Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
JTOLvF2
New Contributor II

FortiClient versions >6.0.0 fail IPSec connections

Tried with both versions 6.0.1 and 6.0.2. Both fail with IPSec VPN connections. Only 6.0.0 works.

 

Grabbing logs from the receiving fortigate always returns:

 

ike 0:FC-IPSec:276457: parse error ike 0:FC-IPSec:276457: probable pre-shared secret mismatch

Even after changing the PSK at the FG and the FCT it still shows this error on a debug reverting to 6.0.0 fixes the issue.

 

8 REPLIES 8
Ashik_Sheik
Contributor II

Hi 

 

Just share the both the conf  will helpful for us to support u .may b conf issue.Did you enabled Mode_cfg on both Gateway and Client .Also match the P1 and P2 proposals.

 

Sheik Mahammad Ashik
Sheik Mahammad Ashik
JTOLvF2
New Contributor II

FG SRA IPSec conf:

 

config vpn ipsec phase1-interface     edit "FC-IPSec"         set type dynamic         set interface "wan1"         set peertype any         set mode-cfg enable         set ipv4-dns-server1 xxx         set ipv4-dns-server2 xxx         set proposal aes128-sha256 aes256-sha256         set npu-offload disable         set xauthtype auto         set authusrgrp "IT-VPN"         set idle-timeout enable         set idle-timeoutinterval 10         set ipv4-start-ip 10.133.7.100         set ipv4-end-ip 10.133.7.150         set ipv4-split-include "FC-IPSec_split"         set psksecret xxx     next end

config vpn ipsec phase2-interface     edit "FC-IPSec"         set phase1name "FC-IPSec"         set proposal aes128-sha256 aes256-sha256         set pfs enable         set dhgrp 14         set replay enable         set keepalive disable         set add-route phase1         set auto-discovery-sender phase1         set auto-discovery-forwarder phase1         set keylife-type seconds         set single-source disable         set route-overlap use-new         set encapsulation tunnel-mode         set comments ''         set protocol 0         set src-addr-type subnet         set src-port 0         set dst-addr-type subnet         set dst-port 0         set keylifeseconds 43200         set src-subnet 0.0.0.0 0.0.0.0         set dst-subnet 0.0.0.0 0.0.0.0     next end

 

 

The VPN settings are actually pushed down by EMS onto the clients but for testing of the new clients I manually install the latest versions before I will have users upgrade.

 

FCT VPN settings:

 

 

These are identical between all versions 6.0.0 and above as I said they are pushed out by an EMS profile. But 6.0.1 and 6.0.2 will give errors of probable preshared key mismtach. After reversion to 6.0.0 the PSK mismatch goes away.

Ashik_Sheik

Hi,

 

IPSEC configuration looks fine and the image is missing for please upload forticlient conf.

 

 

Sheik Mahammad Ashik
Sheik Mahammad Ashik
JTOLvF2
New Contributor II

EMS doesn't allow me to pull the config and its a pain to change and push the profile. Here's a screen capture.

 

Ashik_Sheik

Hi

 

Config looks fine.I hope FGT device mode is main mode since client mode set to main .

 

 

Sheik Mahammad Ashik
Sheik Mahammad Ashik
JTOLvF2
New Contributor II

Yes the FGT (200E 6.0.2)is in main mode as well. The IPSec connection works fine on FCT 6.0.0. If I upgrade to 6.0.1 or 6.0.2 the IPSec connection will continually fail stating probable PSK mismatch (these vpn settings are pushed by EMS so no risk of fat fingering). The connection will only work after downgrading back to 6.0.0.

Ashik_Sheik

I think there is no issue in the vpn , i am suspecting some Bug in the software or EMS software compatibility with New FCT version .So I suggest your to open a TAC case .

Sheik Mahammad Ashik
Sheik Mahammad Ashik
JTOLvF2
New Contributor II

Opened up a TAC case. It was discovered that using more than 1 DH group on the phase 1 proposal was causing the issue (at least in the case of DH group 5 and 14). Removing DH group 14 allowed the FCT VPN connection to succeed.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors