Description
This article explains what to do when endpoint units cannot suddenly connect to their IPsec dial-up VPN.
Scope
FortiGate.
Solution
Here is an example of an IPsec dial-up configuration:
config vpn ipsec phase1-interface
edit "test"
set type dynamic
set mode aggressive
set mode-cfg enable
set ipv4-start-ip 172.16.1.1
set ipv4-end-ip 172.16.1.254
set ipv4-netmask 255.255.255.0
Configure the Phase 1 as dynamic and implement the mode-cfg.
Mode-cfg is responsible for dynamically assigning attributes to the endpoint which will successfully connect to the VPN.
One of the attributes is the assignment of IP addresses.
The above-supplied configuration can assign up to 254 IP addresses to the endpoint.
Many times due to business expansion or acquisitions the number of remote end users is increasing and quite often clients complain that cannot connect to the VPN services anymore.
To troubleshoot the issue, enabling IKE debugs is needed.
Here is an example of debug:
diagnose vpn ike log-filter dst-addr4 80.80.80.80
diagnose debug application ike -1
Debug messages will be on for 27 minutes.
diagnose debug console timestamp enable
diagnose debug enable
Note:
Starting from FortiOS 7.4.1, the 'diagnose vpn ike log-filter dst-addr4' command has been changed to 'diagnose vpn ike log filter rem-addr4'.
80.80.80.80 is the end point’s public IP address which initiates the VPN connection.
During debugs, we are facing an error like:
ike: could not allocate IPv4 address
ike: peer has not completed Configuration Method
To overcome this issue, a bigger subnet needs to be reserved by the firewall administrator.
Alternatively, other methods of assigning IPs to users can be used, such as DHCP relay.
