-10.52.133.255
> 2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: specified selectors
> mismatch
>
>
> I've been trying to figure out how to set the router to match, but since
> I'm using a tunnel interface in ipsec mode, I haven't seen anything that
> works yet. Here's the router config:
>
> crypto isakmp policy 1
>  encr 3des
>  authentication pre-share
>  group 2
>  lifetime 8600
> !
> crypto isakmp policy 5
>  encr aes
>  authentication pre-share
>  group 2
>  lifetime 8600
> !
> crypto isakmp policy 10
>  encr aes
>  hash sha256
>  authentication pre-share
>  group 2
>  lifetime 8600
> crypto isakmp key XXXXXXXXX address <firewall_ip_addr> no-xauth
> crypto isakmp keepalive 10
> !
> !
> crypto ipsec transform-set CPS_TSET esp-3des esp-sha-hmac
> !
> crypto ipsec profile CPS
>  set transform-set CPS_TSET
>
> interface Tunnel186
>  description IPsec interface to Firewall
>  ip address <XXXXXXX>
>  tunnel source Loopback0
>  tunnel mode ipsec ipv4
>  tunnel destination <firewall_ip_addr>
>  tunnel protection ipsec profile CPS
>
> I'm thinking I need an ACL and some way to apply it to the crypto profile,
> but I haven't found anything like that for a tunnel interface.
>
> Any thoughts or suggestions are appreciated!
>
> Thanks-
> Joe
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
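The "specified selectors mismatch" lines in the FortiGate debug above can be triaged mechanically. This is an added example, not code from the thread: it parses the `peer:`/`mine:` selector lines (the constructed sample mirrors the quoted log, with the masked XX.XX.XX.0 subnet replaced by 192.0.2.0/24) and reports whether the peer offered a wider range than the FortiGate's phase 2, which is what the router's VTI does with its 0.0.0.0-255.255.255.255 selectors. It assumes FortiGate prints both sides' selectors from its own point of view, so local is compared with local.

```python
import ipaddress
import re

# Constructed sample modelled on the FortiGate IKE debug lines quoted in the thread;
# the masked XX.XX.XX.0 subnet is replaced with the documentation range 192.0.2.0/24.
SAMPLE_LOG = """\
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: specified selectors mismatch
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: peer: type=7/7, ports=0/0, protocol=0/0
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: local=0.0.0.0-255.255.255.255, remote=0.0.0.0-255.255.255.255
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: mine: type=7/7, ports=0/0, protocol=0/0
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: local=192.0.2.0-192.0.2.255, remote=10.52.132.0-10.52.133.255
2012-12-11 09:29:50 ike 1:SJCGW:324472:144706408: specified selectors mismatch
"""

SIDE_RE = re.compile(r"ike (?P<gw>\S+): (?P<side>peer|mine): type=")
RANGE_RE = re.compile(r"local=(?P<l1>[\d.]+)-(?P<l2>[\d.]+), remote=(?P<r1>[\d.]+)-(?P<r2>[\d.]+)")


def to_range(lo, hi):
    return (ipaddress.ip_address(lo), ipaddress.ip_address(hi))


def parse_selectors(text):
    """Map negotiation id -> {'peer'|'mine': {'local': (lo, hi), 'remote': (lo, hi)}}.
    The local=/remote= part may be on the same line or, as in a wrapped mail, the next one."""
    result, pending = {}, None
    for line in text.splitlines():
        m = SIDE_RE.search(line)
        if m:
            pending = (m["gw"], m["side"])
        m = RANGE_RE.search(line)
        if m and pending:
            gw, side = pending
            result.setdefault(gw, {})[side] = {"local": to_range(m["l1"], m["l2"]),
                                               "remote": to_range(m["r1"], m["r2"])}
            pending = None
    return result


def covers(outer, inner):
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def diagnose(selectors):
    """Classify each negotiation that has both sides logged. Assumption: FortiGate prints the
    peer's selectors already from its own point of view, so local is compared with local."""
    findings = {}
    for gw, s in selectors.items():
        if "peer" not in s or "mine" not in s:
            continue
        p, m = s["peer"], s["mine"]
        if p == m:
            findings[gw] = "match"
        elif covers(p["local"], m["local"]) and covers(p["remote"], m["remote"]):
            findings[gw] = "peer-wider"   # e.g. a route-based VTI offering 0.0.0.0/0 both ways
        elif covers(m["local"], p["local"]) and covers(m["remote"], p["remote"]):
            findings[gw] = "mine-wider"
        else:
            findings[gw] = "disjoint"
    return findings
```

A "peer-wider" result points at the VTI's any/any proposal against subnet-specific phase 2 selectors on the FortiGate; "disjoint" means the two ends simply disagree on the protected subnets.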