Tried with both versions 6.0.1 and 6.0.2. Both fail with IPSec VPN connections. Only 6.0.0 works.
Grabbing logs from the receiving fortigate always returns:
ike 0:FC-IPSec:276457: parse error ike 0:FC-IPSec:276457: probable pre-shared secret mismatch
Even after changing the PSK on the FG and the FCT, it still shows this error in a debug. Reverting to 6.0.0 fixes the issue.
Hi
Just share both configs; it will be helpful for us to support you. It may be a config issue. Did you enable Mode_cfg on both Gateway and Client? Also match the P1 and P2 proposals.
FG SRA IPSec conf:
config vpn ipsec phase1-interface
    edit "FC-IPSec"
        set type dynamic
        set interface "wan1"
        set peertype any
        set mode-cfg enable
        set ipv4-dns-server1 xxx
        set ipv4-dns-server2 xxx
        set proposal aes128-sha256 aes256-sha256
        set npu-offload disable
        set xauthtype auto
        set authusrgrp "IT-VPN"
        set idle-timeout enable
        set idle-timeoutinterval 10
        set ipv4-start-ip 10.133.7.100
        set ipv4-end-ip 10.133.7.150
        set ipv4-split-include "FC-IPSec_split"
        set psksecret xxx
    next
end

config vpn ipsec phase2-interface
    edit "FC-IPSec"
        set phase1name "FC-IPSec"
        set proposal aes128-sha256 aes256-sha256
        set pfs enable
        set dhgrp 14
        set replay enable
        set keepalive disable
        set add-route phase1
        set auto-discovery-sender phase1
        set auto-discovery-forwarder phase1
        set keylife-type seconds
        set single-source disable
        set route-overlap use-new
        set encapsulation tunnel-mode
        set comments ''
        set protocol 0
        set src-addr-type subnet
        set src-port 0
        set dst-addr-type subnet
        set dst-port 0
        set keylifeseconds 43200
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
The VPN settings are actually pushed down by EMS onto the clients but for testing of the new clients I manually install the latest versions before I will have users upgrade.
FCT VPN settings:
These are identical across all versions 6.0.0 and above; as I said, they are pushed out by an EMS profile. But 6.0.1 and 6.0.2 give errors of probable preshared key mismatch. After reverting to 6.0.0 the PSK mismatch goes away.
Hi,
IPSEC configuration looks fine, and the image is missing; please upload the FortiClient conf.
EMS doesn't allow me to pull the config, and it's a pain to change and push the profile. Here's a screen capture.
Hi
Config looks fine. I hope the FGT device mode is main mode, since the client mode is set to main.
Yes, the FGT (200E 6.0.2) is in main mode as well. The IPSec connection works fine on FCT 6.0.0. If I upgrade to 6.0.1 or 6.0.2, the IPSec connection will continually fail stating probable PSK mismatch (these VPN settings are pushed by EMS, so no risk of fat fingering). The connection will only work after downgrading back to 6.0.0.
I think there is no issue in the VPN. I am suspecting some bug in the software or an EMS software compatibility issue with the new FCT version. So I suggest you open a TAC case.
Opened up a TAC case. It was discovered that using more than 1 DH group on the phase 1 proposal was causing the issue (at least in the case of DH group 5 and 14). Removing DH group 14 allowed the FCT VPN connection to succeed.
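The TAC finding above is worth turning into a repeatable check, because the IKE debug output blames the pre-shared key while the actual cause was the phase 1 DH group list. The following is an added example, not code from the thread or from Fortinet: it tokenizes a FortiOS `config vpn ipsec phase1-interface` dump (including the flattened one-line form the forum produced), splits the quoted `ike 0:FC-IPSec:...` debug line into per-gateway messages, and reports whether every gateway blamed for a PSK mismatch offers more than one DH group. The pasted phase 1 block has no `set dhgrp` line, so the checker assumes the FortiOS 6.0 default of `14 5` for a missing line; the sample config and log strings are constructed from the thread with the poster's `xxx` placeholders kept.

```python
import re
from typing import Dict, List

# Constructed sample: the phase1 block pasted in the thread, flattened to one
# line as the forum rendered it, with the poster's xxx placeholders kept.
SAMPLE_CONFIG = (
    'config vpn ipsec phase1-interface edit "FC-IPSec" set type dynamic '
    'set interface "wan1" set peertype any set mode-cfg enable '
    'set proposal aes128-sha256 aes256-sha256 set xauthtype auto '
    'set authusrgrp "IT-VPN" set psksecret xxx next end'
)

# Constructed sample: the IKE debug output quoted in the thread (two messages
# run together on one line).
SAMPLE_IKE_LOG = (
    "ike 0:FC-IPSec:276457: parse error "
    "ike 0:FC-IPSec:276457: probable pre-shared secret mismatch"
)

# Assumption: FortiOS 6.0 uses "14 5" for phase1 dhgrp when the dump contains
# no 'set dhgrp' line ('show' omits values that are still at their default).
DEFAULT_PHASE1_DHGRP = ["14", "5"]

Config = Dict[str, Dict[str, Dict[str, List[str]]]]
KEYWORDS = {"config", "edit", "set", "next", "end"}


def parse_fortios_config(text: str) -> Config:
    """Tokenize FortiOS CLI (config/edit/set/next/end) into
    {table: {entry: {key: [values]}}}. Quoted values keep their spaces.
    Because we tokenize rather than split on lines, indented 'show' output
    and the forum's one-line paste parse identically."""
    tokens = re.findall(r'"[^"]*"|\'[^\']*\'|\S+', text)
    cfg: Config = {}
    table = entry = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "config":
            j = i + 1
            while j < len(tokens) and tokens[j] not in KEYWORDS:
                j += 1
            table = " ".join(tokens[i + 1:j])
            cfg.setdefault(table, {})
            i = j
        elif tok == "edit":
            entry = tokens[i + 1].strip("\"'")
            cfg[table][entry] = {}
            i += 2
        elif tok == "set":
            key = tokens[i + 1]
            j = i + 2
            while j < len(tokens) and tokens[j] not in KEYWORDS:
                j += 1
            cfg[table][entry][key] = [t.strip("\"'") for t in tokens[i + 2:j]]
            i = j
        elif tok == "next":
            entry = None
            i += 1
        else:  # "end"
            table = None
            i += 1
    return cfg


# "ike <idx>:<gateway>:<serial>: <message>", repeated, possibly on one line.
IKE_MSG = re.compile(r"ike \d+:(?P<gateway>[^:]+):\d+: (?P<msg>.+?)(?= ike \d+:|$)", re.M)


def parse_ike_debug(text: str) -> List[Dict[str, str]]:
    """Split 'diagnose debug application ike' output into per-gateway messages."""
    return [m.groupdict() for m in IKE_MSG.finditer(text)]


def triage(config_text: str, ike_log: str) -> List[Dict[str, object]]:
    """For each gateway the IKE log blames for a PSK mismatch, report its phase1
    DH group list and whether it offers more than one group, the condition TAC
    identified in the thread. Gateways absent from the config are reported too."""
    phase1 = parse_fortios_config(config_text).get("vpn ipsec phase1-interface", {})
    blamed = {m["gateway"] for m in parse_ike_debug(ike_log)
              if "pre-shared secret mismatch" in m["msg"]}
    findings: List[Dict[str, object]] = []
    for gw in sorted(blamed):
        attrs = phase1.get(gw)
        if attrs is None:
            findings.append({"gateway": gw, "dhgrp": None, "multiple_dh_groups": False,
                             "note": "gateway not in supplied config"})
            continue
        groups = attrs.get("dhgrp", DEFAULT_PHASE1_DHGRP)
        findings.append({"gateway": gw, "dhgrp": groups,
                         "multiple_dh_groups": len(groups) > 1})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CONFIG, SAMPLE_IKE_LOG):
        print(f)
```

On the thread's own data the checker flags `FC-IPSec` with `dhgrp ['14', '5']`; adding an explicit `set dhgrp 14` to the phase 1 block clears the finding. The thread's fix removed group 14 and kept group 5, but if a single group has to be pinned, group 14 (2048-bit MODP) is the stronger of the two and is what the phase 2 block already uses, so verify client support for it before settling on group 5.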