Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: IPsec Dial-Up VPN won't connect after FW updat...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IPsec Dial-Up VPN won't connect after FW update
I have a FGT40F (behind NAT) at a remote office and a FGT61F at my home office with an IPsec tunnel between them. Both were on 7.4.3 and all good. I updated the 40F to 7.4.4 and now the IPsec VPN will not connect. I rebooted both ends and tried to enter a new key and still no luck.
I then rolled the 40F back to 7.4.3 and loaded the config back onto it and it still won't connect. I've read about a new FW version changing something that affects VPN but I have not been able to tie that to my situation.
Thanks for any help.
Solved! Go to Solution.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello rfs3pa,
Could you have a look at this article to see if you are missing any configuration?
Technical Support Engineer,
Anthony.
Anthony.
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @rfs3pa
Have you tried to run some debug commands:
diagnose vpn ike log-filter dst-addr4 <destination-IP>
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable
diagnose vpn ike gateway list name <tunnel-name>
IP Network Engineer
IP Network Engineer
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I ran a packet capture from the remote office unit (the one behind NAT), and I see traffic flowing both directions on port 500 between it and the home office. I ran diagnose debug application ike -1 on both Fortis.
On the home office output there is no mention at all of the tunnel to the remote office.
On the remote office I am seeing this:
ike V=root:0:HomeOffice:659: initiator: main mode get 1st response...
ike V=root:0:HomeOffice:659: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike V=root:0:HomeOffice:659: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike V=root:0:HomeOffice:659: DPD negotiated
ike V=root:0:HomeOffice:659: VID FORTIGATE 8299031757A36082C6A621DE00000000
ike V=root:0:HomeOffice:659: peer is FortiGate/FortiOS (v0 b0)
ike V=root:0:HomeOffice:659: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike V=root:0:HomeOffice:659: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike V=root:0:HomeOffice:659: selected NAT-T version: RFC 3947
ike V=root:0:HomeOffice:659: negotiation result
ike V=root:0:HomeOffice:659: proposal id = 1:
ike V=root:0:HomeOffice:659: protocol id = ISAKMP:
ike V=root:0:HomeOffice:659: trans_id = KEY_IKE.
ike V=root:0:HomeOffice:659: encapsulation = IKE/none
ike V=root:0:HomeOffice:659: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike V=root:0:HomeOffice:659: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike V=root:0:HomeOffice:659: type=AUTH_METHOD, val=PRESHARED_KEY.
ike V=root:0:HomeOffice:659: type=OAKLEY_GROUP, val=MODP2048.
ike V=root:0:HomeOffice:659: ISAKMP SA lifetime=86400
ike 0:HomeOffice:659: out 09C0BDE7F582406B5B564FC5181341D804100200000000000000017C0A000104671E8AB3278439569BF0B6E5ABBB5558DB5F95FA2D5BE059B1E76797D056F303A737B45EA975A565E7663DC446DC29CB620CB3F933F9EF7467084521684F970951D2D6B941D1FD1F3B10617CF011E8493868EA622E53E499A2072E3128F981C78873A13786DAE8ABE211859DBEFCA32C82D7D35D23A46D05A2E1C9033E8BB263ADAA463726EB99E617CB8BBB698071A1FAB0820F0F57DC8B4A5C3883F361ECAC21ED81549FEF47036EFC8CD071982EB1E87E1BA15A6EBEE97AB9E9B745C97A3AAC4525786343C233E49BC1B1064A57041E0F224A97671D457C9DF35DDA73C428E1ECB7E4EBCB198988B6BD0B31F8EDB2FCE48692790EC2984389669063A0E8FE14000014F820E4AD5705EE7FCB8E10ED484D36FD14000024647608ABEF9A0B8038453E50A938467A534D578598444E12DCE0E3F2348C33A6000000248EF72A3FEBE5CE409626F68D8FA21A6C0C3E85FA147F47C9ADF0CA8C3BBF6079
ike V=root:0:HomeOffice:659: sent IKE msg (ident_i2send): 192.168.21.64:500->24.238.61.57:500, len=380, vrf=0, id=09c0bde7f582406b/5b564fc5181341d8
ike V=root:0: comes 24.238.61.57:500->192.168.21.64:500,ifindex=5,vrf=0,len=380....
ike V=root:0: IKEv1 exchange=Identity Protection id=09c0bde7f582406b/5b564fc5181341d8 len=380 vrf=0
ike 0: in 09C0BDE7F582406B5B564FC5181341D804100200000000000000017C0A000104D15E9B1849A4BF274821A2E2554E21E20EB30941476E9F6192B69294A3465EC1C574579F6A892C7C6A9A83B77F1D1879EE92FAF33516815D284BDD8968D4D9FC4A42A2617C79AFD2512BAE22FB2EDEBB1E0C49CECFC4D1700F9BB2F2D5972F38983F46878D244923A59774BB6F50A8B9885FDCC1FAF87254EA1E943188F9BA1E648E3D35193E3C1606880C1F0DE415C6A709FBFCA1A094ADBAA0AE634B2A29CB125FAC84270A2BE77BB334C904A50835F6EB608ABEB7EA2D68639CE70511A1C9523AED428C242EA7D991AA2DB7984A1B50A680FFAA1484D89D8C69F732A94E1C1E4112D3F166462194202DD1E717DB3F354F88D7C25B787EC3918261922A261D14000014245469C096691BA7A9B6CD3C8A1025F5140000247A186C51DD4E158A5CFB026554648B54D09F70AF7C7DB5D8AC1AE04F574863FF00000024647608ABEF9A0B8038453E50A938467A534D578598444E12DCE0E3F2348C33A6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello rfs3pa,
It looks like it is matching phase1 proposals but it is not getting past that. Could you take a screenshot of you VPN configuration? It may be related to the xAuth and phase2 selectors being used.
Technical Support Engineer,
Anthony.
Anthony.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is the screen from the Home Office Forti. Let me know if you want to see any other sections.
d
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to share remote office config as well.
Thanks
IP Network Engineer
IP Network Engineer
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is the remote office
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello rfs3pa,
Could you have a look at this article to see if you are missing any configuration?
Technical Support Engineer,
Anthony.
Anthony.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks so much for that! I had two DH groups and guess when I upgraded FW I really should have only had one.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiOS 7.4.4 introduced some changes related to VPN, including stricter handling of NAT-T (NAT Traversal) and new IPsec settings.
These might be causing issues with your tunnel, especially since one of your FortiGates is behind NAT. Make sure that NAT-T is enabled on both ends of the tunnel.
When you rolled back to 7.4.3, you may have restored the config, but certain settings from 7.4.4 could have affected the tunnel. Double-check the following:
Ensure that the encryption algorithms, Diffie-Hellman groups, and key lifetimes match on both sides.
Verify that the local and remote subnets are still correctly defined and matching on both firewalls.
Ensure both FortiGates are using the same IKE version (either IKEv1 or IKEv2).
Run debugging commands to check what’s failing in the IPsec negotiation:
On the 40F, run:
diagnose vpn ike log-filter addr <remote IP>
diagnose debug application ike -1
diagnose debug enable
Check the output for any error messages or clues, especially around the IKE negotiation process.
Even after rolling back, there might be some residual settings from 7.4.4 causing issues.
You could try to manually re-enter the IPsec settings (instead of restoring the config) and make sure everything is set correctly for 7.4.3 compatibility.
If you're still on 7.4.3 on the 61F, consider updating both FortiGates to the same firmware version (7.4.4 or 7.4.5).
This can sometimes resolve compatibility issues that appear when different versions are used.
Since the 40F is behind NAT, ensure that the NAT policy is configured correctly.
In some cases, FortiOS changes to NAT handling can break VPN connections, so confirming that NAT-T and the relevant NAT policies are correct is important.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,607 -
FortiClient
1,735 -
5.2
801 -
FortiManager
719 -
5.4
639 -
FortiAnalyzer
552 -
FortiSwitch
468 -
FortiAP
464 -
FortiClient EMS
421 -
6.0
416 -
5.6
362 -
FortiMail
315 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
234 -
Fortiweb
203 -
IPsec
201 -
5.0
196 -
FortiNAC
185 -
FortiGuard
138 -
6.4
128 -
SD-WAN
113 -
FortiGateCloud
102 -
FortiSIEM
98 -
FortiCloud Products
96 -
FortiAuthenticator
94 -
FortiToken
89 -
Customer Service
79 -
Firewall policy
78 -
Wireless Controller
77 -
4.0MR3
64 -
FortiProxy
59 -
High Availability
55 -
Fortivoice
53 -
FortiADC
53 -
FortiEDR
51 -
vlan
51 -
ZTNA
48 -
FortiExtender
45 -
FortiSandbox
44 -
Routing
44 -
FortiDNS
42 -
DNS
42 -
LDAP
41 -
BGP
40 -
Authentication
36 -
FortiGate v5.4
35 -
SAML
35 -
FortiSwitch v6.4
34 -
NAT
34 -
Certificate
34 -
RADIUS
32 -
SSO
31 -
Interface
31 -
FortiLink
29 -
FortiConnect
28 -
FortiWAN
27 -
VDOM
27 -
Web profile
26 -
FortiConverter
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Automation
14 -
Static route
14 -
System settings
14 -
IP address management - IPAM
14 -
snmp
13 -
FortiCASB
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
FortiManager v4.0
10 -
IPS signature
10 -
Security profile
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Proxy policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiGate-VM
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1688 | |
| 1087 | |
| 752 | |
| 446 | |
| 226 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.