[SOLVED] IPSEC VPN Problem with FortiGate 50B

Agaufres · ‎10-02-2013

Hello Everyall, I' m trying to setup a VPN IPSEC with a FortiGate 50B. To use with iPhone + Mac clients. I did this tutorial: http://docs.fortinet.com/cb/html/index.html#page/FOS_Cookbook/IPSec/cb_ipsecvpn_iphone.html (I had no DMZ Interface listed on the firewall, so i had to bypass the Policy + DMZ step. Should i add a DMZ zone ? I' m not familiar with this kind of interface) All i can get is error 37125

no matching gateway for new request phase 2

I tried to changed the username and peer, the error is the same. So if i use a wrong username or password, there is no difference, still 37125. I' m thinking about the NAT and Ports, do i need to open some ? Or the Fortigate Firewall is enough smart to open automatically if VPN IPSEC is activated ? Best regards and thanks for your answers. =)

emnoc · ‎10-02-2013

Posting a copy of the config would be more helpful, but i suspect a authentiction issues with the PSK or xauth

PCNSE

NSE

StrongSwan

Agaufres · ‎10-03-2013

Hello Emnoc, You' ll find the complete configuration here: (The peer name is iphone on the screenshot, but i tried with accept all but it' s the same error) Config:

Phase 1:

Phase 2:

Thank you very much for your help.

Fullmoon · ‎10-04-2013

what about changing the Phase1 Mode from Main to Aggressive?

Fortigate Newbie

abc987 · ‎10-05-2013

I see 2 main problems here: 1. for iPhone you must not use PFS (built-in Cisco client doesn' t) 2. in CLI you have to ' set mode-cfg enable' and set your values http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD33376&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=53845675&stateId=0%200%2053843978 Have fun!

FCNSP/WCSP

Agaufres · ‎10-04-2013

Didn' t worked =( I did 6 tries with my iPhone and my Macbook always exactly the same error as the screenshot.

Agaufres · ‎10-04-2013

Now i' ve changed all the configuration to fit this tutorial: http://www.youtube.com/watch?v=nDaK31GxrmA I can' t create the VPN with the assistant, so i did manually. The result is better, but i still have an error: " Negociation failed with the VPN Server" Here is the result on the EventViewer, all seems green this is weird:

And i used the CLI Diagnose to check the problem, here is the content:

ike 0:iOS_p1_0:29: mode-cfg type 28672 request 0:' ' ike 0:iOS_p1_0:29: mode-cfg not enabled, ignoring Configuration Method Request 28672 ike 0:iOS_p1_0:29: mode-cfg type 28674 request 0:' ' ike 0:iOS_p1_0:29: mode-cfg not enabled, ignoring Configuration Method Request 28674 ike 0:iOS_p1_0:29: mode-cfg type 28675 request 0:' ' ike 0:iOS_p1_0:29: mode-cfg not enabled, ignoring Configuration Method Request 28675 ike 0:iOS_p1_0:29: mode-cfg type 28676 request 0:' ' ike 0:iOS_p1_0:29: mode-cfg not enabled, ignoring Configuration Method Request 28676 ike 0:iOS_p1_0:29: mode-cfg type 28678 request 0:' ' ike 0:iOS_p1_0:29: mode-cfg not enabled, ignoring Configuration Method Request 28678 ike 0:iOS_p1_0:29: mode-cfg type 28679 request 0:' ' ike 0:iOS_p1_0:29: mode-cfg not enabled, ignoring Configuration Method Request 28679 ike 0:iOS_p1_0:29: mode-cfg type 28673 request 0:' ' ike 0:iOS_p1_0:29: mode-cfg not enabled, ignoring Configuration Method Request 28673 ike 0:iOS_p1_0:29: mode-cfg type 28680 request 0:' ' ike 0:iOS_p1_0:29: mode-cfg not enabled, ignoring Configuration Method Request 28680 ike 0:iOS_p1_0:29: mode-cfg type 28681 request 0:' ' ike 0:iOS_p1_0:29: mode-cfg not enabled, ignoring Configuration Method Request 28681 ike 0:iOS_p1_0:29: mode-cfg type 28683 request 0:' ' ike 0:iOS_p1_0:29: mode-cfg attribute type 28683 not supported, ignoring ike 0:iOS_p1_0:29: confirmed nat-t RFC 3947 ike 0:iOS_p1_0:29: sent IKE msg (cfg_send): 12.12.12.12:4500->13.13.13.13:4500, len=108 ike 0:iOS_p1_0: link is idle 12 12.12.12.12->13.13.13.13:4500 dpd=1 seqno=1 ike 0:iOS_p1_0: link is idle 12 12.12.12.12->13.13.13.13:4500 dpd=1 seqno=2 ike 0:iOS_p1_0:29: send IKEv1 DPD probe, seqno 2 ike 0:iOS_p1_0:29: confirmed nat-t RFC 3947 ike 0:iOS_p1_0:29: sent IKE msg (R-U-THERE): 12.12.12.12:4500->13.13.13.13:4500, len=92 ike 0: comes 13.13.13.13:4500->12.12.12.12:4500,ifindex=12.... ike 0: IKEv1 exchange=Informational id=d426247074bdaa79/8b3663503e5b3c69:47d3c907 len=92 ike 0: found iOS_p1_0 12.12.12.12 12 -> 13.13.13.13:4500 ike 0:iOS_p1_0:29: notify msg received: R-U-THERE-ACK ike 0:iOS_p1_0: link is idle 12 12.12.12.12->13.13.13.13:4500 dpd=1 seqno=3 ike 0:iOS_p1_0:29: send IKEv1 DPD probe, seqno 3 ike 0:iOS_p1_0:29: confirmed nat-t RFC 3947 ike 0:iOS_p1_0:29: sent IKE msg (R-U-THERE): 12.12.12.12:4500->13.13.13.13:4500, len=92 ike 0: comes 13.13.13.13:4500->12.12.12.12:4500,ifindex=12.... ike 0: IKEv1 exchange=Informational id=d426247074bdaa79/8b3663503e5b3c69:117e9a53 len=92 ike 0: found iOS_p1_0 12.12.12.12 12 -> 13.13.13.13:4500 ike 0:iOS_p1_0:29: notify msg received: R-U-THERE-ACK ike 0: comes 13.13.13.13:4500->12.12.12.12:4500,ifindex=12.... ike 0: IKEv1 exchange=Informational id=d426247074bdaa79/8b3663503e5b3c69:446351ed len=92 ike 0: found iOS_p1_0 12.12.12.12 12 -> 13.13.13.13:4500 ike 0:iOS_p1_0:29: recv ISAKMP SA delete d426247074bdaa79/8b3663503e5b3c69 ike 0:iOS_p1_0: deleting ike 0:iOS_p1_0: flushing ike 0:iOS_p1_0: sending SNMP tunnel DOWN trap ike 0:iOS_p1_0: flushed ike 0:iOS_p1_0: delete dynamic ike 0:iOS_p1_0: deleted

If you have any idea, it would be great !! :D

Agaufres · ‎10-06-2013

Holly S#!T !!! Thank you !!! You Are The Boss !! It' s working well :))))) The exact thing you wrote is true: 1) Disable PFS 2) Apply this configuration (with others values) config vpn ipsec phase1-interface edit " AppleVPN" set type dynamic set interface " wan1" set dhgrp 2 set peertype one set xauthtype auto set mode aggressive set mode-cfg enable set proposal aes256-md5 aes256-sha1 set peerid " apple" set authusrgrp " AppleVPNUsers" set ipv4-start-ip 10.3.3.1 set ipv4-end-ip 10.3.3.254 set ipv4-netmask 255.255.255.0 set psksecret <tunnel password here> end THANKS !