IPsec negotiation problem

anyone? please

Hi, you' ve done everything but don' t post everything you' ve done...hard to tell from guessing what' s missing. You will probably know that you will have to have 2 policies to make this work: a) an ENCRYPT VPN policy b) an ACCEPT policy for allowing traffic from the clients to your network The details are all very well laid out in the FortiOS Handbook, pg. 1567 ff. for v4.00 MR3. If you follow this step by step you should have a working tunnel soon. If not...the please post the policies as well, the user group, the address group for the clients etc.

Where' s your fwpolicies? Since nothing is show in the user and and xauth fields, It looks like the user is not been authenticated if I had to guess. But the vpn configs looks right here' s example of my policy edit 6 set srcintf " port15" set dstintf " EXT_NET01" set srcaddr " MGT_NET01" set dstaddr " all" set action ipsec set schedule " always" set service " ANY" set comments " L2TP_VPN for main admiistrators to management network" set inbound enable set outbound enable set vpntunnel " l2tp_dialupRA01" next Make sure to apply fwpoilicies to all interfaces and traffic types that your allowing.

oh b4 I forget you need a policy for the tunnel src back in also; edit 8 set srcintf " EXT_NET01" set dstintf " port15" set srcaddr " l2tp_RA01" set dstaddr " MGT_NET01" set action accept set schedule " always" set service " ANY" next Look at this way, you allow external traffic into with action ipsec and then you allow the tunnel-srcs into the lan fwpoilices that you allow.

So have you double checked the l2tp vpn client setup? If you have macosx used that with verbose mode logging and look at any errors logged info in the var directory.

I' m looking at this tread and it makes me wonder, why use l2tp? Use standard IPsec with the free FortiClient. Why use tunnel mode, use interface mode. It' s more logical, more flexible, etc, etc. For debugging use: dia debug enable dia deb application ipsec -1

HI! It' s weird! Last few days I could make connection and I had problem in my ipsec negotioation, now it does not even get to l2pt! what the....... here is my whole config, tell me if I have missed anything! config vpn l2tp set eip 10.0.2.120 set sip 10.0.2.101 set status enable set usrgrp " L2TP_GROUP" end config user group edit " L2TP_GROUP" set member " neda" " divek" next end config vpn ipsec phase1 edit " REMOTE_P1" set type dynamic ******* //the remote gateway is set to dialup clients set interface " port9" set dhgrp 2 set proposal aes256-md5 3des-sha1 aes192-sha1 set psksecret ENC xVy3WCpj6r8OQiu5KGaqM0z4uODBwAVRBE7NMv6kcoQ/B0ERBlYB0rtrPTaRgxn6QGW4zR9xhx1PNEfNSc2wXO/iEDwvzjpbtyu3kY8aUr7MqFOs next end config vpn ipsec phase2 edit " REMOTE_P2" set encapsulation transport-mode set pfs disable set phase1name " REMOTE_P1" set proposal aes256-md5 3des-sha1 aes192-sha1 set keylifeseconds 3600 **//relay is enabled it is not shown next end config firewall policy edit 64 set srcintf " port9" //wan interface set dstintf " truWorkstations" //lan interface set srcaddr " L2TPclients" set dstaddr " all" set action accept set schedule " always" set service " ANY" next end config firewall policy edit 57 set srcintf " truWorkstations" set dstintf " port9" set srcaddr " all" set dstaddr " all" set action ipsec set schedule " always" set service " ANY" set inbound enable set outbound enable set vpntunnel " REMOTE_P1" next end config firewall address edit " L2TPclients" set type iprange set end-ip 10.0.2.120 set start-ip 10.0.2.101 next end config system dhcp server edit 1 set default-gateway 10.0.2.1 config exclude-range edit 1 set end-ip 10.0.2.120 set start-ip 10.0.2.101 next end set interface " truWorkstations" config ip-range edit 1 set end-ip 10.0.2.100 set start-ip 10.0.2.2 next end set netmask 255.255.255.0 set wins-server1 10.0.5.25 set dns-server1 10.0.2.1 set dns-server2 //DNS server next end