mark8263
New Member
January 26, 2026
Solved

Issues with 'free' ipsec vpn


Anybody else having issues with getting the 'free' ipsec client to work?

I've been messing around with this for a couple of weeks and so far, with 5 different machines and 4 different clients - only 1 machine will connect.

I've already engaged support but since this is the 'free' client - they have exhausted all that they can help with.

I don't need all the 'add-on' stuff with the vpn, just need it to connect - stay stable and provide some basic routing (thru it).

What happens is that I install, configure, connect - and it hangs. Nothing until the connection drops off a few minutes later. Packet captures seem to indicate that 'all' the tcp packets aren't getting sent/received and therefore phase 1 never completed.

 


3 replies

funkylicious
SuperUser
January 26, 2026

What FCT versions have you tested and what version worked?

What OS do those systems have?

"jack of all trades, master of none"
mark8263 (Author)
New Member
January 26, 2026

all builds up to 7.4.3 hotfix 1.8758

machines have been 5 different win 11 machines and 1 server. only works on a server - no workstation flavors

funkylicious
SuperUser
January 26, 2026

I would recommend testing w/ 7.4.1 if you can or something in the 7.2.X version

"jack of all trades, master of none"
vpolovnikov
Staff & Editor
January 26, 2026

There are some IPsec troubleshooting commands in the FortiOS documentation with log examples that may help to some extent: i.e. https://docs.fortinet.com/document/fortigate/7.6.5/administration-guide/044240/ipsec-related-diagnose-commands

mark8263 (Author)
New Member
January 27, 2026

Incoming connection is shown - but the client eventually times out, or has to be manually 'disconnected' as the client gets 'hung up'.

mark8263 (Author, Answer)
New Member
January 28, 2026

I finally got the solution working.

It had to do with 3 different things:

ipsec1 - 256AES

subnet on dialup client. I thought the sessions would be coming from the 'end users' machines via their nat address, but apparently not.

We utilize another security product called Threatlocker. A quick change there allowed the subnet mask to route as needed along with the newer AES256.

Also - don't try to connect from behind a site-2-site w/o changing the addresses. 2 policies don't work for 1 site.

All's working now. Thanks for all the suggestions.