Description
This article describes an issue where VPN users cannot connect to an IPsec VPN from FortiClient.
Scope
FortiGate.
Solution
IKE debugs on FortiGate show the following messages (outputs truncated):
diagnose debug reset
ike V=root:0:Dialup:0: responder: aggressive mode get 2nd response...
ike V=root:0:Dialup_0:0: received XAUTH_USER_NAME 'guest' length 5
ike V=root:0: comes 192.168.x.x:500->192.168.x.x:500,ifindex=5,vrf=0,len=156....
ike V=root:0:Dialup_0:0: mode-cfg type 1 request 0:''
Once the debug is complete, use the following commands to stop the debug:
diagnose debug disable
diagnose debug reset
The IKE debug output indicates that 'Mode Config' is not enabled and 'Client Address Range' is not configured.
To resolve the issue, enable 'Mode Config' and configure 'Client Address Range' under VPN -> IPsec Tunnel -> Edit the IPsec tunnel.
To do it in the CLI:
config vpn ipsec phase1-interface
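A filled-in form of this CLI change is shown below. It is an added example, not taken from the original article: the tunnel name Dialup is borrowed from the debug output above, and the address range is a constructed placeholder to be replaced with a client pool that does not overlap any existing subnet.

```fortios
# Added example. Tunnel name taken from the debug output above;
# the start/end addresses are constructed placeholders.
config vpn ipsec phase1-interface
    edit "Dialup"
        set mode-cfg enable
        set assign-ip enable
        set assign-ip-from range
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.50
    next
end

# Confirm the settings were saved on the tunnel
show vpn ipsec phase1-interface Dialup
```

Keep the range only as large as the expected number of dial-up users, and reference it explicitly as the source in the firewall policies for the tunnel so that VPN clients reach only the networks they need.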