Hey guys,
I'm trying to get an IPsec VPN working for a client since their new FortiOS firmware dropped SSL-VPN support.
Here's the problem: The very first time I built the IPsec VPN, it looked like it connected, but I couldn't actually get to the internet or my DNS server through the FortiGate. Thinking it was a glitch, I ended up deleting it, re-making it, and deleting it a few times. Now I'm getting this persistent error when I try to set it up:
"Unable to setup VPN. The rollback process has encountered an error. Orphaned objects may still exist in the configuration database."
I've made sure to clean up everything after deleting the VPN each time – references, static routes, firewall policies, address – but this "orphaned objects" error just won't go away.
Has anyone seen this before or know how to fix it? Any help would be awesome.
Hi,
When creating the VPN, try choosing Custom instead of Remote Access. It would end up with the same settings, but you won't have the wizard displayed while creating it.
Hello,
Have been there a lot of times, and I was always missing something in the references when deleting the VPN tunnel.
Try to delete all the references again and reboot your firewall afterwards; it may have cached something.
Additionally, which version is your FGT on now?
Regarding the "Cannot Access the Internet" issue, you can enable split tunneling on the IPsec tunnel so all the unrelated traffic would be routed through the local network and not the IPsec VPN tunnel. Just to be on the safe side, I always create a firewall policy on the FGT to allow access from the IPsec VPN tunnel to WAN, just in case split tunneling doesn't work for some reason. That allows my remote devices to have access to the internet through the IPsec tunnel and not the local network.
The other thing, for your DNS issue: you can specify the DNS server you want to use in the IPsec VPN tunnel settings so the devices will use the specified server as DNS.
Hope this helps!
Yeah, I guess I'll try restarting my FortiGate first and then try again. I'm using the FortiGate's DNS server feature, and I'm not sure which one I should use for the DNS server settings in the configuration.
It doesn't matter what you're using on the FortiGate to be honest.
It depends on the setup of your internal network setup.
If there is any domain controller (AD server) on your internal network that does the DNS and you need access to that domain controller (i.e. for accessing some domain user profiles over VPN), you would need to specify the server address as a DNS server in the IPsec VPN tunnel configuration.
In any other case, you can just leave the default config.
If you could provide some details on the case and the VPN use, it would help us to guide you better.
I just need to access my local servers. I'm currently using the DNS server offered by the FortiGate, and I'm not using an AD server for VPN authentication.
I'm currently using firmware 7.0.9, but I want to try IPsec VPN first and upgrade my firmware once the VPN is stable.
FortiOS 7.0 is very outdated; I had to upgrade a couple of firewalls to 7.2 at least to make the IPsec VPN work properly.
I have seen very weird issues with it, and it's always a good practice to have your equipment up to date.
I would recommend upgrading your FGT to 7.2 on the latest patch and using an older version of FortiClient VPN.