Support Forum
sw2090
Honored Contributor

FortiClient 7 bug with peer id?

I just found out this issue:

 

I set up a dial-up IPsec. It is configured to do IKEv2 and to accept only one specific peer id.

I then downloaded and installed latest FortiClient VPN 7 (as I just need VPN for testing this).

I configured that IPSec in my FortiClient and tried to connect. This failed.

Looking in the IKE debug log on my FGT I saw that on my connection attempt the peer id is submitted by the FortiClient, but the timing is wrong. According to the log the peer id was submitted well after it had already negotiated proposals and matched a (wrong) gateway.

As a consequence the request matched the wrong gateway, and because of that the PSK auth then failed.

 

If I reconfigure that IPsec to do IKEv1 instead, with the rest set all the same as before, and then again try to connect my FortiClient, it connects successfully. The IKE debug log on the FGT then shows that in the connection attempt the correct peer id had been submitted and it matched the correct gateway.

 

So I guess that is a nasty bug in FortiClient. You can configure it with a specific peer id even in IKEv2, but it seems to never send that to the remote gateway. This is very, very bad behaviour if you need to use more than one dial-up IPsec....

 

I also opened a ticket with TAC on this... we'll see what they say.


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

Anthony_E
Community Manager

Hello,

 

Thanks a lot (as usual) for your contribution and your help.

Could you please share what the TAC will say?

 

Thanks a lot in advance.

 

Regards,

Anthony-Fortinet Community Team.
sw2090
Honored Contributor

Actually, what I wrote is not correct: FortiClient 7 does send a peer id in IKEv2, but in fact the timing is wrong. It is sent, but it is sent too late (I see it in the log well after it has already negotiated proposals and matched a tunnel).

 

If TAC says something helpful I will share it here.


Anthony_E
Community Manager

Thank you! You can edit your first message if you need to, or if you prefer I can delete it.

 

Regards,

Anthony-Fortinet Community Team.
sw2090
Honored Contributor

I've edited the post now.


OmariShane
New Contributor

You have taken the right step by opening a ticket with Fortinet's TAC (Technical Assistance Center). They will be able to provide further insights and assistance in resolving the issue. Their expertise in Fortinet products will help in identifying the root cause and providing a suitable solution or workaround.

sw2090
Honored Contributor

In my case there is a (limited) workaround. Since we have a direct WAN connection that terminates on the FGT itself and has a /29 subnet of WAN IPs available, I can put a 2nd IP address on that WAN and make the IPsec listen only on that (set local gateway...), and since there is no other IPsec listening on this IP I then don't need a peer id.

However, this is limited and only works with directly connected WANs. It doesn't work if there is a router between the FGT and the internet.

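To make the timing difference discussed in this thread concrete, here is an added example (a toy model of my own, not code from the post, from FortiClient or from FortiOS) of a responder that has to choose between several dial-up gateways. In IKEv2 (RFC 7296) the initiator's identity IDi is carried in the IKE_AUTH exchange, which comes after the IKE_SA_INIT exchange that negotiates the proposals; in IKEv1 aggressive mode the ID is already in the first packet. The model contrasts a responder that commits to a gateway on IKE_SA_INIT (and therefore verifies the PSK of the wrong tunnel once IDi shows up), one that defers the choice until IDi is known, and the workaround from the last post, where each tunnel listens on its own local address so the choice is already unambiguous after IKE_SA_INIT. The gateway names, addresses, peer ids, PSKs and the simplified AUTH computation are all assumptions made for the example.

```python
"""Added example (not from the forum post, FortiClient or FortiOS): a toy
IKEv2 responder that has to pick one of several dial-up gateways.

Assumptions (constructed for this model, not real FortiOS behaviour):
  - auth_payload() is a simplified HMAC stand-in for the RFC 7296 PSK AUTH
    payload; only its dependence on the PSK and IDi matters here.
  - Gateway names, IPs, peer ids and PSKs are placeholders.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Gateway:
    name: str
    local_ip: str           # address the dial-up tunnel listens on
    proposal: str           # the single proposal this toy gateway accepts
    peer_id: Optional[str]  # expected IDi; None = accept any peer id
    psk: bytes


@dataclass(frozen=True)
class IkeSaInit:            # IKE_SA_INIT request: proposals + nonce, no identity yet
    dst_ip: str
    proposal: str
    nonce: bytes


@dataclass(frozen=True)
class IkeAuth:              # IKE_AUTH request: IDi and AUTH (encrypted in the real protocol)
    idi: str
    auth: bytes


def auth_payload(psk: bytes, idi: str, nonce: bytes) -> bytes:
    """Simplified stand-in for the PSK-based AUTH value (assumption, not RFC-exact)."""
    pad = hmac.new(psk, b"Key Pad for IKEv2", hashlib.sha256).digest()
    return hmac.new(pad, idi.encode() + nonce, hashlib.sha256).digest()


def client_connect(gw_ip: str, proposal: str, idi: str, psk: bytes,
                   nonce: bytes = b"\x01" * 16) -> Tuple[IkeSaInit, IkeAuth]:
    """What an IKEv2 initiator sends: IDi only appears in the second exchange."""
    return IkeSaInit(gw_ip, proposal, nonce), IkeAuth(idi, auth_payload(psk, idi, nonce))


def _init_candidates(gateways: List[Gateway], init: IkeSaInit) -> List[Gateway]:
    """Everything the responder can know from IKE_SA_INIT: local address and proposal."""
    return [g for g in gateways if g.local_ip == init.dst_ip and g.proposal == init.proposal]


def _verify(gw: Gateway, init: IkeSaInit, auth: IkeAuth) -> Tuple[str, str]:
    if hmac.compare_digest(auth.auth, auth_payload(gw.psk, auth.idi, init.nonce)):
        return gw.name, "OK"
    return gw.name, "AUTHENTICATION_FAILED (psk)"


def respond_bind_early(gateways: List[Gateway], init: IkeSaInit,
                       auth: IkeAuth) -> Tuple[Optional[str], str]:
    """Responder that commits to a gateway on IKE_SA_INIT alone.
    IDi arrives too late to influence the choice, so two tunnels on the same
    address with the same proposal are indistinguishable and the wrong PSK gets checked."""
    cands = _init_candidates(gateways, init)
    if not cands:
        return None, "NO_PROPOSAL_CHOSEN"
    return _verify(cands[0], init, auth)


def respond_match_on_auth(gateways: List[Gateway], init: IkeSaInit,
                          auth: IkeAuth) -> Tuple[Optional[str], str]:
    """Responder that keeps every proposal-compatible gateway after IKE_SA_INIT and
    settles on one only when IDi is known, preferring an exact peer-id match over a catch-all."""
    cands = [g for g in _init_candidates(gateways, init)
             if g.peer_id is None or g.peer_id == auth.idi]
    if not cands:
        return None, "AUTHENTICATION_FAILED (no gateway for this peer id)"
    gw = min(cands, key=lambda g: g.peer_id is None)  # False sorts first: explicit id wins
    return _verify(gw, init, auth)


# Constructed scenario 1: two IKEv2 dial-up tunnels on one WAN address, told apart by peer id.
SHARED_IP = [
    Gateway("dialup_a", "203.0.113.1", "aes256-sha256", "client-a", b"psk-for-a"),
    Gateway("dialup_b", "203.0.113.1", "aes256-sha256", "client-b", b"psk-for-b"),
]
# Constructed scenario 2: the workaround from the thread, one secondary WAN IP per tunnel, no peer id.
SPLIT_IP = [
    Gateway("dialup_a", "203.0.113.1", "aes256-sha256", None, b"psk-for-a"),
    Gateway("dialup_b", "203.0.113.2", "aes256-sha256", None, b"psk-for-b"),
]


def demo() -> Tuple[Tuple[Optional[str], str], ...]:
    init, auth = client_connect("203.0.113.1", "aes256-sha256", "client-b", b"psk-for-b")
    early = respond_bind_early(SHARED_IP, init, auth)     # lands on dialup_a, wrong PSK
    late = respond_match_on_auth(SHARED_IP, init, auth)   # dialup_b, OK
    init2, auth2 = client_connect("203.0.113.2", "aes256-sha256", "client-b", b"psk-for-b")
    split = respond_bind_early(SPLIT_IP, init2, auth2)    # dialup_b, OK without any peer id
    return early, late, split


if __name__ == "__main__":
    labels = ("shared IP, bind on IKE_SA_INIT", "shared IP, match on IKE_AUTH", "split IP, bind on IKE_SA_INIT")
    for label, result in zip(labels, demo()):
        print(f"{label}: {result}")
```

The point of the model is only the ordering: whatever the responder decides before IKE_AUTH, it decides without the peer id, so either the selection has to stay open until IKE_AUTH or the tunnels have to be distinguishable by something present in IKE_SA_INIT, such as a dedicated local address.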