Rejecting IPSec tunnel

Hi All,

Iam setting up a VPN site to Site with a Fortigate router, It shows the Phase 1 is completed and the second phase is not able to complete. The error log shows errors that not matching the crypto map entry. Please find the errors as follows,
AAA retrieved default group policy (DfltGrpPolicy) for user = 217.112.144.84

Group = 217.112.144.84, IP = 217.112.144.84, Freeing previously allocated memory for authorization-dn-attributes

IP = 217.112.144.84, Received encrypted packet with no matching SA, dropping

Group = 217.112.144.84, Username = 217.112.144.84, IP = 217.112.144.84, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found

Group = 217.112.144.84, IP = 217.112.144.84, Removing peer from correlator table failed, no match!

Group = 217.112.144.84, IP = 217.112.144.84, QM FSM error (P2 struct &0x395e020, mess id 0x7ed53fbb)!

Group = 217.112.144.84, IP = 217.112.144.84, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 217.112.144.84/255.255.255.255/0/0 local proxy 192.168.25.0/255.255.255.0/0/0 on interface outside

Group = 217.112.144.84, IP = 217.112.144.84, PHASE 1 COMPLETED

The configs of ASA is also attached.

Thanks in advance,

Regards..
ezetop-configs.txt
aime14Asked:
Who is Participating?
 
mabutterfieldConnect With a Mentor Commented:
It looks like your encryption domains don't match.  The fortigate is trying to setup VPN for 192.168.25.0/24 on your end.  

You should adjust your cryptomap ACL.  


access-list outside_1_cryptomap extended permit ip host 213.255.196.50 host 217.112.144.84

should be

access-list outside_1_cryptomap extended permit ip 192.168.25.0 255.255.255.0 host 217.112.144.84
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.