Velocity Reviews - Computer Hardware Reviews

VPN 2651 - fortigate 100

ginevra.jeremy@free.fr
03-08-2007
Hi all,
I'm trying to create a VPN between my Cisco 2651 and a FortiGate 100.
I have some problems, I think, when the VPN's phase 2 begins.

Here is my conf:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 15
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 35
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 40
encr 3des
hash md5
authentication pre-share
!
crypto isakmp key <key> address <ip_pub_fortigate>
!
crypto ipsec transform-set 3des_md5 esp-3des esp-md5-hmac
!
crypto map vpn 100 ipsec-isakmp
description
set peer <ip_pub_fortigate>
set transform-set 3des_md5
set pfs group2
match address 151
!
access-list 151 permit ip host 192.168.1.93 10.10.10.0 0.0.0.255
access-list 151 permit ip host 192.168.1.93 192.168.21.0 0.0.0.255
access-list 151 permit ip 192.168.11.0 0.0.0.255 192.168.21.0 0.0.0.255

...and here is my debug...

*Aug 10 12:00:18.369: ISAKMP:(0:104:HW:2): processing HASH payload.
message ID = 0
*Aug 10 12:00:18.373: ISAKMP:(0:104:HW:2):SA authentication status:
*Aug 10 12:00:18.373: ISAKMP:(0:104:HW:2): authenticated
*Aug 10 12:00:18.373: ISAKMP:(0:104:HW:2):SA has been authenticated
with <ip_pub_fortigate>
*Aug 10 12:00:18.373: ISAKMP:(0:104:HW:2):: peer matches *none* of the
profiles
*Aug 10 12:00:18.373: ISAKMP: Trying to insert a peer <my_ip_address>/
<ip_pub_fortigate>/500/, and inserted successfully.
*Aug 10 12:00:18.373: ISAKMP:(0:104:HW:2):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_MAIN_MODE
*Aug 10 12:00:18.373: ISAKMP:(0:104:HW:2):Old State = IKE_I_MM6 New
State = IKE_I_MM6

*Aug 10 12:00:18.377: ISAKMP:(0:104:HW:2):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_COMPLETE
*Aug 10 12:00:18.377: ISAKMP:(0:104:HW:2):Old State = IKE_I_MM6 New
State = IKE_P1_COMPLETE

*Aug 10 12:00:18.377: ISAKMP:(0:104:HW:2):beginning Quick Mode
exchange, M-ID of -948673120
*Aug 10 12:00:18.389: ISAKMP:(0:104:HW:2): sending packet to
<ip_pub_fortigate> my_port 500 peer_port 500 (I) QM_IDLE
*Aug 10 12:00:18.393: ISAKMP:(0:104:HW:2):Node -948673120, Input =
IKE_MESG_INTERNAL, IKE_INIT_QM
*Aug 10 12:00:18.393: ISAKMP:(0:104:HW:2):Old State = IKE_QM_READY
New State = IKE_QM_I_QM1
*Aug 10 12:00:18.393: ISAKMP:(0:104:HW:2):Input = IKE_MESG_INTERNAL,
IKE_PHASE1_COMPLETE
*Aug 10 12:00:18.393: ISAKMP:(0:104:HW:2):Old State = IKE_P1_COMPLETE
New State = IKE_P1_COMPLETE

*Aug 10 12:00:20.104: ISAKMP (0:268435560): received packet from
<ip_pub_fortigate> dport 500 sport 500 Global (I) QM_IDLE
*Aug 10 12:00:20.104: ISAKMP: set new node 311940652 to QM_IDLE
*Aug 10 12:00:20.108: ISAKMP:(0:104:HW:2): processing HASH payload.
message ID = 311940652
*Aug 10 12:00:20.108: %CRYPTO-6-IKMP_BAD_DOI_NOTIFY: DOI of 0 in
notify message from <ip_pub_fortigate>
*Aug 10 12:00:20.108: ISAKMP:(0:104:HW:2):incrementing error counter
on sa: IKMP_BAD_DOI_NOTIFY
*Aug 10 12:00:20.108: ISAKMP:(0:104:HW:2): processing NOTIFY
PROPOSAL_NOT_CHOSEN protocol 1
spi 0, message ID = 311940652, sa = 857A617C
*Aug 10 12:00:20.108: ISAKMP:(0:104:HW:2):peer does not do paranoid
keepalives.

*Aug 10 12:00:20.108: ISAKMP:(0:104:HW:2):deleting SA reason "recevied
fatal informational" state (I) QM_IDLE (peer <ip_pub_fortigate>)
input queue 0
*Aug 10 12:00:20.108: ISAKMP:(0:104:HW:2):deleting node 311940652
error FALSE reason "informational (in) state 1"
*Aug 10 12:00:20.112: ISAKMP:(0:104:HW:2):Input = IKE_MESG_FROM_PEER,
IKE_INFO_NOTIFY
*Aug 10 12:00:20.112: ISAKMP:(0:104:HW:2):Old State = IKE_P1_COMPLETE
New State = IKE_P1_COMPLETE

*Aug 10 12:00:20.112: ISAKMP: set new node 1841500615 to QM_IDLE
*Aug 10 12:00:20.116: ISAKMP:(0:104:HW:2): sending packet to
<ip_pub_fortigate> my_port 500 peer_port 500 (I) QM_IDLE
*Aug 10 12:00:20.116: ISAKMP:(0:104:HW:2):purging node 1841500615
*Aug 10 12:00:20.116: ISAKMP:(0:104:HW:2):Input = IKE_MESG_INTERNAL,
IKE_PHASE1_DEL
*Aug 10 12:00:20.116: ISAKMP:(0:104:HW:2):Old State = IKE_P1_COMPLETE
New State = IKE_DEST_SA

*Aug 10 12:00:20.120: ISAKMP:(0:104:HW:2):deleting SA reason "" state
(I) QM_IDLE (peer <ip_pub_fortigate>) input queue 0
*Aug 10 12:00:20.120: ISAKMP: Unlocking IKE struct 0x8566D144 for
isadb_mark_sa_deleted(), count 0
*Aug 10 12:00:20.120: ISAKMP: Deleting peer node by peer_reap for
<ip_pub_fortigate>: 8566D144
*Aug 10 12:00:20.120: ISAKMP:(0:104:HW:2):deleting node -948673120
error FALSE reason ""
*Aug 10 12:00:20.120: ISAKMP:(0:104:HW:2):Input = IKE_MESG_FROM_PEER,
IKE_MM_EXCH
*Aug 10 12:00:20.120: ISAKMP:(0:104:HW:2):Old State = IKE_DEST_SA New
State = IKE_DEST_SA

*Aug 10 12:00:20.469: ISAKMP (0:268435560): received packet from
<ip_pub_fortigate> dport 500 sport 500 Global (I) MM_NO_STATE
*Aug 10 12:00:45.117: IPSEC(key_engine): request timer fired: count =
1,
(identity) local= <my_ip_address>, remote= <ip_pub_fortigate>,
local_proxy= 192.168.1.93/255.255.255.255/0/0 (type=1),
remote_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4)
*Aug 10 12:00:45.117: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= <my_ip_address>, remote=
<ip_pub_fortigate>,
local_proxy= 192.168.1.93/255.255.255.255/0/0 (type=1),
remote_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0xEE335F2A(3996344106), conn_id= 0, keysize= 0, flags= 0x400B
*Aug 10 12:00:45.117: ISAKMP: received ke message (1/1)
*Aug 10 12:00:45.121: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*Aug 10 12:00:45.121: ISAKMP: Created a peer struct for
<ip_pub_fortigate>, peer port 500
*Aug 10 12:00:45.121: ISAKMP: Locking peer struct 0x856D0A24, IKE
refcount 1 for isakmp_initiator
*Aug 10 12:00:45.121: ISAKMP: local port 500, remote port 500
*Aug 10 12:00:45.121: ISAKMP: set new node 0 to QM_IDLE
*Aug 10 12:00:45.121: ISAKMP: Find a dup sa in the avl tree during
calling isadb_insert sa = 857AA938
*Aug 10 12:00:45.121: ISAKMP:(0:105:HW:2):Can not start Aggressive
mode, trying Main mode.
*Aug 10 12:00:45.121: ISAKMP: Looking for a matching key for
<ip_pub_fortigate> in default : success
*Aug 10 12:00:45.121: ISAKMP:(0:105:HW:2):found peer pre-shared key
matching <ip_pub_fortigate>
*Aug 10 12:00:45.125: ISAKMP:(0:105:HW:2): constructed NAT-T vendor-03
ID
*Aug 10 12:00:45.125: ISAKMP:(0:105:HW:2): constructed NAT-T vendor-02
ID
*Aug 10 12:00:45.125: ISAKMP:(0:105:HW:2):Input = IKE_MESG_FROM_IPSEC,
IKE_SA_REQ_MM
*Aug 10 12:00:45.125: ISAKMP:(0:105:HW:2):Old State = IKE_READY New
State = IKE_I_MM1

*Aug 10 12:00:45.125: ISAKMP:(0:105:HW:2): beginning Main Mode
exchange
*Aug 10 12:00:45.125: ISAKMP:(0:105:HW:2): sending packet to
<ip_pub_fortigate> my_port 500 peer_port 500 (I) MM_NO_STATE
*Aug 10 12:00:45.810: ISAKMP (0:268435561): received packet from
<ip_pub_fortigate> dport 500 sport 500 Global (I) MM_NO_STATE
*Aug 10 12:00:45.810: ISAKMP:(0:105:HW:2):Input = IKE_MESG_FROM_PEER,
IKE_MM_EXCH
*Aug 10 12:00:45.810: ISAKMP:(0:105:HW:2):Old State = IKE_I_MM1 New
State = IKE_I_MM2

*Aug 10 12:00:45.810: ISAKMP:(0:105:HW:2): processing SA payload.
message ID = 0
*Aug 10 12:00:45.810: ISAKMP:(0:105:HW:2): processing vendor id
payload
*Aug 10 12:00:45.810: ISAKMP:(0:105:HW:2): vendor ID seems Unity/DPD
but major 233 mismatch
*Aug 10 12:00:45.814: ISAKMP: Looking for a matching key for
<ip_pub_fortigate> in default : success
*Aug 10 12:00:45.814: ISAKMP:(0:105:HW:2):found peer pre-shared key
matching <ip_pub_fortigate>
*Aug 10 12:00:45.814: ISAKMP:(0:105:HW:2): local preshared key found
*Aug 10 12:00:45.814: ISAKMP : Scanning profiles for xauth ...
*Aug 10 12:00:45.814: ISAKMP:(0:105:HW:2):Checking ISAKMP transform 2
against priority 10 policy
*Aug 10 12:00:45.814: ISAKMP: encryption 3DES-CBC
*Aug 10 12:00:45.814: ISAKMP: hash MD5
*Aug 10 12:00:45.814: ISAKMP: default group 2
*Aug 10 12:00:45.814: ISAKMP: auth pre-share
*Aug 10 12:00:45.814: ISAKMP: life type in seconds
*Aug 10 12:00:45.814: ISAKMP: life duration (VPI) of 0x0 0x1
0x51 0x80
*Aug 10 12:00:45.814: ISAKMP:(0:105:HW:2):Hash algorithm offered does
not match policy!
*Aug 10 12:00:45.814: ISAKMP:(0:105:HW:2):atts are not acceptable.
Next payload is 0
*Aug 10 12:00:45.814: ISAKMP:(0:105:HW:2):Checking ISAKMP transform 2
against priority 15 policy
*Aug 10 12:00:45.818: ISAKMP: encryption 3DES-CBC
*Aug 10 12:00:45.818: ISAKMP: hash MD5
*Aug 10 12:00:45.818: ISAKMP: default group 2
*Aug 10 12:00:45.818: ISAKMP: auth pre-share
*Aug 10 12:00:45.818: ISAKMP: life type in seconds
*Aug 10 12:00:45.818: ISAKMP: life duration (VPI) of 0x0 0x1
0x51 0x80
*Aug 10 12:00:45.818: ISAKMP:(0:105:HW:2):atts are acceptable. Next
payload is 0
*Aug 10 12:00:45.826: ISAKMP:(0:105:HW:2): processing vendor id
payload
*Aug 10 12:00:45.826: ISAKMP:(0:105:HW:2): vendor ID seems Unity/DPD
but major 233 mismatch
*Aug 10 12:00:45.826: ISAKMP:(0:105:HW:2):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_MAIN_MODE
*Aug 10 12:00:45.826: ISAKMP:(0:105:HW:2):Old State = IKE_I_MM2 New
State = IKE_I_MM2

*Aug 10 12:00:45.830: ISAKMP:(0:105:HW:2): sending packet to
<ip_pub_fortigate> my_port 500 peer_port 500 (I) MM_SA_SETUP
*Aug 10 12:00:45.830: ISAKMP:(0:105:HW:2):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_COMPLETE
*Aug 10 12:00:45.830: ISAKMP:(0:105:HW:2):Old State = IKE_I_MM2 New
State = IKE_I_MM3

*Aug 10 12:00:47.613: ISAKMP (0:268435561): received packet from
<ip_pub_fortigate> dport 500 sport 500 Global (I) MM_SA_SETUP
*Aug 10 12:00:47.613: ISAKMP:(0:105:HW:2):Input = IKE_MESG_FROM_PEER,
IKE_MM_EXCH
*Aug 10 12:00:47.613: ISAKMP:(0:105:HW:2):Old State = IKE_I_MM3 New
State = IKE_I_MM4

*Aug 10 12:00:47.617: ISAKMP:(0:105:HW:2): processing KE payload.
message ID = 0
*Aug 10 12:00:47.621: ISAKMP:(0:105:HW:2): processing NONCE payload.
message ID = 0
*Aug 10 12:00:47.625: ISAKMP: Looking for a matching key for
<ip_pub_fortigate> in default : success
*Aug 10 12:00:47.625: ISAKMP:(0:105:HW:2):found peer pre-shared key
matching <ip_pub_fortigate>
*Aug 10 12:00:47.625: ISAKMP: Looking for a matching key for
<ip_pub_fortigate> in default : success
*Aug 10 12:00:47.625: ISAKMP:(0:105:HW:2):found peer pre-shared key
matching <ip_pub_fortigate>
*Aug 10 12:00:47.629: ISAKMP:(0:105:HW:2):SKEYID state generated
*Aug 10 12:00:47.629: ISAKMP:(0:105:HW:2):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_MAIN_MODE
*Aug 10 12:00:47.629: ISAKMP:(0:105:HW:2):Old State = IKE_I_MM4 New
State = IKE_I_MM4

*Aug 10 12:00:47.633: ISAKMP:(0:105:HW:2):Send initial contact
*Aug 10 12:00:47.633: ISAKMP:(0:105:HW:2):SA is doing pre-shared key
authentication using id type ID_IPV4_ADDR
*Aug 10 12:00:47.633: ISAKMP (0:268435561): ID payload
next-payload : 8
type : 1
address : <my_ip_address>
protocol : 17
port : 500
length : 12
*Aug 10 12:00:47.633: ISAKMP:(0:105:HW:2):Total payload length: 12
*Aug 10 12:00:47.637: ISAKMP:(0:105:HW:2): sending packet to
<ip_pub_fortigate> my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Aug 10 12:00:47.637: ISAKMP:(0:105:HW:2):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_COMPLETE
*Aug 10 12:00:47.637: ISAKMP:(0:105:HW:2):Old State = IKE_I_MM4 New
State = IKE_I_MM5

*Aug 10 12:00:47.890: ISAKMP (0:268435561): received packet from
<ip_pub_fortigate> dport 500 sport 500 Global (I) MM_KEY_EXCH
*Aug 10 12:00:47.894: ISAKMP:(0:105:HW:2):Input = IKE_MESG_FROM_PEER,
IKE_MM_EXCH
*Aug 10 12:00:47.894: ISAKMP:(0:105:HW:2):Old State = IKE_I_MM5 New
State = IKE_I_MM6

*Aug 10 12:00:47.894: ISAKMP:(0:105:HW:2): processing ID payload.
message ID = 0
*Aug 10 12:00:47.894: ISAKMP (0:268435561): ID payload
next-payload : 8
type : 1
address : <ip_pub_fortigate>
protocol : 0
port : 0
length : 12
*Aug 10 12:00:47.894: ISAKMP:(0:105:HW:2): processing HASH payload.
message ID = 0
*Aug 10 12:00:47.898: ISAKMP:(0:105:HW:2):SA authentication status:
*Aug 10 12:00:47.898: ISAKMP:(0:105:HW:2): authenticated
*Aug 10 12:00:47.898: ISAKMP:(0:105:HW:2):SA has been authenticated
with <ip_pub_fortigate>
*Aug 10 12:00:47.898: ISAKMP:(0:105:HW:2):: peer matches *none* of the
profiles
*Aug 10 12:00:47.898: ISAKMP: Trying to insert a peer <my_ip_address>/
<ip_pub_fortigate>/500/, and inserted successfully.
*Aug 10 12:00:47.898: ISAKMP:(0:105:HW:2):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_MAIN_MODE
*Aug 10 12:00:47.898: ISAKMP:(0:105:HW:2):Old State = IKE_I_MM6 New
State = IKE_I_MM6

*Aug 10 12:00:47.902: ISAKMP:(0:105:HW:2):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_COMPLETE
*Aug 10 12:00:47.902: ISAKMP:(0:105:HW:2):Old State = IKE_I_MM6 New
State = IKE_P1_COMPLETE

*Aug 10 12:00:47.902: ISAKMP:(0:105:HW:2):beginning Quick Mode
exchange, M-ID of -1210640676
*Aug 10 12:00:47.914: ISAKMP:(0:105:HW:2): sending packet to
<ip_pub_fortigate> my_port 500 peer_port 500 (I) QM_IDLE
*Aug 10 12:00:47.918: ISAKMP:(0:105:HW:2):Node -1210640676, Input =
IKE_MESG_INTERNAL, IKE_INIT_QM
*Aug 10 12:00:47.918: ISAKMP:(0:105:HW:2):Old State = IKE_QM_READY
New State = IKE_QM_I_QM1
*Aug 10 12:00:47.918: ISAKMP:(0:105:HW:2):Input = IKE_MESG_INTERNAL,
IKE_PHASE1_COMPLETE
*Aug 10 12:00:47.918: ISAKMP:(0:105:HW:2):Old State = IKE_P1_COMPLETE
New State = IKE_P1_COMPLETE

*Aug 10 12:00:48.547: ISAKMP (0:268435561): received packet from
<ip_pub_fortigate> dport 500 sport 500 Global (I) QM_IDLE
*Aug 10 12:00:48.547: ISAKMP: set new node 917352592 to QM_IDLE
*Aug 10 12:00:48.551: ISAKMP:(0:105:HW:2): processing HASH payload.
message ID = 917352592
*Aug 10 12:00:48.551: ISAKMP:(0:105:HW:2):incrementing error counter
on sa: IKMP_BAD_DOI_NOTIFY
*Aug 10 12:00:48.551: ISAKMP:(0:105:HW:2): processing NOTIFY
PROPOSAL_NOT_CHOSEN protocol 1
spi 0, message ID = 917352592, sa = 857AA938
*Aug 10 12:00:48.551: ISAKMP:(0:105:HW:2):peer does not do paranoid
keepalives.

*Aug 10 12:00:48.551: ISAKMP:(0:105:HW:2):deleting SA reason "recevied
fatal informational" state (I) QM_IDLE (peer <ip_pub_fortigate>)
input queue 0
*Aug 10 12:00:48.551: ISAKMP:(0:105:HW:2):deleting node 917352592
error FALSE reason "informational (in) state 1"
*Aug 10 12:00:48.551: ISAKMP:(0:105:HW:2):Input = IKE_MESG_FROM_PEER,
IKE_INFO_NOTIFY
*Aug 10 12:00:48.551: ISAKMP:(0:105:HW:2):Old State = IKE_P1_COMPLETE
New State = IKE_P1_COMPLETE

*Aug 10 12:00:48.555: ISAKMP: set new node 2051526023 to QM_IDLE
*Aug 10 12:00:48.559: ISAKMP:(0:105:HW:2): sending packet to
<ip_pub_fortigate> my_port 500 peer_port 500 (I) QM_IDLE
*Aug 10 12:00:48.559: ISAKMP:(0:105:HW:2):purging node 2051526023
*Aug 10 12:00:48.559: ISAKMP:(0:105:HW:2):Input = IKE_MESG_INTERNAL,
IKE_PHASE1_DEL
*Aug 10 12:00:48.559: ISAKMP:(0:105:HW:2):Old State = IKE_P1_COMPLETE
New State = IKE_DEST_SA

*Aug 10 12:00:48.559: ISAKMP:(0:105:HW:2):deleting SA reason "" state
(I) QM_IDLE (peer <ip_pub_fortigate>) input queue 0
*Aug 10 12:00:48.559: ISAKMP: Unlocking IKE struct 0x856D0A24 for
isadb_mark_sa_deleted(), count 0
*Aug 10 12:00:48.559: ISAKMP: Deleting peer node by peer_reap for
<ip_pub_fortigate>: 856D0A24
*Aug 10 12:00:48.563: ISAKMP:(0:105:HW:2):deleting node -1210640676
error FALSE reason ""
*Aug 10 12:00:48.563: ISAKMP:(0:105:HW:2):Input = IKE_MESG_FROM_PEER,
IKE_MM_EXCH
*Aug 10 12:00:48.563: ISAKMP:(0:105:HW:2):Old State = IKE_DEST_SA New
State = IKE_DEST_SA

*Aug 10 12:00:48.835: ISAKMP (0:268435561): received packet from
<ip_pub_fortigate> dport 500 sport 500 Global (I) MM_NO_STATE
*Aug 10 12:01:10.114: ISAKMP:(0:104:HW:2):purging node 311940652
*Aug 10 12:01:10.122: ISAKMP:(0:104:HW:2):purging node -948673120
*Aug 10 12:01:15.118: IPSEC(key_engine): request timer fired: count =
2,
(identity) local= <my_ip_address>, remote= <ip_pub_fortigate>,
local_proxy= 192.168.1.93/255.255.255.255/0/0 (type=1),
remote_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4)
*Aug 10 12:01:15.118: ISAKMP: received ke message (3/1)
*Aug 10 12:01:15.122: ISAKMP:(0:105:HW:2):peer does not do paranoid
keepalives.

*Aug 10 12:01:15.122: ISAKMP:(0:104:HW:2):peer does not do paranoid
keepalives.

I think that the problems start here
....
*Aug 10 12:00:20.108: %CRYPTO-6-IKMP_BAD_DOI_NOTIFY: DOI of 0 in
notify message from <ip_pub_fortigate>
*Aug 10 12:00:20.108: ISAKMP:(0:104:HW:2):incrementing error counter
on sa: IKMP_BAD_DOI_NOTIFY
.....

Thank you,
Ginevra J.
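The debug above is long, and the useful signal is a handful of lines per ISAKMP SA: did Main Mode reach IKE_P1_COMPLETE, what did the peer answer to the first Quick Mode packet, and why was the SA deleted. The script below is an added example, not code from the post or from Cisco; it groups `debug crypto isakmp` lines by SA id (the `0:104` / `0:105` part of the prefix), records those milestones and returns a verdict per SA. The sample input is copied from the post (placeholders kept, the newsgroup line-wrapping undone, and the `:(` / `:p` characters that the forum's smiley filter stripped put back), plus one constructed SA `0:106` that never gets past Main Mode so the Phase 1 branch is exercised. The regex also accepts the smiley-damaged prefix form, so it can be pasted over the text exactly as the forum rendered it.

```python
"""Triage helper for Cisco IOS 'debug crypto isakmp' output (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Per-SA log prefix, e.g. "*Aug 10 12:00:20.108: ISAKMP:(0:104:HW:2):deleting SA ..."
# ":?" and "\(?" also accept the smiley-damaged form "ISAKMP0:104:HW:2)" seen in
# forum pastes, where ":(" was swallowed by the emoticon filter.
PREFIX_RE = re.compile(
    r"^\*?(?P<ts>[A-Za-z]{3} +\d+ [\d:.]+): ISAKMP:?\(?0:(?P<sa>\d+):[^)]*\)(?P<rest>.*)$"
)
STATE_RE = re.compile(r"Old State = (?P<old>\S+) New State = (?P<new>\S+)")
NOTIFY_RE = re.compile(r"processing NOTIFY (?P<type>[A-Z_]+)")


@dataclass
class SaRecord:
    """What the debug stream tells us about one ISAKMP SA."""
    sa_id: str
    phase1_complete_at: Optional[str] = None
    states: List[str] = field(default_factory=list)
    notifies: List[str] = field(default_factory=list)
    policy_rejects: List[str] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)
    deleted: bool = False


def parse_isakmp_debug(lines) -> Dict[str, SaRecord]:
    """Group debug lines by SA id and pull out the negotiation milestones."""
    records: Dict[str, SaRecord] = {}
    for line in lines:
        m = PREFIX_RE.match(line.strip())
        if not m:
            continue  # %CRYPTO syslog banners, IPSEC(...) lines, wrapped continuations
        rec = records.setdefault(m["sa"], SaRecord(m["sa"]))
        rest = m["rest"]
        s = STATE_RE.search(rest)
        if s:
            rec.states.append(s["new"])
            if s["new"] == "IKE_P1_COMPLETE" and rec.phase1_complete_at is None:
                rec.phase1_complete_at = m["ts"]
        n = NOTIFY_RE.search(rest)
        if n:
            rec.notifies.append(n["type"])
        if "does not match policy" in rest:          # Main Mode attribute rejected
            rec.policy_rejects.append(rest.strip(": "))
        if "incrementing error counter on sa:" in rest:
            rec.errors.append(rest.rsplit(":", 1)[1].strip())
        if "deleting SA reason" in rest:
            rec.deleted = True
    return records


def diagnose(rec: SaRecord) -> str:
    """Say at which IKEv1 stage this SA broke down and what to compare."""
    if rec.phase1_complete_at is None:
        return ("Phase 1 never completed: compare ISAKMP policies "
                "(encryption, hash, DH group, lifetime) and the pre-shared key")
    if "PROPOSAL_NOT_CHOSEN" in rec.notifies and "IKE_QM_I_QM1" in rec.states:
        return ("Phase 1 completed, peer rejected the Quick Mode proposal "
                "(PROPOSAL_NOT_CHOSEN): compare transform set, PFS group, "
                "lifetimes and proxy IDs / selectors on both ends")
    if rec.deleted:
        return "SA deleted after Phase 1 without a Phase 2 notify: check DPD/keepalives and the peer's logs"
    return "No failure seen for this SA"


def triage(text: str) -> Dict[str, str]:
    """One verdict per SA, keyed by SA id."""
    return {sa: diagnose(rec) for sa, rec in parse_isakmp_debug(text.splitlines()).items()}


# Sample input: lines from the post above (unwrapped, smiley damage repaired) plus a
# constructed SA 0:106 (not in the post) that fails in Main Mode.
SAMPLE_DEBUG = """\
*Aug 10 12:00:18.377: ISAKMP:(0:104:HW:2):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Aug 10 12:00:18.393: ISAKMP:(0:104:HW:2):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Aug 10 12:00:20.108: %CRYPTO-6-IKMP_BAD_DOI_NOTIFY: DOI of 0 in notify message from <ip_pub_fortigate>
*Aug 10 12:00:20.108: ISAKMP:(0:104:HW:2):incrementing error counter on sa: IKMP_BAD_DOI_NOTIFY
*Aug 10 12:00:20.108: ISAKMP:(0:104:HW:2): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 1
*Aug 10 12:00:20.108: ISAKMP:(0:104:HW:2):deleting SA reason "recevied fatal informational" state (I) QM_IDLE (peer <ip_pub_fortigate>) input queue 0
*Aug 10 12:00:45.814: ISAKMP:(0:105:HW:2):Hash algorithm offered does not match policy!
*Aug 10 12:00:45.818: ISAKMP:(0:105:HW:2):atts are acceptable. Next payload is 0
*Aug 10 12:00:47.902: ISAKMP:(0:105:HW:2):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Aug 10 12:00:47.918: ISAKMP:(0:105:HW:2):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Aug 10 12:00:48.551: ISAKMP:(0:105:HW:2): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 1
*Aug 10 12:00:48.551: ISAKMP:(0:105:HW:2):deleting SA reason "recevied fatal informational" state (I) QM_IDLE (peer <ip_pub_fortigate>) input queue 0
*Aug 10 12:02:00.000: ISAKMP:(0:106:HW:2):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Aug 10 12:02:00.000: ISAKMP:(0:106:HW:2):Hash algorithm offered does not match policy!
*Aug 10 12:02:00.000: ISAKMP:(0:106:HW:2):deleting SA reason "No reason" state (I) MM_SA_SETUP (peer <ip_pub_fortigate>) input queue 0
"""

if __name__ == "__main__":
    for sa, verdict in triage(SAMPLE_DEBUG).items():
        print(f"SA 0:{sa}: {verdict}")
```

Run against the post's own debug, both SA 0:104 and 0:105 reach IKE_P1_COMPLETE and then get PROPOSAL_NOT_CHOSEN as the reply to the first Quick Mode packet, so the disagreement is in the Phase 2 parameters, not the ISAKMP policy; the IKMP_BAD_DOI_NOTIFY line only records that the peer put DOI 0 in that notify, and the router still parses it as PROPOSAL_NOT_CHOSEN, which is what tears the SA down. With a policy-based peer, each of the three access-list 151 entries needs a matching Phase 2 selector on the other side, and the transform set (esp-3des esp-md5-hmac) and PFS group 2 must be offered identically there.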

 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Tetration (print 100^100^100^100^100^100^100^100^100^100^100^100^100^100) jononanon@googlemail.com C Programming 5 04-25-2012 08:49 PM
IPSec VPN - Cisco 837 to Fortigate 60 will.mays@gmail.com Cisco 0 04-02-2007 06:44 AM
ASA and Fortigate-300 VPN linguafr Cisco 0 11-17-2006 11:54 PM
2651 and remote VPN client Sergey Sokolov Cisco 0 12-02-2004 11:45 PM
Cisco VPN 3000 with FortiGate Simon Koh Cisco 0 11-19-2004 04:42 PM



Advertisments