Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
cannot use named address for only one selector object set operator error, 5 discard the setting Command fail. Return code 5I assume it means i have to set the dst-name also. would that be the VIP subnet i created for the forticlients? Thanks
Feb 26 13:31:49: Initiator: sent x.x.x.x main mode message #1 (OK) Feb 26 13:31:50: Initiator: sent x.x.x.x main mode message #2 (OK) Feb 26 13:31:50: Initiator: sent x.x.x.x main mode message #3 (OK) Feb 26 13:31:50: Initiator: parsed x.x.x.x main mode message #3 (DONE) Feb 26 13:31:50: Initiator: sent x.x.x.x quick mode message #1 (OK)and
program=ipsec msg=Failed to add vpn gateway x.x.x.x to trusted zone loc_ip=75.246.65.108 loc_port=500 rem_ip=x.x.x.x rem_port=500 out_if=0 vpn_tunnel=manual status=negotiate_error msg=" No response from the peer, retransmit (st=2).... "i setup the phase one in interface mode (left local gateway default), added two firewall policies for the vpn interface and lan interface, and setup a ipsec dhcp server on the vpn interface. i had this working great on policy mode but there has to be something simple im missing with interface mode.
i setup the phase one in interface mode (left local gateway default), added two firewall policies for the vpn interface and lan interface, and setup a ipsec dhcp server on the vpn interface. i had this working great on policy mode but there has to be something simple im missing with interface mode.There' s no support for dhcp over ipsec under fortiOS 3.0 for route/interfase based VPNs You' ve to run fortiOS 4.0 to do that; Could be that an explanation?
regards
/ Abel
edit " LOV_IPSEC_FC_P1" set type dynamic set interface " port1" set ip-version 4 set ike-version 1 set local-gw 0.0.0.0 set localid ' ' set dpd enable set nattraversal enable set dhgrp 5 set proposal 3des-sha1 aes128-sha1 set keylife 28800 set authmethod psk set peertype any set xauthtype disable set mode main set mode-cfg disable set default-gw 0.0.0.0 set default-gw-priority 0 set dpd-retrycount 3 set dpd-retryinterval 5 set psksecret ENC xxxxxxxxx set keepalive 10 set distance 1 set priority 0
edit " LOV_IPSEC_FC_P2" set dst-addr-type subnet set dst-port 0 set keepalive disable set keylife-type seconds set pfs enable set phase1name " LOV_IPSEC_FC_P1" set proposal 3des-sha1 aes128-sha1 set protocol 0 set replay enable set route-overlap use-new set single-source disable set src-addr-type subnet set src-port 0 set dhcp-ipsec enable set dhgrp 5 set dst-subnet 0.0.0.0 0.0.0.0 set keylifeseconds 1800 set src-subnet 0.0.0.0 0.0.0.0 nexttwo firewall rules
set srcintf " LOV_CORP" set dstintf " LOV_IPSEC_FC_P1" set srcaddr " LOV_VPN_DESTINATION_NETWORKS" set dstaddr " LOV_IPSEC_CLIENT_SUBNET" set action accept set status enable set logtraffic disable set per-ip-shaper ' ' set session-ttl 0 set wccp disable set disclaimer disable set natip 0.0.0.0 0.0.0.0 set match-vip disable set diffserv-forward disable set diffserv-reverse disable set tcp-mss-sender 0 set tcp-mss-receiver 0 set comments ' ' set endpoint-check disable set label ' ' set identity-based disable set schedule " always" set service " ANY" set profile-status disable set traffic-shaper ' ' set nat disable
set srcintf " LOV_IPSEC_FC_P1" set dstintf " LOV_CORP" set srcaddr " all" set dstaddr " all" set action accept set status enable set logtraffic disable set per-ip-shaper ' ' set ippool disable set session-ttl 0 set wccp disable set disclaimer disable set natip 0.0.0.0 0.0.0.0 set match-vip disable set diffserv-forward disable set diffserv-reverse disable set tcp-mss-sender 0 set tcp-mss-receiver 0 set comments ' ' set endpoint-check disable set label ' ' set identity-based disable set schedule " always" set service " ANY" set profile-status disable set traffic-shaper ' ' set nat enable set fixedport disableand dhcp server
set conflicted-ip-timeout 1800 set default-gateway 0.0.0.0 set dns-server1 0.0.0.0 set dns-server2 0.0.0.0 set dns-server3 0.0.0.0 set domain ' ' set enable enable set interface " LOV_IPSEC_FC_P1" set lease-time 86400 set netmask 255.255.255.128 set option1 0 set option2 0 set option3 0 set server-type ipsec set wins-server1 0.0.0.0 set wins-server2 0.0.0.0 set end-ip 10.0.98.254 set ip-mode range set ipsec-lease-hold 0 set start-ip 10.0.98.129
regards
/ Abel
ORIGINAL: abelio configure your forticlient for " obtain IP from DHCP server over ipsec" , no manual vip and re-check your firewall policy srcaddr/dstaddr settings; not seem very consistent with each other. Replace it for ' all' and retrywell i have tried all/all in both directions and set the client for dhcp and manual. no combination has worked.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1713 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.