Unable to get IPsec dial-up VPN to work stably / disconnecting with no error
Hi,
I am trying to switch from SSL-VPN to IPsec dial-up VPN. I have worked on this for days now. No success.
I have got a FortiGate 80F with FortiOS 7.2.1 and FortiEMS & FortiClient running (FortiClient 7.2.11 / FortiEMS 7.2.10).
There are 4 IPsec site-to-site tunnels (FortiGate to FortiGate),
1 dial-up connection (IPsec) with fixed IPs (local and remote),
1 dial-up connection (IPsec) with a variable dial-up IP (IKEv1).
And now I am trying to add an additional IPsec dial-up access.
I configured the FortiGate as follows:
Network
Remote Gateway Dialup, Interface WAN1
IPv4 client range: 172.16.10.1-172.16.10.30/255.255.255.255 (even tried 255.255.255.224)
IPv6 is not used, but there is: ::-::/128
Authentication
Pre-shared Key
IKE Version 2
Accept Peers: Specific Peer ID: homeoffice.local
P1 Proposal
AES128-SHA256 / AES256_GCM-PRFSHA384
DH: 18
Key-Lifetime: 86400
P2 Selectors
Name Homeofficeipsec
Local Address 192.168.10.0/255.255.255.0
Remote Address: 172.16.10.0/255.255.255.224
P2 Proposal
AES256 SHA256
AES256 SHA384
Enable Replay Detection: on
Enable perfect Forward Secrecy: on
DH 18
local Port: on
Remote Port: on
Protocol:all
Key Lifetime: Seconds
Seconds: 43200
On the FortiClient EMS side I did the IPsec VPN configuration:
Block IPv6 - we are not using it
and for the IPsec setup I made sure that the settings match the FortiGate IPsec dial-up connection.
In Phase 1 I gave the connection the Local ID homeoffice.local (as we have multiple IPsec dial-ups, every connection needs an identification, if I am right) and Accept Types: Specific peer ID.
Phase 1 is identical to Phase 1 of the FortiGate
Phase 2 is also identical to Phase 2 of the FortiGate
Split tunnel is disabled
NAT traversal is on / the policies for the VPN have NAT enabled.
If I log in via IPsec dial-up,
I give username, password and 2FA (FortiToken).
The connection gets established for about 10-15 seconds; I even get an IP on the Fortinet virtual network adapter.
Debug log excerpt:
ike 0:Homeofficeipsec:156: received peer identifier FQDN 'homeoffice.local'
ike 0:Homeofficeipsec:156: re-validate gw ID
ike 0:Homeofficeipsec:156: gw validation OK
ike 0:Homeofficeipsec:156: responder preparing EAP identity request
then it does the user/password/2FA...
ike 0:Homeofficeipsec: auth candidate group 'SSL_Ipsec_Remote' 2 (group the user is in) -- Fortigate local group
ike 0:Homeofficeipsec:156: authentication succeeded
ike 0:Homeofficeipsec:156: mode-cfg type 1 request 0:''
ike 0:Homeofficeipsec: mode-cfg allocate 172.16.10.1/0.0.0.0
ike 0:Homeofficeipsec:156: mode-cfg using allocated IPv4 172.16.10.1
ike 0:Homeofficeipsec:156: mode-cfg type 2 request 0:''
ike 0:Homeofficeipsec:156: mode-cfg type 3 request 0:''
ike 0:Homeofficeipsec:156: mode-cfg type 4 request 0:''
ike 0:Homeofficeipsec:156: mode-cfg WINS ignored, no WINS servers configured
ike 0:Homeofficeipsec:156: mode-cfg type 13 request 0:''
ike 0:Homeofficeipsec:156: mode-cfg type 25 request 0:''
ike 0:Homeofficeipsec:156: mode-cfg type 8 request 0:''
ike 0:Homeofficeipsec: IPv6 pool is not configured
ike 0:Homeofficeipsec:156: mode-cfg could not allocate IPv6 address
ike 0:Homeofficeipsec:156: mode-cfg type 15 request 0:''
ike 0:Homeofficeipsec:156: mode-cfg type 10 request 0:''
ike 0:Homeofficeipsec:156: mode-cfg type 11 request 0:''
ike 0:Homeofficeipsec:156: mode-cfg type 11 not supported, ignoring
ike 0:Homeofficeipsec:156: mode-cfg type 28673 request 0:''
ike 0:Homeofficeipsec:156: mode-cfg UNITY type 28673 requested
ike 0:Homeofficeipsec:156: mode-cfg type 21514 request 0:''
ike 0:Homeofficeipsec:156: mode-cfg type 21514 requested
ike 0:Homeofficeipsec:156: mode-cfg type 21515 request 0:''
ike 0:Homeofficeipsec:156: mode-cfg type 21515 requested
ike 0:Homeofficeipsec:156: mode-cfg type 28672 request 0:''
ike 0:Homeofficeipsec:156: mode-cfg UNITY type 28672 requested
ike 0:Homeofficeipsec:156: mode-cfg no banner configured, ignoring
ike 0:Homeofficeipsec:156: mode-cfg type 28678 request 0:''
ike 0:Homeofficeipsec:156: mode-cfg UNITY type 28678 requested
ike 0:Homeofficeipsec:156: mode-cfg type 25 request 0:''
ike 0:Homeofficeipsec:156:81: peer proposal:
ike 0:Homeofficeipsec:156:81: TSi_0 0:0.0.0.0-255.255.255.255:0
ike 0:Homeofficeipsec:156:81: TSr_0 0:0.0.0.0-255.255.255.255:0
ike 0:Homeofficeipsec:156:Homeofficeipsec:81: comparing selectors
ike 0:Homeofficeipsec:156:Homeofficeipsec:81: matched by rfc-rule-4
ike 0:Homeofficeipsec:156:Homeofficeipsec:81: phase2 matched by intersection
ike 0:Homeofficeipsec:156:Homeofficeipsec:81: using mode-cfg override 0:172.16.10.1-172.16.10.1:0
ike 0:Homeofficeipsec:156:Homeofficeipsec:81: accepted proposal:
ike 0:Homeofficeipsec:156:Homeofficeipsec:81: TSi_0 0:172.16.10.1-172.16.10.1:0
ike 0:Homeofficeipsec:156:Homeofficeipsec:81: TSr_0 0:192.168.10.0-192.168.10.255:0
ike 0:Homeofficeipsec:156:Homeofficeipsec:81: dialup
ike 0:Homeofficeipsec:156:Homeofficeipsec:81: incoming child SA proposal:
ike 0:Homeofficeipsec:156:Homeofficeipsec:81: proposal id = 1:
ike 0:Homeofficeipsec:156:Homeofficeipsec:81: protocol = ESP:
ike 0:Homeofficeipsec:156:Homeofficeipsec:81: encapsulation = TUNNEL
ike 0:Homeofficeipsec:156:Homeofficeipsec:81: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:Homeofficeipsec:156:Homeofficeipsec:81: type=INTEGR, val=SHA256
ike 0:Homeofficeipsec:156:Homeofficeipsec:81: type=ESN, val=NO
ike 0:Homeofficeipsec:156:Homeofficeipsec:81: PFS is disabled
ike 0:Homeofficeipsec:156:Homeofficeipsec:81: matched proposal id 1
ike 0:Homeofficeipsec:156:Homeofficeipsec:81: proposal id = 1:
ike 0:Homeofficeipsec:156:Homeofficeipsec:81: protocol = ESP:
ike 0:Homeofficeipsec:156:Homeofficeipsec:81: encapsulation = TUNNEL
ike 0:Homeofficeipsec:156:Homeofficeipsec:81: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:Homeofficeipsec:156:Homeofficeipsec:81: type=INTEGR, val=SHA256
ike 0:Homeofficeipsec:156:Homeofficeipsec:81: type=ESN, val=NO
ike 0:Homeofficeipsec:156:Homeofficeipsec:81: PFS is disabled
ike 0:Homeofficeipsec:156:Homeofficeipsec:81: lifetime=43200
ike 0:Homeofficeipsec:156: responder preparing AUTH msg
ike 0:Homeofficeipsec: IPv6 pool is not configured
ike 0:Homeofficeipsec: adding new dynamic tunnel for 213.162.73.173:2740
ike 0:Homeofficeipsec_0: tunnel created tun_id 172.16.10.1/::10.0.0.31 remote_location 0.0.0.0
ike 0:Homeofficeipsec_0: HA start as master
ike 0:Homeofficeipsec_0: added new dynamic tunnel for 213.162.73.173:2740
ike 0:Homeofficeipsec_0:156: established IKE SA c78de1db0661acf9/ce0552bb6dc89b37
ike 0:Homeofficeipsec_0:156: check peer route: if_addr4_rcvd=0, if_addr6_rcvd=0, mode_cfg=1
ike 0:Homeofficeipsec_0: HA send IKE connection add 81.28.141.172->213.162.73.173
ike 0:Homeofficeipsec_0 HA send mode-cfg
ike 0:Homeofficeipsec_0:156: processing INITIAL-CONTACT
ike 0:Homeofficeipsec_0: flushing
ike 0:Homeofficeipsec_0: flushed
ike 0:Homeofficeipsec_0:156: processed INITIAL-CONTACT
ike 0:Homeofficeipsec_0:156: mode-cfg assigned (1) IPv4 address 172.16.10.1
ike 0:Homeofficeipsec_0:156: mode-cfg assigned (2) IPv4 netmask 255.255.255.255
ike 0:Homeofficeipsec_0:156: mode-cfg send (13) 0:0.0.0.0/0.0.0.0:0
ike 0:Homeofficeipsec_0:156: mode-cfg send (3) IPv4 DNS(1) 81.28.128.34
ike 0:Homeofficeipsec_0:156: mode-cfg send (3) IPv4 DNS(2) 81.28.128.52
ike 0:Homeofficeipsec_0:156: mode-cfg send INTERNAL_IP6_SUBNET
ike 0:Homeofficeipsec_0:156: mode-cfg IPv6 DNS ignored, no IPv6 DNS servers found
ike 0:Homeofficeipsec_0:156: mode-cfg send APPLICATION_VERSION 'FortiGate-80F v7.2.11,build1740,250210 (GA.M)'
ike 0:Homeofficeipsec_0:156: client save-password is disabled
ike 0:Homeofficeipsec_0:156: client auto-negotiate is disabled
ike 0:Homeofficeipsec_0:156: client-keep-alive is disabled
ike 0:Homeofficeipsec_0:156: add INTERFACE-ADDR4 169.254.2.1
ike 0:Homeofficeipsec_0:156:Homeofficeipsec:81: replay protection enabled
ike 0:Homeofficeipsec_0:156:Homeofficeipsec:81: set sa life soft seconds=43187.
ike 0:Homeofficeipsec_0:156:Homeofficeipsec:81: set sa life hard seconds=43200.
ike 0:Homeofficeipsec_0:156:Homeofficeipsec:81: IPsec SA selectors #src=1 #dst=1
ike 0:Homeofficeipsec_0:156:Homeofficeipsec:81: src 0 7 0:192.168.10.0-192.168.10.255:0
ike 0:Homeofficeipsec_0:156:Homeofficeipsec:81: dst 0 7 0:172.16.10.1-172.16.10.1:0
ike 0:Homeofficeipsec_0:156:Homeofficeipsec:81: add dynamic IPsec SA selectors
ike 0:Homeofficeipsec_0:156:Homeofficeipsec:81: added dynamic IPsec SA proxyids, new serial 1
ike 0:Homeofficeipsec:81: add route 172.16.10.1/255.255.255.255 gw 172.16.10.1 oif Homeofficeipsec(40) metric 15 priority 1
ike 0:Homeofficeipsec_0: tunnel up event assigned address 172.16.10.1
ike 0:Homeofficeipsec_0: sent tunnel-up message to EMS:
ike 0:Homeofficeipsec_0: user 'xxxx' 172.16.10.1 groups 1
ike 0:Homeofficeipsec_0:156: enc 270000....................
then there are a few
ike 0: IKEv2 exchange=INFORMATIONAL id=c78de......
ike 0:Homeofficeipsec_0:156: received informational request
ike 0:Homeofficeipsec_0: HA send IKEv2 message ID update send/recv=0/10
ike 0:Homeofficeipsec_0:156: processing delete request (proto 1)
ike 0:Homeofficeipsec_0:156: deleting IKE SA...............
ike 0:Homeofficeipsec_0:156: schedule delete of IKE SA c78de1db0.............
ike 0: unknown SPI 9437206b 5 213.162.73.173:2740->81.xx.xx.xx
And this is (I think) where the connection is disconnected.
I have no idea what is going on here... perhaps you can help me?
Thanks a lot!
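Added example, not part of the original post and not Fortinet code: a small Python parser that turns "diagnose debug application ike" lines like the excerpt above into a per-tunnel summary and classifies the outcome, so the same check can be run on a full capture instead of reading it by eye. The sample lines are constructed from the post's excerpt with the public IPs and SPIs replaced by placeholders. The Protocol ID mapping for the IKEv2 Delete payload (1 = IKE, 2 = AH, 3 = ESP) is from RFC 7296, section 3.11. On the excerpt the parser confirms that negotiation completed (peer ID accepted, EAP succeeded, address assigned, child SA installed, tunnel up) and that the tear-down was a Delete for the whole IKE SA carried in an INFORMATIONAL request received from the peer; the "unknown SPI" lines afterwards are packets for an SPI the FortiGate no longer holds. One caveat when comparing the "PFS is disabled" line against the Phase 2 setting: RFC 7296 creates the first Child SA inside IKE_AUTH without its own Diffie-Hellman exchange, so a PFS flag reported for that first Child SA is not by itself evidence of a mismatched PFS setting.

```python
"""Summarise FortiGate 'diagnose debug application ike' output for one dial-up attempt.

Added example; not from the forum post or from Fortinet. SAMPLE_LOG is
constructed from the post's excerpt with IPs and SPIs replaced by placeholders.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input (abbreviated from the post; placeholder IPs/SPIs).
SAMPLE_LOG = """\
ike 0:Homeofficeipsec:156: received peer identifier FQDN 'homeoffice.local'
ike 0:Homeofficeipsec:156: gw validation OK
ike 0:Homeofficeipsec:156: responder preparing EAP identity request
ike 0:Homeofficeipsec:156: authentication succeeded
ike 0:Homeofficeipsec:156: mode-cfg using allocated IPv4 172.16.10.1
ike 0:Homeofficeipsec:156:Homeofficeipsec:81: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:Homeofficeipsec:156:Homeofficeipsec:81: type=INTEGR, val=SHA256
ike 0:Homeofficeipsec:156:Homeofficeipsec:81: PFS is disabled
ike 0:Homeofficeipsec:156:Homeofficeipsec:81: lifetime=43200
ike 0:Homeofficeipsec_0:156: established IKE SA 0011223344556677/8899aabbccddeeff
ike 0:Homeofficeipsec_0: tunnel up event assigned address 172.16.10.1
ike 0:Homeofficeipsec_0:156: received informational request
ike 0:Homeofficeipsec_0:156: processing delete request (proto 1)
ike 0:Homeofficeipsec_0:156: deleting IKE SA 0011223344556677/8899aabbccddeeff
ike 0: unknown SPI 0a0b0c0d 5 203.0.113.10:2740->198.51.100.1
"""

# "ike 0:<tunnel>:<ike-sa>:<child>:<n>: message" -- the context block has no spaces.
LINE_RE = re.compile(r"^ike 0:(?P<ctx>\S*)\s+(?P<msg>.*)$")

# IKEv2 Delete payload Protocol IDs (RFC 7296, section 3.11).
DELETE_PROTO = {1: "IKE", 2: "AH", 3: "ESP"}


@dataclass
class TunnelSummary:
    peer_id_type: Optional[str] = None
    peer_id: Optional[str] = None
    gw_validated: bool = False
    authenticated: bool = False
    assigned_ip: Optional[str] = None
    child_encr: Optional[str] = None
    child_integ: Optional[str] = None
    child_pfs: Optional[bool] = None
    child_lifetime: Optional[int] = None
    ike_spi_i: Optional[str] = None
    ike_spi_r: Optional[str] = None
    tunnel_up: bool = False
    delete_proto: Optional[int] = None
    delete_from_peer: bool = False      # delete arrived in a received INFORMATIONAL
    unknown_spis: list = field(default_factory=list)


def parse_ike_debug(text: str) -> TunnelSummary:
    """Walk the debug lines in order and record the lifecycle facts they state."""
    s = TunnelSummary()
    received_info = False  # set by 'received informational request', consumed by a delete
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if (x := re.match(r"received peer identifier (\w+) '([^']*)'", msg)):
            s.peer_id_type, s.peer_id = x.group(1), x.group(2)
        elif msg == "gw validation OK":
            s.gw_validated = True
        elif msg == "authentication succeeded":
            s.authenticated = True
        elif (x := re.match(r"mode-cfg using allocated IPv4 (\S+)", msg)):
            s.assigned_ip = x.group(1)
        elif (x := re.match(r"type=ENCR, val=(\S+)(?: \(key_len = (\d+)\))?", msg)):
            s.child_encr = x.group(1) + (f"-{x.group(2)}" if x.group(2) else "")
        elif (x := re.match(r"type=INTEGR, val=(\S+)", msg)):
            s.child_integ = x.group(1)
        elif msg in ("PFS is disabled", "PFS is enabled"):
            s.child_pfs = msg.endswith("enabled")
        elif (x := re.match(r"lifetime=(\d+)", msg)):
            s.child_lifetime = int(x.group(1))
        elif (x := re.match(r"established IKE SA ([0-9a-f]+)/([0-9a-f]+)", msg)):
            s.ike_spi_i, s.ike_spi_r = x.group(1), x.group(2)
        elif msg.startswith("tunnel up event"):
            s.tunnel_up = True
        elif msg == "received informational request":
            received_info = True
        elif (x := re.match(r"processing delete request \(proto (\d+)\)", msg)):
            s.delete_proto = int(x.group(1))
            s.delete_from_peer = received_info
            received_info = False
        elif (x := re.match(r"unknown SPI ([0-9a-f]+) \d+ (\S+)->(\S+)", msg)):
            s.unknown_spis.append((x.group(1), x.group(2), x.group(3)))
    return s


def classify(s: TunnelSummary) -> str:
    """Reduce the summary to the stage at which the attempt stopped."""
    if not s.authenticated:
        return "auth_or_id_failed"
    if not s.tunnel_up:
        return "child_sa_not_established"
    if s.delete_proto is None:
        return "up_no_teardown_seen"
    who = "peer" if s.delete_from_peer else "local"
    return f"up_then_{who}_delete_{DELETE_PROTO.get(s.delete_proto, 'unknown')}"


if __name__ == "__main__":
    summary = parse_ike_debug(SAMPLE_LOG)
    print(summary)
    print("outcome:", classify(summary))
```

Run it against the saved output of "diagnose debug application ike -1" for the failing client (filter on the tunnel name first if several dial-up tunnels share the capture). An outcome of up_then_peer_delete_IKE means the FortiGate finished the negotiation and was then told by the client to drop the IKE SA, which points the next round of debugging at the client side (FortiClient logs and EMS profile) rather than at proposal or selector settings on the gateway.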
