VPN IPsec from PIX to Fortinet

I need a VPN connection from my firewall (Cisco PIX 520, 6.3.4) to a remote firewall (Fortinet), which is not configured by me.

config of my pix:
============
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
...
crypto map VPN 31 ipsec-isakmp
crypto map VPN 31 match address *******
crypto map VPN 31 set peer **********
crypto map VPN 31 set transform-set myset
...

crypto map VPN interface outside
isakmp enable outside
isakmp key ******** address *******at netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

=============
Phase 1 is OK:

*****  ******    QM_IDLE         0           0

=========
debug crypto ipsec 1
debug crypto isakmp 1
:


ISAKMP (0): retransmitting phase 2 (1/0)... mess_id 0xb70830f8
ISAKMP (0): retransmitting phase 2 (3/0)... mess_id 0x39785152
ISAKMP (0): retransmitting phase 2 (2/0)... mess_id 0xb70830f8
ISAKMP (0): retransmitting phase 2 (4/0)... mess_id 0x39785152
ISAKMP (0): retransmitting phase 2 (3/0)... mess_id 0xb70830f8

Thanks for Help !

aax2eeAsked:

lrmooreCommented:
Do you have a nat zero acl?
Do you have something that looks like this in your PIX:
   access-list nat_0 permit ip <local lan> <mask> <remote lan> <mask>
   nat (inside) 0 access-list nat_0

0
td_milesCommented:
Could you post the full output of the crypto debug? (Change IP addresses of course; the easiest way to do this is just a find/replace in a text editor. Don't just ***, as we won't be able to match them up.)

I'm assuming you have checked with the person configuring the other end and have all the same settings. I have found it useful, even if you don't have control of the device, to get the person to send you a copy of the config (or screenshots if it is a GUI device) that shows the VPN settings they have configured. This will allow you to check it, just to make sure it looks correct, even though they say it is correct (just don't accuse them of having it wrong, be subtle ;)
0
td_milesCommented:
Morning lrmoore :)
0

aax2eeAuthor Commented:
===============
@lrmoore,

yes there's a nonat-acl.

access-list nonat line 5 permit ip UNI-NET 255.255.255.0 host its1.xxxxxxx.at (hitcnt=44)
nat (inside) 0 access-list nonat

===============
@td_miles

full debug:

pix# deb cry ips
pix# deb cry isa
pix#
pix#
pix#
pix#
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:fw.wegraz.at, dest:81.223.127.194 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:fw.wegraz.at, dest:81.223.127.194 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:fw.wegraz.at, dest:81.223.127.194 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of 3017347:2e0a83IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x88cd393a(2295150906) for SA
        from    fw.wegraz.at to  81.223.127.194 for prot 3

return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:fw.wegraz.at/500 Total VPN Peers:11
VPN Peer: ISAKMP: Peer ip:fw.wegraz.at/500 Ref cnt incremented to:1 Total VPN Peers:11
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0x2e0a83IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 81.223.127.194, remote= fw.wegraz.at,
    local_proxy= UNI-NET/255.255.255.0/0/0 (type=4),
    remote_proxy= its1.wegraz.at/255.255.255.255/0/0 (type=1)

ISAKMP (0): beginning Quick Mode exchange, M-ID of -699346336:d650d260IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x93c3a4aa(2479072426) for SA
        from    fw.wegraz.at to  81.223.127.194 for prot 3

ISAKMP (0): retransmitting phase 2 (1/0)... mess_id 0x2e0a83
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0xd650d260
ISAKMP (0): retransmitting phase 2 (2/0)... mess_id 0x2e0a83
pix#
pix# un all
pix#

===============

pix# sh isa sa
Total     : 11
Embryonic : 0
        dst               src        state     pending     created
  fw.haginger.at   81.223.127.194    QM_IDLE         0           3
   fw.l-real.com   81.223.127.194    QM_IDLE         0           3
fw.tbr-engineering.at   81.223.127.194    QM_IDLE         0           3
    fw.pirsch.at   81.223.127.194    QM_IDLE         0           3
    fw.lesser.at   81.223.127.194    QM_IDLE         0           3
fw.kosjek-lesser.at   81.223.127.194    QM_IDLE         0           3
  fw.trausner.at   81.223.127.194    QM_IDLE         0           3
  fw.roschker.at   81.223.127.194    QM_IDLE         0           3
   fw.ra-popp.at   81.223.127.194    QM_IDLE         0           3
       fw.sbg.at   81.223.127.194    QM_IDLE         0           3
    fw.wegraz.at   81.223.127.194    QM_IDLE         0           0
pix#

(see last entry => fw.wegraz.at)

===================================


0
aax2eeAuthor Commented:
My config:

name 192.168.20.251 its2.wegraz.at
name 81.223.57.162 fw.wegraz.at

access-list inside permit ip UNI-NET 255.255.255.0 host its1.wegraz.at
access-list nonat permit ip UNI-NET 255.255.255.0 host its1.wegraz.at
access-list WEGRAZ permit ip UNI-NET 255.255.255.0 host its1.wegraz.at
nat (inside) 0 access-list nonat


sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map VPN 31 ipsec-isakmp
crypto map VPN 31 match address WEGRAZ
crypto map VPN 31 set peer fw.wegraz.at
crypto map VPN 31 set transform-set myset
crypto map VPN interface outside
isakmp enable outside

isakmp key ******** address fw.wegraz.at netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400


0
aax2eeAuthor Commented:
Screenshot Fortinet:

http://www.aaitx.com/fortinet.jpg

0
lrmooreCommented:
The Fortinet has "Enable PFS" checked; you do not have it enabled.
Try adding:
   crypto map VPN 31 set pfs group2


0
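A small triage helper for the symptom in this thread, added here as an example (it is not code from the thread, Cisco or Fortinet): it scans PIX "debug crypto isakmp" output for Quick Mode messages that keep being retransmitted after phase 1 has authenticated, then diffs the phase 2 settings of both ends and emits the crypto map line that closes the gap. The sample debug text and the Fortinet-side values (PFS assumed to be DH group 2) are constructed assumptions.

```python
import re

# Constructed sample shaped like the PIX debug output in the thread (not the real capture).
SAMPLE_DEBUG = """\
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of 3017347:2e0a83
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0x2e0a83
ISAKMP (0): retransmitting phase 2 (1/0)... mess_id 0x2e0a83
ISAKMP (0): retransmitting phase 2 (2/0)... mess_id 0x2e0a83
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0xd650d260
"""

# Phase 2 settings as the page shows them: the PIX crypto map has no "set pfs",
# the Fortinet screenshot has "Enable PFS" checked (group 2 is an assumption).
PIX_P2 = {"encryption": "3des", "hash": "sha", "pfs": None}
FORTINET_P2 = {"encryption": "3des", "hash": "sha", "pfs": "group2"}

RETRANSMIT = re.compile(r"retransmitting phase 2 \((\d+)/\d+\)\.\.\. mess_id (0x[0-9a-f]+)")


def phase2_retransmits(debug_text):
    """Return {mess_id: highest retransmit counter seen} for Quick Mode exchanges."""
    counts = {}
    for m in RETRANSMIT.finditer(debug_text):
        n, mid = int(m.group(1)), m.group(2)
        counts[mid] = max(counts.get(mid, -1), n)
    return counts


def diagnose(debug_text, local_p2, remote_p2, map_name="VPN", seq=31):
    """Classify the failure the way the thread did: phase 1 up, phase 2 unanswered,
    then name the phase 2 parameter that differs and the PIX command to align it."""
    phase1_ok = "SA has been authenticated" in debug_text
    # A message id retransmitted at least once never got a Quick Mode reply.
    stuck = {mid: n for mid, n in phase2_retransmits(debug_text).items() if n >= 1}
    mismatches = sorted(k for k in set(local_p2) | set(remote_p2)
                        if local_p2.get(k) != remote_p2.get(k))
    fix = None
    if "pfs" in mismatches and remote_p2.get("pfs"):
        fix = f"crypto map {map_name} {seq} set pfs {remote_p2['pfs']}"
    return {"phase1_ok": phase1_ok, "stuck_mess_ids": stuck,
            "mismatches": mismatches, "fix": fix}


if __name__ == "__main__":
    print(diagnose(SAMPLE_DEBUG, PIX_P2, FORTINET_P2))
```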
aax2eeAuthor Commented:
@ lrmoore

This is the solution!

I have added PFS and the tunnel works!

Thanks, the points are yours.
0
lrmooreCommented:
Good news!
Thanks!
0