I use the FortiGate 60E as firewall and router behind a DSL modem. The FGT is connected to the DMZ port of the DSL modem (FritzBox 7360). I'm able to log in to the FritzBox on port 442, and the management port of the FGT is HTTPS: 444. I'm also able to log in to the FGT from a remote desktop. The physical setup is: Internet (public IP) <--> FritzBox (192.168.1.1) <--> (192.168.1.20) FortiGate 60E <--> (192.168.2.1/24) LAN clients. The LAN clients are on port 2 (as interface, not as LAN port).
Port 2 (internal1) has static IP address 192.168.2.1 with DHCP server (s.i.p: 192.168.2.10, e.i.p: 192.168.2.254), no secondary IP address. The wan1 interface has addressing mode: DHCP (from FritzBox, which assigns static IP address: 192.168.1.20) with acquired DNS 192.168.1.1 and default gateway: 192.168.1.1 (= FritzBox LAN port 1). "Retrieve default gateway from server" is on and "Override internal DNS" is also on.
I'm also able to port forward VoIP settings to a local PBX server and WebDAV ports to a NAS in the local network. When I create an IPsec tunnel with the IPsec Wizard, choose Remote Access and Windows Native, and fill in all settings:
2) Incoming Interface: Wan1 (192.168.1.20), Pre-shared key, User Group (VPN-Users)
3) Local interface: Lan-Clients (192.168.2.1/24), Local Address: all, Client Address Range: 10.10.100.1-10.10.100.100, Subnet Mask: 255.255.255.255
When I try to connect from a remote client I see the tunnel coming up, but the VPN events only show negotiate failures on the IPsec phase 1 connector.
What should I do to make this work? I've spent days searching the Forti Cookbook, forums and YouTube videos, but it won't work.
Please help!
These are the Phase 2 settings.
I had to disable the PFS, because otherwise I get the error on the laptop:
The L2TP connection attempt failed because the security layer could not negotiate compatible parameters with the remote computer.
I don't know if disabling the PFS is the bottleneck?
One thing you can try is to configure the FGT phase2 with "set replay disable" and uncheck "Enable replay detection" on Windows.
Another change can be PFS: you can "set pfs enable" on the FGT phase2 and change this option on Windows accordingly.
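As an added example (not code from the original post or from Fortinet), this is the FortiOS CLI shape of the phase 1, phase 2 and L2TP settings the wizard produces for a Windows native L2TP/IPsec client, with the two options discussed above (PFS and replay detection) set so that both ends agree. The tunnel name, the proposal list and the DH groups are assumptions; the pre-shared key is a placeholder.

```fortios
# Assumed tunnel name "L2TP-Win"; replace <PSK-PLACEHOLDER> with the real key.
# wan1 sits behind the FritzBox NAT, so NAT traversal stays enabled.
config vpn ipsec phase1-interface
    edit "L2TP-Win"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode main
        set peertype any
        set nattraversal enable
        # Assumed proposals: AES256/SHA1 for current Windows, 3DES/SHA1 for older clients
        set proposal aes256-sha1 3des-sha1
        set dhgrp 14 2
        set psksecret <PSK-PLACEHOLDER>
    next
end
config vpn ipsec phase2-interface
    edit "L2TP-Win"
        set phase1name "L2TP-Win"
        set proposal aes256-sha1 3des-sha1
        # Windows native L2TP/IPsec negotiates transport mode
        set encapsulation transport-mode
        set l2tp enable
        # Matches the poster's working state: PFS off on both sides.
        # Alternative from the answer above: "set pfs enable" plus "set dhgrp 14"
        # here, and enable PFS with the same group in the Windows client.
        set pfs disable
        # Matches "Enable replay detection" unchecked on the Windows client
        set replay disable
    next
end
config vpn l2tp
    set status enable
    set sip 10.10.100.1
    set eip 10.10.100.100
    set usrgrp "VPN-Users"
end
```

The wizard also creates the firewall policy from the tunnel interface to the LAN; the commands above only cover the negotiation parameters, so check that policy separately if the tunnel negotiates but traffic does not flow.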
Copyright 2025 Fortinet, Inc. All Rights Reserved.