Troubleshooting Tip: How to fix error "Must set I...

FortiGate

FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.

Article Id 353469

Description

This article describes how to resolve a common error encountered while configuring an IPsec dial-up tunnel on FortiGate when mode-cfg is enabled.

image (12).png

Scope

All FortiGate firmware version.

Solution

When mode-cfg is enabled, FortiGate acts as a DHCP server for VPN clients, dynamically assigning IP addresses and other network configuration details. To avoid the error, it is essential to configure the ipv4-start-ip and ipv4-end-ip range (or the equivalent IPv6 range, if applicable).

For instance,

config vpn ipsec phase1-interface

edit <vpn tunnel>

set ipv4-start-ip X.X.X.X <- Where (X.X.X.X and Y.Y.Y.Y is starting and ending IP range).
set ipv4-end-ip Y.Y.Y.Y

end

After setting the IP range, the error should no longer appear.

126

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Troubleshooting Tip: How to fix error "Must set IPv4 or IPv6 range. object check operator error, -45, discard the setting Command fail. Return code -45"