Hi all,
I am trying to get my FortiClient IPSec VPN working, but so far without success. I'm using FortiClient 7.0.3.0193 on Windows 10. I have configured the IPSec connection the way the firewall admin told me, but everytime I click on connect it just gets stuck forever at "Status: connecting" without establishing the connection. At the same time, the client kills almost all IPv4 and IPv6 connections from/to my laptop, so I lose all network connectivity until I click on disconnect. The only connection on my laptop that remains online and pingable during the connection phase is the link-local IPv6 address. All other outgoing and incoming pings from and to my machine fail, but as soon as I click disconnect all addresses are pingable and the system goes online again.
At first I thought it was a problem with the credentials so I tested it with identical setting in a Windows 10 VM and there it works perfectly fine. VPN gets established and internet connection remains functional.
What am I missing? I'm thinking it could be some sort of routing issue, perhaps...?
//edit:
I just noticed that the problem only exists when the laptop is connected to my home WiFi. When I connected to my iPhone hotspot instead, it worked immediately. However, the VM I used for testing (mentioned above) is running on the same laptop, so technically it uses the same internet gateway (meaning that it can not be an issue with the router).
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Update on this. Together with my FortiGate Admin we were able to find and resolve the issue. It was caused by a running service from another VPN client I had installed on my laptop (AVM FRITZ!Box). This client installs 3 services in Windows which are always running even when the client itself is terminated:
AVM FRITZ!Fernzugang Cert Service
AVM FRITZ!Fernzugang Client
AVM FRITZ!Fernzugang IKE Service
Stopping these services resolved the issue. I think it was probably the IKE Service which was blocking access to some IPSec modules in the OS.
Anyone....?
Could you please provide me the routing table information(Before and after connecting the Forticlient) during the issue?
The routing table does not change during the connection attempt, so I guess it gets stuck before it even reaches this step. The routes are:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.178.1 192.168.178.22 50
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
169.254.0.0 255.255.0.0 On-link 192.168.178.22 51
169.254.0.0 255.255.0.0 On-link 172.17.2.1 36
169.254.0.0 255.255.0.0 On-link 192.168.198.1 36
169.254.255.255 255.255.255.255 On-link 192.168.178.22 306
169.254.255.255 255.255.255.255 On-link 172.17.2.1 291
169.254.255.255 255.255.255.255 On-link 192.168.198.1 291
172.17.2.0 255.255.255.0 On-link 172.17.2.1 291
172.17.2.1 255.255.255.255 On-link 172.17.2.1 291
172.17.2.255 255.255.255.255 On-link 172.17.2.1 291
172.17.3.0 255.255.255.0 On-link 172.17.3.1 291
172.17.3.1 255.255.255.255 On-link 172.17.3.1 291
172.17.3.255 255.255.255.255 On-link 172.17.3.1 291
192.168.111.0 255.255.255.0 On-link 192.168.111.1 291
192.168.111.1 255.255.255.255 On-link 192.168.111.1 291
192.168.111.255 255.255.255.255 On-link 192.168.111.1 291
192.168.178.0 255.255.255.0 On-link 192.168.178.22 306
192.168.178.22 255.255.255.255 On-link 192.168.178.22 306
192.168.178.255 255.255.255.255 On-link 192.168.178.22 306
192.168.198.0 255.255.255.0 On-link 192.168.198.1 291
192.168.198.1 255.255.255.255 On-link 192.168.198.1 291
192.168.198.255 255.255.255.255 On-link 192.168.198.1 291
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.178.22 306
224.0.0.0 240.0.0.0 On-link 172.17.2.1 291
224.0.0.0 240.0.0.0 On-link 172.17.3.1 291
224.0.0.0 240.0.0.0 On-link 192.168.111.1 291
224.0.0.0 240.0.0.0 On-link 192.168.198.1 291
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.178.22 306
255.255.255.255 255.255.255.255 On-link 172.17.2.1 291
255.255.255.255 255.255.255.255 On-link 172.17.3.1 291
255.255.255.255 255.255.255.255 On-link 192.168.111.1 291
255.255.255.255 255.255.255.255 On-link 192.168.198.1 291
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
169.254.0.0 255.255.0.0 172.17.2.1 1
169.254.0.0 255.255.0.0 192.168.178.22 1
169.254.0.0 255.255.0.0 192.168.198.1 1
===========================================================================
Notes:
The following networks are from virtual VMware network devices:
I have also tried to deactivate all VMware interfaces before connecting because I thought they might cause conflicts on the routing table, but result is the same.
//edit:
During connection attempt the error logs keeps showing:
16.05.2022 21:28:43 error ipsecvpn date=2022-05-16 time=21:28:42 logver=1 id=96567 type=securityevent subtype=ipsecvpn eventtype=error level=error uid=D745A960E19C45AE9FDDCA96C5DF107E devid=FCT8003921876807 hostname=mylaptop pcdomain=N/A deviceip=192.168.198.1 devicemac=00-50-56-c0-00-08 site=N/A fctver=7.0.3.0193 fgtserial=FCT8003921876807 emsserial=N/A os="Microsoft Windows 10 Professional Edition, 64-bit (build 19041)" user=MyName msg="loc_ip=192.168.178.22 loc_port=500 rem_ip=xx.xx.xx.xx rem_port=500 out_if=0 vpn_tunnel=TunnelName status=negotiate_error init=local mode=xauth_clinet stage=1 dir=outbound status=failureInitiator: sent xx.xx.xx.xx aggressive mode message #1 (ERROR)" vpntunnel="TunnelName"
Nobody seen this error before? I'm still stuck here trying to get it to work...
Hi Team,
It is an expected behavior, whenever you are trying to establish ipsec vpn only ports 400 and 4500 will be open in that machine and rest of all ports will be blocked
In order to change this behavior
Step 1:
Open FCT, navigate to settings, create a backup of the configuration and make a copy of this file as we will be making some changes.
Step 2:
Edit the XML file > Search for the IPSEC section with keyword <implied_SPDO> for the ISPEC profile that you used and edit the following highlighted value then save the XML file.
Change the <implied_SPDO> to "1" and the <implied_SPDO_timeout> to "60", the value is in second and 60 seconds should be sufficient for the PC to receive the OTP Email before the timeout to block other traffic than the IPSEC traffic. In case the PC takes more than 60 seconds to receive the OTP then you must increase the value from 60 to a higher value.
Once the value is set, save the configuration and restore the config to the FCT. Test it with one user PC and let me know if you face any issues.
For your Reference: https://docs.fortinet.com/document/forticlient/6.2.1/xml-reference-guide/96295/ike-settings
Thank you for your reply. Unfortunately, this didn't help either. I have set <implied_SPDO> to "1" and <implied_SPDO_timeout> to "60" and then imported the config from that XML file again but the error persists. Also, I don't use any MFT or OTP with the IPSec VPN. The config just uses a pre-shared key, username and password. It works perfectly fine in my VM, but keeps getting stuck at "Status: connecting" when trying it directly on my laptop.
The suggestion which i said earlier it is for, you mentioned you are not able to connect to any other service when vpn is connecting.
For the VPN stucking related issue, please get these logs at the time of issue:
diag vpn ike log-filter dst-addr4 a.b.c.d (where a.b.c.d is the public ip of VPN from where they are connecting)
diag debug application ike -1
diag debug enable
Then try connecting to vpn it will generate some logs, please disable the debug by executing this command "diag debug disable"
Please share logs with us for further checking
Are those commands I need to run on my client (where the FortiClient is installed) or on the FortiGate firewall?
On the firewall itself.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1517 | |
1013 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.