Hello all,
I am trying to set up IPSec Dialup VPN. I have downloaded the FortiGate VM version 6.4 and have FortiClient 6.0.5. I have done the configurations as per guides and followed some youtube videos for understanding.
However, I am unable to make it work and stuck. On FortiClient, I get the following error:
"VPN connection failed. Please check your configuration, network connection and pre-shared key then retry you connection. If the problem persists, contact your network administrator for help."
On FortiGate CLI, I get the following logs with debugging enabled:
FortiGate-VM64 # ike 0: comes 192.168.10.50:500->192.168.10.5:500,ifindex=4....
ike 0: IKEv2 exchange=SA_INIT id=a20511ee474b2950/0000000000000000 len=428 ike 0: in A20511EE474B295000000000000000002120220800000000000001AC2200005402000028010100040300000801000002030000080200000203000008030000020000000804000005000000280201000403000008010000020300000802000005030000080300000C0000000804000005280000C800050000C0D448858F6E8C21E68CDCCAA3EE84A229E439A0F49E666E3CD864112868B385B4D1E088332241817EAE9B21D8DED06F97C99DCD6B464B4D57EFCA4248B8D4825D2B7E7E965990297DAD47DCB81DDF8DDA862E45815FA88CE16009533B80B286FE6C84A157889D98708A10FCD7BE8814FD7DBD6270D13472F7C24BDEFD17B59A0107FDC54C0694DE3BAD200AEFC9964D7CBB586B4138E7AA41E871505CEE5E4368393266F2712D18AEF3921D44B85B54221B6DA054EFA5C9866EBFF73076CB302B000014FD962DC50AE8EF7D0B2CF8C65B325CBD2B0000144C53427B6D465D1B337BB755A37A7FEF29000014B4F01CA951E9DA8D0BAFBBD34AD3044E2900001C00004004E0F8879208723CB28770AEDB1A29B0CAE41571420000001C00004005E6BBF6BD24D8BCA3AB795F4A31A54D9EB7327932 ike 0:a20511ee474b2950/0000000000000000:71: responder received SA_INIT msg ike 0:a20511ee474b2950/0000000000000000:71: VID forticlient connect license 4C53427B6D465D1B337BB755A37A7FEF ike 0:a20511ee474b2950/0000000000000000:71: VID Fortinet Endpoint Control B4F01CA951E9DA8D0BAFBBD34AD3044E ike 0:a20511ee474b2950/0000000000000000:71: received notify type NAT_DETECTION_SOURCE_IP ike 0:a20511ee474b2950/0000000000000000:71: received notify type NAT_DETECTION_DESTINATION_IP ike 0:a20511ee474b2950/0000000000000000:71: incoming proposal: ike 0:a20511ee474b2950/0000000000000000:71: proposal id = 1: ike 0:a20511ee474b2950/0000000000000000:71: protocol = IKEv2: ike 0:a20511ee474b2950/0000000000000000:71: encapsulation = IKEv2/none ike 0:a20511ee474b2950/0000000000000000:71: type=ENCR, val=DES_CBC ike 0:a20511ee474b2950/0000000000000000:71: type=INTEGR, val=AUTH_HMAC_SHA_96 ike 0:a20511ee474b2950/0000000000000000:71: type=PRF, val=PRF_HMAC_SHA ike 0:a20511ee474b2950/0000000000000000:71: type=DH_GROUP, val=MODP1536. ike 0:a20511ee474b2950/0000000000000000:71: proposal id = 2: ike 0:a20511ee474b2950/0000000000000000:71: protocol = IKEv2: ike 0:a20511ee474b2950/0000000000000000:71: encapsulation = IKEv2/none ike 0:a20511ee474b2950/0000000000000000:71: type=ENCR, val=DES_CBC ike 0:a20511ee474b2950/0000000000000000:71: type=INTEGR, val=AUTH_HMAC_SHA2_256_128 ike 0:a20511ee474b2950/0000000000000000:71: type=PRF, val=PRF_HMAC_SHA2_256 ike 0:a20511ee474b2950/0000000000000000:71: type=DH_GROUP, val=MODP1536. ike 0:a20511ee474b2950/0000000000000000:71: matched proposal id 1 ike 0:a20511ee474b2950/0000000000000000:71: proposal id = 1: ike 0:a20511ee474b2950/0000000000000000:71: protocol = IKEv2: ike 0:a20511ee474b2950/0000000000000000:71: encapsulation = IKEv2/none ike 0:a20511ee474b2950/0000000000000000:71: type=ENCR, val=DES_CBC ike 0:a20511ee474b2950/0000000000000000:71: type=INTEGR, val=AUTH_HMAC_SHA_96 ike 0:a20511ee474b2950/0000000000000000:71: type=PRF, val=PRF_HMAC_SHA ike 0:a20511ee474b2950/0000000000000000:71: type=DH_GROUP, val=MODP1536. ike 0:a20511ee474b2950/0000000000000000:71: lifetime=86400 ike 0:a20511ee474b2950/0000000000000000:71: SA proposal chosen, matched gateway IPSECVPN ike 0:IPSECVPN: created connection: 0xc59a950 4 192.168.10.5->192.168.10.50:500. ike 0:IPSECVPN: HA L3 state 1/0 ike 0:IPSECVPN:71: processing notify type NAT_DETECTION_SOURCE_IP ike 0:IPSECVPN:71: processing NAT-D payload ike 0:IPSECVPN:71: NAT not detected ike 0:IPSECVPN:71: process NAT-D ike 0:IPSECVPN:71: processing notify type NAT_DETECTION_DESTINATION_IP ike 0:IPSECVPN:71: processing NAT-D payload ike 0:IPSECVPN:71: NAT not detected ike 0:IPSECVPN:71: process NAT-D ike 0:IPSECVPN:71: enable FortiClient endpoint compliance check, use 10.10.10.10 ike 0:IPSECVPN:71: responder preparing SA_INIT msg ike 0:IPSECVPN:71: out A20511EE474B295093648E582E8BEA7C21202220000000000000015C2200002C00000028010100040300000801000002030000080200000203000008030000020000000804000005280000C800050000D216747DF7034B0F76323CC6DBDD41719687B9667463B8DAD252E5B7381407EA80DD104551DFBBA094C7FC0E8771505D9DC0FDA8ACFE43056E650DA9189330AD81A9A7ADCAA7DE004D6EFEEABBB5BF496E4EEFB2A1BAAF484B4CFDA3DED282F60B4CD1040EE921C2CD3DB45292BDE5FA9429F881D3AFD504078299F88019834A11A6D9D98D607BF37C19746103AD8B4219D86DF26AB624CE706DEBA6CA5E63DDFBD63F2F9F75D3B4111D4FF841632FB6FDCB0D67DA6596D08292D4F469BD8D05290000144E8998F2AB9900D9811C2E60A75117CE2900001C00004004D17F862FB62274F299D96A88374E9079DC0142130000001C00004005C45180DA3778084B454FA63BF35201D38F4C40EC ike 0:IPSECVPN:71: sent IKE msg (SA_INIT_RESPONSE): 192.168.10.5:500->192.168.10.50:500, len=348, id=a20511ee474b2950/93648e582e8bea7c ike 0:IPSECVPN:71: IKE SA a20511ee474b2950/93648e582e8bea7c SK_ei 8:AF6280DC5B063F49 ike 0:IPSECVPN:71: IKE SA a20511ee474b2950/93648e582e8bea7c SK_er 8:25804A503CD26B9B ike 0:IPSECVPN:71: IKE SA a20511ee474b2950/93648e582e8bea7c SK_ai 20:43D47C3D0E103AB78D997949C0748BCCD4684C35 ike 0:IPSECVPN:71: IKE SA a20511ee474b2950/93648e582e8bea7c SK_ar 20:E3FAB0875756F0D84F469C1A7FB6EFCC51417302 ike 0: comes 192.168.10.50:500->192.168.10.5:500,ifindex=4.... ike 0: IKEv2 exchange=AUTH id=a20511ee474b2950/93648e582e8bea7c:00000001 len=268 ike 0: in A20511EE474B295093648E582E8BEA7C2E202308000000010000010C230000F0C48E4950443FD1B458A4698828311788893CE760359277F30A89A04EC66266BD9FB028A56E4147F24945B9EF5ECF2E30E9988F108E56DCFEF848C47B40FCC6B3BB58A5F72C2777F07C3C0A8C8BC14731B0326302EF705B46EB5394D11002781058F55DCF599B847236AEEAF7E3382B226571B797005EAC5A53F7F3533165F3ADE7B60F3C7ABA777FB3F22D5576A1CC8FF563C886EA493D61B604510F6E8CF9D90D87E1B29A3C832D6677106A43E4880C74C400BD624B2596E3D62BDFBD1E4510BFD4AD2A03E5218C7524A8F92B935D7C73DE34F6F842524070130F8CB2D31381227F5543A781CC623A5ADF7F ike 0:IPSECVPN:71: dec A20511EE474B295093648E582E8BEA7C2E20230800000001000000F0230000042900000C01000000C0A80A322F000008000040002100004001000000000700104643543830303231313430303137323200010000000200000003000000040000000D000070010000540A0000540B0000700000002C00004C02000024010304033F045CEF0300000801000002030000080300000C000000080500000000000024020304033F045CEF0300000801000002030000080300000200000008050000002D00001801000000070000100000FFFF00000000FFFFFFFF0000001801000000070000100000FFFF00000000FFFFFFFF ike 0:IPSECVPN:71: responder received AUTH msg ike 0:IPSECVPN:71: processing notify type INITIAL_CONTACT ike 0:IPSECVPN:71: peer identifier IPV4_ADDR 192.168.10.50 ike 0:IPSECVPN:71: re-validate gw ID ike 0:IPSECVPN:71: gw validation failed ike 0:IPSECVPN:71: schedule delete of IKE SA a20511ee474b2950/93648e582e8bea7c ike 0:IPSECVPN:71: scheduled delete of IKE SA a20511ee474b2950/93648e582e8bea7c ike 0:IPSECVPN: connection expiring due to phase1 down ike 0:IPSECVPN: deleting ike 0:IPSECVPN: deleted ike 0: comes 192.168.10.50:500->192.168.10.5:500,ifindex=4.... ike 0: IKEv2 exchange=AUTH id=a20511ee474b2950/93648e582e8bea7c:00000001 len=268 ike 0: in A20511EE474B295093648E582E8BEA7C2E202308000000010000010C230000F0C48E4950443FD1B458A4698828311788893CE760359277F30A89A04EC66266BD9FB028A56E4147F24945B9EF5ECF2E30E9988F108E56DCFEF848C47B40FCC6B3BB58A5F72C2777F07C3C0A8C8BC14731B0326302EF705B46EB5394D11002781058F55DCF599B847236AEEAF7E3382B226571B797005EAC5A53F7F3533165F3ADE7B60F3C7ABA777FB3F22D5576A1CC8FF563C886EA493D61B604510F6E8CF9D90D87E1B29A3C832D6677106A43E4880C74C400BD624B2596E3D62BDFBD1E4510BFD4AD2A03E5218C7524A8F92B935D7C73DE34F6F842524070130F8CB2D31381227F5543A781CC623A5ADF7F ike 0: invalid IKE request SPI a20511ee474b2950/93648e582e8bea7c:00000001 ike 0: comes 192.168.10.50:500->192.168.10.5:500,ifindex=4.... ike 0: IKEv2 exchange=AUTH id=a20511ee474b2950/93648e582e8bea7c:00000001 len=268 ike 0: in A20511EE474B295093648E582E8BEA7C2E202308000000010000010C230000F0C48E4950443FD1B458A4698828311788893CE760359277F30A89A04EC66266BD9FB028A56E4147F24945B9EF5ECF2E30E9988F108E56DCFEF848C47B40FCC6B3BB58A5F72C2777F07C3C0A8C8BC14731B0326302EF705B46EB5394D11002781058F55DCF599B847236AEEAF7E3382B226571B797005EAC5A53F7F3533165F3ADE7B60F3C7ABA777FB3F22D5576A1CC8FF563C886EA493D61B604510F6E8CF9D90D87E1B29A3C832D6677106A43E4880C74C400BD624B2596E3D62BDFBD1E4510BFD4AD2A03E5218C7524A8F92B935D7C73DE34F6F842524070130F8CB2D31381227F5543A781CC623A5ADF7F ike 0: invalid IKE request SPI a20511ee474b2950/93648e582e8bea7c:00000001 ike 0: comes 192.168.10.50:500->192.168.10.5:500,ifindex=4.... ike 0: IKEv2 exchange=AUTH id=a20511ee474b2950/93648e582e8bea7c:00000001 len=268 ike 0: in A20511EE474B295093648E582E8BEA7C2E202308000000010000010C230000F0C48E4950443FD1B458A4698828311788893CE760359277F30A89A04EC66266BD9FB028A56E4147F24945B9EF5ECF2E30E9988F108E56DCFEF848C47B40FCC6B3BB58A5F72C2777F07C3C0A8C8BC14731B0326302EF705B46EB5394D11002781058F55DCF599B847236AEEAF7E3382B226571B797005EAC5A53F7F3533165F3ADE7B60F3C7ABA777FB3F22D5576A1CC8FF563C886EA493D61B604510F6E8CF9D90D87E1B29A3C832D6677106A43E4880C74C400BD624B2596E3D62BDFBD1E4510BFD4AD2A03E5218C7524A8F92B935D7C73DE34F6F842524070130F8CB2D31381227F5543A781CC623A5ADF7F ike 0: invalid IKE request SPI a20511ee474b2950/93648e582e8bea7c:00000001 ike shrank heap by 159744 bytes ike 0: comes 192.168.10.50:500->192.168.10.5:500,ifindex=4.... ike 0: IKEv2 exchange=AUTH id=a20511ee474b2950/93648e582e8bea7c:00000001 len=268 ike 0: in A20511EE474B295093648E582E8BEA7C2E202308000000010000010C230000F0C48E4950443FD1B458A4698828311788893CE760359277F30A89A04EC66266BD9FB028A56E4147F24945B9EF5ECF2E30E9988F108E56DCFEF848C47B40FCC6B3BB58A5F72C2777F07C3C0A8C8BC14731B0326302EF705B46EB5394D11002781058F55DCF599B847236AEEAF7E3382B226571B797005EAC5A53F7F3533165F3ADE7B60F3C7ABA777FB3F22D5576A1CC8FF563C886EA493D61B604510F6E8CF9D90D87E1B29A3C832D6677106A43E4880C74C400BD624B2596E3D62BDFBD1E4510BFD4AD2A03E5218C7524A8F92B935D7C73DE34F6F842524070130F8CB2D31381227F5543A781CC623A5ADF7F ike 0: invalid IKE request SPI a20511ee474b2950/93648e582e8bea7c:00000001 ike 0: comes 192.168.10.50:500->192.168.10.5:500,ifindex=4.... ike 0: IKEv2 exchange=AUTH id=a20511ee474b2950/93648e582e8bea7c:00000001 len=268 ike 0: in A20511EE474B295093648E582E8BEA7C2E202308000000010000010C230000F0C48E4950443FD1B458A4698828311788893CE760359277F30A89A04EC66266BD9FB028A56E4147F24945B9EF5ECF2E30E9988F108E56DCFEF848C47B40FCC6B3BB58A5F72C2777F07C3C0A8C8BC14731B0326302EF705B46EB5394D11002781058F55DCF599B847236AEEAF7E3382B226571B797005EAC5A53F7F3533165F3ADE7B60F3C7ABA777FB3F22D5576A1CC8FF563C886EA493D61B604510F6E8CF9D90D87E1B29A3C832D6677106A43E4880C74C400BD624B2596E3D62BDFBD1E4510BFD4AD2A03E5218C7524A8F92B935D7C73DE34F6F842524070130F8CB2D31381227F5543A781CC623A5ADF7F ike 0: invalid IKE request SPI a20511ee474b2950/93648e582e8bea7c:00000001
As it says gw validation failed, what could be the issue?
Waiting for kind response,
Regards,
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.