systemgeek
Visitor III
April 10, 2025
Question

Fortigate Dialup IPsec config to FortiClient Config

  • April 10, 2025
  • 5 replies
  • 2515 views

I do not know a lot about IPsec except that there are many layers of encryption in it. But I have to get dialup IPsec VPN working for our company. I used the wizard on the FortiGate to do most of the work. Then, to build the FortiClient config, I looked at the options and tried my best to select the ones that looked correct. But the initial connection is failing. At one point I saw a message that IKE failed.


The setup options for both the FortiGate and FortiClient EMS do not seem to be the same or even in the same locations.  I have tried a manual config in the client and I have tried a config in EMS which is pushed down to me.  The settings in EMS do not even match the settings you can do in the Client.  Is there a way to take the FortiGate IPsec config and convert it to a FortiClient config that will work with it?  Without being an IPsec expert?

5 replies

AEK
SuperUser
April 10, 2025

We may help if you can share both configs (you can hide the IP).

AEK
funkylicious
SuperUser
April 11, 2025

You can see the settings for phase 1 and phase 2 by running show full vpn ipsec phase1-interface and show full vpn ipsec phase2-interface.

Usually the default settings the wizard sets are IKEv1 / phase 1 aes128/256-sha256 / DH 5 or 14 (don't set both) / phase 2 PFS on and the same DH group. Some of these settings can be confirmed using the show command above.

"jack of all trades, master of none"
Tauri
Explorer II
April 11, 2025

Please share the IPsec configuration that also shows phase 1 and phase 2. Please also add the two FortiGate configs. Don't forget to hide classified information.

systemgeek
Visitor III
April 13, 2025

Fortigate config:

    </ipsec_settings>
    <on_connect>
        <script>
            <os>mac</os>
            <script>$null</script>
        </script>
    </on_connect>
    <on_disconnect>
        <script>
            <os>mac</os>
            <script>$null</script>
        </script>
    </on_disconnect>
    <tags>
        <allowed></allowed>
        <prohibited></prohibited>
    </tags>
    <host_check_fail_warning></host_check_fail_warning>
    <keep_running>0</keep_running>
    <disclaimer_msg>$null</disclaimer_msg>
    <ui>
        <show_passcode>0</show_passcode>
        <show_remember_password>0</show_remember_password>
        <show_alwaysup>0</show_alwaysup>
        <show_autoconnect>0</show_autoconnect>
        <save_username>0</save_username>
        <save_password>0</save_password>
    </ui>
</connection>

AEK
SuperUser
April 14, 2025

It looks empty.

Can you share screenshots of both FCT IPsec config and FGT IPsec config?

AEK
systemgeek
Visitor III
April 14, 2025

FortiGate config:

config vpn ipsec phase1-interface
    edit *****
        set type dynamic
        set interface "port1"
        set ip-version 4
        set ike-version 2
        set local-gw 0.0.0.0
        set keylife 86400
        set authmethod psk
        unset authmethod-remote
        set peertype any
        set monitor-min 0
        set net-device disable
        set exchange-interface-ip disable
        set aggregate-member disable
        set packet-redistribution disable
        set mode-cfg enable
        set ipv4-wins-server1 0.0.0.0
        set ipv4-wins-server2 0.0.0.0
        set proposal aes128-sha256 aes256-sha256
        set add-route enable
        set localid ''
        set localid-type auto
        set negotiate-timeout 30
        set fragmentation enable
        set ip-fragmentation post-encapsulation
        set dpd on-demand
        set dhgrp 14
        set suite-b disable
        set eap enable
        set eap-identity send-request
        set acct-verify disable
        set ppk disable
        set wizard-type dialup-forticlient
        set reauth disable
        set authusrgrp *******
        set idle-timeout disable
        set ha-sync-esp-seqno enable
        set fgsp-sync disable
        set inbound-dscp-copy disable
        set encapsulation none
        set nattraversal disable
        set fragmentation-mtu 1200
        set childless-ike disable
        set azure-ad-autoconnect disable
        set client-resume disable
        set rekey enable
        set enforce-unique-id disable
        set network-overlay disable
        set dev-id-notification disable
        set link-cost 0
        set kms ''
        set exchange-fgt-device-id disable
        set ems-sn-check disable
        set qkd disable
        set transport tcp
        set fortinet-esp enable
        set remote-gw-match any
        set default-gw 0.0.0.0
        set default-gw-priority 0
        set assign-ip enable
        set assign-ip-from name
        set ipv4-netmask 255.255.255.255
        set dns-mode auto
        set ipv4-split-include *****
        set split-include-service ''
        set ipv4-name *******
        set ipv6-prefix 128
        set ipv6-split-include ''
        set ipv6-name ''
        set ip-delay-interval 0
        set ipv4-split-exclude ''
        set ipv6-split-exclude ''
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret ENC **********
        set distance 15
        set priority 1
        set dpd-retrycount 3
        set dpd-retryinterval 20
    next
end

FortiClient config:

<connection>
    <name>IPSecVPN</name>
    <type>manual</type>
    <ike_settings>
        <version>2</version>
        <eap_method>0</eap_method>
        <sso_enabled>1</sso_enabled>
        <ike_saml_port>10666</ike_saml_port>
        <use_external_browser>1</use_external_browser>
        <prompt_certificate>0</prompt_certificate>
        <description></description>
        <server>example.com</server>
        <authentication_method>Preshared Key</authentication_method>
        <auth_key></auth_key>
        <auth_data>
            <preshared_key>Enc ****</preshared_key>
            <certificate></certificate>
        </auth_data>
        <mode>aggressive</mode>
        <dhgroup>14</dhgroup>
        <key_life>86400</key_life>
        <localid></localid>
        <nat_traversal>0</nat_traversal>
        <networkid>0</networkid>
        <sase_mode>0</sase_mode>
        <mode_config>1</mode_config>
        <enable_local_lan>0</enable_local_lan>
        <enable_ike_fragmentation>0</enable_ike_fragmentation>
        <dpd>1</dpd>
        <xauth>
            <enabled>0</enabled>
            <prompt_username>0</prompt_username>
            <username>Enc ****</username>
            <password>Enc ****</password>
        </xauth>
        <proposals>
            <proposal>AES128|SHA256</proposal>
            <proposal>AES256|SHA256</proposal>
        </proposals>
        <fgt>0</fgt>
    </ike_settings>
    <ipsec_settings>
        <remote_networks></remote_networks>
        <dhgroup>14</dhgroup>
        <key_life_type>both</key_life_type>
        <key_life_seconds>43200</key_life_seconds>
        <key_life_Kbytes>5120</key_life_Kbytes>
        <replay_detection>0</replay_detection>
        <pfs>1</pfs>
        <use_vip>1</use_vip>
        <virtualip>
            <type>modeconfig</type>
            <ip></ip>
            <mask></mask>
            <dnsserver></dnsserver>
        </virtualip>
        <proposals>
            <proposal>AES128|SHA256</proposal>
            <proposal>AES256|SHA256</proposal>
        </proposals>
        <ipv4_split_exclude_networks></ipv4_split_exclude_networks>
    </ipsec_settings>
    <on_connect>
        <script>
            <os>mac</os>
            <script>$null</script>
        </script>
    </on_connect>
    <on_disconnect>
        <script>
            <os>mac</os>
            <script>$null</script>
        </script>
    </on_disconnect>
    <tags>
        <allowed></allowed>
        <prohibited></prohibited>
    </tags>
    <host_check_fail_warning></host_check_fail_warning>
    <keep_running>0</keep_running>
    <disclaimer_msg>$null</disclaimer_msg>
    <ui>
        <show_passcode>0</show_passcode>
        <show_remember_password>0</show_remember_password>
        <show_alwaysup>0</show_alwaysup>
        <show_autoconnect>0</show_autoconnect>
        <save_username>0</save_username>
        <save_password>0</save_password>
    </ui>
</connection>
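funkylicious's advice earlier in the thread (read the phase 1 and phase 2 settings off the FortiGate with show full and confirm them against the client) and the two configs posted above lend themselves to a mechanical check. The script below is an added example written for this page; it is not code from the thread, from FortiClient or from FortiOS. It parses a phase1-interface and a phase2-interface block in FortiOS CLI form plus a FortiClient profile XML, normalises the settings that both sides must agree on (IKE version, proposal lists, DH group, key lifetime, NAT traversal, IKE fragmentation, PFS) and reports any that differ or have no overlap. An empty overlap on a proposal row is exactly the condition behind an IKEv2 NO_PROPOSAL_CHOSEN notify, which is what the "no proposal chosen" line in the FortiGate debug reports; other mismatches do not necessarily cause that error but are worth fixing first. The three embedded configs are constructed samples: the phase 1 block and the XML are trimmed copies of the ones in this thread with redacted values replaced by placeholders, and the phase 2 block is made up from the wizard defaults described above because the thread never shows that output. Fields whose meaning on the FortiClient side is not established on this page (eap_method, sso_enabled, transport, fortinet-esp) are deliberately not compared.

```python
"""Compare the IKE/IPsec settings a FortiGate dialup tunnel and a FortiClient
profile must agree on, and list the ones that do not match."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: trimmed copy of the thread's phase1-interface output,
# redacted values replaced with placeholders.
FGT_PHASE1 = """
config vpn ipsec phase1-interface
    edit "DIALUP"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set keylife 86400
        set authmethod psk
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256
        set fragmentation enable
        set dpd on-demand
        set dhgrp 14
        set eap enable
        set nattraversal disable
        set psksecret ENC REDACTED
    next
end
"""

# Constructed sample: the thread does not show phase2-interface, so this
# follows the wizard defaults mentioned in it (PFS on, same DH group).
FGT_PHASE2 = """
config vpn ipsec phase2-interface
    edit "DIALUP"
        set phase1name "DIALUP"
        set proposal aes128-sha256 aes256-sha256
        set pfs enable
        set dhgrp 14
        set keylifeseconds 43200
    next
end
"""

# Constructed sample: the thread's FortiClient XML trimmed to the compared fields.
FCT_XML = """<connection>
  <name>IPSecVPN</name>
  <ike_settings>
    <version>2</version>
    <mode>aggressive</mode>
    <dhgroup>14</dhgroup>
    <key_life>86400</key_life>
    <nat_traversal>0</nat_traversal>
    <enable_ike_fragmentation>0</enable_ike_fragmentation>
    <proposals>
      <proposal>AES128|SHA256</proposal>
      <proposal>AES256|SHA256</proposal>
    </proposals>
  </ike_settings>
  <ipsec_settings>
    <dhgroup>14</dhgroup>
    <key_life_seconds>43200</key_life_seconds>
    <pfs>1</pfs>
    <proposals>
      <proposal>AES128|SHA256</proposal>
    </proposals>
  </ipsec_settings>
</connection>
"""


def parse_fgt(text):
    """Map every 'set <key> <values...>' line to {key: [values]}, quotes stripped."""
    return {key: val.replace('"', "").split()
            for key, val in re.findall(r"^\s*set (\S+)\s+(.*?)\s*$", text, re.M)}


def fgt_proposals(values):
    """'aes128-sha256' -> ('aes128', 'sha256')"""
    return {tuple(v.lower().split("-", 1)) for v in values}


def fct_proposals(node):
    """'AES128|SHA256' -> ('aes128', 'sha256')"""
    return {tuple(p.text.lower().split("|", 1)) for p in node.findall("proposals/proposal")}


def flag(value):
    """Normalise FortiGate enable/disable and FortiClient 1/0 to '1'/'0'."""
    return "1" if str(value).lower() in ("enable", "on", "1") else "0"


def compare(fgt_p1_text, fgt_p2_text, fct_xml):
    """Return one dict per compared field: name, both values and whether they agree."""
    p1, p2 = parse_fgt(fgt_p1_text), parse_fgt(fgt_p2_text)
    root = ET.fromstring(fct_xml)
    ike, esp = root.find("ike_settings"), root.find("ipsec_settings")
    rows = []

    def check(field, fgt_val, fct_val, ok):
        rows.append({"field": field, "fortigate": fgt_val, "forticlient": fct_val, "ok": ok})

    # Phase 1 (IKE SA): version, at least one shared proposal, DH group, lifetime, NAT-T, fragmentation.
    v = ike.findtext("version")
    check("ike version", p1["ike-version"][0], v, p1["ike-version"][0] == v)
    fct_p1 = [p.text for p in ike.findall("proposals/proposal")]
    check("phase1 proposal overlap", p1["proposal"], fct_p1, bool(fgt_proposals(p1["proposal"]) & fct_proposals(ike)))
    check("phase1 DH group", p1["dhgrp"], ike.findtext("dhgroup"), ike.findtext("dhgroup") in p1["dhgrp"])
    check("phase1 key lifetime (s)", p1["keylife"][0], ike.findtext("key_life"), p1["keylife"][0] == ike.findtext("key_life"))
    check("NAT traversal", p1["nattraversal"][0], ike.findtext("nat_traversal"), flag(p1["nattraversal"][0]) == flag(ike.findtext("nat_traversal")))
    check("IKE fragmentation", p1["fragmentation"][0], ike.findtext("enable_ike_fragmentation"), flag(p1["fragmentation"][0]) == flag(ike.findtext("enable_ike_fragmentation")))

    # Phase 2 (child SA): shared ESP proposal, PFS, DH group, lifetime.
    fct_p2 = [p.text for p in esp.findall("proposals/proposal")]
    check("phase2 proposal overlap", p2["proposal"], fct_p2, bool(fgt_proposals(p2["proposal"]) & fct_proposals(esp)))
    check("PFS", p2["pfs"][0], esp.findtext("pfs"), flag(p2["pfs"][0]) == flag(esp.findtext("pfs")))
    check("phase2 DH group", p2["dhgrp"], esp.findtext("dhgroup"), esp.findtext("dhgroup") in p2["dhgrp"])
    check("phase2 key lifetime (s)", p2["keylifeseconds"][0], esp.findtext("key_life_seconds"), p2["keylifeseconds"][0] == esp.findtext("key_life_seconds"))
    return rows


def mismatches(rows):
    """Names of the fields that do not agree."""
    return [r["field"] for r in rows if not r["ok"]]


if __name__ == "__main__":
    for r in compare(FGT_PHASE1, FGT_PHASE2, FCT_XML):
        print("OK  " if r["ok"] else "DIFF", r["field"], r["fortigate"], "vs", r["forticlient"])
```

To use it on a real tunnel, replace the three sample strings with the output of show full vpn ipsec phase1-interface, show full vpn ipsec phase2-interface and the XML exported from FortiClient (or pushed by EMS); on the constructed samples the only DIFF row is IKE fragmentation, enabled on the gateway and off in the client. The script only tells you which of these known fields disagree; it cannot see settings the client applies implicitly, so a clean run is a precondition for the tunnel, not a guarantee.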
AEK
SuperUser
April 14, 2025

If your client is behind a router then enable NAT traversal on both FCT and FGT.

AEK
systemgeek
Visitor III
April 15, 2025

Unless you want to count an AWS EIP as behind a router, it's not.


Right now I am getting "116: no proposal chosen, send error response" on the FortiGate when I am running debug there. I can only guess that the proposal offered in the debug is the client's offer?