Hello,
I've tried my hardest to get this up and running but I'm not sure what I'm doing wrong, so now I've come for help.
Recently upgraded from Juniper NS5GT in our main office to a FortiGate 80C. Have a really small remote office with 2 users that were able to connect to the NS5GT device using a DLINK DIR-330, but now after moving to the FortiGate I can't get the DIR-330 to connect to a VPN tunnel.
Info:
Remote Office
WAN IP: Dynamic
Internal LAN: 192.168.8.0/24
Router: DLINK DIR-330
Main Office
WAN IP: Static (1.1.1.1)
Internal LAN: 192.168.1.0/24
Router: Fortigate 80C
On the FortiGate I'm running 4.0 MR3 and have created Auto Key (IKE) P1/2 proposals.
If you'd like, please check my settings; you can see this link for screenshots: http://www.mediafire.com/?j9sz9mkgf0x7j
IPSEC_P1 and P2 are from the FortiGate and the DIR files are from the DIR-330.
In the Firewall I've set up a policy to have source interface/zone be "internal" (192.168.1.0) and source address of Internal.LAN (192.168.1.x address entry) with destination interface/zone of WAN2 and destination address of "REMOTE.SITE" (192.168.8.x) address book entry with a schedule of "always" - service "any" - action "IPSEC" and the VPN Tunnel has been selected as my P1 for this tunnel. Allowing inbound and outbound. And this policy is on top in group view.
Here's a portion of the ipsec debug I have going on that I don't understand:
ike 0:BOStoRIp1:2574:31191: peer proposal is: peer:0:192.168.8.0-192.168.8.255:0, me:0:192.168.1.0-192.168.1.255:0
ike 0:BOStoRIp1:2574:BOStoRIp2:31191: trying
ike 0:BOStoRIp1:2574:31191: specified selectors mismatch
ike 0:BOStoRIp1:2574:31191: peer: type=7/7, local=0:192.168.1.0-192.168.1.255:0, remote=0:192.168.8.0-192.168.8.255:0
ike 0:BOStoRIp1:2574:31191: mine: type=7/7, local=0:0.0.0.0-255.255.255.255:0, remote=0:0.0.0.0-255.255.255.255:0
ike 0:BOStoRIp1:2574:31191: no matching phase2 found
ike 0:BOStoRIp1:2574:31191: failed to get responder proposal
ike 0:BOStoRIp1:2574: error processing quick-mode message from 108.34.154.31 as responder
ike 0:BOStoRIp1:BOStoRIp2: IPsec SA connect 3 1.1.1.1->x.x.x.x(DHCP):500 **this line shows actual IP addresses correctly**
ike 0:BOStoRIp1: using existing connection, dpd_fail=0
ike 0:BOStoRIp1:BOStoRIp2: config found
ike 0:BOStoRIp1:2573:BOStoRIp2:31188: quick-mode negotiation failed due to retry timeout
Thank you in advance for any help you may provide.
-Amor
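
Added example, not part of the original post: a small Python parser that reads the "peer:" and "mine:" selector lines from the IKE debug above and reports, as CIDR blocks, which quick-mode selectors differ between the two sides. The function names are hypothetical, chosen for this illustration; the two sample lines are copied from the debug output in the post.

```python
import ipaddress
import re

# Two lines copied from the debug output in the post above.
SAMPLE = """\
ike 0:BOStoRIp1:2574:31191: peer: type=7/7, local=0:192.168.1.0-192.168.1.255:0, remote=0:192.168.8.0-192.168.8.255:0
ike 0:BOStoRIp1:2574:31191: mine: type=7/7, local=0:0.0.0.0-255.255.255.255:0, remote=0:0.0.0.0-255.255.255.255:0
"""

# The numbers before and after each address range are matched and ignored.
LINE_RE = re.compile(
    r"(?P<side>peer|mine): type=\d+/\d+, "
    r"local=\d+:(?P<l0>[\d.]+)-(?P<l1>[\d.]+):\d+, "
    r"remote=\d+:(?P<r0>[\d.]+)-(?P<r1>[\d.]+):\d+"
)

def to_cidrs(first, last):
    """Collapse an inclusive IPv4 address range into a list of CIDR strings."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [str(n) for n in nets]

def parse_selectors(log):
    """Return {'peer': {...}, 'mine': {...}} with local/remote CIDR lists."""
    out = {}
    for m in LINE_RE.finditer(log):
        out[m["side"]] = {
            "local": to_cidrs(m["l0"], m["l1"]),
            "remote": to_cidrs(m["r0"], m["r1"]),
        }
    return out

def mismatches(log):
    """List (field, peer_value, mine_value) for selectors that differ."""
    sel = parse_selectors(log)
    if "peer" not in sel or "mine" not in sel:
        return []  # one side missing from the capture: nothing to compare
    return [(f, sel["peer"][f], sel["mine"][f])
            for f in ("local", "remote") if sel["peer"][f] != sel["mine"][f]]

if __name__ == "__main__":
    for field, peer, mine in mismatches(SAMPLE):
        print(f"{field}: peer proposes {peer}, local phase 2 has {mine}")
```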