Hi Team,
I have IPsec IKE V1 remote access and I need to change it to V2.
After changing it to V2 I couldn't connect to the tunnel; it gives the below warning in the logs:
No response from the peer, phase1 retransmit reaches maximum count
Note that we use FortiAuthenticator with the FortiGate.
My Config:
set type dynamic
set interface "IPSec"
set ike-version 2
set peertype any
set net-device enable
set mode-cfg enable
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
set dpd on-idle
set idle-timeout enable
set idle-timeoutinterval 60
set ipv4-start-ip
set ipv4-end-ip
set ipv4-netmask
set dns-mode auto
set psksecret
What is the problem?
Thanks,
Hi @alaaelrayes ,
VPN configuration requires "mutual understanding" on both sides.
Each side must match the other.
From my understanding, the change from V1 to V2 only happened on this FortiGate.
This error: "No response from the peer, phase1 retransmit reaches maximum count" may indicate the peer is still using V1.
May I know, did you change the peer side too?
The VPN client config on that connection is also V2, as below:
Hi,
Encryption does not match. FortiClient has aes128-sha1 and aes256-sha1, but FortiGate accepts aes128-sha256 at least.
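The mismatch described in this reply can be checked mechanically. The following script is an added example, not code from the thread or from Fortinet: it parses the FortiGate `set proposal` string (classic entries as `<enc>-<integ>`, AEAD entries as `<aead>-prf<hash>`, which is this example's own reading of the format) and reports which proposals a client list has in common with it. The two lists are the ones quoted in the thread.

```python
"""Added example (not from the forum thread): check whether a FortiGate
phase1 proposal list overlaps with the proposals a client offers.

Parsing rules assumed here:
  - "<enc>-<integ>"      classic cipher, e.g. aes128-sha256; the integrity
                         hash is also used as the PRF
  - "<aead>-prf<hash>"   AEAD cipher, e.g. aes128gcm-prfsha256; no separate
                         integrity algorithm, PRF given explicitly
"""
from typing import NamedTuple


class Proposal(NamedTuple):
    encryption: str
    integrity: str  # "aead" when the cipher authenticates itself
    prf: str


def parse_proposal(token: str) -> Proposal:
    enc, _, rest = token.partition("-")
    if rest.startswith("prf"):
        return Proposal(enc, "aead", rest[3:])
    return Proposal(enc, rest, rest)


def parse_proposal_list(line: str) -> list:
    # Accept either the bare list or the full "set proposal ..." config line
    tokens = line.split()
    if tokens[:2] == ["set", "proposal"]:
        tokens = tokens[2:]
    return [parse_proposal(t) for t in tokens]


def common_proposals(gateway: str, client: str) -> list:
    """Proposals present on both sides, in the gateway's preference order."""
    offered = set(parse_proposal_list(client))
    return [p for p in parse_proposal_list(gateway) if p in offered]


# Lists quoted in the thread: gateway config line and the FortiClient offer
GATEWAY = ("set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 "
           "aes256gcm-prfsha384 chacha20poly1305-prfsha256")
CLIENT = "aes128-sha1 aes256-sha1"

if __name__ == "__main__":
    shared = common_proposals(GATEWAY, CLIENT)
    if shared:
        print("negotiable:", ", ".join(f"{p.encryption}/{p.integrity}" for p in shared))
    else:
        print("no common proposal: IKE_SA_INIT will never complete")
```

An empty result means IKE_SA_INIT cannot succeed regardless of authentication settings, which is why the client sees the same "no response" symptom as a peer that does not speak IKEv2 at all.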
The same issue
Hi,
Then run ike debug. That will show you why it is failing:
diag debug console time en
diag debug app ike -1
diag debug en
To disable debug:
diag debug disable
diag debug reset
I added the below to the config:
set eap enable
set eap-identity send-request
And the debug error is as below:
2023-05-24 12:05:02.099273 ike 0:ForiVPN-04: connection expiring due to EAP failure
2023-05-24 12:05:02.099280 ike 0:ForiVPN-04: deleting
2023-05-24 12:05:02.099312 ike 0:ForiVPN-04: deleted
and the below error when disabling EAP:
2023-05-24 12:21:18.333661 ike 0:ForiVPN-04:5044: peer identifier IPV4_ADDR 10.10.23.153
2023-05-24 12:21:18.333666 ike 0:ForiVPN-04:5044: re-validate gw ID
2023-05-24 12:21:18.333675 ike 0:ForiVPN-04:5044: gw validation failed
2023-05-24 12:21:18.333682 ike 0:ForiVPN-04:5044: schedule delete of IKE SA a72491f0596e0d2f/5979dd2ebd97470f
2023-05-24 12:21:18.333689 ike 0:ForiVPN-04:5044: scheduled delete of IKE SA a72491f0596e0d2f/5979dd2ebd97470f
2023-05-24 12:21:18.333708 ike 0:ForiVPN-04: connection expiring due to phase1 down
2023-05-24 12:21:18.333714 ike 0:ForiVPN-04: deleting
2023-05-24 12:21:18.333721 ike 0:ForiVPN-04: deleted
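The two captures above are short, but a full `diag debug app ike -1` run on a busy gateway is not. The script below is an added example (not from the thread or from Fortinet) that parses each line of that output into timestamp, VDOM, gateway name, session id and message, collects the IKE SA SPIs, and maps the failure messages seen in this thread to a named cause with a hint. The cause table and hints are this example's own interpretation of those messages; the sample lines are the ones the asker posted.

```python
"""Added example (not from the forum thread): triage FortiGate
'diag debug app ike -1' output by extracting fields and tagging the
failure messages that appear in this thread.
"""
import re
from collections import OrderedDict

# Line shape as posted: "<date> <time> ike <vdom>:<gateway>[:<session>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) ike "
    r"(?P<vdom>\d+):(?P<gateway>[^:]+)(?::(?P<session>\d+))?: (?P<msg>.*)$"
)
SA_RE = re.compile(r"IKE SA (?P<i>[0-9a-f]+)/(?P<r>[0-9a-f]+)")

# (substring of the debug message, cause tag, hint) -- this example's own table
CAUSES = (
    ("connection expiring due to EAP failure", "eap_failure",
     "EAP authentication failed before the tunnel came up; verify the user-group "
     "and the RADIUS/FortiAuthenticator path"),
    ("gw validation failed", "gw_validation_failed",
     "the peer's identifier was rejected when the gateway re-validated it; "
     "check peer ID settings on both sides"),
    ("phase1 retransmit reaches maximum count", "no_response",
     "the peer never answered; confirm IKE version, proposal overlap and "
     "UDP 500/4500 reachability"),
)


def parse_line(line):
    """Return the line's fields as a dict, or None for lines not in ike format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    sa = SA_RE.search(rec["msg"])
    rec["ike_sa"] = f"{sa['i']}/{sa['r']}" if sa else None
    return rec


def triage(log_text):
    """Summarise a capture: gateway, distinct causes in first-seen order, hints, SPIs."""
    causes = OrderedDict()
    spis = []
    gateway = None
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        gateway = gateway or rec["gateway"]
        if rec["ike_sa"] and rec["ike_sa"] not in spis:
            spis.append(rec["ike_sa"])
        for needle, tag, hint in CAUSES:
            if needle in rec["msg"]:
                causes.setdefault(tag, hint)
    return {"gateway": gateway, "causes": list(causes),
            "hints": dict(causes), "ike_sa": spis}


# Sample input: the two captures posted in the thread
EAP_LOG = """\
2023-05-24 12:05:02.099273 ike 0:ForiVPN-04: connection expiring due to EAP failure
2023-05-24 12:05:02.099280 ike 0:ForiVPN-04: deleting
2023-05-24 12:05:02.099312 ike 0:ForiVPN-04: deleted
"""
NO_EAP_LOG = """\
2023-05-24 12:21:18.333661 ike 0:ForiVPN-04:5044: peer identifier IPV4_ADDR 10.10.23.153
2023-05-24 12:21:18.333666 ike 0:ForiVPN-04:5044: re-validate gw ID
2023-05-24 12:21:18.333675 ike 0:ForiVPN-04:5044: gw validation failed
2023-05-24 12:21:18.333682 ike 0:ForiVPN-04:5044: schedule delete of IKE SA a72491f0596e0d2f/5979dd2ebd97470f
2023-05-24 12:21:18.333689 ike 0:ForiVPN-04:5044: scheduled delete of IKE SA a72491f0596e0d2f/5979dd2ebd97470f
2023-05-24 12:21:18.333708 ike 0:ForiVPN-04: connection expiring due to phase1 down
2023-05-24 12:21:18.333714 ike 0:ForiVPN-04: deleting
2023-05-24 12:21:18.333721 ike 0:ForiVPN-04: deleted
"""

if __name__ == "__main__":
    for name, text in (("with EAP", EAP_LOG), ("without EAP", NO_EAP_LOG)):
        r = triage(text)
        print(f"{name}: gateway={r['gateway']} causes={r['causes']} sa={r['ike_sa']}")
        for tag, hint in r["hints"].items():
            print(f"  {tag}: {hint}")
```

Feed it the saved console output (`python3 triage.py < ike.log` after replacing the sample constants with `sys.stdin.read()`), and the first tagged cause is usually the one to chase; everything after it ("phase1 down", "deleting", "deleted") is cleanup.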
This is not saying much. Try to use a user-group with a local user account, for a start. Try to authenticate with it. If the tunnel works, then start focusing on the authentication part between FortiGate and RADIUS/LDAP.
I made changes to FortiAuthenticator and FortiGate; then the connection was established and I was prompted to enter the FortiToken, but after entering the token it shows a VPN connection failed.
The error code from FortiClient is:
No response from the peer, phase1 retransmit reaches maximum count
The FortiAuthenticator log shows success:
Authenticator Radius changes:
Authenticator Radius debug:
Hi @alaaelrayes ,
If you have FortiAuthenticator, it may be related to another issue. Can you try without 2FA and try it again?
If only 2FA is not working, I would suggest contacting Fortinet support as this needs in-depth troubleshooting.
Here is the reference: https://www.fortinet.com/support/contact.html