This EMS SN verification feature was initially introduced in FortiGate v7.6 to enhance VPN security.
The following error message is observed in the VPN logs when a client attempts to connect:
date=2025-04-25 time=15:58:57 eventtime=1745611136994194580 tz="-0400" logid="0101037124" type="event" subtype="vpn" level="error" vd="root" logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" action="negotiate" remip=10.1.0.1 locip=xx.xx.xx.xx remport=500 locport=500 outintf="lan" cookies="f42203aec8f95b56/82a2f979b0b88623" user="10.1.0.1" group="N/A" useralt="N/A" eapuser="Test" eapauthgroup="IPSec-VPN" assignip=N/A vpntunnel="Dialup-IPSec" status="negotiate_error" reason="peer EMS SN check failed" fctuid="9EB7FB974DA743C8B6DDB5DFXXXXXXXX" advpnsc=0
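The log line above is a FortiOS key=value event record; to triage this failure at scale it helps to parse such lines and flag only the phase 1 errors whose reason is the EMS SN check. The following Python is an added example, not part of the original article or of any Fortinet tooling: it parses FortiOS log lines (handling quoted values that contain spaces, such as msg="IPsec phase 1 error"), filters for reason="peer EMS SN check failed", and returns the tunnel, EAP user, FortiClient UID and peer address for each hit. The sample input reuses the log line from this article plus two constructed lines (a phase 1 error with a different reason and a non-error VPN event) so the filter can be seen to discriminate; the logid "0101037XXX" on the constructed lines is a placeholder, not a real FortiOS log ID.

```python
import re
from typing import Dict, Iterable, List

# One key=value pair: the value is either double-quoted (may contain spaces)
# or a bare token up to the next whitespace. The quoted branch is tried first.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Parse a single FortiOS key=value log line into a dictionary."""
    fields: Dict[str, str] = {}
    for match in _KV_RE.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def is_ems_sn_check_failure(fields: Dict[str, str]) -> bool:
    """True when the record is an IPsec phase 1 error caused by the EMS SN check."""
    return (
        fields.get("type") == "event"
        and fields.get("subtype") == "vpn"
        and fields.get("logdesc") == "IPsec phase 1 error"
        and fields.get("reason") == "peer EMS SN check failed"
    )


def find_ems_sn_failures(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return a summary record for every EMS SN check failure in the given lines."""
    hits = []
    for line in lines:
        fields = parse_fortios_log(line)
        if is_ems_sn_check_failure(fields):
            hits.append({
                "time": f"{fields.get('date')} {fields.get('time')}",
                "tunnel": fields.get("vpntunnel"),
                "eapuser": fields.get("eapuser"),
                "fctuid": fields.get("fctuid"),
                "remip": fields.get("remip"),
            })
    return hits


# Constructed sample input: line 1 is the log line from the article (placeholders kept),
# lines 2 and 3 are constructed for contrast and use a placeholder logid.
SAMPLE_LOGS = [
    'date=2025-04-25 time=15:58:57 eventtime=1745611136994194580 tz="-0400" logid="0101037124" '
    'type="event" subtype="vpn" level="error" vd="root" logdesc="IPsec phase 1 error" '
    'msg="IPsec phase 1 error" action="negotiate" remip=10.1.0.1 locip=xx.xx.xx.xx remport=500 '
    'locport=500 outintf="lan" cookies="f42203aec8f95b56/82a2f979b0b88623" user="10.1.0.1" '
    'group="N/A" useralt="N/A" eapuser="Test" eapauthgroup="IPSec-VPN" assignip=N/A '
    'vpntunnel="Dialup-IPSec" status="negotiate_error" reason="peer EMS SN check failed" '
    'fctuid="9EB7FB974DA743C8B6DDB5DFXXXXXXXX" advpnsc=0',
    # Constructed: a phase 1 error with an unrelated reason (must NOT be flagged).
    'date=2025-04-25 time=16:01:02 tz="-0400" logid="0101037XXX" type="event" subtype="vpn" '
    'level="error" vd="root" logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" '
    'action="negotiate" remip=10.1.0.2 vpntunnel="Dialup-IPSec" status="negotiate_error" '
    'reason="constructed other reason"',
    # Constructed: a successful VPN event (must NOT be flagged).
    'date=2025-04-25 time=16:02:10 tz="-0400" logid="0101037XXX" type="event" subtype="vpn" '
    'level="notice" vd="root" logdesc="IPsec phase 1" msg="progress IPsec phase 1" '
    'action="negotiate" remip=10.1.0.3 vpntunnel="Dialup-IPSec" status="success"',
]

if __name__ == "__main__":
    for hit in find_ems_sn_failures(SAMPLE_LOGS):
        print(hit)
```

Pointing this at an exported event log (one record per line) gives a quick count of which users and FortiClient UIDs are being rejected by the serial-number check, which is the evidence to gather before deciding whether to disable the setting or to fix the EMS registration of the affected clients.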

The FortiClient error message is shown below:

To resolve the issue, disable 'ems-sn-check' in the IPsec phase1-interface settings:
config vpn ipsec phase1-interface
    edit "Dialup-IPSec"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 10.1.0.15
        set proposal aes128-sha1 aes256-sha256
        set comments "Test "
        set dhgrp 5
        set eap enable
        set eap-identity send-request
        set wizard-type dialup-forticlient
        set authusrgrp "IPSec-VPN"
        set nattraversal disable
        set ems-sn-check enable    <---- Disable this setting.
        set transport udp
        set assign-ip-from name
        set ipv4-split-include "Route_Internal"
        set ipv4-name "IPSec_range"
        set save-password enable
        set client-auto-negotiate enable
    next
end

The EMS SN check feature can be enabled or disabled from the IPsec GUI starting from v7.6.0. By default, the ems-sn-check setting is disabled.
For more information on this feature, refer to the following documents:
Enhancing VPN security using EMS SN verification
Explaining the effects of the 'set esn require'/'ems-sn-check' setting on Phase-1 of IPsec VPN Tunne...