sebastien
New Member
June 20, 2020
Question

Port VPN-IPSEC

  • June 20, 2020
  • 1 reply
  • 10226 views

Hello, I created my VPN with dialup and I tried to connect to the VPN from a computer on another network, but I think the problem comes from my ISP NAT/PAT. I looked on the internet and I tried the following ports but it doesn't work.

Do you have an idea? Thank you.

    1 reply

    ede_pfau
    SuperUser
    June 22, 2020

    hi,


    if you are behind a NAT device (router) then only udp/500 and udp/4500 are used. Be sure to enable "NAT-Traversal" in the VPN setup.

    Apart from that, you may post more information about your client setup, and about the setup of the VPN gateway.
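The NAT-Traversal setting the reply refers to, shown as an added FortiOS CLI example (not from this thread and not Fortinet's own documentation): a dialup phase 1 interface with NAT-T enabled, followed by a sniffer command to confirm that the client's packets on both udp/500 and udp/4500 actually reach the FortiGate's WAN interface. The interface name wan1, the user group "VPN-users" and the pre-shared key placeholder are assumptions; the tunnel name "VPN-maison" and the 192.168.5.0/24 client range are taken from later in the thread.

```fortios
# Added example (assumed names: wan1, VPN-users; the PSK is a placeholder).
# Dialup IKEv1 phase 1 for FortiClient with NAT-Traversal enabled.
config vpn ipsec phase1-interface
    edit "VPN-maison"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set mode-cfg enable
        set proposal aes256-sha256
        set dhgrp 14
        set nattraversal enable
        set xauthtype auto
        set authusrgrp "VPN-users"
        set ipv4-start-ip 192.168.5.1
        set ipv4-end-ip 192.168.5.254
        set ipv4-netmask 255.255.255.0
        set psksecret REPLACE-WITH-PSK
    next
end

# Check on the FortiGate while the client attempts to connect:
# with NAT-T the first packets arrive on udp/500 and the negotiation
# then moves to udp/4500. If udp/500 arrives but nothing ever shows up
# on udp/4500, the NAT device or ISP in front of the FortiGate is not
# passing it, which is the symptom the original question describes.
diagnose sniffer packet wan1 'udp port 500 or udp port 4500' 4
```

The sniffer check is the quickest way to separate an ISP or router problem (no packets on the WAN interface at all) from a FortiGate configuration problem (packets arrive, but the tunnel still does not come up).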

    sebastien (Author)
    New Member
    June 26, 2020

    Hello,


    I made a video because I can't find the problem with my IPSEC-VPN:

    I followed these explanations but it doesn't work ...

    https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/589121/ipsec-vpn-with-forticlient


    Can you help me please ... https://drive.google.com/file/d/1aefUNWRRrIcnrcmZvgitLKGXpiV9t3H9/view?usp=sharing


    I tried to connect to the VPN from outside the network and from inside the same network with my public IP.


    Thank you very much

    ede_pfau
    SuperUser
    June 26, 2020

    Nice video. Way too much work.

    First, get rid of all routes except the default route. In a dialup VPN, FortiOS automatically creates a dynamic route to the connecting host (as a host route, /32) so that traffic can flow forward and backwards.

    Your other routes do not make any sense.


    Then, from which host IP are you running the FC?

    FC's subnet and the subnet behind the tunnel should not be identical.

    You assign a range of IPs from 192.168.5.0/24 - the FGT doesn't know that subnet. If the tunnel really connects the FGT is forced to drop those packets. Unless you make it known:

    create a static route to 192.168.5.0/24, dest. interface "VPN-maison", no gateway.

    This way, it's not a rogue network and traffic will not be discarded.


    Frequently, I assign addresses from the subnet behind the tunnel. VPN users and LAN users blend seamlessly this way.


    Check that you can ping the VPN gateway (192.168.1.99) from the host running the FC.


    If that is working but the FC cannot connect, why don't you look into the FGT's logs? There is one item called "VPN".


    For debugging, enable "show connection window" in FC. It may indicate at which stage the negotiations fail.
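The routing fix and the log check from the reply above, as an added FortiOS CLI example (not the replier's own commands and not from Fortinet's documentation): a static route that makes the 192.168.5.0/24 client range a known destination behind the "VPN-maison" interface with no gateway, a command to review the routing table after the extra routes have been removed, and the IKE debug that shows on the FortiGate side at which stage the negotiation fails. The tunnel name and the client range come from the thread; everything else is standard FortiOS CLI.

```fortios
# Added example (not from the thread). Makes the 192.168.5.0/24 client
# range a known destination behind the "VPN-maison" tunnel interface,
# with no gateway, so returning packets are not discarded as a rogue network.
config router static
    edit 0
        set dst 192.168.5.0 255.255.255.0
        set device "VPN-maison"
    next
end

# Confirm that only the default route and the tunnel route remain.
get router info routing-table all

# Capture the IKE negotiation to see at which stage it fails
# (the FortiGate-side counterpart of FortiClient's "show connection window").
diagnose debug reset
diagnose debug application ike -1
diagnose debug enable
# ... reproduce the FortiClient connection attempt, then:
diagnose debug disable
diagnose vpn ike gateway list
```

Run the ping test from the reply (host running FortiClient to 192.168.1.99) before starting the debug: if the gateway is not reachable at all, the IKE debug will simply stay empty, which points back at the path between the client and the FortiGate rather than at the VPN configuration.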