- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: L2TP/IPSec Tunnel Config Lost After Upgrade to...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
L2TP/IPSec Tunnel Config Lost After Upgrade to 5.6
I followed the recommended upgrade path to get from 5.2.4 to 5.6.4 (5.2.6 => 5.2.9 => 5.4.4 => 5.6.2 => 5.6.4). I took backups of the config at each step in case something went wrong.
I had configuration that allowed one particular user to connect via the native Android L2TP/IPSec PSK configuration and they alerted me the day after the software upgrades that this was no longer working. Upon investigation, I discovered that the IPSec part of this L2TP configuration (phase1 & phase2 configuration and associated ipsec firewall policy) was lost in the upgrade from 5.4.4 to 5.6.2. I attempted to add this configuration back in but some of the commands no longer work. I suspect this is why it was lost in the upgrade. I've configured it up to the best of my knowledge, but I'm getting a phase 1 error in the logs:
ActionnegotiateStatusnegotiate_errorReasonprobable preshared key mismatch
I've reset the PSK a few times and still getting this error, so I gather it's something else. Not seeing anything when I debug IKE, and not much that appears meaningful when I debug L2TP.
This was my relevant config prior to the upgrade:
config vpn l2tp set eip 192.168.70.200 set sip 192.168.70.100 set status enable set usrgrp "LocalVPNusers" end
config vpn ipsec phase1 edit "L2TP" set type dynamic set interface "wan1" set peertype dialup set proposal 3des-sha1 aes128-sha1 aes192-sha1 aes256-sha1 set dpd disable set dhgrp 14 5 2 set usrgrp "LocalVPNusers"
set psksecret ENC OE75HAKFV.....
next end config vpn ipsec phase2 edit "L2TP_P2" set phase1name "L2TP" set proposal 3des-sha1 aes128-sha1 aes192-sha1 aes256-sha1 set pfs disable set encapsulation transport-mode set keylifeseconds 28800 next end
config firewall policy
edit 22 set srcintf "Voice" set dstintf "wan1" set srcaddr "Voice_LAN" set dstaddr "Dialup_range" set action ipsec set schedule "always" set service "ALL" set inbound enable set vpntunnel "L2TP" next edit 18 set srcintf "Voice" set dstintf "wan1" set srcaddr "Voice_LAN" set dstaddr "Dialup_range" set action accept set schedule "always" set service "ALL" next
edit 20 set srcintf "wan1" set dstintf "Voice" set srcaddr "Dialup_range" set dstaddr "Voice_LAN" set action accept set schedule "always" set service "ALL" next
This is what it looks like now after the upgrade and reconfiguration:
config vpn l2tp set eip 192.168.70.200 set sip 192.168.70.100 set status enable set usrgrp "LocalVPNusers" end
config vpn ipsec phase1 edit "L2TP" set type dynamic set interface "wan1" set peertype any set proposal 3des-sha1 aes128-sha1 aes192-sha1 aes256-sha1 set dpd disable set dhgrp 14 5 2 set psksecret ENC X2Kvbf4sUCO+...
next end config vpn ipsec phase2 edit "L2TP_P2" set phase1name "L2TP" set proposal 3des-sha1 aes128-sha1 aes192-sha1 aes256-sha1 set pfs disable set encapsulation transport-mode set keylifeseconds 28800 next end config firewall policy edit 22 set srcintf "Voice" set dstintf "wan1" set srcaddr "Voice_LAN" set dstaddr "Dialup_range" set action ipsec set schedule "always" set service "ALL" set inbound enable set vpntunnel "L2TP" next edit 18 set srcintf "Voice" set dstintf "wan1" set srcaddr "Voice_LAN" set dstaddr "Dialup_range" set action accept set schedule "always" set service "ALL" next edit 20 set srcintf "wan1" set dstintf "Voice" set srcaddr "Dialup_range" set dstaddr "Voice_LAN" set action accept set schedule "always" set service "ALL" next
The main thing I notice here is that in the original configuration, the usrgrp was associated with the phase 1 configuration but this command is not supported in 5.6. I can't see how the L2TP config and user group is bound to the IPSec configuration, but I've based this config on this example - http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD35361&sliceId=1...
I'm somewhat lost at this point. Any help is appreciated.
1 REPLY 1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Turns out I should have believed the log message. Problem was the PSK. PEBKAC issue.
Related Posts
- Cisco switch and FortiAuthenticator RADIUS port... 174 Views
- Unable to access Web GUI after... 332 Views
- ADOM from 7.0 to 7.2: errno=-2... 223 Views
- Can't login to Fortigate GUI... 460 Views
- Firewall does not send syslog 733 Views
Labels
-
FortiGate
6,679 -
FortiClient
1,330 -
5.2
801 -
5.4
639 -
FortiManager
578 -
FortiAnalyzer
422 -
6.0
416 -
5.6
362 -
FortiSwitch
342 -
FortiAP
339 -
FortiClient EMS
272 -
FortiMail
259 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
159 -
6.4
128 -
FortiNAC
110 -
FortiGuard
106 -
FortiSIEM
92 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
79 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
67 -
4.0MR3
64 -
Wireless Controller
58 -
FortiProxy
46 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
40 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
30 -
SD-WAN
30 -
Firewall policy
29 -
High Availability
24 -
FortiConnect
24 -
VLAN
22 -
FortiWAN
22 -
FortiConverter
21 -
FortiAuthenticator
20 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Interface
14 -
Certificate
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Logging
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
10 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
Authentication
8 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSO
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.