Created on 06-30-2011 12:37 AM
Phase 1:
  Name: DialupVPN
  Remote Gateway: Dialup User
  Local Interface: zzz_ext
  Mode: Main
  Authentication Method: RSA Signature
  Certificate Name: gw.zzz
  Peer Options: Accept any peer ID
  Enable IPSec Int mode: Disable
  P1 Proposal: 1 Enc 3DES Auth Sha; 2 Enc 3DES Auth MD5
  DH Group: 5
  Keylife: 28800
  Local ID: C = AU ... blah blah blah
  XAuth: Disable
  NAT Traversal: Enable
  Keepalive: 10
  Dead Peer Detection: Enable

Phase 2:
  Name: DialupVPNP2
  Phase 1: DialupVPN
  P2 Proposal: 1 Enc 3DES Auth Sha; 2 Enc 3DES Auth MD5
  Enable replay det: Disable
  Enable PFS: Enable
  DH Group: 5
  Keylife: 1800s
  Autokey keepalive: Disable
  DHCP-IPSec: Disable
  Quickmode selector: all defaults (0.0.0.0, 0, 0.0.0.0, 0, 0)

Firewall Policy:
  Source Interface: zzz_int
  Source Address: dc_lan (subnet of the firewall's internal network)
  Destination Interface: zzz_ext
  Destination Addr: all (0.0.0.0/0)
  Schedule: Always
  Service: ANY
  Action: IPSEC
  VPN Tunnel: DialupVPN
  Allow inbound: Enable
  Allow outbound: Enable
  Inbound NAT: Disable
  Outbound NAT: Disable
  Protection Profile: Disable
  Log Allowed Traffic: Disable
  Traffic Shaping: Disable

Forticlient:
  Connection Name: zzz
  VPN Type: Manual IPSec
  Remote Gateway: (external ip addr of the fortigate)
  Remote Network: (network addr & subnet of the fortigate's internal network)
  Authentication Method: X509 Cert

Now, it was connecting for a while, and I could see this from the VPN -> IPSec -> Monitor page in the configuration, however it still wasn't allowing any traffic into the network behind the firewall, so I tried enabling "Inbound NAT" and "NAT Traversal" (since my dialup client is on a network that is NAT'd) - at that point, it will no longer connect, even if I disable those options again.

When I try to make the Forticlient connect, while running tcpdump on the network, I can see traffic going both ways between the client and the fortigate, first on port 500, and then later on 4500, but after about 30s or so, I get a popup message saying "VPN is having trouble connecting with the remote gateway, retrying now". I've put the ipsec firewall policy above all the other policies. All of the certificates are set up fine, I don't see that being part of the problem. Does anyone have any idea what I'm doing wrong? Thanks in advance for any help...
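As an added troubleshooting aid (not from this thread or from Fortinet), the following Python script parses tcpdump ISAKMP lines like the ones described above (IKE on UDP 500, then a move to UDP 4500 for NAT-T) and reports at which negotiation stage the gateway stops answering; the addresses and packet lines are constructed samples modelled on the symptom, and the gateway IP is passed in as an assumption.

```python
import re
from collections import Counter

# Constructed sample tcpdump output (not a real capture): phase 1 completes on
# UDP 500, moves to NAT-T on UDP 4500, then quick mode retries go unanswered.
SAMPLE = """\
12:00:00.000 IP 203.0.113.5.500 > 198.51.100.1.500: isakmp: phase 1 I ident
12:00:00.010 IP 198.51.100.1.500 > 203.0.113.5.500: isakmp: phase 1 R ident
12:00:00.040 IP 203.0.113.5.4500 > 198.51.100.1.4500: NONESP-encap: isakmp: phase 1 I ident[E]
12:00:00.050 IP 198.51.100.1.4500 > 203.0.113.5.4500: NONESP-encap: isakmp: phase 1 R ident[E]
12:00:01.000 IP 203.0.113.5.4500 > 198.51.100.1.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
12:00:06.000 IP 203.0.113.5.4500 > 198.51.100.1.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
12:00:11.000 IP 203.0.113.5.4500 > 198.51.100.1.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
"""
LINE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?:NONESP-encap: )?isakmp: phase (?P<phase>1|2/others) (?P<role>[IR]) (?P<exch>[\w-]+)"
)

def summarize(text, gateway):
    """Count IKE messages per (phase, sender, UDP port) and note which phases the gateway answered."""
    seen = Counter()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ESP, DNS, etc. are not part of the negotiation
        sender = "gw" if m["src"] == gateway else "client"
        phase = "p1" if m["phase"] == "1" else "p2"
        seen[(phase, sender, int(m["dport"]))] += 1
    ports = {port for (_, _, port) in seen}
    return {
        "nat_t": 4500 in ports,  # NAT-T was negotiated (traffic moved to 4500)
        "p1_answered": any(k[0] == "p1" and k[1] == "gw" for k in seen),
        "p2_answered": any(k[0] == "p2" and k[1] == "gw" for k in seen),
        "p2_client_retries": sum(v for k, v in seen.items() if k[0] == "p2" and k[1] == "client"),
    }

def diagnose(s):
    """Map the summary to the stage where the tunnel stalls and what to check there."""
    if not s["p1_answered"]:
        return "no phase 1 reply: check gateway reachability, phase 1 proposals and certificate"
    if s["nat_t"] and not s["p2_answered"] and s["p2_client_retries"]:
        return "phase 1 done over NAT-T, phase 2 unanswered: check phase 2 proposal/PFS, quick-mode selectors and the IPsec policy"
    if not s["p2_answered"]:
        return "phase 1 done, phase 2 unanswered: check phase 2 settings"
    return "both phases answered: tunnel negotiated, check policy and routing for traffic"

if __name__ == "__main__":
    print(diagnose(summarize(SAMPLE, "198.51.100.1")))
```

Feed it `tcpdump -n udp port 500 or udp port 4500` output from the capture the post describes and compare the stage it reports against the VPN monitor page.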
Created on 07-03-2011 07:14 PM