Troubleshooting Tip: Users cannot connect to a Dial-up IPsec VPN with 'IPv4 pool is not configured' message in IKE debug
| Description | This article describes an issue when VPN users cannot connect to an IPsec VPN from FortiClient. |
| Scope | FortiGate. |
| Solution | The IKE debug on the FortiGate shows the following messages (output truncated): |
```
diagnose debug reset
ike V=root:0:Dialup:0: responder: aggressive mode get 2nd response...
ike V=root:0:Dialup_0:0: received XAUTH_USER_NAME 'guest' length 5
ike V=root:0: comes 192.168.x.x:500->192.168.x.x:500,ifindex=5,vrf=0,len=156....
ike V=root:0:Dialup_0:0: mode-cfg type 1 request 0:''
```
Once the debug is complete, use the following commands to stop it:
```
diagnose debug disable
diagnose debug reset
```
The last line of the IKE debug output shows the FortiClient sending a 'mode-cfg type 1 request' (ISAKMP mode-config attribute 1 is INTERNAL_IP4_ADDRESS, that is, the client asking the gateway for a tunnel IPv4 address). 'Mode Config' is not enabled and no 'Client Address Range' is configured in the IPsec Phase 1 configuration on the FortiGate, so the gateway has no IPv4 pool to allocate from and the configuration-method request from the FortiClient is ignored. The client never receives a tunnel address and the connection fails.
To resolve the issue, enable 'Mode Config' and configure a 'Client Address Range' under VPN -> IPsec Tunnel -> Edit the IPsec tunnel. Choose a range that does not overlap the networks the clients will reach through the tunnel, or with the clients' own local subnets, otherwise traffic will be routed incorrectly even after the tunnel comes up.
To do it in the CLI, the settings are made on the dialup tunnel's phase1-interface object:
```
config vpn ipsec phase1-interface
```
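The complete Phase 1 change, as an added example that is not part of the original article: the tunnel name 'Dialup' is taken from the debug output above, and the pool 10.10.10.1-10.10.10.100 with netmask 255.255.255.0 is an assumed example range to be replaced with an unused range in the target environment.

```text
config vpn ipsec phase1-interface
    edit "Dialup"
        # Answer the client's mode-config request instead of ignoring it.
        set mode-cfg enable
        # IPv4 pool handed out to dialup clients (assumed example range).
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.100
        set ipv4-netmask 255.255.255.0
    next
end
```

After applying the change, confirm it with `show vpn ipsec phase1-interface Dialup`, have the user reconnect, and re-run the IKE debug: the 'mode-cfg type 1 request' should now be followed by the client completing Phase 1 and receiving an address from the configured range. Firewall policies and routes for the new pool must also exist, or the client will connect but be unable to reach anything.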
Note: when running the debug commands, the output can be filtered to the client's public IP so that other tunnels on the same gateway do not flood the output:
```
diagnose debug reset
diagnose vpn ike log-filter dst-addr4 <CLIENT_PUBLIC_IP>
diagnose debug application ike -1
diagnose debug enable
```
The log-filter keywords differ between FortiOS releases; `diagnose vpn ike log-filter ?` lists the ones accepted by the unit.
Once debugging is complete, use the following commands to stop the debug and clear the filter:
```
diagnose debug disable
diagnose debug reset
```
To check the IKE statistics:
```
get vpn ike stats
```
To capture the IKE traffic (UDP 500 and, with NAT-T, UDP 4500) with the built-in sniffer, at verbosity 4 so that the ingress interface is shown with each packet header:
```
diagnose sniffer packet any "udp port 500 or udp port 4500" 4
```
If the client's packets never appear in the capture, the problem is upstream of the FortiGate (NAT, firewall or ISP filtering) rather than the Phase 1 configuration.
Related articles:

