- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Passing FortiClient IPSec through a Fortigate ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Passing FortiClient IPSec through a Fortigate fails
Hello All,
I have been given a laptop by one of our clients which connects to the client's company LAN through an IPSec VPN. That IPSec VPN runs on a Fortinet solution (FortiClient on the laptop and a Fortigate device on the client's premises).
However, I have trouble getting a VPN connection through our own Fortigate which sits between our own LAN and the internet. This is a Fortigate 50E running 6.2.10. The laptop is connected to a completely open guest network with all services including IKE and NAT-T passed through and no filtering, scanning or any security services provisioned.
When trying to connect to the client's VPN, the connection fails at the phase 1 handshake with the following error:
"No response from the peer, phase1 retransmit reaches maximum count"
However, the client's VPN gateway is reachable via ping, and I can establish a connection when using a WiFi hotspot from my cell phone.
Other IPSec VPNs we use for other clients connect just fine through the same network and Fortigate, so I have no idea what's causing this. The firewall logs also show no blocked traffic.
Any idea what might be causing this? Could this be because of too aggressive settings in the VPN profile?
Labels:
- Labels:
-
FortiClient
-
FortiGate
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi. That company's IPSec setting may miss "nat traversal" configuration? Then you can not be behind a NAT:ed firewall. More unlikely you have some config in your fw that blocks IPSec. Check with packet capture on outside interface if you get response.
cogus
cogus
Created on 03-24-2022 09:58 AM Edited on 03-24-2022 10:00 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi! Thanks for the reply.
NAT-T should be configured as the client's own workers use the same VPN and for most of them it works even through cheap home broadband routers which mostly are behind NAT.
I did a package capture on the WAN side while trying to establish a VPN connection, and it seems the IPSec traffic goes through just fine:
No Time Source IP Dest IP Protocol Length SrcPort DestPort
434 2022-03-24 15:51:26.592634 AAA.AAA.AAA.AAA BBB.BBB.BBB.BBB ISAKMP 550 500 500
435 2022-03-24 15:51:26.618459 BBB.BBB.BBB.BBB AAA.AAA.AAA.AAA ISAKMP 491 500 500
437 2022-03-24 15:51:26.648424 AAA.AAA.AAA.AAA BBB.BBB.BBB.BBB IPv4 1514
438 2022-03-24 15:51:26.648435 AAA.AAA.AAA.AAA BBB.BBB.BBB.BBB IPv4 1514
439 2022-03-24 15:51:26.648441 AAA.AAA.AAA.AAA BBB.BBB.BBB.BBB ISAKMP 230 4500 4500
443 2022-03-24 15:51:26.690696 BBB.BBB.BBB.BBB AAA.AAA.AAA.AAA IPv4 886
828 2022-03-24 15:51:29.161519 AAA.AAA.AAA.AAA BBB.BBB.BBB.BBB IPv4 1514
829 2022-03-24 15:51:29.161528 AAA.AAA.AAA.AAA BBB.BBB.BBB.BBB IPv4 1514
830 2022-03-24 15:51:29.161533 AAA.AAA.AAA.AAA BBB.BBB.BBB.BBB ISAKMP 230 4500 4500
831 2022-03-24 15:51:29.191518 BBB.BBB.BBB.BBB AAA.AAA.AAA.AAA IPv4 886
891 2022-03-24 15:51:29.876761 BBB.BBB.BBB.BBB AAA.AAA.AAA.AAA ESP 186 4500 4500
1152 2022-03-24 15:51:32.168041 AAA.AAA.AAA.AAA BBB.BBB.BBB.BBB IPv4 1514
1153 2022-03-24 15:51:32.168050 AAA.AAA.AAA.AAA BBB.BBB.BBB.BBB IPv4 1514
1154 2022-03-24 15:51:32.168055 AAA.AAA.AAA.AAA BBB.BBB.BBB.BBB ISAKMP 230 4500 4500
1155 2022-03-24 15:51:32.196343 BBB.BBB.BBB.BBB AAA.AAA.AAA.AAA IPv4 886
1264 2022-03-24 15:51:33.972541 BBB.BBB.BBB.BBB AAA.AAA.AAA.AAA ESP 186 4500 4500
1342 2022-03-24 15:51:35.184579 AAA.AAA.AAA.AAA BBB.BBB.BBB.BBB IPv4 1514
1343 2022-03-24 15:51:35.184587 AAA.AAA.AAA.AAA BBB.BBB.BBB.BBB IPv4 1514
1344 2022-03-24 15:51:35.184593 AAA.AAA.AAA.AAA BBB.BBB.BBB.BBB ISAKMP 230 4500 4500
1345 2022-03-24 15:51:35.212873 BBB.BBB.BBB.BBB AAA.AAA.AAA.AAA IPv4 886
1964 2022-03-24 15:51:38.186001 AAA.AAA.AAA.AAA BBB.BBB.BBB.BBB IPv4 1514
1965 2022-03-24 15:51:38.186010 AAA.AAA.AAA.AAA BBB.BBB.BBB.BBB IPv4 1514
1966 2022-03-24 15:51:38.186017 AAA.AAA.AAA.AAA BBB.BBB.BBB.BBB ISAKMP 230 4500 4500
1968 2022-03-24 15:51:38.214209 BBB.BBB.BBB.BBB AAA.AAA.AAA.AAA IPv4 886
2187 2022-03-24 15:51:41.204099 AAA.AAA.AAA.AAA BBB.BBB.BBB.BBB IPv4 1514
2188 2022-03-24 15:51:41.204108 AAA.AAA.AAA.AAA BBB.BBB.BBB.BBB IPv4 1514
2189 2022-03-24 15:51:41.204114 AAA.AAA.AAA.AAA BBB.BBB.BBB.BBB ISAKMP 230 4500 4500
2190 2022-03-24 15:51:41.232770 BBB.BBB.BBB.BBB AAA.AAA.AAA.AAA IPv4 886
3601 2022-03-24 15:51:49.653294 BBB.BBB.BBB.BBB AAA.AAA.AAA.AAA ESP 138 4500 4500
3720 2022-03-24 15:51:50.080558 BBB.BBB.BBB.BBB AAA.AAA.AAA.AAA ESP 378 4500 4500
(AAA.AAA.AAA.AAA is the WAN IP of my Fortigate, BBB.BBB.BBB.BBB is the IP of the client's Fortigate the VPN should connects to)
From what I can see (not being a network engineer) there is nothing in my Fortigate to stop the VPN traffic. So I have no idea what could cause the phase1 handshake to fail (time out).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hm he wrote that it worked using a hotspot. Hotspot usually does NAT too so I guess there is NAT-T .
If there is no repsonse from peer it would be interesting which side did not respond.
Maybe there is no answer from the FortiGate due to some reason.
Then looking at the ike debug log on the FGT might give some clue.
That e.g. might happen when psk auth fails or if the vpn dos not have any policy referencing to it on the fortigate.
On Client side you see the "no response from peer" as there is no more response from the peer then.
Anyways FortiClient is always good for trouble ;)
Do you use the VPN only one or the "full" FortiClient?
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Created on 03-25-2022 03:25 AM Edited on 03-25-2022 03:25 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The strange thing is that the VPN end point (the client's Fortigate) is responding (I can ping it reliably, and the data capture above shows that it's responding to the VPN connection request from the client laptop). It's just that something in the phase1 handshake appears to go wrong.
The FortiClient on the laptop seems to be the full version ("About" says FortiClient 6.4.7.1713, and it says it's connected to EMS).
Our client's IT department is more reactive than pro-active and says because it works for others that the problem must be on my end, and that's it. They might be prepared to adjust some settings if I tell them which ones.
My hope was that someone had an idea what could be causing this, and maybe there is a setting that could cause a phase1 handshake fail (considering that the profile itself seems to be working).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
well ping uses a different protocol (icmp echo) then vpn (ipsec).
Could you request the IT-Dept to look into the ike debug log on the endpoint to see if that reports any error?
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Related Posts
- Dial-up IPsec tunnels with same source... 4 Views
- Fortiproxy BSOD Netio.sys 9 Views
- FortiToken for FortiClient users CONCERN 21 Views
- Applying Fortinet device in my company. 45 Views
- Policy based routing to IPsec tunnel 50 Views
Labels
-
FortiGate
6,420 -
FortiClient
1,280 -
5.2
801 -
5.4
639 -
FortiManager
557 -
6.0
416 -
FortiAnalyzer
408 -
5.6
362 -
FortiSwitch
329 -
FortiAP
322 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
102 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
81 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
IPsec
62 -
Wireless Controller
56 -
SSL-VPN
52 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
FortiPortal
17 -
VLAN
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
Interface
10 -
VDOM
10 -
FortiWeb v5.0
9 -
BGP
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
Traffic shaping
8 -
Virtual IP
8 -
RADIUS
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
NAT
6 -
IP address management - IPAM
6 -
SSID
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiAuthenticator
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
Security profile
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
Web application firewall profile
3 -
FortiToken Cloud
3 -
Automation
3 -
DoS policy
3 -
FortiTester
3 -
OSPF
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
Intrusion prevention
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.