Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Anne
New Contributor III

Created on ‎09-02-2013 07:23 PM

IPSec tunnel lAN-to-LAN

Hi there, I have setup a new vpn ipsec tunnel between two fortigates running 5.0.3. SA proposal chosen, matched gateway PROD_VPN_P1 DPD negotiated peer is Fortigate/FortiOS (v5 b208) and then I get the following message in the debugs ike 0:PROD_VPN_P1:2806: remote address a.b.c.d does not match configuration address a.b.y.z, drop Not sure whats happening. Thanks Anne
11110
0 Kudos
1 Solution
dnayak_FTNT
Staff
Staff

Created on ‎06-12-2015 03:52 AM

Hi, 

 

Its possible that a VIP is configured on either of the firewalls for the external public IP on which the IPsec tunnel is terminated. Please check and remove the VIP if any.

 

Regards,

Deepak

View solution in original post

5246
0 Kudos
7 REPLIES 7
Anne
New Contributor III

Created on ‎09-02-2013 08:33 PM

a.b.c.d is the public ip of the local peer and a.b.y.z the public ip of the remote fortigate
5178
0 Kudos
zeki893
New Contributor II

Created on ‎06-10-2015 06:32 PM

I'm having the same problem. The error doesn't make much sense since the remote address is a.b.y.z. but the error says the remote address a.b.c.d.

5178
0 Kudos
dnayak_FTNT
Staff
Staff

Created on ‎06-12-2015 03:52 AM

Hi, 

 

Its possible that a VIP is configured on either of the firewalls for the external public IP on which the IPsec tunnel is terminated. Please check and remove the VIP if any.

 

Regards,

Deepak

5247
0 Kudos
zeki893
New Contributor II
In response to dnayak_FTNT

Created on ‎06-13-2015 08:44 PM

omg your right, an old VIP that I wasn't using was somehow being used for that VPN.

thanks!

5178
0 Kudos
sohrab
New Contributor
In response to zeki893

Created on ‎06-14-2015 02:49 AM

i am facing an issue in site to site ipsec vpn, tunnel is up , and i can access remote LAN. but remote lan can not access me, although the policies which i made for remote lan, in that policy i allowed access for remote lan, but still other party is unable to access my lan, can any body guide me what can be the issue.

thank you in advance.

5178
0 Kudos
emnoc
Esteemed Contributor III

Created on ‎06-14-2015 12:33 PM

The diag debug flow is your 1st command and step in diagnostics. I would execute it and review the output. I would suspect the fwpolicy-id ordering or lack or incorrect route

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
5178
0 Kudos
kenneth_li
New Contributor
In response to emnoc

Created on ‎05-11-2016 08:39 PM

Hi,

 

I meet the error as well , there is a Cisco router 2911 build site to site VPN to fortigate 500D . It's not work and I enable debug on fortigate , I found the error "remote address 218.207.163.181 does not match configuration address 112.5.54.2, drop" . there is nothing VIP config about 218.207.163.181 . IP 112.5.54.2 is router's public IP.

 

BR

Kenneth

5178
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.