Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
service12
New Contributor

Created on ‎02-12-2025 05:05 AM

Problem with IPSEC DialUp with certificate auth

Hello!

 

I am currently experiencing a problem with dialup ipsec vpn on a fgt-90G.. i use certificate auth and the problem is that sometimes, the windows client connects, but no traffic passes through the tunnel... in logs i have ike retransmits like it shows below.. The thing is.. it sometimes works with no modifications to the configuration.. 

2025-02-12 15:02:16.961772 ike V=root:0:Dialup_0:131: sent IKE msg (retransmit): x.x.x.x:4500->y.y.y.y:64916, len=1728, vrf=0, id=8e28e757f91c9b5b/5efcee79161f925b:00000001, oif=39
2025-02-12 15:02:18.669458 ike V=root:0:Dialup_0: link is idle 39 x.x.x.x->y.y.y.y:64916 dpd=1 seqno=2 rr=0
2025-02-12 15:02:18.669490 ike V=root:0:Dialup_0:131: send IKEv2 DPD probe, seqno 2
2025-02-12 15:02:18.669512 ike V=root:0:Dialup_0:1235: sending NOTIFY msg
2025-02-12 15:02:18.669522 ike V=root:0:Dialup_0:131:1235: send informational
2025-02-12 15:02:18.669540 ike 0:Dialup_0:131: enc 0F0E0D0C0B0A0908070605040302010F
2025-02-12 15:02:18.669598 ike 0:Dialup_0:131: out 8E28E757F91C9B5B5EFCEE79161F925B2E2025000000000000000060000000448629740B4C6AB03CFF42DDC343C1CE8114FF07055878742FA55A78083D6E6C632BD880E875E934C75CBA5694DBBE33FA56E58F05A53F1E96E8A6A3EADDD98FB4
2025-02-12 15:02:18.669638 ike V=root:0:Dialup_0:131: sent IKE msg (INFORMATIONAL): x.x.x.x:4500->y.y.y.y:64916, len=96, vrf=0, id=8e28e757f91c9b5b/5efcee79161f925b, oif=39
2025-02-12 15:02:21.676031 ike 0:Dialup_0:131: out 8E28E757F91C9B5B5EFCEE79161F925B2E2025000000000000000060000000448629740B4C6AB03CFF42DDC343C1CE8114FF07055878742FA55A78083D6E6C632BD880E875E934C75CBA5694DBBE33FA56E58F05A53F1E96E8A6A3EADDD98FB4
2025-02-12 15:02:21.676090 ike V=root:0:Dialup_0:131: sent IKE msg (RETRANSMIT_INFORMATIONAL): x.x.x.x:4500->y.y.y.y:64916, len=96, vrf=0, id=8e28e757f91c9b5b/5efcee79161f925b, oif=39
2025-02-12 15:02:23.673458 ike V=root:0:Dialup_0: link is idle 39 x.x.x.x->y.y.y.y:64916 dpd=1 seqno=2 rr=0
2025-02-12 15:02:23.673489 ike V=root:0:Dialup_0:131: send IKEv2 DPD probe, seqno 2
2025-02-12 15:02:27.677206 ike 0:Dialup_0:131: out 8E28E757F91C9B5B5EFCEE79161F925B2E2025000000000000000060000000448629740B4C6AB03CFF42DDC343C1CE8114FF07055878742FA55A78083D6E6C632BD880E875E934C75CBA5694DBBE33FA56E58F05A53F1E96E8A6A3EADDD98FB4
2025-02-12 15:02:27.677269 ike V=root:0:Dialup_0:131: sent IKE msg (RETRANSMIT_INFORMATIONAL): x.x.x.x:4500->y.y.y.y:64916, len=96, vrf=0, id=8e28e757f91c9b5b/5efcee79161f925b, oif=39
2025-02-12 15:02:28.673462 ike V=root:0:Dialup_0: link is idle 39 x.x.x.x->y.y.y.y:64916 dpd=1 seqno=2 rr=0
2025-02-12 15:02:28.673494 ike V=root:0:Dialup_0:131: send IKEv2 DPD probe, seqno 2
2025-02-12 15:02:33.568223 ike :shrank heap by 159744 bytes
2025-02-12 15:02:33.673494 ike V=root:0:Dialup_0: link fail 39 x.x.x.x->y.y.y.y:64916 dpd=1
2025-02-12 15:02:33.673522 ike V=root:0:Dialup_0: link down 39 x.x.x.x->y.y.y.y:64916
2025-02-12 15:02:33.673631 ike V=root:0:Dialup_0: going to be deleted
2025-02-12 15:02:33.673846 ike V=root:0:Dialup_0: sent tunnel-down message to EMS: (fct-uid=2EA7972F2E794D6B983F6136E95C4E50, intf=Dialup_0, addr=11.11.11.10, vdom=root)
2025-02-12 15:02:33.673866 ike V=root:0:Dialup_0: flushing
2025-02-12 15:02:33.673930 ike V=root:0:Dialup_0: deleting IPsec SA with SPI 8e041b3d
2025-02-12 15:02:33.673955 ike V=root:0:Dialup_0:Dialup: deleted IPsec SA with SPI 8e041b3d, SA count: 0
2025-02-12 15:02:33.673967 ike V=Dialup_0:0:Dialup_0:1234: del route 11.11.11.10/255.255.255.255 tunnel 11.11.11.10 oif Dialup_0(101) metric 15 priority 1
2025-02-12 15:02:33.674180 ike V=root:0:Dialup_0: sending SNMP tunnel DOWN trap for Dialup
2025-02-12 15:02:33.674261 ike V=root:0:Dialup_0:Dialup: delete
2025-02-12 15:02:33.674323 ike V=root:0:Dialup_0: flushed
2025-02-12 15:02:33.674372 ike V=root:0:Dialup_0:131:1236: send informational
2025-02-12 15:02:33.674393 ike 0:Dialup_0:131: enc 00000008010000000706050403020107
2025-02-12 15:02:33.674459 ike 0:Dialup_0:131: out 8E28E757F91C9B5B5EFCEE79161F925B2E20250000000000000000602A0000445A4893371041C760EBE2AA2933D46538E9C3032B6399E536AA5DF15F1E844BB738235E4C1EA734957C0EB6404E3383405407F8C0951EF3E4E3C58F6D3696885B
2025-02-12 15:02:33.674501 ike V=root:0:Dialup_0:131: sent IKE msg (INFORMATIONAL): x.x.x.x:4500->y.y.y.y:64916, len=96, vrf=0, id=8e28e757f91c9b5b/5efcee79161f925b, oif=39
2025-02-12 15:02:33.674530 ike V=root:0:Dialup_0: mode-cfg del 11.11.11.11/255.255.255.0 from 'Dialup_0'/101
2025-02-12 15:02:33.674627 ike V=root:0:Dialup_0: delete dynamic

 

 

Labels:
332
0 Kudos
3 REPLIES 3
Anthony_E
Community Manager
Community Manager

Created on ‎02-16-2025 09:34 PM

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
283
Anthony_E
Community Manager
Community Manager

Created on ‎02-18-2025 11:15 PM

Hello,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Regards,

Anthony-Fortinet Community Team.
247
Anthony_E
Community Manager
Community Manager

Created on ‎02-19-2025 11:53 PM

Hi,

 

To troubleshoot issues with IPsec dial-up VPN using certificate authentication on FortiGate:

  1. Verify Certificate Configuration:  Ensure that the CA certificate and user certificates are correctly imported into FortiGate. Check that the certificates are valid and not expired. - Confirm that the correct certificates are assigned to the user peer and peer group configurations.
  2. Check Phase 1 and Phase 2 Settings: Verify that the Phase 1 and Phase 2 settings on FortiGate match the settings on the remote peer. Ensure that encryption, authentication, and Diffie-Hellman settings are compatible between both peers.
  3. Confirm NAT Traversal: Check if NAT traversal is required and properly configured on both ends. - Ensure that NAT-T is compatible with any NAT devices between the VPN peers.
  4. Troubleshoot Authentication: Check if the authentication method (certificate) is supported and configured correctly on both ends. Verify that the user peer and peer group configurations on FortiGate are set up properly for certificate authentication.
  5. Monitor Logs:  Review the FortiGate logs for any error messages related to the IPsec VPN connection. Look for authentication failures, certificate validation issues, or any other relevant log entries.
  6. Test Connectivity: Test the IPsec VPN connection from the remote peer to FortiGate to identify any connectivity issues. Use tools like ping or traceroute to troubleshoot network connectivity problems.

 

Hope it will help.

 

Regards,

Anthony-Fortinet Community Team.
223
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.