alaaelrayes
New Member
May 24, 2023
Question

IPsec IKE v2 Config

  • May 24, 2023
  • 4 replies
  • 6661 views

Hi Team,

I have an IPsec IKEv1 remote access tunnel and I need to change it to IKEv2.

After changing it to V2 I could not connect to the tunnel; the logs give the warning below:

No response from the peer, phase1 retransmit reaches maximum count

Note that we use FortiAuthenticator with FortiGate.

My config:

set type dynamic
set interface "IPSec"
set ike-version 2
set peertype any
set net-device enable
set mode-cfg enable
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
set dpd on-idle
set idle-timeout enable
set idle-timeoutinterval 60
set ipv4-start-ip 
set ipv4-end-ip 
set ipv4-netmask 
set dns-mode auto
set psksecret

What is the problem?

Thanks,

4 replies

New Contributor III
May 24, 2023

Hi @alaaelrayes ,

VPN configuration requires "mutual understanding" on both sides.
Each side must match the other.

From my understanding, the change from V1 to V2 only happened on this FortiGate.

This error: "No response from the peer, phase1 retransmit reaches maximum count" may indicate the peer is still using V1.

May I know, did you change it on the peer side too?

alaaelrayes
New Member
May 24, 2023

VPN client config on that connection is V2 also, as below:

V2.JPG

akristof
Staff
May 24, 2023

Hi,

Encryption does not match. FortiClient has aes128-sha1 and aes256-sha1, but FortiGate accepts aes128-sha256 at least.
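The mismatch akristof points out is easy to check mechanically before a tunnel is cut over. The following is an added example (not code from the thread or from Fortinet): it parses a FortiOS phase1 `set proposal` line, copied from the question, and compares it with the list a client offers, constructed here from the reply (aes128-sha1 and aes256-sha1). The split of each token into cipher, integrity and PRF, and the reading of the `-prf...` suffix as an AEAD proposal, are this example's assumptions about FortiOS naming.

```python
# Added example (not from the thread or from Fortinet): check whether the
# IKEv2 proposals a client offers overlap the FortiGate phase1 'set proposal'
# line.  The gateway line is copied from the question; the client list is
# constructed from akristof's reply (aes128-sha1, aes256-sha1).
import re
from typing import NamedTuple, Optional

GATE_LINE = ("set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 "
             "aes256gcm-prfsha384 chacha20poly1305-prfsha256")
CLIENT_PROPOSALS = ["aes128-sha1", "aes256-sha1"]   # constructed from the reply


class Proposal(NamedTuple):
    encryption: str
    integrity: Optional[str]   # None for AEAD ciphers (GCM, ChaCha20-Poly1305)
    prf: str


def parse_proposal(token: str) -> Proposal:
    """Split one FortiOS proposal token into its algorithms.

    Assumption used here: 'aes128-sha256' means AES-128-CBC with HMAC-SHA256
    integrity and a PRF taken from the same hash; 'aes128gcm-prfsha256' means
    the AEAD cipher AES-128-GCM with an explicit PRF and no separate
    integrity algorithm.
    """
    enc, sep, suffix = token.partition("-")
    if not sep or not suffix:
        raise ValueError(f"malformed proposal token: {token!r}")
    if suffix.startswith("prf"):
        return Proposal(enc, None, suffix[len("prf"):])
    return Proposal(enc, suffix, suffix)


def proposal_tokens(line: str) -> list:
    """Return the raw tokens of a FortiOS 'set proposal ...' line."""
    m = re.match(r"\s*set\s+proposal\s+(.+?)\s*$", line)
    if not m:
        raise ValueError("not a 'set proposal' line")
    return m.group(1).split()


def parse_proposal_line(line: str) -> list:
    """Parse a 'set proposal' line into Proposal tuples."""
    return [parse_proposal(tok) for tok in proposal_tokens(line)]


def common_proposals(gate_line: str, client_tokens) -> list:
    """Return the client tokens the gateway would accept, in client order."""
    accepted = set(parse_proposal_line(gate_line))
    return [tok for tok in client_tokens if parse_proposal(tok) in accepted]


def diagnose(gate_line: str, client_tokens) -> str:
    """One-line verdict: which side has to change, and to what."""
    common = common_proposals(gate_line, client_tokens)
    if common:
        return "ok: common proposal(s) " + ", ".join(common)
    return ("mismatch: client offers " + ", ".join(client_tokens)
            + "; gateway accepts only " + ", ".join(proposal_tokens(gate_line))
            + " (align the FortiClient profile or the phase1 proposal)")


if __name__ == "__main__":
    print(diagnose(GATE_LINE, CLIENT_PROPOSALS))
```

Run against the thread's values the verdict is "mismatch", because every gateway proposal requires SHA-256 or SHA-384 while the client only offers SHA-1; adding a single common entry on either side is enough for the comparison to report "ok", which is the condition IKE_SA_INIT needs before it can proceed.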

alaaelrayes
New Member
May 29, 2023

I made changes to FortiAuthenticator and FortiGate; after that the connection was established and I was prompted to enter the FortiToken, but after entering the token it shows "VPN connection failed".

The error from FortiClient is:

No response from the peer, phase1 retransmit reaches maximum count

The FortiAuthenticator log shows success:

authenticator.png

Authenticator RADIUS changes:

radius 1.JPG
radius 2.JPG

Authenticator RADIUS debug:

auth 3.png

New Contributor III
June 7, 2023

Hi @alaaelrayes ,

If you have FortiAuthenticator, it may be related to another issue. Can you try without 2FA and try it again?

If only 2FA is not working, I would suggest contacting Fortinet support, as this needs in-depth troubleshooting.
Here is the reference: https://www.fortinet.com/support/contact.html

alaaelrayes
New Member
May 31, 2023

Could anyone help me?

After entering the token it gives "VPN connection failed" in FortiClient, but there is no error in FAC.

Maybe because the client uses EAP-GTC, as shown in the pictures above?

Note the failure from the FG debug below:

eap fail.JPG

fnbamd debug:

[1862] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[323] extract_success_vsas-FORTINET attr, type 1, val VPN Users 
fnbamd_dbg_hex_pnt[48] EAP msg from server (4)-03 01 00 04
[1449] fnbamd_auth_handle_radius_result-->Result for radius svr 'FortiAuthenticator' IP(1) is 0
[1608] fnbam_user_auth_group_match-req id: 952356062, server: FortiAuthenticator, local auth: 0, dn match: 0
[280] find_matched_usr_grps-Failed group matching


alaaelrayes
New Member
June 8, 2023

The latest update: I configured the tunnel and I can connect, but without internet.

My policies include groups, but when I remove those groups and replace them with "All" I'm able to connect.

In my environment I don't need to remove groups from policies.

Is there a solution for this issue?

In the tunnel config there is a command that should be specified (set authgrp " "). I've added one group, but how do I add multiple groups?

policy.JPG
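The fnbamd output posted earlier and the policy observation in this last post describe the same failure: RADIUS returns Access-Accept (code 2) and EAP Success (code 3) with a Fortinet-Group-Name VSA of "VPN Users", yet FortiGate reports "Failed group matching", so any firewall policy that references a user group denies the session while "All" works. The following is an added example (not code from the thread or from Fortinet) that parses those debug lines, copied from the post, and compares the returned VSA group name against a constructed FortiGate user-group table that mirrors the `config user group` / `config match` / `set group-name` structure. The RADIUS and EAP code values are from RFC 2865 and RFC 3748; treating Fortinet VSA type 1 as Fortinet-Group-Name is this example's reading of the log; the user-group names are constructed.

```python
# Added example (not from the thread or from Fortinet): parse the fnbamd
# debug lines posted in the thread and explain why the user got an
# Access-Accept yet "Failed group matching".  The log lines are copied from
# the post; the FortiGate user-group table is constructed.
import re

FNBAMD_LINES = """\
[1862] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[323] extract_success_vsas-FORTINET attr, type 1, val VPN Users 
fnbamd_dbg_hex_pnt[48] EAP msg from server (4)-03 01 00 04
[1449] fnbamd_auth_handle_radius_result-->Result for radius svr 'FortiAuthenticator' IP(1) is 0
[1608] fnbam_user_auth_group_match-req id: 952356062, server: FortiAuthenticator, local auth: 0, dn match: 0
[280] find_matched_usr_grps-Failed group matching
""".splitlines()

RADIUS_ACCESS_ACCEPT = 2      # RFC 2865 packet code
EAP_SUCCESS = 3               # RFC 3748 EAP code
FORTINET_GROUP_NAME_VSA = 1   # Fortinet VSA type 1 = Fortinet-Group-Name (assumption)


def summarize_fnbamd(lines):
    """Pull the decision-relevant fields out of fnbamd debug output."""
    s = {"radius_code": None, "vsa_groups": [], "eap_code": None,
         "server": None, "server_result": None, "group_match": None}
    for line in lines:
        if m := re.search(r"RADIUS resp code (\d+)", line):
            s["radius_code"] = int(m.group(1))
        elif m := re.search(r"FORTINET attr, type (\d+), val (.*?)\s*$", line):
            if int(m.group(1)) == FORTINET_GROUP_NAME_VSA:
                s["vsa_groups"].append(m.group(2))
        elif m := re.search(r"EAP msg from server \(\d+\)-([0-9a-fA-F]{2})", line):
            s["eap_code"] = int(m.group(1), 16)   # first EAP byte is the code
        elif m := re.search(r"Result for radius svr '([^']+)' .* is (\d+)", line):
            s["server"], s["server_result"] = m.group(1), int(m.group(2))
        elif "Failed group matching" in line:
            s["group_match"] = False
    return s


def explain_group_match(summary, user_groups):
    """user_groups: constructed {FortiGate user group: {RADIUS group-name strings}}
    mirroring 'config user group' / 'config match' / 'set group-name'.
    Returns (matched FortiGate groups, human-readable reason)."""
    if (summary["radius_code"] != RADIUS_ACCESS_ACCEPT
            or summary["server_result"] != 0
            or summary["eap_code"] not in (None, EAP_SUCCESS)):
        return [], "authentication itself failed; fix that before looking at groups"
    returned = set(summary["vsa_groups"])
    matched = sorted(g for g, names in user_groups.items() if names & returned)
    if matched:
        return matched, "user lands in " + ", ".join(matched)
    return [], ("Access-Accept received with Fortinet-Group-Name "
                + ", ".join(sorted(returned))
                + " but no FortiGate user group has a 'set group-name' equal to it;"
                " every policy that references a group will then deny the user"
                " while a policy using 'All' still lets them through")


if __name__ == "__main__":
    summary = summarize_fnbamd(FNBAMD_LINES)
    # Constructed table: the match string differs from the VSA by one character.
    groups = {"VPN_Users": {"VPN-Users"}}
    print(summary)
    print(explain_group_match(summary, groups)[1])
```

The point of the comparison is that the string in `set group-name` must equal the Fortinet-Group-Name value the RADIUS server returns, byte for byte, before the user is placed in a FortiGate group; until that holds, loosening the policy to "All" restores connectivity only by abandoning the per-group restriction, which is the least-privilege control the policy was there to enforce.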