Can't get L2L VPN up between ASA and Fortinet (IKEv2)

Hi,
I'm having issues getting a L2L tunnel up between a Cisco ASA and a Fortinet. This is the first tunnel being set up with IKEv2. The ASA is complaining that it can't find a matching policy.
The Fortinet device is configured by the other party and I have confirmed that they are using the agreed settings.
Configuration from the ASA:
crypto ipsec ikev2 ipsec-proposal AES-3DES-SHA1
 protocol esp encryption 3des
 protocol esp integrity sha-1
crypto map VPN 100 match address ABC
crypto map VPN 100 set pfs group5
crypto map VPN 100 set peer x.x.x.x
crypto map VPN 100 set ikev2 ipsec-proposal AES-3DES-SHA1
crypto map VPN 100 set security-association lifetime seconds 28800
crypto map VPN interface outside
crypto ikev2 policy 10
 encryption aes-256 3des
 integrity sha256 sha
 group 5
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 ikev2 remote-authentication pre-shared-key blablabla
 ikev2 local-authentication pre-shared-key blablabla
Debugs say that there is no matching policy:
IKEv2-PROTO-3: (97): Get peer authentication method
IKEv2-PROTO-3: (97): Get peer's preshared key for x.x.x.x
IKEv2-PROTO-3: (97): Verify authentication data
IKEv2-PROTO-3: (97): Use preshared key for id x.x.x.x, key len 15
IKEv2-PROTO-2: (97): Processing auth message
IKEv2-PROTO-1: (97): Failed to find a matching policy
IKEv2-PROTO-1: (97): Received Policies:
ESP: Proposal 1:  3DES SHA96
IKEv2-PROTO-1: (97): Failed to find a matching policy
IKEv2-PROTO-1: (97): Expected Policies:
IKEv2-PROTO-5: (97): Failed to verify the proposed policies
IKEv2-PROTO-1: (97): Failed to find a matching policy
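
Added example (not part of the original post or of any vendor tooling): a small parser for the debug output above that pulls out the "Received Policies" and "Expected Policies" lists per session and reports which side of the comparison is empty or different. The category names and the proposal-line pattern are assumptions based on the single proposal line shown in the post.

```python
import re

# Debug lines copied from the post above (session id 97).
SAMPLE_DEBUG = """\
IKEv2-PROTO-1: (97): Failed to find a matching policy
IKEv2-PROTO-1: (97): Received Policies:
ESP: Proposal 1:  3DES SHA96
IKEv2-PROTO-1: (97): Failed to find a matching policy
IKEv2-PROTO-1: (97): Expected Policies:
IKEv2-PROTO-5: (97): Failed to verify the proposed policies
IKEv2-PROTO-1: (97): Failed to find a matching policy
"""

HEADER = re.compile(r"^IKEv2-PROTO-\d+: \((\d+)\): (.*)$")
# Assumption: proposal lines follow the one shape visible in the post.
PROPOSAL = re.compile(r"^(\w+): Proposal (\d+):\s+(.*)$")
LISTS = {"Received Policies:": "received", "Expected Policies:": "expected"}


def parse_policies(text):
    """Return {session_id: {"received": [...], "expected": [...]}}."""
    sessions, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        head = HEADER.match(line)
        if head:
            sid, msg = int(head.group(1)), head.group(2).strip()
            sessions.setdefault(sid, {"received": [], "expected": []})
            # A list header opens a block; any other debug line closes it.
            current = (sid, LISTS[msg]) if msg in LISTS else None
            continue
        prop = PROPOSAL.match(line)
        if prop and current:
            sid, kind = current
            transforms = frozenset(prop.group(3).split())
            sessions[sid][kind].append((prop.group(1), transforms))
    return sessions


def classify(entry):
    """Name which side of the comparison is missing or different."""
    received, expected = set(entry["received"]), set(entry["expected"])
    if not received:
        return "no-proposal-received"
    if not expected:
        return "expected-list-empty"
    if received & expected:
        return "common-proposal-present"
    return "transform-mismatch"
```

For the debug in the post, classify(parse_policies(SAMPLE_DEBUG)[97]) returns "expected-list-empty": the ASA printed a received ESP proposal (3DES, SHA96) but no expected proposal to compare it with.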

Dear Robert,
The above error from ASA indicates there may be a problem with your preshared key, both local and remote sites, or an out-of-sync problem to the remote end/peer. Give more details about your Watchguard version with what application it is running. Send the complete log of
1. sh crypto ipsec sa
2. sh crypto isakmp sa
3. debug crypto isa 255
4. debug crypto ipsec 255

Similar Messages

  • I am a publisher. Where can I get terms of contract between Apple and publisher, if I want to display our apps on Newsstand

    I tried to find it on the web but was unable to.

    If you are developing apps, then you must be a developer and have access to the developer forums. I would start from there. These forums are for us simple users to help each other with usage problems.

  • Unable to print from HQ to Branch through the VPN tunnel between ASAs

    We have site to site VPN configured between ASAs. The VPN tunnel is up and running as desired except for one printer in the subnet. The users in the HQ cannot print to the branch office printer. I have allowed the IP protocols for the printer subnet but still it is not working. When I do a packet trace the traffic for the printer is allowed through the tunnel.
    Can anyone suggest what can be preventing from printing?

    When other printers in the same subnet can be reached, I would first control the IP-settings of the printer. In my experience it's most likely a wrong subnet-mask or gateway.

  • How can I get extract the data between two cursors on an XY graph

    How can I get extract the data between two cursors on an XY graph

    Well, you say xy graph, so this might be a more complicated problem.
    For a waveform graph it's trivial. Simply get the two cursor indices (property: cursor index) and apply them to array subset of the data. Is that all you need?
    Here's how the above code would look. Using cursor.index instead of cursor.x eliminates the need to include scaling information.
    For an xy graph, there could be multiple segments (e.g. imagine a spiral that passes the desired x range multiple times from both sides). This would need significantly more code for a general solution.
    Message Edited by altenbach on 11-24-2009 07:53 AM
    LabVIEW Champion . Do more with less code and in less time .
    Attachments:
    cursorsubset.png ‏17 KB

  • HT1424 Where can I get the VPN activate on my iPhone 5s ?

    Ok , Can I get the VPN program into my iPhone 5s at the Apple Store.

    Try to get this service program in my iPhone 5s.

  • How  can I get number of days between 2 dates ?

    How can I get number of days between 2 dates ?
    Give me answer as soon as possible.....

    Mukesh_Prajapat wrote:
    How can I get number of days between 2 dates ?
    Give me answer as soon as possible.....
    Is google broken again?
    [How To Ask Questions The Smart Way|http://www.catb.org/~esr/faqs/smart-questions.html]

  • How can i get number of days between two dates represented by two dates?

    how can i get number of days between two dates represented by two date objects. One is java.sql.Date, the other is java.util.Date?

    tej_222 wrote:
    But how do I do that conversion, from java.sql.Date and java.util.Date to Calendar?
    -thanks for the quick response.
    You may find the following utility code samples useful:
    [http://balusc.blogspot.com/2007/09/calendarutil.html]
    [http://balusc.blogspot.com/2007/09/dateutil.html]
    ganeshmb wrote:
    (date1.getTime() - date2.getTime())/(1000*60*60*24) should do.
    getTime returns millisecond value of date object and the difference divided by no of milliseconds in a day should fetch you the difference in terms of days.
    This doesn't respect the DST. Use java.util.Calendar.

  • IPSec ikev2 between ASA and Cisco Router

    Hi,
    I am trying to do IPSec with ikev2 (SHA2) between ASA and Cisco Router, without success. Can anyone help me?
    - Remote site (Router) with dynamic public IP -> Dynamic crypto map on the ASA
    - Authentication with certificates
    - integrity sha2
    I try a lot of configurations without success.
    Thanks for your help.
    Mic

    The more secure ike policy should have the higher priority which is a smaller number. So I would configure there the following way (policy 30 only if really needed):
    crypto ikev1 policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 28800
    crypto ikev1 policy 20
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 28800
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 43200
    The Cisco VPN Client is EOL and not supported any longer. And yes, by default DH group 2 is used. But that can be configured by a parameter in the PCF-file.
    There are two (three) better options:
    1) Best option with very little needed configuration:
       Move to AnyConnect with TLS. AnyConnect is the actual Cisco client that is also supported with Windows 8.x. The legacy IPsec client isn't.
    2) Best option with a little stronger crypto but more configuration:
       Move to AnyConnect with IPsec/IKEv2.
    3) Move to a third-party client like shrew.net. I haven't used that client for a couple of years, but it's quite flexible and also has a config for a better DH-group.
    For option 1) and 2) there is an extra license needed, but that's not very expensive.

  • Issue with VPN compatibility between 2811 and 2911

    Hello,
    I would like to ask if anyone has had any issues with setting up a VPN tunnel between 2811 and 2911?
    The IPSec VPN is established but for some reason I cannot ping the LAN side to the other LAN side of the other end of the VPN Router?
    Any experience would be much appreciated
    Thanks

    IPSec VPN can be set up with no problem between any Cisco routers (and not necessarily Cisco), so there should be no issues in your case.
    If you say that tunnel is established successfully, then problem most probably related to routing issues between sites or incorrect crypto-acl configured. Check if hosts on both sites have correct routing information on how to get to subnets on the other site.
    To make more accurate assumptions it would help if you provide config on both sites and describe your topology.

  • I took a 15 minute video clip on my phone and now I can't import it into iphoto.  I've been able to import clips to iphoto in the past.  How do I fix this?  How can I get it imported onto my MacBook and ultimately iMovie?

    I took a 15 minute video clip on my phone and now I can't import it into iphoto.  I've been able to import clips to iphoto in the past.  How do I fix this?  How can I get it imported onto my MacBook and ultimately iMovie?

    Maybe try one of the WiFi transfer Apps?  There are several to choose from. I use Photosynch quite often to send photos and videos between my computer(s), my iPhone, and iPad.

  • Why can't i pair the Airdrops between iMac and iPad?

    Why can't i pair the Airdrops between iMac and iPad?

    Hi lolokkio,
    Your question is a bit vague, but this article will help you get started with AirDrop. Be sure that your devices meet minimum requirements and are set up correctly -
    Use AirDrop to wirelessly share content
    Thanks for using Apple Support Communities.
    Best,
    Brett L 

  • Help getting tabs to sync between mac and tablet

    I have tabs that refuse to sync consistently, if at all between my Mac with 10.9 and an Android tablet 4.2. I have current versions of the apps.
    I have tried creating a new account to verify, I've tried reinstalling both on both machines.
    Sometimes, it might finally resolve itself if I leave it overnight, like it's incredibly slow. I try manually syncing, letting it do its own thing...
    I don't get what I am doing wrong.
    For reference, When I sign in to google chrome on both devices, it's instant, or damn near, and doesn't stop being that way from the first sync. Very solid in terms of syncing tabs and such.
    This FF sync deal I just can't get to work worth a crap and it's disappointing. I'd like to keep using FF as I love the bookmarking capabilities (something google refuse to address), but I do so much research for school and I have grown to rely on this feature a great deal.
    I hope someone can tell me what I am doing wrong!

    If it works when you leave it overnight, perhaps you need to reduce the intervals between the syncs?
    These might be the preferences you need to adjust: https://wiki.mozilla.org/QA/Sync/Client/Sync_Timers

  • How can I get missing contacts, notes, calendar dates and reminders that are just on my old iphone onto the iCloud for transfer to my new iPhone upgrade?

    Dear wise & wonderful people:
    How can I get missing contacts, notes, calendar dates and reminders that are just on my old iphone onto the iCloud for transfer to my new iPhone upgrade? Half of my contacts, notes, etc. were on my iCloud so have happily moved to my new iPhone but the rest are completely resistant. For example, on my iCloud I have 14 missing contacts starting with the letter A alone, however they are happily viewable on my old iPhone 4S and won't budge over into the iCloud.
    There are also 3 notes missing yet still accessible on my old iPhone 4S, the list goes on.
    Your help would be most appreciated. Thank you so much.
    BCHR

    Hi BCHR,
    If you are having issues transferring your content from your old iPhone onto iCloud so it can be transferred to your new iPhone, you may find the following articles helpful:
    iOS: Transferring information from your current iPhone, iPad, or iPod touch to a new device
    http://support.apple.com/kb/HT2109
    iCloud: Troubleshooting iCloud Contacts
    http://support.apple.com/kb/TS3998
    iCloud: Troubleshooting iCloud Calendar
    http://support.apple.com/kb/TS3999
    iCloud: Notes overview
    http://support.apple.com/kb/PH12081
    Regards,
    - Brenden

  • How can I get my MacBook to stay on and not sleep when lid is closed?

    How can I get my MacBook to stay on and not sleep when lid is closed?

    try this: http://www.macupdate.com/app/mac/37991/nosleep

  • I have an old iPod Classic with 80 GB (I think) of space. I saved all my songs in an external hard drive, but the iTunes library resided in an old computer (no longer working). Can I get the library from my iPod and use it in my new computer (Windows)?

    I have an old iPod Classic with 80 GB (I think) of space. I saved all my songs in an external hard drive, but the iTunes library resided in an old computer (no longer working). Can I get the library from my iPod and use it in my new computer (Windows)?

    You might want to check your process for moving your iTunes music against this: http://support.apple.com/kb/HT4527.
