Not applicable

Problems getting dialup ipsec working

Hi all, I'm having a lot of trouble getting a dialup Forticlient talking IPsec to a Fortigate. My configuration is as follows:
 Phase 1:
 
 Name:                   DialupVPN
 Remote Gateway:         Dialup User
 Local Interface:        zzz_ext
 Mode:                   Main
 Authentication Method:  RSA Signature
 Certificate Name:       gw.zzz
 
 Peer Options:           Accept any peer ID
 
 Enable IPSec Int mode:  Disable
 P1 Proposal:            1 Enc 3DES Auth Sha
                         2 Enc 3DES Auth MD5
 DH Group:               5
 Keylife:                28800
 Local ID:               C = AU ... blah blah blah
 
 XAuth:                  Disable
 NAT Traversal:          Enable
 Keepalive:              10
 Dead Peer Detection:    Enable
 
 Phase 2:
 
 Name:                   DialupVPNP2
 Phase 1:                DialupVPN
 
 P2 Proposal:            1 Enc 3DES Auth Sha
                         2 Enc 3DES Auth MD5
 
 Enable replay det:      Disable
 Enable PFS:             Enable
 DH Group:               5
 Keylife:                1800s
 Autokey keepalive:      Disable
 DHCP-IPSec:             Disable
 
 Quickmode selector all defaults (0.0.0.0, 0, 0.0.0.0, 0, 0)
 
 Firewall Policy:
 
 Source Interface:       zzz_int
 Source Address:         dc_lan (subnet of the firewall's internal network)
 Destination Interface:  zzz_ext
 Destination Addr:       all (0.0.0.0/0)
 Schedule:               Always
 Service:                ANY
 Action:                 IPSEC
 VPN Tunnel:             DialupVPN
 Allow inbound:          Enable
 Allow outbound:         Enable
 Inbound NAT:            Disable
 Outbound NAT:           Disable
 
 Protection Profile:     Disable
 Log Allowed Traffic:    Disable
 Traffic Shaping:        Disable
 
 
 Forticlient:
 Connection Name:   zzz
 VPN Type:              Manual IPSec
 Remote Gateway:   (external ip addr of the fortigate)
 Remote Network:    (network addr & subnet of the fortigate's internal network)
 Authentication Method:  X509 Cert
 
Now, it was connecting for a while, and I could see this from the VPN -> IPSec -> Monitor page in the configuration, however it still wasn't allowing any traffic into the network behind the firewall, so I tried enabling "Inbound NAT" and "NAT Traversal" (since my dialup client is on a network that is NAT'd) - at that point, it will no longer connect, even if I disable those options again. When I try to make the Forticlient connect, while running tcpdump on the network, I can see traffic going both ways between the client and the fortigate, first on port 500, and then later on 4500, but after about 30s or so, I get a popup message saying "VPN is having trouble connecting with the remote gateway, retrying now". I've put the ipsec firewall policy above all the other policies. All of the certificates are set up fine, I don't see that being part of the problem. Does anyone have any idea what I'm doing wrong? Thanks in advance for any help...
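One way to make sense of the capture described above (traffic both ways on 500, then 4500, then a timeout) is to check how far the IKEv1 exchange actually got before the client gave up. The script below is an added example, not code from the post or from Fortinet: it parses only the ISAKMP header of each datagram, assumes the capture has already been reduced to (UDP port, payload) pairs, and uses a constructed header-only sample trace shaped like the one the post describes.

```python
import struct
from collections import Counter

# IKEv1/ISAKMP exchange types (RFC 2408, RFC 2409)
EXCHANGE = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefix on IKE over UDP/4500 after NAT-T float (RFC 3948)
# Initiator SPI, responder SPI, next payload, version, exchange type, flags, message ID, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")

def parse_isakmp(udp_port, payload):
    """Return (exchange name, encrypted?) for one IKE datagram, or None if it is not IKE."""
    if udp_port == 4500:
        if not payload.startswith(NON_ESP_MARKER):
            return None  # UDP-encapsulated ESP data, not IKE
        payload = payload[4:]
    if len(payload) < ISAKMP_HDR.size:
        return None
    _, _, _, _, exch, flags, _, _ = ISAKMP_HDR.unpack(payload[:ISAKMP_HDR.size])
    return EXCHANGE.get(exch, "unknown(%d)" % exch), bool(flags & 0x01)

def diagnose(packets):
    """packets: list of (udp_port, payload). Summarise how far the IKEv1 handshake got."""
    seen, ports = Counter(), set()
    for port, payload in packets:
        parsed = parse_isakmp(port, payload)
        if parsed:
            seen[parsed[0]] += 1
            ports.add(port)
    phase1 = seen["Main Mode"] + seen["Aggressive Mode"]
    if seen["Quick Mode"]:
        verdict = "Phase 1 completed; Phase 2 (Quick Mode) was attempted"
    elif seen["Main Mode"] >= 5:  # messages 5/6 carry the encrypted ID and signature payloads
        verdict = "Main Mode ID/AUTH messages were exchanged but no Quick Mode followed; " \
                  "Phase 1 authentication or peer-ID checks did not complete"
    elif phase1:
        verdict = "Phase 1 stalled before authentication (proposal or DH group mismatch)"
    else:
        verdict = "no IKE traffic seen"
    return {"phase1_msgs": phase1, "quick_mode": seen["Quick Mode"],
            "nat_t": 4500 in ports, "verdict": verdict}

def ike(exch, encrypted=False, nat_t=False):
    """Build a constructed, header-only IKE datagram for the sample trace (payload bodies omitted)."""
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x22" * 8, 0, 0x10, exch, 1 if encrypted else 0, 0, ISAKMP_HDR.size)
    return (4500, NON_ESP_MARKER + hdr) if nat_t else (500, hdr)

# Constructed trace resembling the post: four Main Mode messages on 500, then the encrypted
# ID/AUTH pair floated to 4500 by NAT-T, and no Quick Mode before the client times out.
SAMPLE_TRACE = [ike(2)] * 4 + [ike(2, encrypted=True, nat_t=True)] * 2

if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE))
```

Feeding a real capture through this (for example the UDP payloads tcpdump wrote to a pcap) tells you whether the failure is in proposal negotiation, certificate authentication, or only in Phase 2, which narrows the settings worth rechecking.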
Not applicable

Ok, it seems that it was actually working - when I tried connecting to this from a Linux box, it worked perfectly, first go. I suspect the issue I was having might be related to my Windows instance being run in a vmware server vm. I've had issues with vmware's bridging code in the past, it might be that it can't handle ipsec properly. When I tried Forticlient on a real Windows box, the ipsec link worked fine. Still having some issues, but I'll bring them up in the Forticlient forum...
gunthnp
New Contributor

Some systems cannot do dialup VPN in main mode; they need aggressive mode.