FortiGate
nathan_h
Staff
Article Id 387036
Description

This article describes how to resolve the IKE debug errors 'peer has not completed Configuration Method' and 'error mode-cfg not completed', which appear when FortiGate is configured as a dial-up IPsec server with mode-cfg enabled.

 

Scope

FortiGate.

 

Solution

Network Topology:

FortiGate (dial-up IPsec server) -> Internet -> Third-party VPN (dial-up IPsec client).

VPN Configuration on FortiGate:

config vpn ipsec phase1-interface
    edit "Dialup_VPN"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
    next
end

IKE Debug Output (see also Troubleshooting Tip: Troubleshooting IPsec Site-to-Site Tunnel Connectivity):

diagnose debug console timestamp enable
diagnose vpn ike log-filter dst-addr4 <Remote Gateway IP> <----- Replace <Remote Gateway IP> with the remote peer's public IP address.
diagnose debug application ike -1
diagnose debug enable

For v7.4.0 and above, the log filter command changes slightly:

diagnose debug console timestamp enable
diagnose vpn ike log filter rem-addr4 <Remote Gateway IP> <----- Replace <Remote Gateway IP> with the remote peer's public IP address.
diagnose debug application ike -1
diagnose debug enable

ike 0:Dialup_VPN:4362612: responder received AUTH msg
ike 0:Dialup_VPN:4362612: processing notify type INITIAL_CONTACT
ike 0:Dialup_VPN:4362612: processing notify type EAP_ONLY_AUTHENTICATION
ike 0:Dialup_VPN:4362612: processing notify type MESSAGE_ID_SYNC_SUPPORTED
ike 0:Dialup_VPN:4362612: peer identifier IPV4_ADDR 10.0.0.1
ike 0:Dialup_VPN:4362612: re-validate gw ID
ike 0:Dialup_VPN:4362612: gw validation OK
ike 0:Dialup_VPN:4362612: auth verify done
ike 0:Dialup_VPN:4362612: responder AUTH continuation
ike 0:Dialup_VPN:4362612: authentication succeeded
ike 0:Dialup_VPN:4362612: responder creating new child
ike 0:Dialup_VPN:4362612:1391: peer proposal:
ike 0:Dialup_VPN:4362612:1391: TSi_0 0:192.168.1.0-192.168.1.255:0
ike 0:Dialup_VPN:4362612:1391: TSr_0 0:0.0.0.0-255.255.255.255:0
ike 0:Dialup_VPN:4362612:Dialup_VPN _2:1391: comparing selectors
ike 0:Dialup_VPN:4362612:Dialup_VPN _2:1391: matched by rfc-rule-2
ike 0:Dialup_VPN:4362612:Dialup_VPN _2:1391: phase2 matched by subset
ike 0:Dialup_VPN:4362612:Dialup_VPN _2:1391: accepted proposal:
ike 0:Dialup_VPN:4362612:Dialup_VPN _2:1391: TSi_0 0:192.168.1.0-192.168.1.255:0
ike 0:Dialup_VPN:4362612:Dialup_VPN _2:1391: TSr_0 0:0.0.0.0-255.255.255.255:0
ike 0:Dialup_VPN:4362612:Dialup_VPN _2:1391: dialup
ike 0:Dialup_VPN:4362612:Dialup_VPN _2:1391: incoming child SA proposal:
ike 0:Dialup_VPN:4362612:Dialup_VPN _2:1391: proposal id = 1:
ike 0:Dialup_VPN:4362612:Dialup_VPN _2:1391: protocol = ESP:
ike 0:Dialup_VPN:4362612:Dialup_VPN _2:1391: encapsulation = TUNNEL
ike 0:Dialup_VPN:4362612:Dialup_VPN _2:1391: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:Dialup_VPN:4362612:Dialup_VPN _2:1391: type=INTEGR, val=SHA384
ike 0:Dialup_VPN:4362612:Dialup_VPN _2:1391: type=ESN, val=NO
ike 0:Dialup_VPN:4362612:Dialup_VPN _2:1391: PFS is disabled
ike 0:Dialup_VPN:4362612:Dialup_VPN _2:1391: matched proposal id 1
ike 0:Dialup_VPN:4362612:Dialup_VPN _2:1391: proposal id = 1:
ike 0:Dialup_VPN:4362612:Dialup_VPN _2:1391: protocol = ESP:
ike 0:Dialup_VPN:4362612:Dialup_VPN _2:1391: encapsulation = TUNNEL
ike 0:Dialup_VPN:4362612:Dialup_VPN _2:1391: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:Dialup_VPN:4362612:Dialup_VPN _2:1391: type=INTEGR, val=SHA384
ike 0:Dialup_VPN:4362612:Dialup_VPN _2:1391: type=ESN, val=NO
ike 0:Dialup_VPN:4362612:Dialup_VPN _2:1391: PFS is disabled
ike 0:Dialup_VPN:4362612:Dialup_VPN _2:1391: lifetime=43200
ike 0:Dialup_VPN:4362612: responder preparing AUTH msg
ike 0:Dialup_VPN:4362612: remote port change 30637 -> 30655
ike 0:Dialup_VPN:4362612: peer has not completed Configuration Method
ike 0:Dialup_VPN:4362612: error mode-cfg not completed
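To triage this kind of output quickly, the following added example (not Fortinet code) groups 'diagnose debug application ike -1' lines by IKE SA id and reports how far each dial-up negotiation got before 'error mode-cfg not completed'. The sample lines are a constructed subset of the debug output above; the line pattern and the milestone strings are assumptions taken from that output.

```python
import re
from collections import defaultdict

# Added example, not Fortinet code. Line shape: ike 0:<phase1>:<ike-sa-id>[:<child ids>]: <msg>
LINE_RE = re.compile(r"ike \d+:(?P<p1>[^:]+):(?P<sa>\d+)(?::[^:]*)*: (?P<msg>.*)$")
MILESTONES = {  # responder milestones, in the order a dial-up negotiation reaches them
    "auth_ok": "authentication succeeded",
    "child_accepted": "accepted proposal:",
    "mode_cfg_failed": "error mode-cfg not completed",
}

def parse_ike_debug(text):
    """Group debug lines by IKE SA id: {sa: {"phase1", "peer_id", "milestones"}}."""
    sas = defaultdict(lambda: {"phase1": None, "peer_id": None, "milestones": set()})
    for line in text.splitlines():
        m = LINE_RE.search(line)  # search, so a leading console timestamp is fine
        if not m:
            continue  # prompts, blank lines, non-ike output
        rec, msg = sas[m["sa"]], m["msg"]
        rec["phase1"] = m["p1"]
        pid = re.match(r"peer identifier \S+ (\S+)", msg)
        if pid:
            rec["peer_id"] = pid.group(1)
        rec["milestones"].update(k for k, marker in MILESTONES.items() if marker in msg)
    return dict(sas)

def diagnose(text):
    """One actionable verdict per IKE SA, keyed by SA id."""
    verdicts = {}
    for sa, rec in parse_ike_debug(text).items():
        ms = rec["milestones"]
        if "mode_cfg_failed" in ms:
            verdict = "no Configuration Payload from client; check mode-cfg on the client side"
        elif "child_accepted" in ms:
            verdict = "child SA negotiated"
        elif "auth_ok" in ms:
            verdict = "authenticated, child SA not accepted"
        else:
            verdict = "failed before authentication"
        verdicts[sa] = f"{rec['phase1']} peer={rec['peer_id']}: {verdict}"
    return verdicts

# Constructed sample: a subset of the debug lines shown in the article.
SAMPLE = """\
ike 0:Dialup_VPN:4362612: peer identifier IPV4_ADDR 10.0.0.1
ike 0:Dialup_VPN:4362612: authentication succeeded
ike 0:Dialup_VPN:4362612:Dialup_VPN _2:1391: accepted proposal:
ike 0:Dialup_VPN:4362612: peer has not completed Configuration Method
ike 0:Dialup_VPN:4362612: error mode-cfg not completed
"""
```

Feed it the saved output of the debug session; each IKE SA id then maps to a single verdict line.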


Decrypted IKEv2 packet capture when the client does not send the Configuration Payload (decryption procedure: Technical Tip: How to decrypt IPSec Phase-2 (ISAKMP) packets IKEv2):

(Screenshot: not_working_edited.png)

Because FortiGate is configured with 'mode-cfg enable', it expects a Configuration Payload in the client's IKE_AUTH request. If that payload is missing, the negotiation fails with the errors shown in the debug output above.


Ensure that the client sends the Configuration Payload; check with the third-party VPN vendor how to enable it. The Configuration Payload carries configuration details between IKEv2 peers.

Generally, the remote IKEv2 peer begins the exchange by requesting an IP address within the gateway's protected network (a CFG_REQUEST). In turn, the FortiGate provides a local address for the peer to use temporarily (a CFG_REPLY).
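As an added illustration of the exchange just described (example code, not Fortinet's), the block below encodes the client's CFG_REQUEST and the gateway's CFG_REPLY as IKEv2 Configuration Payloads per RFC 7296 section 3.15 and parses them back with length checks; the function names and the sample addresses are assumptions.

```python
import ipaddress
import struct

# Added example, not Fortinet code: the IKEv2 Configuration Payload (payload type 47)
# from RFC 7296 section 3.15, which a mode-cfg client must carry in its IKE_AUTH request.
CFG_REQUEST, CFG_REPLY = 1, 2
INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK, INTERNAL_IP4_DNS = 1, 2, 3

def build_cp(cfg_type, attrs, next_payload=0):
    """attrs: [(attr_type, value_bytes)]. Returns the CP with its 4-byte generic payload header."""
    body = struct.pack("!B3x", cfg_type)  # CFG Type + 3 reserved bytes
    for attr_type, value in attrs:
        body += struct.pack("!HH", attr_type & 0x7FFF, len(value)) + value  # R bit clear
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

def parse_cp(data):
    """Returns (cfg_type, [(attr_type, value_bytes)]); rejects truncated or inconsistent input."""
    if len(data) < 8:
        raise ValueError("configuration payload shorter than its fixed header")
    _next, _flags, length = struct.unpack("!BBH", data[:4])
    if length < 8 or length > len(data):
        raise ValueError("payload length field inconsistent with buffer")
    attrs, off = [], 8
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated attribute header")
        attr_type, alen = struct.unpack("!HH", data[off:off + 4])
        if off + 4 + alen > length:
            raise ValueError("attribute value runs past the payload")
        attrs.append((attr_type & 0x7FFF, data[off + 4:off + 4 + alen]))
        off += 4 + alen
    return data[4], attrs

def client_request():
    """Client side of mode-cfg: zero-length attributes mean 'assign me any value'."""
    return build_cp(CFG_REQUEST, [(INTERNAL_IP4_ADDRESS, b""), (INTERNAL_IP4_NETMASK, b""), (INTERNAL_IP4_DNS, b"")])

def gateway_reply(request, assigned, netmask, dns):
    """Gateway side: answer a CFG_REQUEST with a CFG_REPLY carrying only what the client asked for."""
    cfg_type, attrs = parse_cp(request)
    wanted = {t for t, _ in attrs}
    if cfg_type != CFG_REQUEST or INTERNAL_IP4_ADDRESS not in wanted:
        return None  # nothing to assign
    values = {INTERNAL_IP4_ADDRESS: assigned, INTERNAL_IP4_NETMASK: netmask, INTERNAL_IP4_DNS: dns}
    return build_cp(CFG_REPLY, [(t, ipaddress.IPv4Address(v).packed) for t, v in values.items() if t in wanted])
```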


Decrypted IKEv2 packet capture when the client sends the Configuration Payload:

(Screenshot: working_edited.png)

Related article:

Troubleshooting Tip: Troubleshooting IPsec Site-to-Site Tunnel Connectivity