Cookbook's IPsec VPN with FortiClient does not work - how to find out why
I should set up a dialup VPN from my Windows 10 laptop to my office's FortiGate 30E. As first tries based on the FortiOS Handbook didn't work, I followed the FortiOS 6.0 Cookbook recipe "IPsec VPN with FortiClient" (https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/589121/ipsec-vpn-with-forticlient) and implemented it with adjustment of the local LAN network addresses (firewall address) only. On my laptop I installed the free FortiClient 6.0.7 and set it up as advised by the Cookbook.
But I had no success, no log entry in VPN Events of my FortiGate and this was the log of my FortiClient:
06.07.2019 18:15:21 Information VPN id=96602 msg="SSLVPN service started successfully." vpntype=ssl
06.07.2019 18:17:20 Information VPN id=96566 msg="negotiation information, loc_ip=192.168.128.61 loc_port=500 rem_ip=(public IP addr of my FortiGate) rem_port=500 out_if=0 vpn_tunnel=NITvie FCT-VPN1 action=negotiate init=local mode=aggressive stage=1 dir=outbound status=success Initiator: sent (public IP addr of my FortiGate) aggressive mode me" vpntunnel="NITvie FCT-VPN1" vpntype=ipsec
06.07.2019 18:17:32 Warning VPN id=96561 msg="locip=192.168.128.61 locport=500 remip=(public IP addr of my FortiGate) remport=500 outif=0 vpntunnel=NITvie FCT-VPN1 status=negotiate_error No response from the peer, phase1 retransmit reaches maximum count..." vpntunnel="NITvie FCT-VPN1" vpntype=ipsec
06.07.2019 18:18:27 Information VPN id=96566 msg="negotiation information, loc_ip=172.20.10.2 loc_port=500 rem_ip=(public IP addr of my FortiGate) rem_port=500 out_if=0 vpn_tunnel=NITvie FCT-VPN1 action=negotiate init=local mode=aggressive stage=1 dir=outbound status=success Initiator: sent (public IP addr of my FortiGate) aggressive mode messa" vpntunnel="NITvie FCT-VPN1" vpntype=ipsec
06.07.2019 18:18:39 Warning VPN id=96561 msg="locip=172.20.10.2 locport=500 remip=(public IP addr of my FortiGate) remport=500 outif=0 vpntunnel=NITvie FCT-VPN1 status=negotiate_error No response from the peer, phase1 retransmit reaches maximum count..." vpntunnel="NITvie FCT-VPN1" vpntype=ipsec
- the public IP address of my FortiGate was correct
- it looks like the SSLVPN service of the FortiClient tried to connect to the FortiGate
- but already this action looks like it was not successful
- in a second round an IKE1 negotiation was started, also with no success as the FortiGate did not respond.
(As in previous tries with guidelines from the FortiOS Handbook I was able to establish a successful IKE1 negotiation, the basic setup of the FortiGate looks ok.)
As the log of VPN events is very lean in general, I got no hint from the FortiGate what needs to be fixed.
Any hints what I should investigate?
Thanks,
Michael
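An added example, not part of Michael's post and not a Fortinet tool: it parses FortiClient VPN log lines of the shape quoted above and pairs each IKE phase 1 initiation with the outcome logged for the same local address, so the two rounds (192.168.128.61, then 172.20.10.2) read as what the client actually saw. The sample lines are constructed from the post's format, with the documentation address 203.0.113.1 standing in for the redacted FortiGate IP.

```python
import re
# Constructed sample in the FortiClient VPN log format quoted in the post.
# 203.0.113.1 is a documentation placeholder standing in for the FortiGate's public IP.
SAMPLE_LOG = """\
06.07.2019 18:15:21 Information VPN id=96602 msg="SSLVPN service started successfully." vpntype=ssl
06.07.2019 18:17:20 Information VPN id=96566 msg="negotiation information, loc_ip=192.168.128.61 loc_port=500 rem_ip=203.0.113.1 rem_port=500 out_if=0 vpn_tunnel=NITvie FCT-VPN1 action=negotiate init=local mode=aggressive stage=1 dir=outbound status=success Initiator: sent 203.0.113.1 aggressive mode me" vpntunnel="NITvie FCT-VPN1" vpntype=ipsec
06.07.2019 18:17:32 Warning VPN id=96561 msg="locip=192.168.128.61 locport=500 remip=203.0.113.1 remport=500 outif=0 vpntunnel=NITvie FCT-VPN1 status=negotiate_error No response from the peer, phase1 retransmit reaches maximum count..." vpntunnel="NITvie FCT-VPN1" vpntype=ipsec
06.07.2019 18:18:27 Information VPN id=96566 msg="negotiation information, loc_ip=172.20.10.2 loc_port=500 rem_ip=203.0.113.1 rem_port=500 out_if=0 vpn_tunnel=NITvie FCT-VPN1 action=negotiate init=local mode=aggressive stage=1 dir=outbound status=success Initiator: sent 203.0.113.1 aggressive mode messa" vpntunnel="NITvie FCT-VPN1" vpntype=ipsec
06.07.2019 18:18:39 Warning VPN id=96561 msg="locip=172.20.10.2 locport=500 remip=203.0.113.1 remport=500 outif=0 vpntunnel=NITvie FCT-VPN1 status=negotiate_error No response from the peer, phase1 retransmit reaches maximum count..." vpntunnel="NITvie FCT-VPN1" vpntype=ipsec
"""

# Header of every line, then the quoted msg, then trailing key=value pairs.
LINE_RE = re.compile(r'^(\S+) (\S+) (\w+) VPN id=(\d+) msg="(.*?)"(.*)$')
# Fields inside msg; FortiClient writes loc_ip/rem_ip in info events but
# locip/remip in warnings, so the underscore is optional.
FIELD_RES = {k: re.compile(p) for k, p in {
    "loc_ip": r"\bloc_?ip=(\S+)", "rem_ip": r"\brem_?ip=(\S+)",
    "mode": r"\bmode=(\S+)", "stage": r"\bstage=(\d+)", "status": r"\bstatus=(\S+)"}.items()}

def parse_event(line):
    """Return a dict for one FortiClient VPN log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    date, time, level, ev_id, msg, rest = m.groups()
    ev = {"date": date, "time": time, "level": level, "id": ev_id, "msg": msg}
    vt = re.search(r"\bvpntype=(\w+)", rest)
    ev["vpntype"] = vt.group(1) if vt else None
    for key, rx in FIELD_RES.items():
        f = rx.search(msg)
        ev[key] = f.group(1) if f else None
    return ev

def diagnose(log_text):
    """Pair each phase 1 initiation with the outcome logged for the same local address."""
    findings, pending = [], {}          # pending: loc_ip -> initiation event
    for ev in filter(None, map(parse_event, log_text.splitlines())):
        if ev["vpntype"] == "ssl":
            findings.append(("ssl", None, "local SSL VPN service started; unrelated to the IPsec tunnel"))
        elif ev["status"] == "success" and ev["stage"] == "1":
            pending[ev["loc_ip"]] = ev  # initiator sent its first message, nothing more yet
        elif ev["status"] == "negotiate_error":
            init = pending.pop(ev["loc_ip"], None)
            mode = init["mode"] if init else "unknown"
            findings.append(("ipsec", ev["loc_ip"],
                f"phase 1 ({mode} mode) from {ev['loc_ip']} to {ev['rem_ip']}: the first IKE "
                "message on UDP/500 was never answered; confirm it reaches the gateway's WAN "
                "interface (reachability, NAT, IKE listener) before looking at phase 2 or policies"))
    return findings
```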
