alaaelrayes
New Contributor III

IPsec IKE v2 Config

Hi Team,

I have an IPsec IKEv1 remote access tunnel and I need to change it to IKEv2.

After changing it to V2 I couldn't connect to the tunnel; the logs give the warning below:

No response from the peer, phase1 retransmit reaches maximum count

Note that we use FortiAuthenticator with FortiGate.

My config:


set type dynamic
set interface "IPSec"
set ike-version 2
set peertype any
set net-device enable
set mode-cfg enable
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
set dpd on-idle
set idle-timeout enable
set idle-timeoutinterval 60
set ipv4-start-ip 
set ipv4-end-ip 
set ipv4-netmask 
set dns-mode auto
set psksecret


What is the problem?

Thanks,

Muhammad_Haiqal

Hi @alaaelrayes ,

VPN configuration requires "mutual understanding" on both sides.
Each side must match the other.

From my understanding, the change from V1 to V2 only happened on this FortiGate.

This error: "No response from the peer, phase1 retransmit reaches maximum count" may indicate the peer is still using V1.

May I know, did you change it on the peer side too?

 

haiqal
alaaelrayes

VPN client config on that connection is V2 also, as below: [screenshot: V2.JPG]

akristof

Hi,

Encryption does not match. FortiClient has aes128-sha1 and aes256-sha1, but FortiGate accepts aes128-sha256 at least.

Adrian
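The proposal mismatch Adrian points out (client offering aes128-sha1 / aes256-sha1 against a gateway that only lists SHA256-or-better proposals) can be checked mechanically before touching authentication. The script below is an added example written for this thread, not FortiOS or FortiClient code: it parses the `set proposal` line from the posted config into IKEv2 transforms and reports whether the client's list shares anything with it. The client lists are constructed from the reply above and from a hypothetical corrected client profile; the rule that a non-AEAD token such as `aes128-sha256` uses the same hash for integrity and PRF is an assumption documented in the code.

```python
"""Check whether a FortiGate IKEv2 phase1 proposal list has anything in common
with the proposals a client offers.

Added example for this thread; it is not FortiOS or FortiClient code. The
gateway proposal string comes from the config posted above; the "before"
client list is FortiClient's aes128-sha1 / aes256-sha1 as reported in the reply.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Ciphers FortiOS spells with an explicit "-prfshaNNN" suffix because they are
# AEAD and carry no separate integrity transform.
AEAD_CIPHERS = {"aes128gcm", "aes256gcm", "chacha20poly1305"}


@dataclass(frozen=True)
class Proposal:
    cipher: str
    integrity: Optional[str]  # None for AEAD ciphers
    prf: str


def parse_proposal(token: str) -> Proposal:
    """Turn one FortiOS proposal token into its IKEv2 transforms.

    "aes128-sha256"        -> AES-128-CBC, HMAC-SHA256 integrity, SHA256 PRF
    "aes256gcm-prfsha384"  -> AES-256-GCM (AEAD), no integrity, SHA384 PRF
    Assumption (ours, not stated on the page): for non-AEAD tokens the same
    hash serves as integrity algorithm and PRF.
    """
    cipher, sep, suffix = token.partition("-")
    if not sep or not suffix:
        raise ValueError(f"malformed proposal token: {token!r}")
    if cipher in AEAD_CIPHERS:
        if not suffix.startswith("prf"):
            raise ValueError(f"AEAD cipher needs a prf suffix: {token!r}")
        return Proposal(cipher, None, suffix[len("prf"):])
    return Proposal(cipher, suffix, suffix)


def parse_proposal_line(line: str) -> List[Proposal]:
    """Parse a 'set proposal ...' line from a phase1-interface block."""
    m = re.match(r"\s*set proposal\s+(.+?)\s*$", line)
    if not m:
        raise ValueError(f"not a proposal line: {line!r}")
    return [parse_proposal(tok) for tok in m.group(1).split()]


def common_proposals(gateway: List[Proposal], client: List[Proposal]) -> List[Proposal]:
    """Proposals both sides accept, in the gateway's preference order.
    An empty result means IKE_SA_INIT fails before PSK or EAP is ever tried."""
    accepted = set(client)
    return [p for p in gateway if p in accepted]


def report(gateway_line: str, client: List[Proposal]) -> str:
    shared = common_proposals(parse_proposal_line(gateway_line), client)
    if not shared:
        return "no common proposal: phase1 will fail before authentication"
    return "common: " + ", ".join(
        f"{p.cipher}/{p.integrity or 'aead'}/{p.prf}" for p in shared)


# Constructed inputs: the gateway line is copied from the posted config; the
# "before" client list is the one named in the reply, the "after" list is a
# hypothetical corrected client profile.
GATEWAY_LINE = ("set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 "
                "aes256gcm-prfsha384 chacha20poly1305-prfsha256")
CLIENT_BEFORE = [parse_proposal(t) for t in ("aes128-sha1", "aes256-sha1")]
CLIENT_AFTER = [parse_proposal(t) for t in ("aes128-sha1", "aes128-sha256")]

if __name__ == "__main__":
    print(report(GATEWAY_LINE, CLIENT_BEFORE))
    print(report(GATEWAY_LINE, CLIENT_AFTER))
```

Running it prints the "no common proposal" verdict for the original client profile and a single shared `aes128/sha256/sha256` entry for the corrected one; the same check applied to phase2 proposals needs a different token grammar and is not covered here.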
alaaelrayes
New Contributor III

The same issue, as below: [screenshot: V2-edit.JPG]

akristof

Hi,

Then run ike debug. That will show you why it is failing:

diag debug console time en

diag debug app ike -1

diag debug en

 

To disable debug:

diag debug disable

diag debug reset

Adrian
alaaelrayes
New Contributor III

I added the below to the config:

set eap enable
set eap-identity send-request

And the debug error is as below:

2023-05-24 12:05:02.099273 ike 0:ForiVPN-04: connection expiring due to EAP failure
2023-05-24 12:05:02.099280 ike 0:ForiVPN-04: deleting
2023-05-24 12:05:02.099312 ike 0:ForiVPN-04: deleted


And the error below when disabling EAP:

 

2023-05-24 12:21:18.333661 ike 0:ForiVPN-04:5044: peer identifier IPV4_ADDR 10.10.23.153
2023-05-24 12:21:18.333666 ike 0:ForiVPN-04:5044: re-validate gw ID
2023-05-24 12:21:18.333675 ike 0:ForiVPN-04:5044: gw validation failed
2023-05-24 12:21:18.333682 ike 0:ForiVPN-04:5044: schedule delete of IKE SA a72491f0596e0d2f/5979dd2ebd97470f
2023-05-24 12:21:18.333689 ike 0:ForiVPN-04:5044: scheduled delete of IKE SA a72491f0596e0d2f/5979dd2ebd97470f
2023-05-24 12:21:18.333708 ike 0:ForiVPN-04: connection expiring due to phase1 down
2023-05-24 12:21:18.333714 ike 0:ForiVPN-04: deleting
2023-05-24 12:21:18.333721 ike 0:ForiVPN-04: deleted
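The two debug excerpts above fail at different stages (an EAP rejection with EAP on, a gateway-validation failure with EAP off), and the original FortiClient message points at a third (no reply at all). The script below is an added example for this thread, not FortiOS tooling: it parses the `diag debug app ike -1` line format shown above, ties each failure to the last peer identifier seen on that gateway, and maps the messages that appear in this thread to the next thing to check. The sample log is constructed from the excerpts posted here; the message-to-hint table covers only those messages.

```python
"""Triage FortiGate 'diag debug app ike -1' output.

Added example for this thread, not FortiOS code. It parses the line format
shown in the post above and maps the failure messages seen there to the next
troubleshooting step. The sample lines are constructed from the log excerpts
in this thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# 2023-05-24 12:21:18.333661 ike 0:ForiVPN-04:5044: gw validation failed
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) ike "
    r"(?P<vdom>\d+):(?P<gw>[^:]+)(?::(?P<conn>\d+))?: (?P<msg>.*)$"
)
PEER_RE = re.compile(r"peer identifier (?P<idtype>\S+) (?P<value>\S+)")

# Message fragments seen in this thread -> (code, what to check next).
DIAGNOSES: List[Tuple[str, str, str]] = [
    ("connection expiring due to EAP failure", "eap_failure",
     "EAP rejected: validate the user group / RADIUS path with a local user first"),
    ("gw validation failed", "gw_validation_failed",
     "peer ID matched no gateway: check peer ID, peertype and whether EAP is expected"),
    ("phase1 retransmit reaches maximum count", "phase1_no_response",
     "peer never answered: check UDP 500/4500 reachability and that both sides use IKEv2"),
]


@dataclass
class Finding:
    ts: str
    gateway: str
    conn: Optional[str]
    code: str
    hint: str
    peer: Optional[str]  # last peer identifier seen on this gateway, if any


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one debug line into timestamp, vdom, gateway, connection id, message."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def diagnose(msg: str) -> Optional[Tuple[str, str]]:
    for fragment, code, hint in DIAGNOSES:
        if fragment in msg:
            return code, hint
    return None


def triage(lines: List[str]) -> List[Finding]:
    """Walk the log once, remembering the last peer identifier per gateway so
    each failure can be tied to the client that triggered it."""
    last_peer: Dict[str, str] = {}
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        gw, msg = rec["gw"] or "", rec["msg"] or ""
        peer = PEER_RE.search(msg)
        if peer:
            last_peer[gw] = peer.group("value")
        d = diagnose(msg)
        if d:
            findings.append(Finding(rec["ts"] or "", gw, rec["conn"], d[0], d[1], last_peer.get(gw)))
    return findings


# Constructed sample: the two excerpts posted in this thread, in order.
SAMPLE_LOG = [
    "2023-05-24 12:05:02.099273 ike 0:ForiVPN-04: connection expiring due to EAP failure",
    "2023-05-24 12:05:02.099280 ike 0:ForiVPN-04: deleting",
    "2023-05-24 12:05:02.099312 ike 0:ForiVPN-04: deleted",
    "2023-05-24 12:21:18.333661 ike 0:ForiVPN-04:5044: peer identifier IPV4_ADDR 10.10.23.153",
    "2023-05-24 12:21:18.333666 ike 0:ForiVPN-04:5044: re-validate gw ID",
    "2023-05-24 12:21:18.333675 ike 0:ForiVPN-04:5044: gw validation failed",
    "2023-05-24 12:21:18.333682 ike 0:ForiVPN-04:5044: schedule delete of IKE SA a72491f0596e0d2f/5979dd2ebd97470f",
    "2023-05-24 12:21:18.333708 ike 0:ForiVPN-04: connection expiring due to phase1 down",
    "2023-05-24 12:21:18.333714 ike 0:ForiVPN-04: deleting",
    "2023-05-24 12:21:18.333721 ike 0:ForiVPN-04: deleted",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts} {f.gateway} conn={f.conn} peer={f.peer} {f.code}: {f.hint}")
```

On the sample it yields two findings: the EAP failure with no peer identifier recorded (the first excerpt never printed one) and the gateway-validation failure attributed to 10.10.23.153 on connection 5044. Feed it the full debug capture rather than an excerpt so the peer identifier is seen before the failure line.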

akristof

This is not saying much. Try to use a user group with a local user account, for a start. Try to authenticate with it. If the tunnel works, then start focusing on the authentication part between FortiGate and RADIUS/LDAP.

Adrian
alaaelrayes
New Contributor III

I made changes to FortiAuthenticator and FortiGate; then the connection was established and I was prompted to enter the FortiToken, but after entering the token it shows "VPN connection failed".

The error code from FortiClient is:

No response from the peer, phase1 retransmit reaches maximum count

FortiAuthenticator log is success: [screenshot: authenticator.png]

Authenticator RADIUS changes: [screenshots: radius 1.JPG, radius 2.JPG]

Authenticator RADIUS debug: [screenshot: auth 3.png]

Muhammad_Haiqal

Hi @alaaelrayes ,

If you have FortiAuthenticator, it may be related to another issue. Can you try without 2FA and try again?

If only 2FA is not working, I would suggest contacting Fortinet support as this needs in-depth troubleshooting.
Here is the reference: https://www.fortinet.com/support/contact.html

haiqal