FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 195317

This article explains what to do when endpoints suddenly cannot connect to their IPsec dial-up VPN any more.

Here is an example of an IPsec dial-up configuration (the start address, end address and netmask are placeholders to be filled in with the pool reserved for the VPN clients):

# config vpn ipsec phase1-interface
    edit "test"
        set type dynamic
        set mode aggressive
        set mode-cfg enable
        set ipv4-start-ip <start-IP>
        set ipv4-end-ip <end-IP>
        set ipv4-netmask <netmask>
    next
end

The phase 1 is configured as dynamic (a dial-up server) with mode-cfg enabled.

Mode-cfg is responsible for dynamically assigning attributes to each endpoint that successfully connects to the VPN.
One of these attributes is the IP address the endpoint uses inside the tunnel, taken from the pool defined by ipv4-start-ip, ipv4-end-ip and ipv4-netmask.
With a /24 pool (for example a range from .1 to .254 with a 255.255.255.0 netmask), the configuration above can assign at most 254 addresses, one per connected endpoint.
As the number of remote users grows, for example through business expansion or acquisitions, the pool is eventually exhausted, and clients then complain that they can no longer connect to the VPN service.
To troubleshoot the issue, enable the IKE debug.

Here is an example of a debug session:

# diagnose vpn ike log-filter dst-addr4 <x.x.x.x>

# diagnose debug application ike -1

Debug messages will be on for 27 minutes.

# diagnose debug console timestamp enable

# diagnose debug enable

Here <x.x.x.x> is the endpoint's public IP address from which the VPN connection is initiated; the filter restricts the output to that one peer.
While the affected endpoint tries to connect, the debug output shows an error like:
ike: could not allocate IPv4 address

This message means that every address in the mode-cfg pool is already assigned to a connected client. To overcome the issue, the firewall administrator needs to reserve a larger pool, by widening ipv4-start-ip, ipv4-end-ip and ipv4-netmask so that the range covers the number of dial-up clients expected to be connected at the same time.
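The following phase 1 stanza is an added example, not part of the original article, showing the pool enlarged from a /24 (254 addresses) to a /22 (1022 addresses). The tunnel name "test" is the one used above; the 10.10.8.0/22 range is an assumed value chosen for illustration and must be replaced with a range that is free in the actual network:

```fortios
config vpn ipsec phase1-interface
    edit "test"
        set type dynamic
        set mode aggressive
        set mode-cfg enable
        set ipv4-start-ip 10.10.8.1
        set ipv4-end-ip 10.10.11.254
        set ipv4-netmask 255.255.252.0
    next
end
```

The start and end addresses must both fall inside the subnet defined by ipv4-netmask, because that mask is pushed to the clients together with their address. Any firewall address object or policy that still refers to the old /24 pool has to be widened to the new range, otherwise traffic from the newly assigned addresses is dropped by policy, and the new range must not overlap a subnet that is already routed on the FortiGate. After the change, diagnose vpn ike gateway list shows each connected dial-up client with its assigned address, and a newly connecting client should no longer trigger the "could not allocate IPv4 address" message. Once the check is done, turn the debug off again with diagnose debug disable followed by diagnose debug reset.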


Mode-cfg can also be disabled altogether. Note that the FortiGate then no longer pushes an IP address, or any other mode-cfg attribute, to the dial-up clients, so this is only an option when the clients do not rely on that assignment. To disable mode-cfg, execute the commands below:

# config vpn ipsec phase1-interface
    edit "test"
        set mode-cfg disable
    next
end

or unset the attribute, which returns it to its default value (disabled):

# config vpn ipsec phase1-interface
    edit "test"
        unset mode-cfg
    next
end