I followed the recommended upgrade path to get from 5.2.4 to 5.6.4 (5.2.6 => 5.2.9 => 5.4.4 => 5.6.2 => 5.6.4). I took backups of the config at each step in case something went wrong.
I had configuration that allowed one particular user to connect via the native Android L2TP/IPSec PSK configuration and they alerted me the day after the software upgrades that this was no longer working. Upon investigation, I discovered that the IPSec part of this L2TP configuration (phase1 & phase2 configuration and associated ipsec firewall policy) was lost in the upgrade from 5.4.4 to 5.6.2. I attempted to add this configuration back in but some of the commands no longer work. I suspect this is why it was lost in the upgrade. I've configured it up to the best of my knowledge, but I'm getting a phase 1 error in the logs:
Action: negotiate   Status: negotiate_error   Reason: probable preshared key mismatch
I've reset the PSK a few times and still getting this error, so I gather it's something else. Not seeing anything when I debug IKE, and not much that appears meaningful when I debug L2TP.
This was my relevant config prior to the upgrade:
config vpn l2tp
    set eip 192.168.70.200
    set sip 192.168.70.100
    set status enable
    set usrgrp "LocalVPNusers"
end

config vpn ipsec phase1
    edit "L2TP"
        set type dynamic
        set interface "wan1"
        set peertype dialup
        set proposal 3des-sha1 aes128-sha1 aes192-sha1 aes256-sha1
        set dpd disable
        set dhgrp 14 5 2
        set usrgrp "LocalVPNusers"
        set psksecret ENC OE75HAKFV.....
    next
end

config vpn ipsec phase2
    edit "L2TP_P2"
        set phase1name "L2TP"
        set proposal 3des-sha1 aes128-sha1 aes192-sha1 aes256-sha1
        set pfs disable
        set encapsulation transport-mode
        set keylifeseconds 28800
    next
end

config firewall policy
    edit 22
        set srcintf "Voice"
        set dstintf "wan1"
        set srcaddr "Voice_LAN"
        set dstaddr "Dialup_range"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set vpntunnel "L2TP"
    next
    edit 18
        set srcintf "Voice"
        set dstintf "wan1"
        set srcaddr "Voice_LAN"
        set dstaddr "Dialup_range"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 20
        set srcintf "wan1"
        set dstintf "Voice"
        set srcaddr "Dialup_range"
        set dstaddr "Voice_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
This is what it looks like now after the upgrade and reconfiguration:
config vpn l2tp
    set eip 192.168.70.200
    set sip 192.168.70.100
    set status enable
    set usrgrp "LocalVPNusers"
end

config vpn ipsec phase1
    edit "L2TP"
        set type dynamic
        set interface "wan1"
        set peertype any
        set proposal 3des-sha1 aes128-sha1 aes192-sha1 aes256-sha1
        set dpd disable
        set dhgrp 14 5 2
        set psksecret ENC X2Kvbf4sUCO+...
    next
end

config vpn ipsec phase2
    edit "L2TP_P2"
        set phase1name "L2TP"
        set proposal 3des-sha1 aes128-sha1 aes192-sha1 aes256-sha1
        set pfs disable
        set encapsulation transport-mode
        set keylifeseconds 28800
    next
end

config firewall policy
    edit 22
        set srcintf "Voice"
        set dstintf "wan1"
        set srcaddr "Voice_LAN"
        set dstaddr "Dialup_range"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set vpntunnel "L2TP"
    next
    edit 18
        set srcintf "Voice"
        set dstintf "wan1"
        set srcaddr "Voice_LAN"
        set dstaddr "Dialup_range"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 20
        set srcintf "wan1"
        set dstintf "Voice"
        set srcaddr "Dialup_range"
        set dstaddr "Voice_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
The main thing I notice here is that in the original configuration, the usrgrp was associated with the phase 1 configuration but this command is not supported in 5.6. I can't see how the L2TP config and user group is bound to the IPSec configuration, but I've based this config on this example - http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD35361&sliceId=1...
I'm somewhat lost at this point. Any help is appreciated.
Turns out I should have believed the log message. Problem was the PSK. PEBKAC issue.
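The poster took a config backup at every upgrade step, which is exactly the evidence needed to see what 5.4.4 to 5.6.2 dropped (the phase1 usrgrp binding, peertype dialup becoming any) without re-reading the whole file by eye. The script below is an added example, not code from the post or from Fortinet: it parses the FortiOS CLI backup format shown above (config / edit / set / next / end) into a dictionary and diffs two backups, listing settings that were dropped or changed. The two sample configs are constructed from the post's snippets, with placeholder strings in place of the real ENC blobs. It deliberately refuses to compare psksecret: the ENC value is an encrypted blob that (as the post's two snippets show) differs once the secret is re-entered, so a diff cannot tell you whether the PSK itself matches. For that, the phase 1 log line is the only evidence, which is the lesson of the thread.

```python
"""Diff two FortiOS CLI config backups to find what an upgrade dropped or changed.

Added example, not code from the original post or from Fortinet. Assumes the
backups are plain text in the 'config / edit / set / next / end' format the
post shows; nothing here talks to a FortiGate.
"""
import shlex


def parse_fortios(text):
    """Parse FortiOS CLI text into {path: {key: [values]}}.

    path is a tuple of enclosing 'config ...' table names and 'edit' keys,
    e.g. ('vpn ipsec phase1', 'L2TP'). A table without 'edit' entries (such as
    vpn l2tp) keeps its settings directly under ('vpn l2tp',). 'unset' stores
    None so it still shows up as a key.
    """
    entries = {}
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tok = shlex.split(line)  # handles quoted names like edit "L2TP"
        cmd = tok[0]
        if cmd == "config":
            stack.append(" ".join(tok[1:]))
        elif cmd == "edit":
            stack.append(tok[1])
        elif cmd in ("next", "end"):
            if not stack:
                raise ValueError("unbalanced %r at: %s" % (cmd, line))
            stack.pop()
        elif cmd == "set":
            entries.setdefault(tuple(stack), {})[tok[1]] = tok[2:]
        elif cmd == "unset":
            entries.setdefault(tuple(stack), {})[tok[1]] = None
        # any other line (banner, comment) is ignored
    if stack:
        raise ValueError("config ended inside %r" % (stack,))
    return entries


def is_opaque(values):
    """ENC values are encrypted secrets whose blob changes whenever the secret
    is (re)entered, so equal or different blobs say nothing about the secret."""
    return bool(values) and values[0] == "ENC"


def diff_configs(old, new):
    """Return {'dropped': [(path, key)], 'changed': [(path, key, old, new)],
    'opaque': [(path, key)]} comparing two parsed configs."""
    result = {"dropped": [], "changed": [], "opaque": []}
    for path, settings in old.items():
        for key, old_val in settings.items():
            if path not in new or key not in new[path]:
                result["dropped"].append((path, key))
                continue
            new_val = new[path][key]
            if is_opaque(old_val) or is_opaque(new_val):
                result["opaque"].append((path, key))
            elif old_val != new_val:
                result["changed"].append((path, key, old_val, new_val))
    return result


# Constructed sample backups, based on the post's snippets; ENC blobs are placeholders.
PRE_UPGRADE = """\
config vpn l2tp
    set eip 192.168.70.200
    set sip 192.168.70.100
    set status enable
    set usrgrp "LocalVPNusers"
end
config vpn ipsec phase1
    edit "L2TP"
        set type dynamic
        set interface "wan1"
        set peertype dialup
        set proposal 3des-sha1 aes128-sha1 aes192-sha1 aes256-sha1
        set dpd disable
        set dhgrp 14 5 2
        set usrgrp "LocalVPNusers"
        set psksecret ENC placeholder-blob-1
    next
end
"""

POST_UPGRADE = """\
config vpn l2tp
    set eip 192.168.70.200
    set sip 192.168.70.100
    set status enable
    set usrgrp "LocalVPNusers"
end
config vpn ipsec phase1
    edit "L2TP"
        set type dynamic
        set interface "wan1"
        set peertype any
        set proposal 3des-sha1 aes128-sha1 aes192-sha1 aes256-sha1
        set dpd disable
        set dhgrp 14 5 2
        set psksecret ENC placeholder-blob-2
    next
end
"""


def compare_backups(old_text=PRE_UPGRADE, new_text=POST_UPGRADE):
    """Parse both backups and return the diff dictionary."""
    return diff_configs(parse_fortios(old_text), parse_fortios(new_text))


if __name__ == "__main__":
    d = compare_backups()
    for path, key in d["dropped"]:
        print("DROPPED  %s: set %s" % (" / ".join(path), key))
    for path, key, o, n in d["changed"]:
        print("CHANGED  %s: set %s %s -> %s" % (" / ".join(path), key, " ".join(o), " ".join(n)))
    for path, key in d["opaque"]:
        print("OPAQUE   %s: set %s (ENC secret; verify by testing, not by diff)" % (" / ".join(path), key))
```

Run it against the real backup files by reading them into compare_backups(). On the constructed samples it reports usrgrp under vpn ipsec phase1 / L2TP as dropped, peertype changed from dialup to any, and psksecret as opaque. Running the same comparison after each step of a multi-hop upgrade path shows which hop removed a setting, which is far quicker than discovering it when a user calls the next day.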