- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Win. Native Rem. Acc. throug L2TP-IPSec VPN from W...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Win. Native Rem. Acc. throug L2TP-IPSec VPN from Windows 10 to FGT60E behind DSL router
I use the Fortigate60E as firewall and router behind a DSL modem. The FGT is connected to the DMZ port of the DSL modem (FritzBox 7360). I'm able to log in to the FritzBox on port 442, and the management port of the FGT is HTTPS: 444. I'm also able to login to the FGT from a remote desktop. The Physical settup is: Internet (public IP) <--> Frtizbox (192.168.1.1) <--> (192.168.1.20) Fortigate 60E <--> (192.168.2.1/24) Lan Clients. The Lan Clients is on port 2 (as Interface, not as LAN port).
port 2 (internal1) has static IP adress 192.168.2.1 with DHCP Server (s.i.p: 192.168.2.10, e.i.p: 192.168.2.254) no Secondary IP Address. The wan1 interface has addressing mode: DHCP (from FritzBox, which assigns static IP address: 192.168.1.20) with Acquired DNS 192.168.1.1 and Default Gateway: 192.168.1.1 (= FritzBox LAN port 1). Retrieve default gateway from server is on and Override internal DNS is also on.
I'm also able to port forward VOIP settings to a local PBX server and WebDav ports to a NAS in the local network. When I create a IPSec tunnel with the IPSec Wizard and choose for Remote Access and Windows Native, and fill in all settings:
2) Incoming Interface: Wan1 (192.168.1.20), Pre-shared key, User Group (VPN-Users)
3) Local interface: Lan-Clients (192.168.2.1/24), Local Address: all, Client Address Range: 10.10.100.1-10.10.100.100, Subnet Mask: 255.255.255.255
When I try to connect from remote Client I see the tunnel is coming up, but the VPN Events only are showing negotiate failures on the IPSec phase 1 connector.
What should I do to make this work?? I've spend days searching the Forti Cookbook and forums and Youtube video's, but it won't work..
Please help!
Labels:
- Labels:
-
5.4
31 REPLIES 31
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Jining,
Than I think that'll be the issue. If the FGT is connected to the Internet direct, we've no problem, If connected to DSL router (as an exposed host, so all ports will be forwarded to FGT), we have to deal with the double NAT problem.
I've attached a log file when trying to connect with the L2TP-IPSec vpn to the FGT.
Hope you can see someting in it?
Thanks alot!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I log the packet capture files for both ports?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One more update:
Setting up a PPTP connection isn't a problem. Also a SSL-VPN connection isn't a problem, only the L2TP-IPSec vpn connection is a problem.
I have to little knowledge of VPN protocols to choose between these 3 protocols. After searching many days on the internet I find the IPSec (over L2TP) protocol should be the fastest one and maybe also the most secure one?
Again thanks for the support!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try changing the near end selector (network) to the public IP of the DSL box.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Bob,
Thank you for your reply!
I'm just a starter with Fortinet, and don't understand well what you mean... Can you please explain a bit more what you mean by changing the near end selector? How should I do that?
Thank you.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Leander,
From you debug, we can see ISAKMP SA negotiation failure.
Would you post the following FGT config?
show vpn ipsec phase1-interface
show vpn ipsec phase2-interface
show vpn l2tp
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Leander,
Thanks for your config.
It looks like phase1 proposal and dh group doesn't match the incoming one.
I suggest you add the following proposal to phase1 and phase2 config and change phase1 dhgrp to 5.
3des-sha256 aes128-sha256 aes192-sha256
Regards,
Jining
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Jining,
It looks like you've helped me one step further!!
First I got a Phase1 negotiation error (see attached file), with the dhgrp set to 5 now phase 1 isn't giving a problem. But now I get a negotiation error on phase 2. I'll post that picture in the next post.
Hope that can be solved also...
Thank you!
Related Posts
- Forticlient blocks LAN connection 464 Views
- IKEv2 IPSec Troubleshooting Tips needed on... 589 Views
- Problem connecting to FortiGate IPsec VPN... 241 Views
- Disconnects with Windows 11 PC /... 1668 Views
- Windows 11/FortiClient Issue 720 Views
Labels
-
FortiGate
6,593 -
FortiClient
1,315 -
5.2
801 -
5.4
639 -
FortiManager
570 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiSwitch
338 -
FortiAP
337 -
FortiClient EMS
268 -
6.2
251 -
FortiMail
246 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
108 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
73 -
FortiToken
72 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
62 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
26 -
Firewall policy
25 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
High Availability
21 -
FortiConverter
21 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
DNS
13 -
Interface
13 -
FortiDDoS
13 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
FortiCASB
12 -
LDAP
11 -
VDOM
11 -
Logging
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
fortilink
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
SSO
6 -
Application control
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.