VPN: Cisco 2651 - FortiGate 100

Hi all, I'm trying to create a VPN between my Cisco 2651 and a FortiGate 100. I have some problem, I think, when the VPN's phase 2 begins.

Here is my conf:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 15
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 35
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 40
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp key address
!
crypto ipsec transform-set 3des_md5 esp-3des esp-md5-hmac
!
crypto map vpn 100 ipsec-isakmp
 description
 set peer
 set transform-set 3des_md5
 set pfs group2
 match address 151
!
access-list 151 permit ip host 192.168.1.93 10.10.10.0 0.0.0.255
access-list 151 permit ip host 192.168.1.93 192.168.21.0 0.0.0.255
access-list 151 permit ip 192.168.11.0 0.0.0.255 192.168.21.0 0.0.0.255

...and here my debug...

*Aug 10 12:00:18.369: ISAKMP:(0:104:HW:2): processing HASH payload. message ID = 0
*Aug 10 12:00:18.373: ISAKMP:(0:104:HW:2):SA authentication status:
*Aug 10 12:00:18.373: ISAKMP:(0:104:HW:2): authenticated
*Aug 10 12:00:18.373: ISAKMP:(0:104:HW:2):SA has been authenticated with
*Aug 10 12:00:18.373: ISAKMP:(0:104:HW:2):: peer matches *none* of the profiles
*Aug 10 12:00:18.373: ISAKMP: Trying to insert a peer / /500/, and inserted successfully.
*Aug 10 12:00:18.373: ISAKMP:(0:104:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Aug 10 12:00:18.373: ISAKMP:(0:104:HW:2):Old State = IKE_I_MM6 New State = IKE_I_MM6
*Aug 10 12:00:18.377: ISAKMP:(0:104:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Aug 10 12:00:18.377: ISAKMP:(0:104:HW:2):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Aug 10 12:00:18.377: ISAKMP:(0:104:HW:2):beginning Quick Mode exchange, M-ID of -948673120
*Aug 10 12:00:18.389: ISAKMP:(0:104:HW:2): sending packet to my_port 500 peer_port 500 (I) QM_IDLE
*Aug 10 12:00:18.393: ISAKMP:(0:104:HW:2):Node -948673120, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Aug 10 12:00:18.393: ISAKMP:(0:104:HW:2):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Aug 10 12:00:18.393: ISAKMP:(0:104:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Aug 10 12:00:18.393: ISAKMP:(0:104:HW:2):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Aug 10 12:00:20.104: ISAKMP (0:268435560): received packet from dport 500 sport 500 Global (I) QM_IDLE
*Aug 10 12:00:20.104: ISAKMP: set new node 311940652 to QM_IDLE
*Aug 10 12:00:20.108: ISAKMP:(0:104:HW:2): processing HASH payload. message ID = 311940652
*Aug 10 12:00:20.108: %CRYPTO-6-IKMP_BAD_DOI_NOTIFY: DOI of 0 in notify message from
*Aug 10 12:00:20.108: ISAKMP:(0:104:HW:2):incrementing error counter on sa: IKMP_BAD_DOI_NOTIFY
*Aug 10 12:00:20.108: ISAKMP:(0:104:HW:2): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 1 spi 0, message ID = 311940652, sa = 857A617C
*Aug 10 12:00:20.108: ISAKMP:(0:104:HW:2):peer does not do paranoid keepalives.
*Aug 10 12:00:20.108: ISAKMP:(0:104:HW:2):deleting SA reason "recevied fatal informational" state (I) QM_IDLE (peer ) input queue 0
*Aug 10 12:00:20.108: ISAKMP:(0:104:HW:2):deleting node 311940652 error FALSE reason "informational (in) state 1"
*Aug 10 12:00:20.112: ISAKMP:(0:104:HW:2):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Aug 10 12:00:20.112: ISAKMP:(0:104:HW:2):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Aug 10 12:00:20.112: ISAKMP: set new node 1841500615 to QM_IDLE
*Aug 10 12:00:20.116: ISAKMP:(0:104:HW:2): sending packet to my_port 500 peer_port 500 (I) QM_IDLE
*Aug 10 12:00:20.116: ISAKMP:(0:104:HW:2):purging node 1841500615
*Aug 10 12:00:20.116: ISAKMP:(0:104:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Aug 10 12:00:20.116: ISAKMP:(0:104:HW:2):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Aug 10 12:00:20.120: ISAKMP:(0:104:HW:2):deleting SA reason "" state (I) QM_IDLE (peer ) input queue 0
*Aug 10 12:00:20.120: ISAKMP: Unlocking IKE struct 0x8566D144 for isadb_mark_sa_deleted(), count 0
*Aug 10 12:00:20.120: ISAKMP: Deleting peer node by peer_reap for : 8566D144
*Aug 10 12:00:20.120: ISAKMP:(0:104:HW:2):deleting node -948673120 error FALSE reason ""
*Aug 10 12:00:20.120: ISAKMP:(0:104:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Aug 10 12:00:20.120: ISAKMP:(0:104:HW:2):Old State = IKE_DEST_SA New State = IKE_DEST_SA
*Aug 10 12:00:20.469: ISAKMP (0:268435560): received packet from dport 500 sport 500 Global (I) MM_NO_STATE
*Aug 10 12:00:45.117: IPSEC(key_engine): request timer fired: count = 1, (identity) local= , remote= , local_proxy= 192.168.1.93/255.255.255.255/0/0 (type=1), remote_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4)
*Aug 10 12:00:45.117: IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= , remote= , local_proxy= 192.168.1.93/255.255.255.255/0/0 (type=1), remote_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4), protocol= ESP, transform= esp-3des esp-md5-hmac , lifedur= 3600s and 4608000kb, spi= 0xEE335F2A(3996344106), conn_id= 0, keysize= 0, flags= 0x400B
*Aug 10 12:00:45.117: ISAKMP: received ke message (1/1)
*Aug 10 12:00:45.121: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*Aug 10 12:00:45.121: ISAKMP: Created a peer struct for , peer port 500
*Aug 10 12:00:45.121: ISAKMP: Locking peer struct 0x856D0A24, IKE refcount 1 for isakmp_initiator
*Aug 10 12:00:45.121: ISAKMP: local port 500, remote port 500
*Aug 10 12:00:45.121: ISAKMP: set new node 0 to QM_IDLE
*Aug 10 12:00:45.121: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 857AA938
*Aug 10 12:00:45.121: ISAKMP:(0:105:HW:2):Can not start Aggressive mode, trying Main mode.
*Aug 10 12:00:45.121: ISAKMP: Looking for a matching key for in default : success
*Aug 10 12:00:45.121: ISAKMP:(0:105:HW:2):found peer pre-shared key matching
*Aug 10 12:00:45.125: ISAKMP:(0:105:HW:2): constructed NAT-T vendor-03 ID
*Aug 10 12:00:45.125: ISAKMP:(0:105:HW:2): constructed NAT-T vendor-02 ID
*Aug 10 12:00:45.125: ISAKMP:(0:105:HW:2):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Aug 10 12:00:45.125: ISAKMP:(0:105:HW:2):Old State = IKE_READY New State = IKE_I_MM1
*Aug 10 12:00:45.125: ISAKMP:(0:105:HW:2): beginning Main Mode exchange
*Aug 10 12:00:45.125: ISAKMP:(0:105:HW:2): sending packet to my_port 500 peer_port 500 (I) MM_NO_STATE
*Aug 10 12:00:45.810: ISAKMP (0:268435561): received packet from dport 500 sport 500 Global (I) MM_NO_STATE
*Aug 10 12:00:45.810: ISAKMP:(0:105:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Aug 10 12:00:45.810: ISAKMP:(0:105:HW:2):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Aug 10 12:00:45.810: ISAKMP:(0:105:HW:2): processing SA payload. message ID = 0
*Aug 10 12:00:45.810: ISAKMP:(0:105:HW:2): processing vendor id payload
*Aug 10 12:00:45.810: ISAKMP:(0:105:HW:2): vendor ID seems Unity/DPD but major 233 mismatch
*Aug 10 12:00:45.814: ISAKMP: Looking for a matching key for in default : success
*Aug 10 12:00:45.814: ISAKMP:(0:105:HW:2):found peer pre-shared key matching
*Aug 10 12:00:45.814: ISAKMP:(0:105:HW:2): local preshared key found
*Aug 10 12:00:45.814: ISAKMP : Scanning profiles for xauth ...
*Aug 10 12:00:45.814: ISAKMP:(0:105:HW:2):Checking ISAKMP transform 2 against priority 10 policy
*Aug 10 12:00:45.814: ISAKMP: encryption 3DES-CBC
*Aug 10 12:00:45.814: ISAKMP: hash MD5
*Aug 10 12:00:45.814: ISAKMP: default group 2
*Aug 10 12:00:45.814: ISAKMP: auth pre-share
*Aug 10 12:00:45.814: ISAKMP: life type in seconds
*Aug 10 12:00:45.814: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Aug 10 12:00:45.814: ISAKMP:(0:105:HW:2):Hash algorithm offered does not match policy!
*Aug 10 12:00:45.814: ISAKMP:(0:105:HW:2):atts are not acceptable. Next payload is 0
*Aug 10 12:00:45.814: ISAKMP:(0:105:HW:2):Checking ISAKMP transform 2 against priority 15 policy
*Aug 10 12:00:45.818: ISAKMP: encryption 3DES-CBC
*Aug 10 12:00:45.818: ISAKMP: hash MD5
*Aug 10 12:00:45.818: ISAKMP: default group 2
*Aug 10 12:00:45.818: ISAKMP: auth pre-share
*Aug 10 12:00:45.818: ISAKMP: life type in seconds
*Aug 10 12:00:45.818: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Aug 10 12:00:45.818: ISAKMP:(0:105:HW:2):atts are acceptable. Next payload is 0
*Aug 10 12:00:45.826: ISAKMP:(0:105:HW:2): processing vendor id payload
*Aug 10 12:00:45.826: ISAKMP:(0:105:HW:2): vendor ID seems Unity/DPD but major 233 mismatch
*Aug 10 12:00:45.826: ISAKMP:(0:105:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Aug 10 12:00:45.826: ISAKMP:(0:105:HW:2):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Aug 10 12:00:45.830: ISAKMP:(0:105:HW:2): sending packet to my_port 500 peer_port 500 (I) MM_SA_SETUP
*Aug 10 12:00:45.830: ISAKMP:(0:105:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Aug 10 12:00:45.830: ISAKMP:(0:105:HW:2):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Aug 10 12:00:47.613: ISAKMP (0:268435561): received packet from dport 500 sport 500 Global (I) MM_SA_SETUP
*Aug 10 12:00:47.613: ISAKMP:(0:105:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Aug 10 12:00:47.613: ISAKMP:(0:105:HW:2):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Aug 10 12:00:47.617: ISAKMP:(0:105:HW:2): processing KE payload. message ID = 0
*Aug 10 12:00:47.621: ISAKMP:(0:105:HW:2): processing NONCE payload. message ID = 0
*Aug 10 12:00:47.625: ISAKMP: Looking for a matching key for in default : success
*Aug 10 12:00:47.625: ISAKMP:(0:105:HW:2):found peer pre-shared key matching
*Aug 10 12:00:47.625: ISAKMP: Looking for a matching key for in default : success
*Aug 10 12:00:47.625: ISAKMP:(0:105:HW:2):found peer pre-shared key matching
*Aug 10 12:00:47.629: ISAKMP:(0:105:HW:2):SKEYID state generated
*Aug 10 12:00:47.629: ISAKMP:(0:105:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Aug 10 12:00:47.629: ISAKMP:(0:105:HW:2):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Aug 10 12:00:47.633: ISAKMP:(0:105:HW:2):Send initial contact
*Aug 10 12:00:47.633: ISAKMP:(0:105:HW:2):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Aug 10 12:00:47.633: ISAKMP (0:268435561): ID payload next-payload : 8 type : 1 address : protocol : 17 port : 500 length : 12
*Aug 10 12:00:47.633: ISAKMP:(0:105:HW:2):Total payload length: 12
*Aug 10 12:00:47.637: ISAKMP:(0:105:HW:2): sending packet to my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Aug 10 12:00:47.637: ISAKMP:(0:105:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Aug 10 12:00:47.637: ISAKMP:(0:105:HW:2):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Aug 10 12:00:47.890: ISAKMP (0:268435561): received packet from dport 500 sport 500 Global (I) MM_KEY_EXCH
*Aug 10 12:00:47.894: ISAKMP:(0:105:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Aug 10 12:00:47.894: ISAKMP:(0:105:HW:2):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Aug 10 12:00:47.894: ISAKMP:(0:105:HW:2): processing ID payload. message ID = 0
*Aug 10 12:00:47.894: ISAKMP (0:268435561): ID payload next-payload : 8 type : 1 address : protocol : 0 port : 0 length : 12
*Aug 10 12:00:47.894: ISAKMP:(0:105:HW:2): processing HASH payload. message ID = 0
*Aug 10 12:00:47.898: ISAKMP:(0:105:HW:2):SA authentication status:
*Aug 10 12:00:47.898: ISAKMP:(0:105:HW:2): authenticated
*Aug 10 12:00:47.898: ISAKMP:(0:105:HW:2):SA has been authenticated with
*Aug 10 12:00:47.898: ISAKMP:(0:105:HW:2):: peer matches *none* of the profiles
*Aug 10 12:00:47.898: ISAKMP: Trying to insert a peer / /500/, and inserted successfully.
*Aug 10 12:00:47.898: ISAKMP:(0:105:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Aug 10 12:00:47.898: ISAKMP:(0:105:HW:2):Old State = IKE_I_MM6 New State = IKE_I_MM6
*Aug 10 12:00:47.902: ISAKMP:(0:105:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Aug 10 12:00:47.902: ISAKMP:(0:105:HW:2):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Aug 10 12:00:47.902: ISAKMP:(0:105:HW:2):beginning Quick Mode exchange, M-ID of -1210640676
*Aug 10 12:00:47.914: ISAKMP:(0:105:HW:2): sending packet to my_port 500 peer_port 500 (I) QM_IDLE
*Aug 10 12:00:47.918: ISAKMP:(0:105:HW:2):Node -1210640676, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Aug 10 12:00:47.918: ISAKMP:(0:105:HW:2):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Aug 10 12:00:47.918: ISAKMP:(0:105:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Aug 10 12:00:47.918: ISAKMP:(0:105:HW:2):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Aug 10 12:00:48.547: ISAKMP (0:268435561): received packet from dport 500 sport 500 Global (I) QM_IDLE
*Aug 10 12:00:48.547: ISAKMP: set new node 917352592 to QM_IDLE
*Aug 10 12:00:48.551: ISAKMP:(0:105:HW:2): processing HASH payload. message ID = 917352592
*Aug 10 12:00:48.551: ISAKMP:(0:105:HW:2):incrementing error counter on sa: IKMP_BAD_DOI_NOTIFY
*Aug 10 12:00:48.551: ISAKMP:(0:105:HW:2): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 1 spi 0, message ID = 917352592, sa = 857AA938
*Aug 10 12:00:48.551: ISAKMP:(0:105:HW:2):peer does not do paranoid keepalives.
*Aug 10 12:00:48.551: ISAKMP:(0:105:HW:2):deleting SA reason "recevied fatal informational" state (I) QM_IDLE (peer ) input queue 0
*Aug 10 12:00:48.551: ISAKMP:(0:105:HW:2):deleting node 917352592 error FALSE reason "informational (in) state 1"
*Aug 10 12:00:48.551: ISAKMP:(0:105:HW:2):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Aug 10 12:00:48.551: ISAKMP:(0:105:HW:2):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Aug 10 12:00:48.555: ISAKMP: set new node 2051526023 to QM_IDLE
*Aug 10 12:00:48.559: ISAKMP:(0:105:HW:2): sending packet to my_port 500 peer_port 500 (I) QM_IDLE
*Aug 10 12:00:48.559: ISAKMP:(0:105:HW:2):purging node 2051526023
*Aug 10 12:00:48.559: ISAKMP:(0:105:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Aug 10 12:00:48.559: ISAKMP:(0:105:HW:2):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Aug 10 12:00:48.559: ISAKMP:(0:105:HW:2):deleting SA reason "" state (I) QM_IDLE (peer ) input queue 0
*Aug 10 12:00:48.559: ISAKMP: Unlocking IKE struct 0x856D0A24 for isadb_mark_sa_deleted(), count 0
*Aug 10 12:00:48.559: ISAKMP: Deleting peer node by peer_reap for : 856D0A24
*Aug 10 12:00:48.563: ISAKMP:(0:105:HW:2):deleting node -1210640676 error FALSE reason ""
*Aug 10 12:00:48.563: ISAKMP:(0:105:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Aug 10 12:00:48.563: ISAKMP:(0:105:HW:2):Old State = IKE_DEST_SA New State = IKE_DEST_SA
*Aug 10 12:00:48.835: ISAKMP (0:268435561): received packet from dport 500 sport 500 Global (I) MM_NO_STATE
*Aug 10 12:01:10.114: ISAKMP:(0:104:HW:2):purging node 311940652
*Aug 10 12:01:10.122: ISAKMP:(0:104:HW:2):purging node -948673120
*Aug 10 12:01:15.118: IPSEC(key_engine): request timer fired: count = 2, (identity) local= , remote= , local_proxy= 192.168.1.93/255.255.255.255/0/0 (type=1), remote_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4)
*Aug 10 12:01:15.118: ISAKMP: received ke message (3/1)
*Aug 10 12:01:15.122: ISAKMP:(0:105:HW:2):peer does not do paranoid keepalives.
*Aug 10 12:01:15.122: ISAKMP:(0:104:HW:2):peer does not do paranoid keepalives.

I think that the problem starts here ...

*Aug 10 12:00:20.108: %CRYPTO-6-IKMP_BAD_DOI_NOTIFY: DOI of 0 in notify message from
*Aug 10 12:00:20.108: ISAKMP:(0:104:HW:2):incrementing error counter on sa: IKMP_BAD_DOI_NOTIFY
....

Thank you, Ginevra J.
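An added example, not part of the original post: a small Python parser that splits an IOS "debug crypto isakmp" dump like the one above back into one record per timestamp, tracks each IKE SA's state transitions, and reports whether a PROPOSAL_NOT_CHOSEN notify arrived before or after IKE_P1_COMPLETE, which is the distinction that tells you whether to compare phase 1 policies or phase 2 parameters (transform set, PFS group, crypto ACL proxy IDs). The record format and the embedded sample are taken from the debug above; the verdict strings are this example's own wording.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# One IOS ISAKMP debug record begins "*Mon dd hh:mm:ss.mmm: "; the "(0:104:HW:2)"
# tag after "ISAKMP:" names the IKE SA the record belongs to.
TS = r"\*\w{3} +\d+ \d\d:\d\d:\d\d\.\d+: "
SA_TAG = re.compile(r"ISAKMP:\((\d+:\d+:\w+:\d+)\)")
NEW_STATE = re.compile(r"New State = (\w+)")

@dataclass
class SaTrace:
    states: list = field(default_factory=list)  # state transitions, in order
    p1_rejections: int = 0                       # isakmp policies the peer's offer failed
    verdict: str = "no failure seen"

def split_records(blob: str) -> list[str]:
    """Split run-together debug text back into one record per timestamp."""
    return [r.strip() for r in re.split("(?=" + TS + ")", blob) if r.strip()]

def analyse(blob: str) -> dict[str, SaTrace]:
    """Track each SA's states and classify the first PROPOSAL_NOT_CHOSEN it receives."""
    traces: dict[str, SaTrace] = {}
    for rec in split_records(blob):
        tag = SA_TAG.search(rec)
        if not tag:          # e.g. the %CRYPTO-6-IKMP_BAD_DOI_NOTIFY syslog line
            continue
        t = traces.setdefault(tag.group(1), SaTrace())
        p1_done = "IKE_P1_COMPLETE" in t.states
        if m := NEW_STATE.search(rec):
            t.states.append(m.group(1))
        if "atts are not acceptable" in rec and not p1_done:
            t.p1_rejections += 1  # harmless when a later isakmp policy is accepted
        # BAD_DOI_NOTIFY only says the peer's notify carried DOI 0; the actionable
        # message is the NOTIFY that IOS processes immediately afterwards.
        if "NOTIFY PROPOSAL_NOT_CHOSEN" in rec and t.verdict == "no failure seen":
            t.verdict = ("phase 2 proposal rejected by peer: compare transform set, "
                         "PFS group and crypto ACL proxy IDs with the peer's phase 2"
                         if p1_done else
                         "phase 1 proposal rejected by peer: compare isakmp policies")
    return traces

# Excerpt of the SA 0:104 records from the debug above (run together as extracted).
SAMPLE = (
    "*Aug 10 12:00:18.377: ISAKMP:(0:104:HW:2):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE "
    "*Aug 10 12:00:20.108: %CRYPTO-6-IKMP_BAD_DOI_NOTIFY: DOI of 0 in notify message from "
    "*Aug 10 12:00:20.108: ISAKMP:(0:104:HW:2): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 1 spi 0, message ID = 311940652, sa = 857A617C "
    "*Aug 10 12:00:20.108: ISAKMP:(0:104:HW:2):deleting SA reason \"recevied fatal informational\" state (I) QM_IDLE (peer ) input queue 0"
)
```

Running analyse(SAMPLE) yields a phase 2 verdict for SA 0:104:HW:2, matching the debug above where both SAs reach IKE_P1_COMPLETE before the FortiGate rejects the Quick Mode proposal.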
