| Description | This article describes the troubleshooting steps when an IPsec tunnel does not connect with the error 'peer has not completed configuration method' seen in the FortiGate IKE debugs. |
| Scope | FortiGate. |
| Solution |
In this example, an IPsec tunnel is unable to fully come up. The status shows phase-1 as up, but phase-2 as down.
Run the FortiGate IKE debug on the impacted tunnel with the following commands:
Before FortiOS v7.4.0:
diagnose debug disable
For v7.4.0 and above:
diagnose debug disable
The debug output shows the error 'peer has not completed Configuration Method':
To disable the debugs, use the commands below:
diagnose debug disable
The Configuration Method (Mode Config) message exchange is done through an established IKE Security Association, but before an IPsec Security Association is negotiated, which results in the status seen previously: phase-1 up and phase-2 down.
Mode Config in an IPsec tunnel is used as an alternative to DHCP over IPsec, allowing dial-up VPN clients and others to obtain IP addresses, network, and DNS configurations from the VPN server. It can be configured on a FortiGate as either a server or a client.
The solution to the error is to ensure that the 'Mode Config' configuration is the same on both peers so that negotiation can succeed. If one side has the setting disabled and the other has it enabled, the IPsec Security Association will not be established.
One possible reason could be third-party VPN clients, which may not support or properly send the necessary Configuration Payload information while connecting to a server expecting Mode Config, leading to incomplete negotiations.
Another possible reason for the Mode-Config exchange not completing is address exhaustion in the configured address pool that the mode-config server hands out to the connecting client. See related articles below for more information.
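The two causes above (a Mode Config mismatch between peers and a small address pool) can be checked offline from saved configuration output. The following is an added example, not Fortinet code: the two config excerpts are constructed samples, the function names are hypothetical, and it assumes that a missing `mode-cfg` line means the setting is at its default of disable.

```python
import ipaddress
import re

# Constructed samples of "show vpn ipsec phase1-interface" from two peers.
HUB = '''config vpn ipsec phase1-interface
    edit "to-branch"
        set type dynamic
        set mode-cfg enable
        set ipv4-start-ip 10.10.100.1
        set ipv4-end-ip 10.10.100.10
    next
end'''
SPOKE = '''config vpn ipsec phase1-interface
    edit "to-hub"
        set remote-gw 203.0.113.1
    next
end'''

def parse_phase1(text):
    """Return {tunnel_name: {setting: value}} from a phase1-interface block."""
    tunnels, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r'edit "?([^"]+)"?$', line):
            current = tunnels.setdefault(m.group(1), {})
        elif line == "next":
            current = None
        elif current is not None and (m := re.match(r'set (\S+) (.+)$', line)):
            current[m.group(1)] = m.group(2).strip('"')
    return tunnels

def mode_cfg(settings):
    # Assumption: an absent "mode-cfg" line means the default, disable.
    return settings.get("mode-cfg", "disable")

def pool_size(settings):
    """Number of addresses in the Mode Config pool, or None if no range is set."""
    if "ipv4-start-ip" not in settings or "ipv4-end-ip" not in settings:
        return None
    start = ipaddress.IPv4Address(settings["ipv4-start-ip"])
    end = ipaddress.IPv4Address(settings["ipv4-end-ip"])
    return int(end) - int(start) + 1

def compare(local, remote):
    """Return findings for one tunnel's phase-1 definitions on the two peers."""
    local_mc, remote_mc = mode_cfg(local), mode_cfg(remote)
    if local_mc != remote_mc:
        return [f"mode-cfg mismatch: local={local_mc} remote={remote_mc}"]
    return []
```

Comparing the pool size against the number of dial-up clients expected to connect at the same time shows whether the pool can be exhausted.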
Related documents: |