FortiGate
calink (Staff)
Article Id 337485
Description

This article describes why recreating an IPsec VPN with the IPsec Wizard can fail with the error 'Unable to setup VPN': the cause is leftover objects from a previous IPsec VPN of the same name that still exist in the configuration.
Scope

FortiGate.

Solution

The error 'Unable to Setup VPN' appears at the last step of the IPsec Wizard when a VPN is recreated with the same IPsec name as the old one.

The IPsec Wizard cannot create the local address group because a local address object and address group from the old VPN configuration were never deleted. Other elements of the previous VPN configuration should also be deleted to ensure a clean VPN setup.

 

Unable to setup VPN.png

 

The simplest fix is to use a new IPsec VPN name when recreating the VPN. If the same name must be reused, first remove everything left over from the previous VPN configuration: all references to the VPN tunnel, the tunnel itself, the local address objects (including the address group), and the blackhole route in the static routes.

 

  1. Delete all references to the IPsec Phase1 interface (firewall policy, Phase2 interface and static route).

Test-VPN-references.png

 

 

  2. Delete the VPN tunnel.

delete Test-VPN-tunnel.png

 

  3. Delete the blackhole route in the static routes (Network -> Static Routes).

delete blackhole.png

 

  4. Delete the local address objects and the address group. If these objects are not deleted, they cause a conflict when the IPsec VPN Wizard attempts to recreate objects with the same names.

delete-address-group.png

delete-address-objects.png
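As an added check before re-running the wizard (example code written for this article, not Fortinet's own tooling), the following Python script scans a saved FortiGate configuration backup for everything still tied to the old VPN name. It assumes the wizard-created address objects and address groups carry the VPN name as a prefix, and it finds the blackhole route, which carries no VPN name at all, by matching its destination against the VPN's remote subnet; the configuration excerpt is constructed.

```python
import shlex

# Constructed FortiOS config excerpt (not from a real device), as left behind by a VPN named "Test-VPN".
SAMPLE_CONFIG = """
config vpn ipsec phase2-interface
  edit "Test-VPN"
    set phase1name "Test-VPN"
  next
end
config firewall address
  edit "Test-VPN_remote_subnet_1"
    set subnet 10.20.0.0 255.255.255.0
  next
end
config firewall addrgrp
  edit "Test-VPN_remote"
    set member "Test-VPN_remote_subnet_1"
  next
end
config router static
  edit 6
    set dst 10.20.0.0 255.255.255.0
    set blackhole enable
  next
end
"""

def parse_fortios(text):  # flatten a config dump into (table, entry, {key: tokens}) tuples
    tables, entries, cur = [], [], None
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config": tables.append(" ".join(tok[1:]))
        elif tok[0] == "edit": cur = (tables[-1], tok[1], {})
        elif tok[0] == "set" and cur: cur[2][tok[1]] = tok[2:]
        elif tok[0] == "next" and cur: entries.append(cur); cur = None
        elif tok[0] == "end": tables.pop()
    return entries

def leftover_objects(config_text, vpn_name):  # (table, entry, reason) for each object tied to the VPN
    entries = parse_fortios(config_text)
    mine = lambda n: n == vpn_name or n.startswith(vpn_name + "_")  # assumed wizard naming: "<vpn>_..."
    subnets = {tuple(s["subnet"]) for _, n, s in entries if mine(n) and "subnet" in s}
    hits = []
    for table, name, s in entries:
        if any(vpn_name in v for v in s.values()):  # e.g. phase1name, srcintf, device set to the VPN
            hits.append((table, name, "references the VPN"))
        elif mine(name):
            hits.append((table, name, "named after the VPN"))
        # The blackhole route carries no VPN name, so match it on the remote subnet instead.
        elif table == "router static" and "blackhole" in s and tuple(s.get("dst", ())) in subnets:
            hits.append((table, name, "blackhole route to the VPN remote subnet"))
    return hits
```

Run it over a backup taken from the GUI or `execute backup config`, and every entry it lists should be gone before the wizard is started again.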

 

Try creating the VPN again. It should now be set up successfully.

 

Successful-VPN-setup.png