Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Fjordmonkey
New Contributor

IPSec VPN for iOS-issue

Greetings!

I've recently come across a strange issue with two different Fortigate boxes, both running 5.2.2. On both of these, I am unable to connect the built-in client on iOS to the iOS wizard-created IPSec VPNs. On a third box, also running 5.2.2, there is no issue at all, even though all three boxes have their iOS VPNs set up through the wizard and thus exactly the same way (I even checked and followed the tech article and video for setting this up, as I'm a bit of a noob).

The only major difference is that the two Fortigates that will not accept connections to the iOS tunnel already have IPSec VPNs on them. One box has a site-to-site tunnel on it, the other has a FortiClient dial-up tunnel. Both also have SSL VPNs for FortiClient.

Tried to google this as much as possible but have been unable to find a solution or even someone that has the same type of issue. Thus I turn to you :)

Anyone able to shed some light on the issue or point me in the correct direction?

Regards

Marius Sparby, aka Fjordmonkey

Fortigate-noob extraordinaire
13 Replies
jtfinley
Contributor

Ok, so I moved a little forward. Was able to connect; however, zero traffic passes (traffic count increments, but no response) and I'm assuming it's due to no route.

Converted the IOS_VPN to CUSTOM.

Under Phase 1:

  • Disabled NAT Traversal
  • Disabled DPD
  • Set IKE Mode to Aggressive

The problem now: I cannot create a static route, as the IOS_VPN interface is not listed even though it's set as Interface Mode. Added a couple of PBRs and the IOS_VPN interface is available there, but no traffic, even though the policy shows count increments.

jtfinley
Contributor

Well, I can testify @Fjordmonkey is correct in his/her findings. I have (2) Fortigate 90D. One was upgraded to 5.2.3, the other format flash, tftp 5.2.3. The upgraded IOS VPN will not work, the flash from scratch does. Anyone else see why this is an issue?

Fjordmonkey

jtfinley wrote:

Well, I can testify @Fjordmonkey is correct in his/her findings. I have (2) Fortigate 90D. One was upgraded to 5.2.3, the other format flash, tftp 5.2.3. The upgraded IOS VPN will not work, the flash from scratch does. Anyone else see why this is an issue?

@jtfinley: Glad to see that others have the same weird issue, even though it's seriously annoying.

I'll issue a techbrief in our internal systems that for the time being, NO upgrades to 5.2.3 are to be done without a complete flash from scratch.

Now to find out why SIP traffic over a VPN link disconnects after 32 seconds, heh...

Regards

Marius Sparby, aka Fjordmonkey

Fortigate-noob extraordinaire
jtfinley
Contributor

@Fjordmonkey - well, determined to find the answer to this issue, working with TAC - now resolved.

We enabled NAT-Traversal and it worked.

(SWEAR - I did this, but tried multiple combinations and may have ticked it off while testing. It depends on your ISP if they're using NAT in their routing, is what Fortinet TAC stated.) So if in doubt, turn on NAT-Traversal.

The IPSEC Dial-up user option removed the need for a static route to be inserted.
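For readers who want to see what the resolution above looks like in the CLI, here is a FortiOS 5.2-style dial-up phase1-interface with the three settings this thread toggled (NAT-Traversal, DPD, IKE mode), plus the diagnose commands for confirming that NAT was detected for the client. This is an added illustration, not config from the posters' boxes; the interface name "wan1", the user group "iOS_Users", the address pool and the PSK placeholder are assumed.

```fortios
# Added example (not from the thread). "wan1", "iOS_Users", the 10.10.200.x
# pool and the PSK placeholder are assumed values; replace them for your site.
config vpn ipsec phase1-interface
    edit "IOS_VPN"
        # dial-up: any peer, no static remote gateway
        set type dynamic
        set interface "wan1"
        # the iOS native client with a PSK negotiates in aggressive mode; note
        # that aggressive mode sends a hash derived from the PSK in phase 1, so
        # a short or guessable PSK can be attacked offline - use a long random one
        set mode aggressive
        set peertype any
        # push a client address from the pool so no static route is needed
        set mode-cfg enable
        set ipv4-start-ip 10.10.200.1
        set ipv4-end-ip 10.10.200.50
        set proposal aes256-sha256 aes128-sha1
        # dead-peer detection; turning it off only hides a stuck tunnel
        set dpd enable
        # the fix TAC gave: a phone behind carrier or home NAT cannot carry raw
        # ESP (IP protocol 50). With NAT-T on, IKE detects the NAT and ESP is
        # wrapped in UDP/4500, which the NAT can forward. The counters increment
        # with no reply when ESP leaves the FortiGate but never reaches the client.
        set nattraversal enable
        # XAuth adds a per-user login on top of the shared PSK
        set xauthtype auto
        set authusrgrp "iOS_Users"
        set psksecret <REPLACE_WITH_LONG_RANDOM_PSK>
    next
end

# Verification after a client connects (replace with the client's public IP).
# In the IKE debug, look for the NAT detection line in the phase 1 exchange;
# then check that both encrypted and decrypted packet counters increase.
diagnose vpn ike log-filter dst-addr4 <client-public-ip>
diagnose debug application ike -1
diagnose debug enable
diagnose vpn tunnel list name IOS_VPN
diagnose debug disable
```

If the tunnel list shows the client's address as a NAT-ed UDP/4500 endpoint while packets still only flow one way, the remaining suspects are the firewall policy from the IOS_VPN interface and the client address pool not being reachable from the internal subnet.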
