Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
hbac
Staff
Staff

Created on ‎07-24-2025 07:42 AM Edited on ‎11-28-2025 04:35 AM By Community Manager

Article Id 403048

Troubleshooting Tip: Users cannot connect to a Dial-up IPsec VPN with 'IPv4 pool is not configured' message in IKE debug

Description

This article describes an issue when VPN users cannot connect to an IPsec VPN from FortiClient.
Scope FortiGate.
Solution

IKE debugs on FortiGate show the following messages (outputs truncated): 

 

diagnose debug reset
diagnose debug application ike -1
diagnose debug enable

ike V=root:0:Dialup:0: responder: aggressive mode get 2nd response...
ike V=root:0:Dialup:0: PSK authentication succeeded           <----- Pre-shared key is correct. 
ike V=root:0:Dialup:0: authentication OK
ike V=root:0:Dialup: IPv4 pool is not configured              <----- No 'Client Address Range' configured. 
ike V=root:0:Dialup: IPv6 pool is not configured

ike V=root:0:Dialup_0:0: received XAUTH_USER_NAME 'guest' length 5
ike V=root:0:Dialup_0:0: received XAUTH_USER_PASSWORD length 6
ike V=root:0:Dialup_0: XAUTH user "guest"
ike V=root:0:Dialup: auth group Guest-group
ike V=root:0:Dialup_0: XAUTH 8882150748161 pending
ike V=root:0:Dialup_0:0: XAUTH 8882150748161 result FNBAM_SUCCESS
ike V=root:0:Dialup_0: XAUTH succeeded for user "guest" group "Guest-group" 2FA=no

ike V=root:0: comes 192.168.x.x:500->192.168.x.x:500,ifindex=5,vrf=0,len=156....

ike V=root:0:Dialup_0:0: mode-cfg type 1 request 0:''
ike V=root:0:Dialup_0:0: mode-cfg not enabled, ignoring Configuration Method Request 

 

Once the debug is complete, use the following command to stop the debug:

 

diagnose debug disable

diagnose debug reset

 

The IKE debug outputs indicate that 'Mode Config' is not enabled and 'Client Address Range' is not configured. 

 

To resolve the issue, enable 'Mode Config' and configure 'Client Address Range' under VPN -> IPsec Tunnel -> Edit the IPsec tunnel. 

 

Dialup.PNG

 

To do it in the CLI: 

 

config vpn ipsec phase1-interface
    edit "Dialup"
        set mode-cfg enable
        set ipv4-start-ip 192.168.13.1
        set ipv4-end-ip 192.168.13.10
    next
end

 

Note: When running the debug commands, the output can be filtered with the client public IP:

 

diagnose debug reset

diagnose vpn ike log-filter dst-addr4 <CLIENT_PUBLIC_IP>

diagnose debug application ike -1

diagnose debug enable

 

Once debugging is complete, use the following command to stop the processes:

 

diagnose debug disable

diagnose debug reset

 

To check the IKE statistics:

   

get vpn ike stats

 

Sniffer the traffic:

 

diagnose sniffer packet any "udp port 500 or udp port 4500" 4

 

Related articles: 

Technical Tip: How to enable IKE debugging with various debug levels using a bitmask to isolate spec...
Labels:
626
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.