jfbueno
New Contributor II

Can't connect to IPsec VPN in Windows 11

I wasn't able to connect to an IPsec VPN through FortiClient VPN (7.0.2.0090 free) when I updated to Windows 11 (build 22000); SSL VPNs were working fine. When I downgraded to Windows 10 (21H2 build 19044.1415) the IPsec VPN started working again.

 

This is the error that I got on FortiClient:

[Image: error.png]

And this is the log that I exported:

 

 

 

12/28/2021 4:02:55 PM	info	sslvpn	date=2021-12-28 time=16:02:54 logver=1 id=96602 type=securityevent subtype=sslvpn eventtype=status level=info uid=19AEBE88942A48F59578C42AA765D590 devid=FCT8003159070034 hostname=DESKTOP-5BJFTJ3 pcdomain=N/A deviceip=192.168.224.1 devicemac=<redacted> site=N/A fctver=7.0.2.0090 fgtserial=FCT8003159070034 emsserial=N/A os="Microsoft Windows 11 , 64-bit (build 22000)" user=bueno msg="SSLVPN service started successfully" vpnstate=

12/28/2021 4:03:04 PM	info	system	date=2021-12-28 time=16:03:03 logver=1 id=96823 type=systemevent subtype=system eventtype=status level=info uid=19AEBE88942A48F59578C42AA765D590 devid=FCT8003159070034 hostname=DESKTOP-5BJFTJ3 pcdomain=N/A deviceip=192.168.224.1 devicemac=<redacted> site=N/A fctver=7.0.2.0090 fgtserial=FCT8003159070034 emsserial=N/A os="Microsoft Windows 11 , 64-bit (build 22000)" user=bueno msg="Checking for updates"

12/28/2021 4:04:26 PM	info	ipsecvpn	date=2021-12-28 time=16:04:25 logver=1 id=96566 type=securityevent subtype=ipsecvpn eventtype=status level=info uid=19AEBE88942A48F59578C42AA765D590 devid=FCT8003159070034 hostname=DESKTOP-5BJFTJ3 pcdomain=N/A deviceip=192.168.224.1 devicemac=<redacted> site=N/A fctver=7.0.2.0090 fgtserial=FCT8003159070034 emsserial=N/A os="Microsoft Windows 11 , 64-bit (build 22000)" user=bueno msg="loc_ip=192.168.100.2 loc_port=500 rem_ip=<vpn-external-ip> rem_port=500 out_if=0 vpn_tunnel=RS IPsec action=negotiate init=local mode=aggressive stage=1 dir=outbound status=success Initiator: sent <vpn-external-ip> aggressive mode message #1 (OK)" vpntunnel="RS IPsec"

12/28/2021 4:04:38 PM	warning	ipsecvpn	date=2021-12-28 time=16:04:37 logver=1 id=96561 type=securityevent subtype=ipsecvpn eventtype=error level=warning uid=19AEBE88942A48F59578C42AA765D590 devid=FCT8003159070034 hostname=DESKTOP-5BJFTJ3 pcdomain=N/A deviceip=192.168.224.1 devicemac=<redacted> site=N/A fctver=7.0.2.0090 fgtserial=FCT8003159070034 emsserial=N/A os="Microsoft Windows 11 , 64-bit (build 22000)" user=bueno msg="No response from the peer, phase1 retransmit reaches maximum count" vpntunnel="RS IPsec" locip=192.168.100.2 locport=500 remip=<vpn-external-ip> remport=500

 

 

 

This is a log exported after a successful connection (in W10)

 

 

12/30/2021 8:24:23 AM	info	ipsecvpn	date=2021-12-30 time=08:24:22 logver=1 id=96566 type=securityevent subtype=ipsecvpn eventtype=status level=info uid=19AEBE88942A48F59578C42AA765D590 devid=FCT8003159070034 hostname=DESKTOP-5BJFTJ3 pcdomain=N/A deviceip=<my-external-ip> devicemac=<redacted> site=N/A fctver=7.0.2.0090 fgtserial=FCT8003159070034 emsserial=N/A os="Microsoft Windows 10 , 64-bit (build 19041)" user=bueno msg="loc_ip=192.168.100.2 loc_port=4500 rem_ip=<vpn-external-ip> rem_port=4500 out_if=0 vpn_tunnel=CIEE-RS action=negotiate init=local mode=quick stage=2 dir=outbound status=success Initiator: sent <vpn-external-ip> quick mode message #2 (DONE)" vpntunnel=CIEE-RS

 

 

In this log the loc_port and rem_port are different (4500; in the other log it's 500). Also, the deviceip is my external IP, not a local IP (that doesn't look like an IP that my machine would be using).

 

I don't know if that's causing the problem, but it's all I can find.

 

Does anyone have any tips?

 

1 Solution
SkepticSensei

I figured out the issue. It is a Windows 11 Ethernet driver issue. 

Wi-Fi connects to VPN, Ethernet via USB-to-Ethernet adapter works.

I downgraded to Win10 Realtek 10.54 driver version.

That fixed the issue for me.

 

Realtek PCIe FE / GBE / 2.5G / Gaming Ethernet Family Controller Software - REALTEK

 

 

Let me know if this works for anyone else.

Debbie_FTNT
Staff

Hey jfbueno,

In the non-working snippet, there is this:

msg="No response from the peer, phase1 retransmit reaches maximum count"

That indicates your FortiClient is not getting a response from whatever VPN server it is trying to reach. Can you do the following?
- google "what is my IP" on the client to figure out your public IP
- on the VPN server, capture traffic for that public IP and port 500/4500 (IPSec VPN should start at port 500 and then move to 4500 if NAT is detected, as it should be in your case)
- that should give you some idea where establishing the tunnel breaks down

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
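
Added example, not part of any post in this thread: a small Python triage script for FortiClient log exports in the key=value format shown above, reporting per tunnel whether negotiation stayed on UDP 500, moved to 4500, or hit the phase 1 retransmit limit. The sample lines are constructed (abridged from the thread's logs), and the function names and diagnosis strings are assumptions made for illustration.

```python
import re

# Constructed sample lines, abridged from the FortiClient export format shown in this thread.
SAMPLE = [
    'date=2021-12-28 time=16:04:25 subtype=ipsecvpn level=info '
    'msg="loc_ip=192.168.100.2 loc_port=500 rem_ip=<vpn-external-ip> rem_port=500 '
    'mode=aggressive stage=1 status=success aggressive mode message #1 (OK)" '
    'vpntunnel="RS IPsec"',
    'date=2021-12-28 time=16:04:37 subtype=ipsecvpn level=warning '
    'msg="No response from the peer, phase1 retransmit reaches maximum count" '
    'vpntunnel="RS IPsec" locport=500 remport=500',
    'date=2021-12-30 time=08:24:22 subtype=ipsecvpn level=info '
    'msg="loc_ip=192.168.100.2 loc_port=4500 rem_ip=<vpn-external-ip> rem_port=4500 '
    'mode=quick stage=2 status=success quick mode message #2 (DONE)" vpntunnel=CIEE-RS',
]

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')  # key=value, value optionally double-quoted
TIMEOUT = "phase1 retransmit reaches maximum count"

def parse_fields(text):
    """Return a dict of key=value pairs; a quoted value is kept whole."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(text)}

def summarize(lines):
    """Per tunnel: remote UDP ports seen, highest IKE stage logged, phase 1 timeout flag."""
    tunnels = {}
    for line in lines:
        event = parse_fields(line)
        if event.get("subtype") != "ipsecvpn":
            continue
        msg = event.get("msg", "")
        inner = parse_fields(msg)  # the negotiate message nests its own key=value pairs
        state = tunnels.setdefault(event.get("vpntunnel", "?"),
                                   {"ports": set(), "max_stage": 0, "phase1_timeout": False})
        port = inner.get("rem_port") or event.get("remport")
        if port and port.isdigit():
            state["ports"].add(int(port))
        stage = inner.get("stage", "")
        if stage.isdigit():
            state["max_stage"] = max(state["max_stage"], int(stage))
        state["phase1_timeout"] = state["phase1_timeout"] or TIMEOUT in msg
    return tunnels

def diagnose(state):
    """Map a tunnel summary to the next troubleshooting step (hypothetical wording)."""
    if state["phase1_timeout"] and state["ports"] == {500}:
        return "no IKE reply on UDP 500, never moved to 4500: capture on both ends"
    if 4500 in state["ports"] and state["max_stage"] >= 2:
        return "NAT-T on UDP 4500, phase 2 negotiated"
    return "inconclusive"
```

Feeding the full exported log file line by line to `summarize()` works as well, since the leading timestamp columns contain no `key=value` pairs and are ignored.
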
jfbueno
New Contributor II

Hey, Debbie.

 

Since this is a third-party VPN where I am an external contractor I will contact them and try to run these tests on the VPN server.

Thanks!


rikasobe
New Contributor

@jfbueno @Debbie_FTNT We have the same problem, but we detected that it only happens when using a wired network; with a wireless network it works correctly. Did you solve the problem?

Debbie_FTNT

Hey rikasobe,

I haven't heard back from jfbueno, and I did not encounter this issue myself; I just offered a troubleshooting suggestion based on the debug output jfbueno provided. If you get the same 'no response from remote peer', that usually indicates that the initial packets get lost somewhere, and I would suggest troubleshooting this as a possible network issue (i.e. VPN does not reach remote VPN server or response does not make it back).

If you get a different error, you might want to open a ticket with Fortinet Technical Support (if the VPN server is a FortiGate or your FortiClients are managed by EMS) or a new forum post.

Hope that helps!

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
jfbueno
New Contributor II

Hey. I couldn't perform the tests that Debbie asked me to...

 

Since the connection is working flawlessly with Windows 10, I just decided to keep using it for a while.

jfbueno
New Contributor II

Just to contribute.

 

I just tried to use the same VPN connection that showed the problem in my original post using another computer with Windows 11 and it worked as expected (using WiFi and wired).

Given that, I'm assuming the problem is related to this specific machine, but I won't perform any tests soon because I don't want to move to Win 11 and then downgrade again.

SkepticSensei

Wanted to reply specifically so you get a notification. We had the same issue; I found in my case it was a Win11 Ethernet driver issue. I downgraded to a Win10 driver and it worked. Hope it works for you too.

Debbie_FTNT

Thank you for sharing, sensei :).

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
mdilena
New Contributor

Hi all,

 

Just encountered this issue myself today. I started working for a company that uses FortiClient VPN and, under Windows 11 and the same build number, it cannot connect through Ethernet, while Wi-Fi works correctly.

Did anyone find a solution to this yet, which doesn't require downgrading to Win 10 as I can't do that?

 

Thank you!
