Hi,
I have an IPSec VPN setup with our FGT 60 device. It works fine for one country and doesn't connect from another. I haven't applied any geo restrictions on the device and am wondering what could be the reason for such behavior.
Attached are the VPN setup config and interface settings. There is no address object setting for the interface.
Note:
1. I am able to ping the public IP successfully from both locations.
2. I am using the public IP directly as the gateway and there is no name resolution involved.
Any suggestions and advice are appreciated!
Thanks,
Mirza
Does the VPN traffic reach the firewall at all? That would be my first check.
If it does, is it perhaps changed? Can you compare working with not working?
Thanks for the suggestion.
I did a debug and the following is the output. Something seems to be blocked at the client side, I guess.
```
ike 0::1066: peer identifier IPV4_ADDR 192.168.1.6
ike 0: IKEv1 Aggressive, comes 41.232.222.137:500->x.x.x.x 5
ike 0:3750eba12e5ca83d/0000000000000000:1066: negotiation result
ike 0:3750eba12e5ca83d/0000000000000000:1066: proposal id = 1:
ike 0:3750eba12e5ca83d/0000000000000000:1066: protocol id = ISAKMP:
ike 0:3750eba12e5ca83d/0000000000000000:1066: trans_id = KEY_IKE.
ike 0:3750eba12e5ca83d/0000000000000000:1066: encapsulation = IKE/none
ike 0:3750eba12e5ca83d/0000000000000000:1066: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:3750eba12e5ca83d/0000000000000000:1066: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:3750eba12e5ca83d/0000000000000000:1066: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:3750eba12e5ca83d/0000000000000000:1066: type=OAKLEY_GROUP, val=MODP1536.
ike 0:3750eba12e5ca83d/0000000000000000:1066: ISAKMP SA lifetime=86400
ike 0:3750eba12e5ca83d/0000000000000000:1066: SA proposal chosen, matched gateway ABC
ike 0:ABC: created connection: 0x53a13e8 5 x.x.x.x->41.232.222.137:500.
ike 0:ABC: HA L3 state 1/0
ike 0:ABC:1066: DPD negotiated
ike 0:ABC:1066: XAUTHv6 negotiated
ike 0:ABC:1066: peer supports UNITY
ike 0:ABC:1066: enable FortiClient license check
ike 0:ABC:1066: enable FortiClient endpoint compliance check, use 169.254.1.1
ike 0:ABC:1066: selected NAT-T version: RFC 3947
ike 0:ABC:1066: cookie 3750eba12e5ca83d/1019f5d2499829a8
ike 0:ABC:1066: ISAKMP SA 3750eba12e5ca83d/1019f5d2499829a8 key 32:31A2F3B5EA70hshdsg3EDF059232D5
ike 0:ABC:1066: out [hex dump omitted]
ike 0:ABC:1066: sent IKE msg (agg_r1send): x.x.x.x:500->41.232.222.137:500, len=556, id=3750eba12e5ca83d/1019f5d2499829a8
ike 0:ABC:1066: out [hex dump omitted]
ike 0:ABC:1066: sent IKE msg (P1_RETRANSMIT): x.x.x.x:500->41.232.222.137:500, len=556, id=3750eba12e5ca83d/1019f5d2499829a8
ike 0:ABC:1066: out [hex dump omitted]
ike 0:ABC:1066: sent IKE msg (P1_RETRANSMIT): x.x.x.x:500->41.232.222.137:500, len=556, id=3750eba12e5ca83d/1019f5d2499829a8
ike 0:ABC:1066: out [hex dump omitted]
ike 0:ABC:1066: sent IKE msg (P1_RETRANSMIT): x.x.x.x:500->41.232.222.137:500, len=556, id=3750eba12e5ca83d/1019f5d2499829a8
ike 0:ABC:1066: negotiation timeout, deleting
ike 0:ABC: connection expiring due to phase1 down
ike 0:ABC: deleting
ike 0:ABC: deleted
```
Looks that way, the client doesn't receive the reply? You could check that with Wireshark or such.
You could also have a look at SSLVPN, based on SSL and not IPsec.
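
The pattern in the debug output above (a reply sent as `agg_r1send`, repeated as `P1_RETRANSMIT`, then `negotiation timeout`) can be picked out of a longer log per session. This is an added example, not part of the thread and not Fortinet tooling; the function name `diagnose`, the sample log and the `198.51.100.7` peer are constructed, and the parsing assumes the line format shown in the post.

```python
import re

# Constructed sample in the format of the thread's debug output: session 1066
# repeats the failing pattern, session 1067 (documentation address) does not.
SAMPLE = """\
ike 0: IKEv1 Aggressive, comes 41.232.222.137:500->x.x.x.x 5
ike 0:ABC:1066: selected NAT-T version: RFC 3947
ike 0:ABC:1066: sent IKE msg (agg_r1send): x.x.x.x:500->41.232.222.137:500, len=556, id=3750eba12e5ca83d/1019f5d2499829a8
ike 0:ABC:1066: sent IKE msg (P1_RETRANSMIT): x.x.x.x:500->41.232.222.137:500, len=556, id=3750eba12e5ca83d/1019f5d2499829a8
ike 0:ABC:1067: sent IKE msg (agg_r1send): x.x.x.x:500->198.51.100.7:500, len=556, id=aaaaaaaaaaaaaaaa/bbbbbbbbbbbbbbbb
ike 0:ABC:1066: sent IKE msg (P1_RETRANSMIT): x.x.x.x:500->41.232.222.137:500, len=556, id=3750eba12e5ca83d/1019f5d2499829a8
ike 0:ABC:1066: negotiation timeout, deleting
"""

SESSION_RE = re.compile(r"^ike \d+:(\w+:\d+): (.*)$")   # gateway:session prefix
SENT_RE = re.compile(r"sent IKE msg \((\w+)\): \S+->([\d.]+):(\d+)")

def diagnose(log_text):
    """Summarise each gateway:session in an IKE debug log and flag phase 1 timeouts."""
    sessions = {}
    for line in log_text.splitlines():
        m = SESSION_RE.match(line.strip())
        if not m:
            continue  # lines without a gateway:session prefix carry no session state
        s = sessions.setdefault(
            m.group(1), {"peer": None, "sent": [], "nat_t": False, "timeout": False})
        msg = m.group(2)
        sent = SENT_RE.search(msg)
        if sent:
            s["peer"] = sent.group(2)
            s["sent"].append(sent.group(1))
        s["nat_t"] |= msg.startswith("selected NAT-T version")
        s["timeout"] |= msg.startswith("negotiation timeout")
    for s in sessions.values():
        s["retransmits"] = s["sent"].count("P1_RETRANSMIT")
        # Responder replied, repeated itself, then gave up: nothing valid came back.
        s["unanswered"] = s["timeout"] and s["retransmits"] > 0
        # With NAT-T (RFC 3947) the peer's next message may arrive on UDP 4500.
        ports = "UDP 500 and UDP 4500" if s["nat_t"] else "UDP 500"
        s["check"] = f"capture {ports} at {s['peer']}" if s["unanswered"] else None
    return sessions

if __name__ == "__main__":
    for name, s in diagnose(SAMPLE).items():
        print(name, s["peer"], s["retransmits"], s["unanswered"], s["check"])
```

A session flagged `unanswered` matches what the reply above suggests verifying with a packet capture on the client side.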