Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDRCloud
- FortiNDR (on-premise)
- FortiPhish
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- FortiAppSec Cloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- only one VPN client can establish connection at o...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 03-02-2005 02:15 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
only one VPN client can establish connection at one time
We are currently using the Kerio Firewall 6.x to connect to the remote site using the Fortigate 100A. However, only one VPN client (forticlient v1.2.04) can connect to the VPN gateway at one time. The other workstation will fail to established the VPN connection.
We set the outbound rule as follows for the VPN connection:
Sources Destination Services allow Translation
------------- --------------- ------------------------ -----------------
internal IPs VPN gateway UDP 500, UDP 4500 NAT to WAN IP
In the Fortigate 100A VPN gateway, we set the encryption rule with dial_up VPN gateway and place the rule at the top of the firewall policies.
Thx
17 REPLIES 17
Not applicable
Created on 03-02-2005 02:31 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do you assing IP' s?
If your not using DHCP over IPsec, but static address in the VPN client and they are the same, that would explain why only one vpn client can connect at the same time.
Regards, Eric
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have different IP assigned to each client. In fact, we are able to have multiple clients behind a NETGEAR firewall connected to the VPN. However, we' re having problem with clients behind Kerio WinRoute Firewall. We actually reconfigure our settings on Kerio so that it' s identical to the settings of NETGEAR. Even with that, only one client is allowed to get connected.
From the log we saw the Phase 1 was okay. However, the next thing we saw is error message (from client behind Kerio) below:
" No response from peer, retransmit [st=1]"
Not applicable
Created on 03-02-2005 01:09 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried to make a specific rule in the kerio fw? like allow port 450 etc?
Does it work if you disable the Kerio FW?
I assume you connect in agressive mode?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem is the NAT rule, change the outbound rule to just allow traffic through and NOT to nat it to a specific IP/Port.
Then the outbound connections will have DIFFERENT source ports and should then work fine.
With the rule you have, all clients would be natted behind one port on the firewall, so the returning packets would mostly return to the first machine that was connected. (this is common).
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising
in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT
experience.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi UkWizard,
I have the same problem as fortigate@hhlmail.com, I have checked NAT option in rule All(internal)->All(external), and disabled Fix Port option. But now only one dialup VPN tunnel can be established, Static VPN tunnel all work fine.
Thanks.
Harward Gao
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Explain your setup and problem in more detail.
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising
in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT
experience.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Uk Wizard,
We use Fortinet 800, which have set some static ip and dailup IPSEC tunnels.
Remote gateway is Draytek vigor 2200E , 2300 or 2900.
For 2200E do not support local ID, we use UserID+preshared key instead(refer to Fortinet VPN Guide).
All static IP connection work fine, the first dailup connection work fine, but the other dailup connections are failed.
The dailup tunnels were set to main mode, remote_dateway=dailup_user group,
auth=presharedkey, accept any peer ID.
Remote preshared key is set as dailup_user ID+presharedkey(Central Gateway).
Firewall policies is created and move to top.
By the way, sometimes I found remote gaeway is offline but monitor still show the tunnel is up.
Thank you.
Regards,
Harward Gao
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So are you saying that you have multiple drayteks connecting to the Fortinet in dialup vpn mode ?
Have you got static IP addresses for the drayteks ?
The problem could be the fact that you are using the dialup method for multiple site-to-site connections. Dialup configuration is for Client VPNs, not for site-to-site.
try using a rule for each and use a DynDNS service for name resolution if the IP addresses are not static. There are free ones out there like dyndns.com
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising
in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT
experience.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi UK Wizard,
Sure, I have multiple Drayteks connecting to the Fortinet in dialup vpn mode.
For agressive mode, Draytek 2200 series route does not support local PeerID configuration.What should I do to setup agressive mode tunnels with it?
By the way, dyndns.com often got errors in get ip addresses.
Thanks.
Regards,
Harward Gao
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,845 -
FortiClient
1,793 -
5.2
801 -
FortiManager
751 -
5.4
639 -
FortiAnalyzer
567 -
FortiSwitch
485 -
FortiAP
478 -
FortiClient EMS
440 -
6.0
416 -
5.6
362 -
FortiMail
325 -
SSL-VPN
259 -
6.2
251 -
FortiAuthenticator v5.5
234 -
IPsec
220 -
FortiWeb
212 -
FortiNAC
197 -
5.0
196 -
FortiGuard
139 -
6.4
128 -
SD-WAN
118 -
FortiAuthenticator
111 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
99 -
FortiToken
92 -
Firewall policy
86 -
Wireless Controller
82 -
Customer Service
81 -
4.0MR3
64 -
FortiProxy
61 -
High Availability
60 -
Fortivoice
57 -
FortiADC
54 -
VLAN
53 -
FortiEDR
52 -
ZTNA
50 -
Routing
49 -
DNS
47 -
FortiExtender
46 -
FortiSandbox
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
RADIUS
38 -
SAML
38 -
NAT
37 -
Certificate
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SSO
34 -
VDOM
33 -
Interface
32 -
FortiConnect
30 -
FortiLink
30 -
Application control
28 -
FortiWAN
27 -
Web profile
27 -
FortiGate-VM
26 -
Virtual IP
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
FortiPortal
20 -
FortiSwitch v6.2
19 -
Fortigate Cloud
19 -
FortiMonitor
18 -
Traffic shaping
18 -
SSID
17 -
OSPF
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
SNMP
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
IPS signature
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
DNS filter
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
API
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
Service
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
SDN connector
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1749 | |
| 1114 | |
| 765 | |
| 447 | |
| 241 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.