FortiGate
sgiannogloudis
Article Id 195317

Description

 

This article explains what to do when endpoints that previously connected to an IPsec dial-up VPN suddenly cannot connect anymore.

 

Scope

 

FortiGate.

Solution


Here is an example of an IPsec dial-up Phase 1 configuration (the closing 'next' and 'end' are shown so the block can be pasted as-is):

config vpn ipsec phase1-interface
    edit "test"
        set type dynamic
        set mode aggressive
        set mode-cfg enable
        set ipv4-start-ip 172.16.1.1
        set ipv4-end-ip 172.16.1.254
        set ipv4-netmask 255.255.255.0
    next
end

 

The Phase 1 is configured as dynamic (type dynamic) with mode-cfg enabled.

Mode-cfg is responsible for dynamically assigning attributes to each endpoint that successfully connects to the VPN.
One of these attributes is the IP address the endpoint uses inside the tunnel, taken from the pool defined by ipv4-start-ip and ipv4-end-ip.
The configuration above can assign at most 254 IP addresses (172.16.1.1 to 172.16.1.254), so at most 254 endpoints can be connected at the same time.
Due to business expansion or acquisitions the number of remote users often grows over time, and once the pool is exhausted new clients can no longer connect to the VPN.
To confirm that the pool is the cause, enable the IKE debugs.

Here is an example of debug:

 

diagnose vpn ike log-filter dst-addr4 80.80.80.80 

diagnose debug application ike -1
Debug messages will be on for 27 minutes.
diagnose debug console timestamp enable
diagnose debug enable

 

Note:

Starting from FortiOS 7.4.1, the 'diagnose vpn ike log-filter dst-addr4' command has been changed to 'diagnose vpn ike log filter rem-addr4'.

 

80.80.80.80 is the endpoint's public IP address, from which the VPN connection is initiated.
When the pool is exhausted, the debug output shows errors like:


ike: could not allocate IPv4 address 
ike: peer has not completed Configuration Method

 

To overcome this issue, the firewall administrator needs to reserve a larger address pool: widen the ipv4-start-ip / ipv4-end-ip range and, if the range crosses the current subnet boundary, adjust ipv4-netmask accordingly.
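The following script is an added example, not part of the original article or of FortiOS; it shows how an administrator can check the two things described above offline: how many addresses the mode-cfg pool of a 'config vpn ipsec phase1-interface' block actually provides, and whether the IKE debug output contains the pool-exhaustion error. The configuration block is the one from the article; the debug lines are constructed (the timestamps and tunnel identifiers are made up, only the two error strings come from the article). The pool sizing in suggest_range (grow the pool to the smallest subnet that fits the expected peer count) is the author of this example's own approach, not a Fortinet recommendation.

```python
import ipaddress
import re

# The phase1-interface block from the article.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "test"
        set type dynamic
        set mode aggressive
        set mode-cfg enable
        set ipv4-start-ip 172.16.1.1
        set ipv4-end-ip 172.16.1.254
        set ipv4-netmask 255.255.255.0
    next
end
"""

# Constructed IKE debug excerpt: timestamps/tunnel ids are invented,
# the two error strings are the ones quoted in the article.
SAMPLE_DEBUG = """\
2024-01-15 09:12:01 ike 0:test_0: responder: aggressive mode get 1st message...
2024-01-15 09:12:02 ike 0:test_0: mode-cfg send ATTR: type=INTERNAL_IP4_ADDRESS
2024-01-15 09:12:05 ike 0:test_1: could not allocate IPv4 address
2024-01-15 09:12:05 ike 0:test_1: peer has not completed Configuration Method
2024-01-15 09:12:09 ike 0:test_2: could not allocate IPv4 address
"""

POOL_ERROR = "could not allocate IPv4 address"
SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.+?)\s*$')


def parse_phase1(config_text):
    """Return {tunnel_name: {setting: value}} for every 'edit' block."""
    tunnels, current = {}, None
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("edit "):
            current = stripped[5:].strip().strip('"')
            tunnels[current] = {}
        elif stripped == "next":
            current = None
        elif current is not None:
            m = SET_RE.match(line)
            if m:
                tunnels[current][m.group(1)] = m.group(2).strip('"')
    return tunnels


def pool_capacity(settings):
    """Number of addresses between ipv4-start-ip and ipv4-end-ip, inclusive."""
    start = ipaddress.IPv4Address(settings["ipv4-start-ip"])
    end = ipaddress.IPv4Address(settings["ipv4-end-ip"])
    if end < start:
        raise ValueError("ipv4-end-ip is lower than ipv4-start-ip")
    return int(end) - int(start) + 1


def range_within_netmask(settings):
    """True when start and end addresses fall in the same subnet under ipv4-netmask."""
    start = settings["ipv4-start-ip"]
    end = ipaddress.IPv4Address(settings["ipv4-end-ip"])
    net = ipaddress.IPv4Network(f"{start}/{settings['ipv4-netmask']}", strict=False)
    return end in net


def count_pool_failures(debug_text):
    """Count IKE debug lines reporting that no pool address was available."""
    return sum(1 for line in debug_text.splitlines() if POOL_ERROR in line)


def suggest_range(settings, required_peers):
    """Grow the pool to the smallest subnet (starting from the current one)
    whose usable hosts cover required_peers. Returns (start, end, netmask)."""
    net = ipaddress.IPv4Network(
        f"{settings['ipv4-start-ip']}/{settings['ipv4-netmask']}", strict=False)
    while net.num_addresses - 2 < required_peers:
        if net.prefixlen == 0:
            raise ValueError("cannot grow the pool any further")
        net = net.supernet()
    first = net.network_address + 1
    last = net.broadcast_address - 1
    return str(first), str(last), str(net.netmask)


def assess(config_text, debug_text, tunnel):
    """Summarise pool size, consistency and observed allocation failures."""
    settings = parse_phase1(config_text)[tunnel]
    return {
        "capacity": pool_capacity(settings),
        "range_within_netmask": range_within_netmask(settings),
        "allocation_failures": count_pool_failures(debug_text),
    }


if __name__ == "__main__":
    result = assess(SAMPLE_CONFIG, SAMPLE_DEBUG, "test")
    print(result)
    if result["allocation_failures"]:
        # Assume 600 concurrent peers are expected after growth.
        print("suggested pool:", suggest_range(parse_phase1(SAMPLE_CONFIG)["test"], 600))
```

Run it with a saved copy of the phase1-interface block and the captured 'diagnose debug application ike -1' output; a non-zero allocation_failures count together with a capacity equal to the number of currently connected clients confirms the exhausted pool, and suggest_range gives a range and netmask to set with ipv4-start-ip, ipv4-end-ip and ipv4-netmask.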

 

Alternatively, other methods of assigning IPs to users can be used, such as DHCP relay.