Hello,
this is not an help request but something I stumbled upon while configuring IPSec VPN Access fom my users.
It's a long post, so be warned.
Here are the symptons:
- Client doesn't connect on first try, only on second attempt (and sometimes at third)
- Subsequent connections fails in the same way
- Sometimes, after connecting, I got a disconnection message BUT VPN remains active and I still can access remote resources).
Looking at wireshark, I saw that IPSec packets were sent out long after client timed out, like it takes lot of time before establishing the tunnel.
At the beginning I pointed my attention to other cybersec tool we have, but turned out they were not doing anything.
After some digging I finally discovered something I'd like to share
- When Forticlient IPSec tries to connect, it first stop and then disable Windows IPSec services (namely IKE and AuthIP IPsec Keying Modules and IPSec policy agent) and then raise his IPSec process (IPSEC.EXE) which, in turn, manages the tunnel.
- When disconnecting, it reenable Windows services.
So far so good, but on my computer I found that it take ages to stop Windows services. I tried doing it manually and discovered that when I stop ipsec service, it immediatly restart. After lot of trying I was eventually able to finally stop the service.
Now I understood what is happening: forticlient tries to stop windows ipsec, it takes several times so connection time out.
I looked at Windows IPSec policies and found a couple of policies I've created just for test and completely forgot to remove: that explains why I was unable to stop IPSec, it need to be running to execute my policies!
Cleaning Windows IPSec policies solved my issue.
Hope to help someone.
Have a nice day
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Great finds, ATosI5 - thanks for sharing! I hope this helps other users too. I'm sure you're not the only one.
thanks for the post, i have a question so now do you disable the ipsec policy agent and the IKE or do you let it on its own(forticlient) disable them
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1669 | |
1082 | |
752 | |
446 | |
224 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.