Anne
New Contributor III

IPSec tunnel LAN-to-LAN

Hi there, I have set up a new VPN IPsec tunnel between two FortiGates running 5.0.3. SA proposal chosen, matched gateway PROD_VPN_P1, DPD negotiated, peer is FortiGate/FortiOS (v5 b208), and then I get the following message in the debugs: "ike 0:PROD_VPN_P1:2806: remote address a.b.c.d does not match configuration address a.b.y.z, drop". Not sure what's happening. Thanks, Anne
Anne
New Contributor III

a.b.c.d is the public IP of the local peer and a.b.y.z the public IP of the remote FortiGate.
zeki893
New Contributor II

I'm having the same problem. The error doesn't make much sense, since the remote address is a.b.y.z, but the error says the remote address is a.b.c.d.

dnayak_FTNT
Staff
Staff

Hi,

It's possible that a VIP is configured on either of the firewalls for the external public IP on which the IPsec tunnel is terminated. Please check and remove the VIP, if any.

Regards,

Deepak
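
To make Deepak's check concrete, here is an added example (not from this thread or from Fortinet) that parses the IKE drop line and a "show firewall vip" listing and reports any VIP whose external IP is one of the two addresses named in the message. The debug line and the VIP configuration are constructed samples, and the exact layout of the "show firewall vip" output is an assumption.

```python
import re

# Constructed sample of the IKE debug line quoted in this thread (RFC 5737 addresses).
IKE_DEBUG_LINE = ("ike 0:PROD_VPN_P1:2806: remote address 203.0.113.10 "
                  "does not match configuration address 198.51.100.7, drop")

# Constructed `show firewall vip` output (layout assumed); the first entry is a
# 1-to-1 static NAT on the tunnel's own WAN address.
VIP_CONFIG = """\
config firewall vip
    edit "OLD_WEBSERVER_VIP"
        set extip 203.0.113.10
        set mappedip "10.0.0.5"
    next
    edit "MAIL_VIP"
        set extip 203.0.113.11
        set mappedip "10.0.0.6"
    next
end
"""

IKE_RE = re.compile(
    r"ike \d+:(?P<tunnel>[^:]+):\d+: remote address (?P<remote>\S+) "
    r"does not match configuration address (?P<configured>\S+), drop")

def parse_ike_mismatch(line):
    # Returns (tunnel, remote, configured) from the drop message, else None.
    m = IKE_RE.search(line)
    return (m["tunnel"], m["remote"], m["configured"]) if m else None

def parse_vip_extips(config_text):
    # Returns {vip_name: extip} from `show firewall vip` output.
    vips, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line.split(" ", 1)[1].strip('"')
        elif current and line.startswith("set extip "):
            vips[current] = line.split()[2]
        elif line == "next":
            current = None
    return vips

def find_conflicting_vips(ike_line, config_text):
    # Names of VIPs whose external IP is either address named in the drop.
    # A 1-to-1 VIP claims every inbound packet to that address, so the IKE
    # daemon never sees the peer's UDP/500 traffic on that IP.
    parsed = parse_ike_mismatch(ike_line)
    if parsed is None:
        return []
    _, remote, configured = parsed
    return sorted(name for name, extip in parse_vip_extips(config_text).items()
                  if extip in (remote, configured))
```

Any name it returns is a VIP to review and, as Deepak suggests, remove or move off the tunnel's public IP.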

zeki893
New Contributor II

OMG, you're right, an old VIP that I wasn't using was somehow being used for that VPN.

thanks!

sohrab
New Contributor

I am facing an issue in a site-to-site IPsec VPN: the tunnel is up and I can access the remote LAN, but the remote LAN cannot access me, although in the policies I made for the remote LAN I allowed access for the remote LAN. Still, the other party is unable to access my LAN. Can anybody guide me on what the issue could be?

thank you in advance.

emnoc
Esteemed Contributor III

The diag debug flow is your first command and step in diagnostics. I would execute it and review the output. I would suspect the fwpolicy-id ordering, or a missing or incorrect route.

PCNSE
NSE
StrongSwan

kenneth_li

Hi,

I am seeing the error as well. There is a Cisco 2911 router building a site-to-site VPN to a FortiGate 500D. It's not working, and when I enabled debug on the FortiGate I found the error "remote address 218.207.163.181 does not match configuration address 112.5.54.2, drop". There is no VIP config for 218.207.163.181. IP 112.5.54.2 is the router's public IP.

BR

Kenneth