Solved

Rejecting IPSec tunnel

Posted on 2008-06-17
6,762 Views
Last Modified: 2011-10-19
Hi All,

I am setting up a site-to-site VPN with a Fortigate router. It shows that Phase 1 is completed, but the second phase is not able to complete. The error log shows errors about not matching the crypto map entry. Please find the errors as follows:
AAA retrieved default group policy (DfltGrpPolicy) for user = 217.112.144.84

Group = 217.112.144.84, IP = 217.112.144.84, Freeing previously allocated memory for authorization-dn-attributes

IP = 217.112.144.84, Received encrypted packet with no matching SA, dropping

Group = 217.112.144.84, Username = 217.112.144.84, IP = 217.112.144.84, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found

Group = 217.112.144.84, IP = 217.112.144.84, Removing peer from correlator table failed, no match!

Group = 217.112.144.84, IP = 217.112.144.84, QM FSM error (P2 struct &0x395e020, mess id 0x7ed53fbb)!

Group = 217.112.144.84, IP = 217.112.144.84, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 217.112.144.84/255.255.255.255/0/0 local proxy 192.168.25.0/255.255.255.0/0/0 on interface outside

Group = 217.112.144.84, IP = 217.112.144.84, PHASE 1 COMPLETED

The ASA configs are also attached.

Thanks in advance,

Regards..
ezetop-configs.txt
Question by:aime14
2 Comments
Accepted Solution

by:
mabutterfield earned 500 total points
It looks like your encryption domains don't match. The Fortigate is trying to set up the VPN for 192.168.25.0/24 on your end.

You should adjust your crypto map ACL.

access-list outside_1_cryptomap extended permit ip host 213.255.196.50 host 217.112.144.84

should be

access-list outside_1_cryptomap extended permit ip 192.168.25.0 255.255.255.0 host 217.112.144.84
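To make the mismatch in the accepted answer mechanical, here is an added example (not code from the original thread) that parses the ASA "no matching crypto map entry" log line and a crypto map ACL line, then checks whether the ACL entry covers the proxy identities the peer proposed. It assumes the ASA convention that the ACL source is the local side and the destination is the remote side, and approximates responder matching as "proposed proxy falls within the ACL entry".

```python
import re
import ipaddress

# Constructed sample input: the log line from the question and the two ACL
# lines from the accepted answer (the original entry and the corrected one).
LOG_LINE = ("Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
            "217.112.144.84/255.255.255.255/0/0 local proxy "
            "192.168.25.0/255.255.255.0/0/0 on interface outside")
ACL_BEFORE = ("access-list outside_1_cryptomap extended permit ip "
              "host 213.255.196.50 host 217.112.144.84")
ACL_AFTER = ("access-list outside_1_cryptomap extended permit ip "
             "192.168.25.0 255.255.255.0 host 217.112.144.84")

PROXY_RE = re.compile(r"remote proxy (\S+)/(\S+)/\d+/\d+ local proxy (\S+)/(\S+)/\d+/\d+")


def parse_proxies(line):
    """Return (local_net, remote_net) taken from the Phase 2 rejection line."""
    m = PROXY_RE.search(line)
    if not m:
        raise ValueError("not a 'no matching crypto map entry' log line")
    remote = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    local = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
    return local, remote


def _acl_operand(tokens):
    """Consume one ACL address operand: 'host A', 'A MASK' or 'any'."""
    tok = tokens.pop(0)
    if tok == "host":
        return ipaddress.ip_network(f"{tokens.pop(0)}/32")
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_acl(line):
    """Parse 'access-list NAME extended permit ip SRC DST' into (local, remote).
    On an ASA crypto map ACL the source is the local network, the destination the remote."""
    tokens = line.split()
    rest = tokens[tokens.index("ip") + 1:]  # address operands follow the protocol keyword
    return _acl_operand(rest), _acl_operand(rest)


def acl_matches(acl_line, log_line):
    """True if the ACL entry covers both proxies the peer proposed.
    Assumption: responder matching is approximated as subnet containment."""
    local, remote = parse_proxies(log_line)
    acl_local, acl_remote = parse_acl(acl_line)
    return local.subnet_of(acl_local) and remote.subnet_of(acl_remote)
```

Running `acl_matches(ACL_BEFORE, LOG_LINE)` returns False because the ACL's local side is a single host rather than 192.168.25.0/24, while `acl_matches(ACL_AFTER, LOG_LINE)` returns True.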