Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
alaaelrayes
New Contributor III

IPsec IKE v2 Config

Hi Team,

 

I have IPsec IKE V1 remote access and I need to change it to V2.

After changing it to V2 I didn't connect to the tunnel giving the below warning in logs:

No response from the peer, phase1 retransmit reaches maximum count

Note that we uses Forti authenticator with FortiGate.

 

My Config:

 

set type dynamic
set interface "IPSec"
set ike-version 2
set peertype any
set net-device enable
set mode-cfg enable
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
set dpd on-idle
set idle-timeout enable
set idle-timeoutinterval 60
set ipv4-start-ip 
set ipv4-end-ip 
set ipv4-netmask 
set dns-mode auto
set psksecret

 

What is the problem ?

Thanks,

11 REPLIES 11
alaaelrayes
New Contributor III

Could anyone help me ?

 

after entering the token it gives VPN connection failed in forticlient but no error in FAC.

 

May because the client uses EAP-GTC as shown in the above pictures ?

 

Note that the failure from FG debug as below:

 

eap fail.JPG

fnbamd debug:

 

[1862] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[323] extract_success_vsas-FORTINET attr, type 1, val VPN Users 
fnbamd_dbg_hex_pnt[48] EAP msg from server (4)-03 01 00 04
[1449] fnbamd_auth_handle_radius_result-->Result for radius svr 'FortiAuthenticator' IP(1) is 0
[1608] fnbam_user_auth_group_match-req id: 952356062, server: FortiAuthenticator, local auth: 0, dn match: 0
[280] find_matched_usr_grps-Failed group matching

 

FortiGate FortiClient 

alaaelrayes
New Contributor III

The last update that I configured the tunnel  and I can connect but without internet.

My policies include groups but when I remove those groups and replace them with "All" I'm able to connect.

In my environment I don't need to remove groups from polices.

Is there a solution for this issue?

In the tunnel config there is a command should specify( set authgrp " "), I've added one group but how do I add multiple groups ?

 

policy.JPG

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors