Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
aagrafi
Contributor II

Mode config does not provide IP address in 7.0

Hello,

 

I'm trying a dialup IPsec VPN with mode config in 7.0 with FortiClient (also 7.0), and it seems that the client is not provisioned with an IP address. The debug shows that a connection is being established at phase 1, but after a few P1 retransmits it is dropped with no apparent reason in the debug:

 

ike 0::45: peer identifier IPV4_ADDR 10.153.218.57
ike 0: IKEv1 Aggressive, comes 188.73.246.50:9734->192.168.2.2 5
ike 0:82365da5bbded52f/0000000000000000:45: SA proposal chosen, matched gateway Dialup-2
ike 0:Dialup-2: created connection: 0x6cc0cc8 5 192.168.2.2->188.73.246.50:9734.
ike 0:Dialup-2:45: DPD negotiated
ike 0:Dialup-2:45: peer supports UNITY
ike 0:Dialup-2:45: enable FortiClient license check
ike 0:Dialup-2:45: enable FortiClient endpoint compliance check, use 169.254.1.1
ike 0:Dialup-2:45: selected NAT-T version: RFC 3947
ike 0:Dialup-2:45: cookie 82365da5bbded52f/1823ccd635943c08
ike 0:Dialup-2:45: sent IKE msg (agg_r1send): 192.168.2.2:500->188.73.246.50:9734, len=516, vrf=0, id=82365da5bbded52f/1823ccd635943c08
ike 0:Dialup-2:45: sent IKE msg (P1_RETRANSMIT): 192.168.2.2:500->188.73.246.50:9734, len=516, vrf=0, id=82365da5bbded52f/1823ccd635943c08
ike 0:Dialup-2:45: sent IKE msg (P1_RETRANSMIT): 192.168.2.2:500->188.73.246.50:9734, len=516, vrf=0, id=82365da5bbded52f/1823ccd635943c08
ike 0:Dialup-2:45: sent IKE msg (P1_RETRANSMIT): 192.168.2.2:500->188.73.246.50:9734, len=516, vrf=0, id=82365da5bbded52f/1823ccd635943c08
ike 0:Dialup-2:45: negotiation timeout, deleting
ike 0:Dialup-2: connection expiring due to phase1 down
ike 0:Dialup-2: deleting
ike 0:Dialup-2: reset NAT-T
ike 0:Dialup-2: deleted

The phase1 configuration is as follows:

config vpn ipsec phase1-interface
    edit "Dialup-2"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set net-device enable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set xauthtype auto
        set authusrgrp "Dialup_IPsec"
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.1
        set dns-mode auto
        set ipv4-split-include "Dialup-2_split"
        set psksecret ...
    next
end

 

Can anybody explain this debug output to me, and the reason the connection is being dropped at phase 1? Also, can anybody explain this line to me:

ike 0:Dialup-2:45: enable FortiClient endpoint compliance check, use 169.254.1.1

Where is the 169.254.1.1 coming from?

 

Is there any problem with dialup IPsec in 7.0?

 

Thanks

Kangming
Staff

Hi

 

There is no problem with my environment here (FOS-VM 7.0.1). It seems that your situation is abnormal communication over UDP 500 and UDP 4500 between both sides.

 

#diagnose sniffer packet any "host 192.168.2.2 and (udp port 500 or port 4500)" 4 0 l

 

ike 0:Dialup-2:45: sent IKE msg (agg_r1send): 192.168.2.2:500->188.73.246.50:9734, len=516, vrf=0, id=82365da5bbded52f/1823ccd635943c08
ike 0:Dialup-2:45: sent IKE msg (P1_RETRANSMIT): 192.168.2.2:500->188.73.246.50:9734, len=516, vrf=0, id=82365da5bbded52f/1823ccd635943c08
ike 0:Dialup-2:45: sent IKE msg (P1_RETRANSMIT): 192.168.2.2:500->188.73.246.50:9734, len=516, vrf=0, id=82365da5bbded52f/1823ccd635943c08
ike 0:Dialup-2:45: sent IKE msg (P1_RETRANSMIT): 192.168.2.2:500->188.73.246.50:9734, len=516, vrf=0, id=82365da5bbded52f/1823ccd635943c08

 

These four packets do not seem to be received by the VPN client. 

Thanks

Kangming
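An added triage helper (not from the thread or from Fortinet) that reads IKE debug lines in the format quoted above and flags the pattern Kangming points at: an agg_r1send answered only by the FortiGate's own P1_RETRANSMITs and then a negotiation timeout, with nothing further arriving from the client. It assumes inbound packets are the lines containing "comes"; the sample log is constructed from the output quoted in the thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, trimmed from the "diagnose debug application ike" output quoted above.
SAMPLE_LOG = """\
ike 0: IKEv1 Aggressive, comes 188.73.246.50:9734->192.168.2.2 5
ike 0:Dialup-2:45: sent IKE msg (agg_r1send): 192.168.2.2:500->188.73.246.50:9734, len=516, vrf=0, id=82365da5bbded52f/1823ccd635943c08
ike 0:Dialup-2:45: sent IKE msg (P1_RETRANSMIT): 192.168.2.2:500->188.73.246.50:9734, len=516, vrf=0, id=82365da5bbded52f/1823ccd635943c08
ike 0:Dialup-2:45: sent IKE msg (P1_RETRANSMIT): 192.168.2.2:500->188.73.246.50:9734, len=516, vrf=0, id=82365da5bbded52f/1823ccd635943c08
ike 0:Dialup-2:45: sent IKE msg (P1_RETRANSMIT): 192.168.2.2:500->188.73.246.50:9734, len=516, vrf=0, id=82365da5bbded52f/1823ccd635943c08
ike 0:Dialup-2:45: negotiation timeout, deleting
"""

# Outbound IKE message keyed by gateway name and SA number; inbound lines are assumed to carry "comes".
SENT_RE = re.compile(r"^ike \d+:(?P<gw>[^:]+):(?P<sa>\d+): sent IKE msg \((?P<kind>\w+)\): [\d.]+:\d+->(?P<peer>[\d.]+:\d+)")
TIMEOUT_RE = re.compile(r"^ike \d+:(?P<gw>[^:]+):(?P<sa>\d+): negotiation timeout")
INBOUND_RE = re.compile(r" comes (?P<peer>[\d.]+:\d+)->")

@dataclass
class Phase1Attempt:
    gateway: str
    peer: str                                 # client address:port as seen by the FortiGate
    sent: list = field(default_factory=list)  # outbound message kinds, in order
    inbound_after_reply: int = 0              # client packets seen after our first reply
    timed_out: bool = False

def analyze(log: str) -> dict:
    """Group the debug lines into phase 1 attempts, one per (gateway, SA number)."""
    attempts = {}
    for line in log.splitlines():
        if m := SENT_RE.match(line):
            a = attempts.setdefault((m["gw"], m["sa"]), Phase1Attempt(m["gw"], m["peer"]))
            a.sent.append(m["kind"])
        elif (m := TIMEOUT_RE.match(line)) and (m["gw"], m["sa"]) in attempts:
            attempts[(m["gw"], m["sa"])].timed_out = True
        elif m := INBOUND_RE.search(line):
            for a in attempts.values():
                if a.peer == m["peer"] and a.sent and not a.timed_out:
                    a.inbound_after_reply += 1
    return attempts

def verdict(a: Phase1Attempt) -> str:
    """A reply that is only retransmitted, with nothing coming back, points at the UDP 500/4500 path."""
    retrans = a.sent.count("P1_RETRANSMIT")
    if a.timed_out and a.sent[:1] == ["agg_r1send"] and a.inbound_after_reply == 0:
        return f"{a.gateway}: aggressive-mode reply to {a.peer} retransmitted {retrans}x with no answer; check UDP 500/4500 path"
    return f"{a.gateway}: phase 1 {'timed out' if a.timed_out else 'progressing'}"
```

Feed it the full output of the debug session (not only the four lines quoted) so that any inbound packet from the client after the first reply is counted; a non-zero count rules out the one-way path explanation.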
