Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
js91
New Contributor

Unable to setup IPSec Remote Access VPN

Hello all,

 

I am trying to set up IPSec Dialup VPN. I have downloaded the FortiGate VM version 6.4 and have FortiClient 6.0.5. I have done the configurations as per guides and followed some youtube videos for understanding.

 

However, I am unable to make it work and stuck. On FortiClient, I get the following error:

 

"VPN connection failed. Please check your configuration, network connection and pre-shared key then retry you connection. If the problem persists, contact your network administrator for help."

 

On FortiGate CLI, I get the following logs with debugging enabled:

 

FortiGate-VM64 # ike 0: comes 192.168.10.50:500->192.168.10.5:500,ifindex=4....

ike 0: IKEv2 exchange=SA_INIT id=a20511ee474b2950/0000000000000000 len=428 ike 0: in A20511EE474B295000000000000000002120220800000000000001AC2200005402000028010100040300000801000002030000080200000203000008030000020000000804000005000000280201000403000008010000020300000802000005030000080300000C0000000804000005280000C800050000C0D448858F6E8C21E68CDCCAA3EE84A229E439A0F49E666E3CD864112868B385B4D1E088332241817EAE9B21D8DED06F97C99DCD6B464B4D57EFCA4248B8D4825D2B7E7E965990297DAD47DCB81DDF8DDA862E45815FA88CE16009533B80B286FE6C84A157889D98708A10FCD7BE8814FD7DBD6270D13472F7C24BDEFD17B59A0107FDC54C0694DE3BAD200AEFC9964D7CBB586B4138E7AA41E871505CEE5E4368393266F2712D18AEF3921D44B85B54221B6DA054EFA5C9866EBFF73076CB302B000014FD962DC50AE8EF7D0B2CF8C65B325CBD2B0000144C53427B6D465D1B337BB755A37A7FEF29000014B4F01CA951E9DA8D0BAFBBD34AD3044E2900001C00004004E0F8879208723CB28770AEDB1A29B0CAE41571420000001C00004005E6BBF6BD24D8BCA3AB795F4A31A54D9EB7327932 ike 0:a20511ee474b2950/0000000000000000:71: responder received SA_INIT msg ike 0:a20511ee474b2950/0000000000000000:71: VID forticlient connect license 4C53427B6D465D1B337BB755A37A7FEF ike 0:a20511ee474b2950/0000000000000000:71: VID Fortinet Endpoint Control B4F01CA951E9DA8D0BAFBBD34AD3044E ike 0:a20511ee474b2950/0000000000000000:71: received notify type NAT_DETECTION_SOURCE_IP ike 0:a20511ee474b2950/0000000000000000:71: received notify type NAT_DETECTION_DESTINATION_IP ike 0:a20511ee474b2950/0000000000000000:71: incoming proposal: ike 0:a20511ee474b2950/0000000000000000:71: proposal id = 1: ike 0:a20511ee474b2950/0000000000000000:71: protocol = IKEv2: ike 0:a20511ee474b2950/0000000000000000:71: encapsulation = IKEv2/none ike 0:a20511ee474b2950/0000000000000000:71: type=ENCR, val=DES_CBC ike 0:a20511ee474b2950/0000000000000000:71: type=INTEGR, val=AUTH_HMAC_SHA_96 ike 0:a20511ee474b2950/0000000000000000:71: type=PRF, val=PRF_HMAC_SHA ike 0:a20511ee474b2950/0000000000000000:71: type=DH_GROUP, val=MODP1536. ike 0:a20511ee474b2950/0000000000000000:71: proposal id = 2: ike 0:a20511ee474b2950/0000000000000000:71: protocol = IKEv2: ike 0:a20511ee474b2950/0000000000000000:71: encapsulation = IKEv2/none ike 0:a20511ee474b2950/0000000000000000:71: type=ENCR, val=DES_CBC ike 0:a20511ee474b2950/0000000000000000:71: type=INTEGR, val=AUTH_HMAC_SHA2_256_128 ike 0:a20511ee474b2950/0000000000000000:71: type=PRF, val=PRF_HMAC_SHA2_256 ike 0:a20511ee474b2950/0000000000000000:71: type=DH_GROUP, val=MODP1536. ike 0:a20511ee474b2950/0000000000000000:71: matched proposal id 1 ike 0:a20511ee474b2950/0000000000000000:71: proposal id = 1: ike 0:a20511ee474b2950/0000000000000000:71: protocol = IKEv2: ike 0:a20511ee474b2950/0000000000000000:71: encapsulation = IKEv2/none ike 0:a20511ee474b2950/0000000000000000:71: type=ENCR, val=DES_CBC ike 0:a20511ee474b2950/0000000000000000:71: type=INTEGR, val=AUTH_HMAC_SHA_96 ike 0:a20511ee474b2950/0000000000000000:71: type=PRF, val=PRF_HMAC_SHA ike 0:a20511ee474b2950/0000000000000000:71: type=DH_GROUP, val=MODP1536. ike 0:a20511ee474b2950/0000000000000000:71: lifetime=86400 ike 0:a20511ee474b2950/0000000000000000:71: SA proposal chosen, matched gateway IPSECVPN ike 0:IPSECVPN: created connection: 0xc59a950 4 192.168.10.5->192.168.10.50:500. ike 0:IPSECVPN: HA L3 state 1/0 ike 0:IPSECVPN:71: processing notify type NAT_DETECTION_SOURCE_IP ike 0:IPSECVPN:71: processing NAT-D payload ike 0:IPSECVPN:71: NAT not detected ike 0:IPSECVPN:71: process NAT-D ike 0:IPSECVPN:71: processing notify type NAT_DETECTION_DESTINATION_IP ike 0:IPSECVPN:71: processing NAT-D payload ike 0:IPSECVPN:71: NAT not detected ike 0:IPSECVPN:71: process NAT-D ike 0:IPSECVPN:71: enable FortiClient endpoint compliance check, use 10.10.10.10 ike 0:IPSECVPN:71: responder preparing SA_INIT msg ike 0:IPSECVPN:71: out A20511EE474B295093648E582E8BEA7C21202220000000000000015C2200002C00000028010100040300000801000002030000080200000203000008030000020000000804000005280000C800050000D216747DF7034B0F76323CC6DBDD41719687B9667463B8DAD252E5B7381407EA80DD104551DFBBA094C7FC0E8771505D9DC0FDA8ACFE43056E650DA9189330AD81A9A7ADCAA7DE004D6EFEEABBB5BF496E4EEFB2A1BAAF484B4CFDA3DED282F60B4CD1040EE921C2CD3DB45292BDE5FA9429F881D3AFD504078299F88019834A11A6D9D98D607BF37C19746103AD8B4219D86DF26AB624CE706DEBA6CA5E63DDFBD63F2F9F75D3B4111D4FF841632FB6FDCB0D67DA6596D08292D4F469BD8D05290000144E8998F2AB9900D9811C2E60A75117CE2900001C00004004D17F862FB62274F299D96A88374E9079DC0142130000001C00004005C45180DA3778084B454FA63BF35201D38F4C40EC ike 0:IPSECVPN:71: sent IKE msg (SA_INIT_RESPONSE): 192.168.10.5:500->192.168.10.50:500, len=348, id=a20511ee474b2950/93648e582e8bea7c ike 0:IPSECVPN:71: IKE SA a20511ee474b2950/93648e582e8bea7c SK_ei 8:AF6280DC5B063F49 ike 0:IPSECVPN:71: IKE SA a20511ee474b2950/93648e582e8bea7c SK_er 8:25804A503CD26B9B ike 0:IPSECVPN:71: IKE SA a20511ee474b2950/93648e582e8bea7c SK_ai 20:43D47C3D0E103AB78D997949C0748BCCD4684C35 ike 0:IPSECVPN:71: IKE SA a20511ee474b2950/93648e582e8bea7c SK_ar 20:E3FAB0875756F0D84F469C1A7FB6EFCC51417302 ike 0: comes 192.168.10.50:500->192.168.10.5:500,ifindex=4.... ike 0: IKEv2 exchange=AUTH id=a20511ee474b2950/93648e582e8bea7c:00000001 len=268 ike 0: in A20511EE474B295093648E582E8BEA7C2E202308000000010000010C230000F0C48E4950443FD1B458A4698828311788893CE760359277F30A89A04EC66266BD9FB028A56E4147F24945B9EF5ECF2E30E9988F108E56DCFEF848C47B40FCC6B3BB58A5F72C2777F07C3C0A8C8BC14731B0326302EF705B46EB5394D11002781058F55DCF599B847236AEEAF7E3382B226571B797005EAC5A53F7F3533165F3ADE7B60F3C7ABA777FB3F22D5576A1CC8FF563C886EA493D61B604510F6E8CF9D90D87E1B29A3C832D6677106A43E4880C74C400BD624B2596E3D62BDFBD1E4510BFD4AD2A03E5218C7524A8F92B935D7C73DE34F6F842524070130F8CB2D31381227F5543A781CC623A5ADF7F ike 0:IPSECVPN:71: dec A20511EE474B295093648E582E8BEA7C2E20230800000001000000F0230000042900000C01000000C0A80A322F000008000040002100004001000000000700104643543830303231313430303137323200010000000200000003000000040000000D000070010000540A0000540B0000700000002C00004C02000024010304033F045CEF0300000801000002030000080300000C000000080500000000000024020304033F045CEF0300000801000002030000080300000200000008050000002D00001801000000070000100000FFFF00000000FFFFFFFF0000001801000000070000100000FFFF00000000FFFFFFFF ike 0:IPSECVPN:71: responder received AUTH msg ike 0:IPSECVPN:71: processing notify type INITIAL_CONTACT ike 0:IPSECVPN:71: peer identifier IPV4_ADDR 192.168.10.50 ike 0:IPSECVPN:71: re-validate gw ID ike 0:IPSECVPN:71: gw validation failed ike 0:IPSECVPN:71: schedule delete of IKE SA a20511ee474b2950/93648e582e8bea7c ike 0:IPSECVPN:71: scheduled delete of IKE SA a20511ee474b2950/93648e582e8bea7c ike 0:IPSECVPN: connection expiring due to phase1 down ike 0:IPSECVPN: deleting ike 0:IPSECVPN: deleted ike 0: comes 192.168.10.50:500->192.168.10.5:500,ifindex=4.... ike 0: IKEv2 exchange=AUTH id=a20511ee474b2950/93648e582e8bea7c:00000001 len=268 ike 0: in A20511EE474B295093648E582E8BEA7C2E202308000000010000010C230000F0C48E4950443FD1B458A4698828311788893CE760359277F30A89A04EC66266BD9FB028A56E4147F24945B9EF5ECF2E30E9988F108E56DCFEF848C47B40FCC6B3BB58A5F72C2777F07C3C0A8C8BC14731B0326302EF705B46EB5394D11002781058F55DCF599B847236AEEAF7E3382B226571B797005EAC5A53F7F3533165F3ADE7B60F3C7ABA777FB3F22D5576A1CC8FF563C886EA493D61B604510F6E8CF9D90D87E1B29A3C832D6677106A43E4880C74C400BD624B2596E3D62BDFBD1E4510BFD4AD2A03E5218C7524A8F92B935D7C73DE34F6F842524070130F8CB2D31381227F5543A781CC623A5ADF7F ike 0: invalid IKE request SPI a20511ee474b2950/93648e582e8bea7c:00000001 ike 0: comes 192.168.10.50:500->192.168.10.5:500,ifindex=4.... ike 0: IKEv2 exchange=AUTH id=a20511ee474b2950/93648e582e8bea7c:00000001 len=268 ike 0: in A20511EE474B295093648E582E8BEA7C2E202308000000010000010C230000F0C48E4950443FD1B458A4698828311788893CE760359277F30A89A04EC66266BD9FB028A56E4147F24945B9EF5ECF2E30E9988F108E56DCFEF848C47B40FCC6B3BB58A5F72C2777F07C3C0A8C8BC14731B0326302EF705B46EB5394D11002781058F55DCF599B847236AEEAF7E3382B226571B797005EAC5A53F7F3533165F3ADE7B60F3C7ABA777FB3F22D5576A1CC8FF563C886EA493D61B604510F6E8CF9D90D87E1B29A3C832D6677106A43E4880C74C400BD624B2596E3D62BDFBD1E4510BFD4AD2A03E5218C7524A8F92B935D7C73DE34F6F842524070130F8CB2D31381227F5543A781CC623A5ADF7F ike 0: invalid IKE request SPI a20511ee474b2950/93648e582e8bea7c:00000001 ike 0: comes 192.168.10.50:500->192.168.10.5:500,ifindex=4.... ike 0: IKEv2 exchange=AUTH id=a20511ee474b2950/93648e582e8bea7c:00000001 len=268 ike 0: in A20511EE474B295093648E582E8BEA7C2E202308000000010000010C230000F0C48E4950443FD1B458A4698828311788893CE760359277F30A89A04EC66266BD9FB028A56E4147F24945B9EF5ECF2E30E9988F108E56DCFEF848C47B40FCC6B3BB58A5F72C2777F07C3C0A8C8BC14731B0326302EF705B46EB5394D11002781058F55DCF599B847236AEEAF7E3382B226571B797005EAC5A53F7F3533165F3ADE7B60F3C7ABA777FB3F22D5576A1CC8FF563C886EA493D61B604510F6E8CF9D90D87E1B29A3C832D6677106A43E4880C74C400BD624B2596E3D62BDFBD1E4510BFD4AD2A03E5218C7524A8F92B935D7C73DE34F6F842524070130F8CB2D31381227F5543A781CC623A5ADF7F ike 0: invalid IKE request SPI a20511ee474b2950/93648e582e8bea7c:00000001 ike shrank heap by 159744 bytes ike 0: comes 192.168.10.50:500->192.168.10.5:500,ifindex=4.... ike 0: IKEv2 exchange=AUTH id=a20511ee474b2950/93648e582e8bea7c:00000001 len=268 ike 0: in A20511EE474B295093648E582E8BEA7C2E202308000000010000010C230000F0C48E4950443FD1B458A4698828311788893CE760359277F30A89A04EC66266BD9FB028A56E4147F24945B9EF5ECF2E30E9988F108E56DCFEF848C47B40FCC6B3BB58A5F72C2777F07C3C0A8C8BC14731B0326302EF705B46EB5394D11002781058F55DCF599B847236AEEAF7E3382B226571B797005EAC5A53F7F3533165F3ADE7B60F3C7ABA777FB3F22D5576A1CC8FF563C886EA493D61B604510F6E8CF9D90D87E1B29A3C832D6677106A43E4880C74C400BD624B2596E3D62BDFBD1E4510BFD4AD2A03E5218C7524A8F92B935D7C73DE34F6F842524070130F8CB2D31381227F5543A781CC623A5ADF7F ike 0: invalid IKE request SPI a20511ee474b2950/93648e582e8bea7c:00000001 ike 0: comes 192.168.10.50:500->192.168.10.5:500,ifindex=4.... ike 0: IKEv2 exchange=AUTH id=a20511ee474b2950/93648e582e8bea7c:00000001 len=268 ike 0: in A20511EE474B295093648E582E8BEA7C2E202308000000010000010C230000F0C48E4950443FD1B458A4698828311788893CE760359277F30A89A04EC66266BD9FB028A56E4147F24945B9EF5ECF2E30E9988F108E56DCFEF848C47B40FCC6B3BB58A5F72C2777F07C3C0A8C8BC14731B0326302EF705B46EB5394D11002781058F55DCF599B847236AEEAF7E3382B226571B797005EAC5A53F7F3533165F3ADE7B60F3C7ABA777FB3F22D5576A1CC8FF563C886EA493D61B604510F6E8CF9D90D87E1B29A3C832D6677106A43E4880C74C400BD624B2596E3D62BDFBD1E4510BFD4AD2A03E5218C7524A8F92B935D7C73DE34F6F842524070130F8CB2D31381227F5543A781CC623A5ADF7F ike 0: invalid IKE request SPI a20511ee474b2950/93648e582e8bea7c:00000001

 

As it says gw validation failed, what could be the issue?

 

Waiting for kind response,

 

Regards,

 

0 REPLIES 0
Labels
Top Kudoed Authors