anandafajar16
New Member
July 10, 2025
Question

Can't create IPsec VPN Remote Access

  • July 10, 2025
  • 2 replies
  • 2165 views

Hey guys,

 

I'm trying to get an IPsec VPN working for a client since their new FortiOS firmware dropped SSL-VPN support.

Here's the problem: The very first time I built the IPsec VPN, it looked like it connected, but I couldn't actually get to the internet or my DNS server through the FortiGate. Thinking it was a glitch, I ended up deleting it, re-making it, and deleting it a few times. Now I'm getting this persistent error when I try to set it up:

"Unable to setup VPN. The rollback process has encountered an error. Orphaned objects may still exist in the configuration database."

 

I've made sure to clean up everything after deleting the VPN each time – references, static routes, firewall policies, address – but this "orphaned objects" error just won't go away.

 

Has anyone seen this before or know how to fix it? Any help would be awesome.

2 replies

funkylicious
SuperUser
July 10, 2025

hi,

When creating the VPN, try choosing Custom instead of Remote Access. It would end up with the same settings, but you won't have the wizard being displayed while creating.

"jack of all trades, master of none"
GJStefou
Explorer
July 10, 2025

Hello, 

 

Have been there a lot of times... and I was always missing something in the references when deleting the VPN tunnel.

Try to delete all the references again and reboot your firewall afterwards; it may have cached something.

Additionally, which version is your FGT on now?

 

Regarding the "Cannot Access the Internet" issue, you can enable split tunneling on the IPsec tunnel so all the unrelated traffic would be routed through the local network and not the IPsec VPN tunnel. Just to be on the safe side, I always create a firewall policy on the FGT to allow access from the IPsec VPN tunnel to WAN, just in case split tunneling doesn't work for some reason. That allows my remote devices to have access to the internet through the IPsec tunnel and not the local network.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Enable-split-tunnel-For-IPsec-VPN/ta-p/192266

 

The other thing, for your DNS issue: you can specify the DNS server you want to use in the IPsec VPN tunnel settings so the devices will use the specified server as DNS.

 

Hope this helps! 
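For readers who prefer the CLI to the wizard, here is the FortiOS CLI equivalent of the split-tunnel, DNS and reference-check advice above. This is an added example, not configuration from the thread or from Fortinet; the tunnel name, interface names, subnets, client pool and DNS address are placeholders you must replace with your own.

```text
# Added example (not from the thread). Placeholders: tunnel "RA-IPSEC", LAN
# 192.168.10.0/24 behind interface "internal", internal resolver 192.168.10.1,
# client pool 10.212.134.0/24, WAN uplink "wan1". Adjust to your environment.

# 1. Address object describing what the VPN clients should reach via the tunnel
config firewall address
    edit "LAN_SPLIT"
        set subnet 192.168.10.0 255.255.255.0
    next
end

# 2. Dial-up phase1 with mode-config. ipv4-split-include limits tunneled
#    traffic to LAN_SPLIT (everything else stays on the client's local
#    network); ipv4-dns-server1 pushes the internal resolver to the clients.
config vpn ipsec phase1-interface
    edit "RA-IPSEC"
        set type dynamic
        set interface "wan1"
        set mode-cfg enable
        set ipv4-start-ip 10.212.134.1
        set ipv4-end-ip 10.212.134.254
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "LAN_SPLIT"
        set ipv4-dns-server1 192.168.10.1
        # authentication, peertype and proposals omitted; keep the ones
        # the wizard generated for your deployment
    next
end

# 3. Policy from the tunnel interface to the LAN only (least privilege:
#    destination is the split-tunnel address, not "all")
config firewall policy
    edit 0
        set name "RA-IPSEC_to_LAN"
        set srcintf "RA-IPSEC"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "LAN_SPLIT"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# 4. Before deleting the tunnel, list every object that still references it
#    (policies, routes, addresses); delete those first to avoid orphans.
diagnose sys checkused vpn.ipsec.phase1-interface.name RA-IPSEC
```

The tunnel-to-WAN fallback policy GJStefou describes would be a second policy with `set dstintf "wan1"` and `set nat enable`; it is left out here because with split tunneling scoped to LAN_SPLIT, internet traffic never enters the tunnel.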

 

anandafajar16
New Member
July 10, 2025

Yeah, I guess I'll try restarting my FortiGate first and then try again. I'm using the FortiGate's DNS server feature, and I'm not sure which one I should use for the DNS server settings in the configuration.

GJStefou
Explorer
July 10, 2025

It doesn't matter what you're using on the FortiGate to be honest. 

 

It depends on your internal network setup.

If there is any domain controller (AD server) on your internal network that does the DNS, and you need access to that domain controller (i.e. for accessing some domain user profiles over VPN), you would need to specify the server address as a DNS server in the IPsec VPN tunnel configuration.

In any other case, you can just leave the default config.

 

If you could provide some details on the case and the VPN use, it would help us to guide you better.