Technical Tip: FortiClient Windows IPsec dialup tunnel keep disconnecting due to windows IPv6 settings

There might be some instances when the FortiClient dial-up tunnel keeps disconnecting for some users. 

This behavior is also observed when users attempt to connect to the IPsec VPN through tethered devices.

To isolate the issue, run the IKE debug as follows:

For v7.4 and higher versions:

diagnose debug disable

diagnose debug reset

diagnose vpn ike log filter rem-addr4 x.x.x.x

diagnose debug application ike -1

diagnose debug enable

For v7.2 and lower versions:

diagnose debug disable

diagnose debug reset

diagnose vpn ike log filter dst-addr4 x.x.x.x

diagnose debug application ike -1

diagnose debug enable

To stop the IKE debug:

diagnose debug disable

diagnose debug reset

In the debug, the tunnel will show coming up, and no error will be observed. Besides the fact that FortiGate sent a couple of keep-alive messages, after that, it received an ISAKMP delete message as shown below. 

Furthermore, the IKE gateway can be seen established as shown below; the only thing that is interesting to notice is that it is establishing the tunnel over IPv6 instead of IPv4 as shown below.

This can also be checked from the FortiGate GUI under the IPsec Monitor, Peer ID column:

Solution:

The solution for this is to disable IPv6 on the FortiClient network adapter on the problematic machine. 

Go to Control panel -> Network and sharing center -> Change adapter settings -> Select Fortinet Virtual Ethernet Adapter.

'Right-click' on it, change the property, scroll down to find TCP/IPV6, and uncheck that as shown below.

Note:

If the VPN still gets disconnected, then try disabling the IPv6 settings on the Wi-Fi adapter or the adapter through which the internet is accessed.

If still facing issues after that, run the IKE debug and feel free to contact Fortinet Support:

Fortinet Support Portal

Related article:

Technical Tip: How to troubleshoot Intermittent IPSec Dial up VPN disconnection