Skip to main content
damianhlozano
damianhlozano
Explorer II
September 19, 2025
Question

IKEv2 dialup VPN not working

  • September 19, 2025
  • 4 replies
  • 1096 views

Hello team!

 

We have 2 Fortigates 100F in HA 7.6.4 and a FortiClient EMS cloud 7.4.3

We already have 3 dialup IPsec IKEv1 VPNs for each WAN working, all authenticating with AD

Also we have 1 dialup IPsec IKEv2 VPN for each WAN working, also authenticating with AD

I recently added another existing AD domain in the Fortigate and EMS (Both domains are in different DCs), installing the agents needed

 

The authentication server was correctly added in the EMS Cloud and we could see AD objects

In the Fortigate, we have added an external connector (FSSO Agent on Windows AD), like in the other domain, and created a new LDAP Server, like in the other domain.  The external connector is up, and the new LDAP server passed both tests ("Test Connectivity" and "Test User Credentials")

 

I then created a new local user group, using 1 remote group (In the second AD) and created 1 new IKEv2 dialup VPN for each wan, using this new group

In the EMS, I duplicated the working IKEv2 VPN profile for the new VPN, and modified what we needed.

The new VPN is provisioned in FortiClient (For my test user, the only user with this profile), but I cannot connect

I added a local user in the VPN group, but I have the same result

 

In the Fortigate, I see the following events when I try to connect:

date=2025-09-19 time=09:27:25 eventtime=1758284846227998119 tz="-0300" logid="0101037124" type="event" subtype="vpn" level="error" vd="root" logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" action="negotiate" remip=RemoteIP locip=LocalIP remport=4500 locport=4500 outintf="port9" cookies="bf0cfbd9ababe347/ad46a6ade2a7a2c1" user="1031" group="N/A" useralt="N/A" eapuser="N/A" eapauthgroup="N/A" assignip=N/A vpntunnel="NewVPN" status="negotiate_error" reason="ike negotiation timeout" fctuid="E2D4BA7AF7DD4761B682A1A835348004" advpnsc=0
date=2025-09-19 time=09:27:25 eventtime=1758284846228034039 tz="-0300" logid="0101037134" type="event" subtype="vpn" level="notice" vd="root" logdesc="IPsec phase 1 SA deleted" msg="delete IPsec phase 1 SA" action="delete_phase1_sa" remip=RemoteIP locip=LocalIP remport=4500 locport=4500 outintf="port9" cookies="bf0cfbd9ababe347/ad46a6ade2a7a2c1" user="1031" group="N/A" useralt="N/A" eapuser="N/A" eapauthgroup="N/A" assignip=N/A vpntunnel="NewVPN" fctuid="E2D4BA7AF7DD4761B682A1A835348004" advpnsc=0
date=2025-09-19 time=09:26:57 eventtime=1758284816246381739 tz="-0300" logid="0101037127" type="event" subtype="vpn" level="notice" vd="root" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" remip=RemoteIP locip=LocalIP remport=4500 locport=4500 outintf="port9" srccountry="Argentina" cookies="bf0cfbd9ababe347/ad46a6ade2a7a2c1" user="1031" group="N/A" useralt="N/A" eapuser="N/A" eapauthgroup="N/A" assignip=N/A vpntunnel="NewVPN" status="success" init="remote" exch="AUTH" dir="outbound" role="responder" result="DONE" version="IKEv2" fctuid="E2D4BA7AF7DD4761B682A1A835348004" advpnsc=0

 

Any idea?

 

Thanks in advance.

Regards

Damián

4 replies

brian_skysilk
brian_skysilk
New Member
September 19, 2025

status="negotiate_error" reason="ike negotiation timeout"

Could be occurring for a large number of reasons. I would double check everything related to phase 1 connectivity. Firewall rules, and the IKE phase 1 settings on the FortiGate and FortiClient are matching.

You can also run debugging in the console to get more information as to why phase 1 is not establishing.

 

diagnose debug console timestamp  enable
diagnose debug application ike -1
diagnose debug enable

damianhlozano
damianhlozanoAuthor
Explorer II
September 19, 2025

Hello Brian, thanks for your answer!

 

I double checked everything, even listed all parameters in a working VPN, and in the new VPN, in "config vpn ipsec phase1-interface" and compared them.

Do you know how to filter the debug to only view connections to an specific VPN?

I searched and tried to filter the output but I never got it.  Articles wich explain this, are incomplete.

As soon as I run "diagnose debug enable", there are a lot of lines appearing, even if I dint try to connect to VPN.  Maybe related to other dialup VPNs or P2P IPsec VPNs (This Fortigate has also some P2P IPsec VPNs)

 

Thanks in advance.

Regards,

Damián

brian_skysilk
brian_skysilk
New Member
September 19, 2025

You can try:

diagnose vpn ike log-filter

 

There are a number of filter options available.

vd: any
name: any
interface: any
IPv4 source: any
multiple IPv4 sources: any
IPv4 dest: any
multiple IPv4 dest: any
IPv6 source: any
multiple IPv6 sources: any
IPv6 dest: any
multiple IPv6 dest: any
source port: any
dest port: any

damianhlozano
damianhlozanoAuthor
Explorer II
September 19, 2025

This is for older firmware

In 7.6.4 is "diagnose vpn ike log filter name phase1name"

But even running this, there are a lot of lines as soon as I enabled the debug

Do you know in which line should I apply the filter?

Is this first?  Like:

diagnose vpn ike log filter name phase1name

diagnose debug console timestamp  enable
diagnose debug application ike -1
diagnose debug enable

 

Thanks in advance.

Regards,

Damián

brian_skysilk
brian_skysilk
New Member
September 19, 2025

You can see which filters are applied to output by running the command without any attributes.

 

src and dst ip address are probably your best bet for only seeing the FortiClient connection attempt.

damianhlozano
damianhlozanoAuthor
Explorer II
September 19, 2025

Hello!

 

This time, I had opened a Fortinet ticket at the same time I post the question here.

This seems that the PSK was not the same in the server and client side.

IDK why didnt appear the generic error in Forticlient, instead of return to the main screen, because of this I didnt change the PSK before

Now this is working!

 

Thanks anyway for your help!

Regards,

Damián

Terms & ConditionsAccessibility statement