Anne
New Member
September 3, 2013
Solved

IPSec tunnel LAN-to-LAN

  • September 3, 2013
  • 4 replies
  • 12804 views
Hi there, I have set up a new VPN IPsec tunnel between two FortiGates running 5.0.3. SA proposal chosen, matched gateway PROD_VPN_P1, DPD negotiated, peer is Fortigate/FortiOS (v5 b208), and then I get the following message in the debugs:

ike 0:PROD_VPN_P1:2806: remote address a.b.c.d does not match configuration address a.b.y.z, drop

Not sure what's happening. Thanks, Anne
    Best answer by dnayak_FTNT (reply of June 12, 2015, below)

    4 replies

    Anne (Author)
    New Member
    September 3, 2013
    a.b.c.d is the public IP of the local peer and a.b.y.z the public IP of the remote FortiGate.
    zeki893
    New Member
    June 11, 2015

    I'm having the same problem. The error doesn't make much sense, since the remote address is a.b.y.z but the error says the remote address is a.b.c.d.

    dnayak_FTNT
    Staff
    June 12, 2015

    Hi,

    It's possible that a VIP is configured on either of the firewalls for the external public IP on which the IPsec tunnel is terminated. Please check and remove the VIP if any.

    Regards,

    Deepak

    zeki893
    New Member
    June 14, 2015

    omg, you're right: an old VIP that I wasn't using was somehow being used for that VPN.

    thanks!

    sohrab
    New Member
    June 14, 2015

    I am facing an issue in a site-to-site IPsec VPN. The tunnel is up and I can access the remote LAN, but the remote LAN cannot access me, although in the policies I made for the remote LAN I allowed access for the remote LAN. Still, the other party is unable to access my LAN. Can anybody guide me on what the issue can be?

    thank you in advance.

    emnoc
    New Member
    June 14, 2015

    The diag debug flow is your first command and step in diagnostics. I would execute it and review the output. I would suspect the fwpolicy-id ordering, or a lacking or incorrect route.

    kenneth_li
    New Member
    May 12, 2016

    Hi,

    I met the error as well. There is a Cisco 2911 router building a site-to-site VPN to a FortiGate 500D. It's not working, and when I enabled debug on the FortiGate I found the error "remote address 218.207.163.181 does not match configuration address 112.5.54.2, drop". There is no VIP config about 218.207.163.181. IP 112.5.54.2 is the router's public IP.

    BR

    Kenneth
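Added example (not from this thread and not Fortinet code): a small Python check that ties Deepak's best answer and Kenneth's "no VIP" case together. It pulls the `remote address ... does not match configuration address ...` events out of captured IKE debug output and looks both addresses up in a `show firewall vip` dump, so a VIP sitting on the tunnel's public IP is flagged while a case like Kenneth's is reported as not explained by a local VIP. Assumptions: the VIP config follows the usual `config firewall vip` / `edit "name"` / `set extip` layout (assumed, not quoted from this thread); the debug line format is the one Anne quoted; the 203.0.113.x / 198.51.100.x addresses, the tunnel name CISCO_2911 and the VIP names are constructed sample data; the two addresses in the second debug line are the ones Kenneth posted.

```python
import re
from dataclasses import dataclass

# Debug line shape quoted in this thread, e.g.
# "ike 0:PROD_VPN_P1:2806: remote address a.b.c.d does not match configuration address a.b.y.z, drop"
IKE_MISMATCH = re.compile(
    r"ike \d+:(?P<tunnel>[^:]+):\d+: remote address (?P<remote>[^\s,]+) "
    r"does not match configuration address (?P<configured>[^\s,]+), drop"
)


@dataclass
class Mismatch:
    tunnel: str       # phase1 name from the debug line
    remote: str       # address the IKE packet was actually seen with
    configured: str   # remote-gw configured on this phase1


def parse_ike_debug(lines):
    """Return every address-mismatch drop found in IKE debug output."""
    found = []
    for line in lines:
        m = IKE_MISMATCH.search(line)
        if m:
            found.append(Mismatch(m["tunnel"], m["remote"], m["configured"]))
    return found


def parse_vips(config_text):
    """Map VIP name -> extip from a 'config firewall vip' dump (assumed layout)."""
    vips = {}
    name = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith('edit "'):
            name = line[len('edit "'):].rstrip('"')
        elif line.startswith("set extip ") and name:
            vips[name] = line.split()[2].strip('"')
        elif line == "next":
            name = None
    return vips


def vips_on_address(vips, address):
    """Names of VIPs whose external IP equals the given address."""
    return sorted(n for n, ip in vips.items() if ip == address)


def diagnose(debug_lines, vip_config):
    """For each mismatch drop, say whether a local VIP sits on either address."""
    vips = parse_vips(vip_config)
    report = []
    for mm in parse_ike_debug(debug_lines):
        hits = set(vips_on_address(vips, mm.remote)) | set(vips_on_address(vips, mm.configured))
        report.append({
            "tunnel": mm.tunnel,
            "remote": mm.remote,
            "configured": mm.configured,
            "vips": sorted(hits),
            "likely_cause": ("VIP on the tunnel's public IP; remove or exclude it"
                             if hits else
                             "no local VIP involved; check peer remote-gw and any NAT in front of the peer"),
        })
    return report


# Constructed sample debug output: line 1 mirrors Anne's case with documentation
# addresses, line 3 uses the addresses Kenneth posted (tunnel name constructed).
SAMPLE_DEBUG = [
    "ike 0:PROD_VPN_P1:2806: remote address 203.0.113.10 does not match configuration address 198.51.100.7, drop",
    "ike 0:PROD_VPN_P1:2806: DPD negotiated",
    "ike 0:CISCO_2911:17: remote address 218.207.163.181 does not match configuration address 112.5.54.2, drop",
]

# Constructed VIP dump: OLD_RDP_VIP is the forgotten VIP on the tunnel's own public IP.
SAMPLE_VIP_CONFIG = """\
config firewall vip
    edit "OLD_RDP_VIP"
        set extip 203.0.113.10
        set extintf "wan1"
        set mappedip "192.168.10.25"
    next
    edit "WEB_VIP"
        set extip 203.0.113.11
        set extintf "wan1"
        set mappedip "192.168.10.80"
    next
end
"""

if __name__ == "__main__":
    for entry in diagnose(SAMPLE_DEBUG, SAMPLE_VIP_CONFIG):
        print(f"{entry['tunnel']}: {entry['remote']} vs {entry['configured']} "
              f"-> VIPs {entry['vips'] or 'none'}: {entry['likely_cause']}")
```

Feed it the output of `diagnose debug application ike -1` and `show firewall vip` from the FortiGate that logs the drop; run it on both ends if the far side is also a FortiGate, since the answer above says the VIP can be on either firewall.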