Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FortiClient IPSec VPN kills all network connection...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiClient IPSec VPN kills all network connections
Hi all,
I am trying to get my FortiClient IPSec VPN working, but so far without success. I'm using FortiClient 7.0.3.0193 on Windows 10. I have configured the IPSec connection the way the firewall admin told me, but everytime I click on connect it just gets stuck forever at "Status: connecting" without establishing the connection. At the same time, the client kills almost all IPv4 and IPv6 connections from/to my laptop, so I lose all network connectivity until I click on disconnect. The only connection on my laptop that remains online and pingable during the connection phase is the link-local IPv6 address. All other outgoing and incoming pings from and to my machine fail, but as soon as I click disconnect all addresses are pingable and the system goes online again.
At first I thought it was a problem with the credentials so I tested it with identical setting in a Windows 10 VM and there it works perfectly fine. VPN gets established and internet connection remains functional.
What am I missing? I'm thinking it could be some sort of routing issue, perhaps...?
//edit:
I just noticed that the problem only exists when the laptop is connected to my home WiFi. When I connected to my iPhone hotspot instead, it worked immediately. However, the VM I used for testing (mentioned above) is running on the same laptop, so technically it uses the same internet gateway (meaning that it can not be an issue with the router).
Solved! Go to Solution.
Labels:
- Labels:
-
FortiClient
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Update on this. Together with my FortiGate Admin we were able to find and resolve the issue. It was caused by a running service from another VPN client I had installed on my laptop (AVM FRITZ!Box). This client installs 3 services in Windows which are always running even when the client itself is terminated:
AVM FRITZ!Fernzugang Cert Service
AVM FRITZ!Fernzugang Client
AVM FRITZ!Fernzugang IKE Service
Stopping these services resolved the issue. I think it was probably the IKE Service which was blocking access to some IPSec modules in the OS.
13 REPLIES 13
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Anyone....?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you please provide me the routing table information(Before and after connecting the Forticlient) during the issue?
Best regards,
ARUNKUMAR.R.
ARUNKUMAR.R.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The routing table does not change during the connection attempt, so I guess it gets stuck before it even reaches this step. The routes are:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.178.1 192.168.178.22 50
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
169.254.0.0 255.255.0.0 On-link 192.168.178.22 51
169.254.0.0 255.255.0.0 On-link 172.17.2.1 36
169.254.0.0 255.255.0.0 On-link 192.168.198.1 36
169.254.255.255 255.255.255.255 On-link 192.168.178.22 306
169.254.255.255 255.255.255.255 On-link 172.17.2.1 291
169.254.255.255 255.255.255.255 On-link 192.168.198.1 291
172.17.2.0 255.255.255.0 On-link 172.17.2.1 291
172.17.2.1 255.255.255.255 On-link 172.17.2.1 291
172.17.2.255 255.255.255.255 On-link 172.17.2.1 291
172.17.3.0 255.255.255.0 On-link 172.17.3.1 291
172.17.3.1 255.255.255.255 On-link 172.17.3.1 291
172.17.3.255 255.255.255.255 On-link 172.17.3.1 291
192.168.111.0 255.255.255.0 On-link 192.168.111.1 291
192.168.111.1 255.255.255.255 On-link 192.168.111.1 291
192.168.111.255 255.255.255.255 On-link 192.168.111.1 291
192.168.178.0 255.255.255.0 On-link 192.168.178.22 306
192.168.178.22 255.255.255.255 On-link 192.168.178.22 306
192.168.178.255 255.255.255.255 On-link 192.168.178.22 306
192.168.198.0 255.255.255.0 On-link 192.168.198.1 291
192.168.198.1 255.255.255.255 On-link 192.168.198.1 291
192.168.198.255 255.255.255.255 On-link 192.168.198.1 291
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.178.22 306
224.0.0.0 240.0.0.0 On-link 172.17.2.1 291
224.0.0.0 240.0.0.0 On-link 172.17.3.1 291
224.0.0.0 240.0.0.0 On-link 192.168.111.1 291
224.0.0.0 240.0.0.0 On-link 192.168.198.1 291
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.178.22 306
255.255.255.255 255.255.255.255 On-link 172.17.2.1 291
255.255.255.255 255.255.255.255 On-link 172.17.3.1 291
255.255.255.255 255.255.255.255 On-link 192.168.111.1 291
255.255.255.255 255.255.255.255 On-link 192.168.198.1 291
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
169.254.0.0 255.255.0.0 172.17.2.1 1
169.254.0.0 255.255.0.0 192.168.178.22 1
169.254.0.0 255.255.0.0 192.168.198.1 1
===========================================================================
Notes:
- 192.168.178.1 is the default gateway (my router)
- 192.168.178.22 is my laptop's address
The following networks are from virtual VMware network devices:
- 172.17.2.0/24
- 172.17.3.0/24
- 192.168.111.0/24
- 192.168.198.0/24
I have also tried to deactivate all VMware interfaces before connecting because I thought they might cause conflicts on the routing table, but result is the same.
//edit:
During connection attempt the error logs keeps showing:
16.05.2022 21:28:43 error ipsecvpn date=2022-05-16 time=21:28:42 logver=1 id=96567 type=securityevent subtype=ipsecvpn eventtype=error level=error uid=D745A960E19C45AE9FDDCA96C5DF107E devid=FCT8003921876807 hostname=mylaptop pcdomain=N/A deviceip=192.168.198.1 devicemac=00-50-56-c0-00-08 site=N/A fctver=7.0.3.0193 fgtserial=FCT8003921876807 emsserial=N/A os="Microsoft Windows 10 Professional Edition, 64-bit (build 19041)" user=MyName msg="loc_ip=192.168.178.22 loc_port=500 rem_ip=xx.xx.xx.xx rem_port=500 out_if=0 vpn_tunnel=TunnelName status=negotiate_error init=local mode=xauth_clinet stage=1 dir=outbound status=failureInitiator: sent xx.xx.xx.xx aggressive mode message #1 (ERROR)" vpntunnel="TunnelName"Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nobody seen this error before? I'm still stuck here trying to get it to work...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Team,
It is an expected behavior, whenever you are trying to establish ipsec vpn only ports 400 and 4500 will be open in that machine and rest of all ports will be blocked
In order to change this behavior
Step 1:
Open FCT, navigate to settings, create a backup of the configuration and make a copy of this file as we will be making some changes.
Step 2:
Edit the XML file > Search for the IPSEC section with keyword <implied_SPDO> for the ISPEC profile that you used and edit the following highlighted value then save the XML file.
Change the <implied_SPDO> to "1" and the <implied_SPDO_timeout> to "60", the value is in second and 60 seconds should be sufficient for the PC to receive the OTP Email before the timeout to block other traffic than the IPSEC traffic. In case the PC takes more than 60 seconds to receive the OTP then you must increase the value from 60 to a higher value.
Once the value is set, save the configuration and restore the config to the FCT. Test it with one user PC and let me know if you face any issues.
For your Reference: https://docs.fortinet.com/document/forticlient/6.2.1/xml-reference-guide/96295/ike-settings
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your reply. Unfortunately, this didn't help either. I have set <implied_SPDO> to "1" and <implied_SPDO_timeout> to "60" and then imported the config from that XML file again but the error persists. Also, I don't use any MFT or OTP with the IPSec VPN. The config just uses a pre-shared key, username and password. It works perfectly fine in my VM, but keeps getting stuck at "Status: connecting" when trying it directly on my laptop.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The suggestion which i said earlier it is for, you mentioned you are not able to connect to any other service when vpn is connecting.
For the VPN stucking related issue, please get these logs at the time of issue:
diag vpn ike log-filter dst-addr4 a.b.c.d (where a.b.c.d is the public ip of VPN from where they are connecting)
diag debug application ike -1
diag debug enable
Then try connecting to vpn it will generate some logs, please disable the debug by executing this command "diag debug disable"
Please share logs with us for further checking
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are those commands I need to run on my client (where the FortiClient is installed) or on the FortiGate firewall?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
On the firewall itself.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
Labels
-
FortiGate
8,504 -
FortiClient
1,722 -
5.2
801 -
FortiManager
715 -
5.4
639 -
FortiAnalyzer
548 -
Fortiswitch
460 -
FortiAP
460 -
6.0
416 -
FortiClient EMS
411 -
5.6
362 -
FortiMail
310 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
223 -
FortiWeb
200 -
5.0
196 -
IPsec
188 -
FortiNAC
180 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
76 -
Firewall policy
71 -
4.0MR3
64 -
FortiProxy
59 -
High Availability
54 -
Fortivoice
53 -
FortiADC
53 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
Routing
40 -
DNS
40 -
BGP
39 -
LDAP
39 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
27 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
24 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
SSL SSH inspection
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
Fortinet Engage Partner Program
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1662 | |
| 1077 | |
| 752 | |
| 446 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.