hbac
Staff
Article Id 403048
Description

This article describes an issue where VPN users cannot connect to an IPsec dialup VPN from FortiClient.

Scope

FortiGate.
Solution

IKE debugs on FortiGate show the following messages (outputs truncated):

diagnose debug reset
diagnose debug application ike -1
diagnose debug enable

ike V=root:0:Dialup:0: responder: aggressive mode get 2nd response...
ike V=root:0:Dialup:0: PSK authentication succeeded           <----- Pre-shared key is correct. 
ike V=root:0:Dialup:0: authentication OK
ike V=root:0:Dialup: IPv4 pool is not configured              <----- No 'Client Address Range' configured. 
ike V=root:0:Dialup: IPv6 pool is not configured

ike V=root:0:Dialup_0:0: received XAUTH_USER_NAME 'guest' length 5
ike V=root:0:Dialup_0:0: received XAUTH_USER_PASSWORD length 6
ike V=root:0:Dialup_0: XAUTH user "guest"
ike V=root:0:Dialup: auth group Guest-group
ike V=root:0:Dialup_0: XAUTH 8882150748161 pending
ike V=root:0:Dialup_0:0: XAUTH 8882150748161 result FNBAM_SUCCESS
ike V=root:0:Dialup_0: XAUTH succeeded for user "guest" group "Guest-group" 2FA=no

ike V=root:0: comes 192.168.x.x:500->192.168.x.x:500,ifindex=5,vrf=0,len=156....

ike V=root:0:Dialup_0:0: mode-cfg type 1 request 0:''
ike V=root:0:Dialup_0:0: mode-cfg not enabled, ignoring Configuration Method Request    <----- 'Mode Config' is not enabled.

Once the debug is complete, use the following commands to stop the debug:

diagnose debug disable
diagnose debug reset

The IKE debug output shows that the pre-shared key and XAUTH credentials are accepted, but 'Mode Config' is not enabled and no 'Client Address Range' (IPv4 pool) is configured on the dialup phase1. Without Mode Config and an address pool, the FortiGate cannot push a virtual IP to the FortiClient, so the tunnel does not come up.

To resolve the issue, enable 'Mode Config' and configure 'Client Address Range' under VPN -> IPsec Tunnel -> Edit the IPsec tunnel.

[Image: Dialup.PNG, the IPsec tunnel edit page showing the 'Mode Config' and 'Client Address Range' settings]

To do the same in the CLI (the address range below is an example; choose a range that does not overlap the FortiGate's existing networks or the client's local subnet):

config vpn ipsec phase1-interface
    edit "Dialup"
        set mode-cfg enable
        set ipv4-start-ip 192.168.13.1
        set ipv4-end-ip 192.168.13.10
    next
end
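As an added example (not part of the original article), a small Python triage helper that scans IKE debug output for the signatures discussed above and renders the phase1-interface settings that would fix them; the sample lines are constructed from the debug quoted in this article, and the tunnel-name regex assumes the 'ike V=<vdom>:<n>:<tunnel>...' prefix layout shown in that output. The function names and the <start>/<end> placeholders are this example's own.

```python
import re

# Constructed sample: the IKE debug lines quoted in this article, annotations removed.
SAMPLE_IKE_DEBUG = """\
ike V=root:0:Dialup:0: responder: aggressive mode get 2nd response...
ike V=root:0:Dialup:0: PSK authentication succeeded
ike V=root:0:Dialup:0: authentication OK
ike V=root:0:Dialup: IPv4 pool is not configured
ike V=root:0:Dialup: IPv6 pool is not configured
ike V=root:0:Dialup_0: XAUTH succeeded for user "guest" group "Guest-group" 2FA=no
ike V=root:0:Dialup_0:0: mode-cfg type 1 request 0:''
ike V=root:0:Dialup_0:0: mode-cfg not enabled, ignoring Configuration Method Request
"""

# Message signatures this article walks through, keyed by what each one proves.
SIGNATURES = {
    "psk_ok": "PSK authentication succeeded",
    "xauth_ok": "XAUTH succeeded for user",
    "ipv4_pool_missing": "IPv4 pool is not configured",
    "mode_cfg_disabled": "mode-cfg not enabled",
}

# Assumed prefix layout 'ike V=<vdom>:<n>:<tunnel>[_<peer>][:<n>]: ...'; the '_<peer>'
# suffix is stripped so 'Dialup_0' and 'Dialup' map to one tunnel (ambiguous only if a
# tunnel name itself ends in '_<digits>').
TUNNEL_RE = re.compile(r"^ike V=(?P<vdom>[^:]+):\d+:(?P<tunnel>[\w-]+?)(?:_\d+)?(?::\d+)*: ")

def triage_ike_debug(text):
    """Map debug lines to findings and to the phase1-interface settings that fix them."""
    findings = {name: False for name in SIGNATURES}
    tunnels = set()
    for line in text.splitlines():
        m = TUNNEL_RE.match(line)
        if m:
            tunnels.add(m.group("tunnel"))
        for name, needle in SIGNATURES.items():
            if needle in line:
                findings[name] = True
    fixes = []
    if findings["mode_cfg_disabled"]:
        fixes.append("set mode-cfg enable")
    if findings["ipv4_pool_missing"]:
        fixes += ["set ipv4-start-ip <start>", "set ipv4-end-ip <end>"]
    return {"tunnels": sorted(tunnels), "findings": findings, "fixes": fixes}

def render_fix(tunnel, fixes):
    """Render the fixes as the CLI block shown in this article (placeholders left in)."""
    body = "\n".join(f"        {f}" for f in fixes)
    return f'config vpn ipsec phase1-interface\n    edit "{tunnel}"\n{body}\n    next\nend'
```

Run `triage_ike_debug` over the saved output of `diagnose debug application ike -1`; an empty `fixes` list with `psk_ok` or `xauth_ok` still False points at a credential problem rather than the Mode Config issue covered here.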
Related articles:

Technical Tip: How to enable IKE debugging with various debug levels using a bitmask to isolate spec...