jfbueno
New Contributor II

Can't connect to IPsec VPN in Windows 11

I wasn't able to connect to an IPsec VPN through FortiClient VPN (7.0.2.0090 free) after updating to Windows 11 (build 22000); SSL VPNs were working fine. When I downgraded to Windows 10 (21H2, build 19044.1415), the IPsec VPN started working again.

 

This is the error that I got on FortiClient

 

error.png

And this is the log that I exported

 

 

 

12/28/2021 4:02:55 PM	info	sslvpn	date=2021-12-28 time=16:02:54 logver=1 id=96602 type=securityevent subtype=sslvpn eventtype=status level=info uid=19AEBE88942A48F59578C42AA765D590 devid=FCT8003159070034 hostname=DESKTOP-5BJFTJ3 pcdomain=N/A deviceip=192.168.224.1 devicemac=<redacted> site=N/A fctver=7.0.2.0090 fgtserial=FCT8003159070034 emsserial=N/A os="Microsoft Windows 11 , 64-bit (build 22000)" user=bueno msg="SSLVPN service started successfully" vpnstate=

12/28/2021 4:03:04 PM	info	system	date=2021-12-28 time=16:03:03 logver=1 id=96823 type=systemevent subtype=system eventtype=status level=info uid=19AEBE88942A48F59578C42AA765D590 devid=FCT8003159070034 hostname=DESKTOP-5BJFTJ3 pcdomain=N/A deviceip=192.168.224.1 devicemac=<redacted> site=N/A fctver=7.0.2.0090 fgtserial=FCT8003159070034 emsserial=N/A os="Microsoft Windows 11 , 64-bit (build 22000)" user=bueno msg="Checking for updates"

12/28/2021 4:04:26 PM	info	ipsecvpn	date=2021-12-28 time=16:04:25 logver=1 id=96566 type=securityevent subtype=ipsecvpn eventtype=status level=info uid=19AEBE88942A48F59578C42AA765D590 devid=FCT8003159070034 hostname=DESKTOP-5BJFTJ3 pcdomain=N/A deviceip=192.168.224.1 devicemac=<redacted> site=N/A fctver=7.0.2.0090 fgtserial=FCT8003159070034 emsserial=N/A os="Microsoft Windows 11 , 64-bit (build 22000)" user=bueno msg="loc_ip=192.168.100.2 loc_port=500 rem_ip=<vpn-external-ip> rem_port=500 out_if=0 vpn_tunnel=RS IPsec action=negotiate init=local mode=aggressive stage=1 dir=outbound status=success Initiator: sent <vpn-external-ip> aggressive mode message #1 (OK)" vpntunnel="RS IPsec"

12/28/2021 4:04:38 PM	warning	ipsecvpn	date=2021-12-28 time=16:04:37 logver=1 id=96561 type=securityevent subtype=ipsecvpn eventtype=error level=warning uid=19AEBE88942A48F59578C42AA765D590 devid=FCT8003159070034 hostname=DESKTOP-5BJFTJ3 pcdomain=N/A deviceip=192.168.224.1 devicemac=<redacted> site=N/A fctver=7.0.2.0090 fgtserial=FCT8003159070034 emsserial=N/A os="Microsoft Windows 11 , 64-bit (build 22000)" user=bueno msg="No response from the peer, phase1 retransmit reaches maximum count" vpntunnel="RS IPsec" locip=192.168.100.2 locport=500 remip=<vpn-external-ip> remport=500

 

 

 

This is a log exported after a successful connection (in W10)

 

 

12/30/2021 8:24:23 AM	info	ipsecvpn	date=2021-12-30 time=08:24:22 logver=1 id=96566 type=securityevent subtype=ipsecvpn eventtype=status level=info uid=19AEBE88942A48F59578C42AA765D590 devid=FCT8003159070034 hostname=DESKTOP-5BJFTJ3 pcdomain=N/A deviceip=<my-external-ip> devicemac=<redacted> site=N/A fctver=7.0.2.0090 fgtserial=FCT8003159070034 emsserial=N/A os="Microsoft Windows 10 , 64-bit (build 19041)" user=bueno msg="loc_ip=192.168.100.2 loc_port=4500 rem_ip=<vpn-external-ip> rem_port=4500 out_if=0 vpn_tunnel=CIEE-RS action=negotiate init=local mode=quick stage=2 dir=outbound status=success Initiator: sent <vpn-external-ip> quick mode message #2 (DONE)" vpntunnel=CIEE-RS

 

 

In this log the loc_port and rem_port are different (4500; in the other log it's 500). Also, the deviceip is my external IP, not a local IP (that doesn't look like an IP that my machine would be using).

 

I don't know if that's causing the problem, but it's all I can find.

 

Does anyone have any tips?
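
The comparison made by eye between the two exports above can be automated. This is an added example, not part of the original post: it parses FortiClient's key=value export lines and reports, per tunnel, which UDP ports IKE used, the highest stage reached, and whether phase 1 timed out. The sample lines are constructed from the logs above (shortened, with 203.0.113.10 as a placeholder peer address), and the function names are illustrative.

```python
import re

# Constructed sample lines, shortened from the exports in the post.
# 203.0.113.10 is a placeholder for the redacted peer address.
SAMPLE = [
    'date=2021-12-28 time=16:02:54 subtype=sslvpn level=info msg="SSLVPN service started successfully" vpnstate=',
    'date=2021-12-28 time=16:04:25 subtype=ipsecvpn level=info os="Microsoft Windows 11 , 64-bit (build 22000)" '
    'msg="loc_ip=192.168.100.2 loc_port=500 rem_ip=203.0.113.10 rem_port=500 out_if=0 vpn_tunnel=RS IPsec '
    'mode=aggressive stage=1 status=success Initiator: sent 203.0.113.10 aggressive mode message #1 (OK)" vpntunnel="RS IPsec"',
    'date=2021-12-28 time=16:04:37 subtype=ipsecvpn level=warning '
    'msg="No response from the peer, phase1 retransmit reaches maximum count" vpntunnel="RS IPsec" remport=500',
    'date=2021-12-30 time=08:24:22 subtype=ipsecvpn level=info os="Microsoft Windows 10 , 64-bit (build 19041)" '
    'msg="loc_ip=192.168.100.2 loc_port=4500 rem_ip=203.0.113.10 rem_port=4500 out_if=0 vpn_tunnel=CIEE-RS '
    'mode=quick stage=2 status=success Initiator: sent 203.0.113.10 quick mode message #2 (DONE)" vpntunnel=CIEE-RS',
]

# key=value, where the value is either "quoted with spaces" or a bare token (possibly empty).
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

def parse_fields(text):
    """Split one exported line (or a msg body) into a dict of key/value strings."""
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(text)}

def ike_events(lines):
    """Yield one dict per ipsecvpn line, promoting the fields nested inside msg."""
    for line in lines:
        outer = parse_fields(line)
        if outer.get("subtype") != "ipsecvpn":
            continue
        inner = parse_fields(outer.get("msg", ""))
        yield {"tunnel": outer.get("vpntunnel"), "msg": outer.get("msg", ""),
               "port": inner.get("rem_port") or outer.get("remport", ""),
               "stage": inner.get("stage", "")}

def summarize(lines):
    """Per tunnel: remote UDP ports seen, highest IKE stage, and phase 1 timeout flag."""
    result = {}
    for ev in ike_events(lines):
        s = result.setdefault(ev["tunnel"], {"ports": set(), "max_stage": 0, "phase1_timeout": False})
        if ev["port"].isdigit():
            s["ports"].add(int(ev["port"]))
        if ev["stage"].isdigit():
            s["max_stage"] = max(s["max_stage"], int(ev["stage"]))
        if "phase1 retransmit reaches maximum count" in ev["msg"]:
            s["phase1_timeout"] = True
    return result

if __name__ == "__main__":
    for tunnel, info in summarize(SAMPLE).items():
        print(tunnel, info)
```

A tunnel that shows only port 500 together with a phase 1 timeout never received a reply to its first IKE message; UDP 4500 appears once NAT traversal has been negotiated.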

 

1 Solution
SkepticSensei

I figured out the issue. It is a Windows 11 Ethernet driver issue. 

Wi-Fi connects to the VPN; Ethernet via a USB-to-Ethernet adapter works.

I downgraded to Win10 Realtek 10.54 driver version.

That fixed the issue for me.

 

Realtek PCIe FE / GBE / 2.5G / Gaming Ethernet Family Controller Software - REALTEK

 

 

Let me know if this works for anyone else.

37 REPLIES
BillWabo
New Contributor II

Fortinet knows about the problem.

 

Fortinet Answer: "...there will be no fix from the forticlient side as this is not a forticlient issue. This issue is with Realtek drivers and a drivers update might fix the issue. To avoid this issue, try not to use the latest Realtek driver, it has the bug, just use the driver that comes with Windows and that should work."

 

There is a new driver from Realtek (2023/02/24), version 124.011, 1125.011, 1166.011, 1168.011, and it's not fixed.

 

I tried to contact Realtek about it... no answer... So good luck reaching Realtek about it!

 

The Windows 10 driver on Windows 11 works fine.

gs1
New Contributor

Wow... just wasted half a day because of this. Thanks, SkepticSensei, for the workaround. Absolutely crazy that this is still an issue and nobody cares :(

dfeifer
New Contributor II

Just ran into this problem with a brand new Intel AX211, so this is more than just a Realtek issue.

Going to have to try setting up a Windows native IPsec policy on our 301E to see if ruling out FortiClient makes a difference. 2 Lenovo laptops next to each other on the same network, same FortiClient version 7.0.8. The Intel AC9560 connects with no issue. The AX211 will not.

I am starting to move my userbase to Autopilot and I definitely need the VPN to be dependable and work.

 

Oh, and this is probably the 5th time in the past month or two that I have run into this. This is just the first time that installing the manufacturer's drivers over OEM hasn't worked.

sysram
New Contributor II

Hi

 

We could solve that problem with the Realtek USB GbE Family Controller by downgrading to the Win10 driver 10.54.

But now I have the same problem with the Realtek PCIe GbE Family Controller.
I tried the 10.54 driver, but it did not solve the problem.
I also tried FortiClient 7.0.2, 7.0.7 and 7.0.9 -> always the same problem.
Over WiFi it works perfectly.

Any other ideas on how to solve it?

dfeifer
New Contributor II

Yeah, this is getting really annoying. Especially when you are getting new computers with new hardware that only has Windows 10/11 combo drivers available. I swear it is some form of change or update to the IPsec stack that Fortinet isn't taking into account that doesn't exist in the older drivers. Especially since I am having this issue across multiple vendors: Realtek/Intel/Qualcomm.

VincentCA

Yeah, and I'm using a Killer Wi-Fi network adapter. And just like you, others in my workplace are using other vendors like Realtek/Intel/Qualcomm...
I don't mind using SSL, but I can't get split tunneling to work with that setup and the Fortinet team couldn't get it to work for me either.

goneriding
New Contributor II

I thought the driver was our problem but it ended up being Cisco Umbrella Roaming Client. The driver change update would reset the adapter and fix temporarily. I hope this helps someone else.

sysram
New Contributor II

FortiClient 7.2.3 was announced with a fix for this problem.
I was able to fix that now also with the PCI-E device, but only with the 10.68 driver.
