Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- vpnipsec phase2
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vpnipsec phase2
hello,
i have problem with my vpn ipsec
i tried to connect to vpn but i have error during phase 2
and on wireshark
i'm stuck at here
same on forticlient log, i have no idea why
config :
same auth-encryption for vpn settings and client
good selectors for phase 2 ( src and dest addresses )
why quick mode failed ?
i can share log from CLI
thanks
Solved! Go to Solution.
Labels:
- Labels:
-
IPsec
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i know like i said the error is during phase 2
i tried at least 20 times new vpn aha
okay thanks i will test on other config maybe
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi,
some logs would help
"jack of all trades, master of none"
"jack of all trades, master of none"
Created on 04-24-2025 05:05 AM Edited on 04-24-2025 07:13 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks for your repply @funkylicious
see logs , i just hide some ip :
ike V=root:0: comes x.x.x.x:500->xxxxxx:500,ifindex=17,vrf=0,len=572....
ike V=root:0: IKEv1 exchange=Aggressive id=ac4e19fe3023317d/0000000000000000 len=572 vrf=0
ike 0: in AC4E19FE3023317D000000000000000001100400000000000000023C04000064000000010000000100000058010100020300002801010000800B0001000C00040001518080010
007800E008080030001800200018004000E0000002802010000800B0001000C00040001518080010007800E010080030001800200048004000E0A0001045D953284DDC2E84FADC5A883C0F4
84961050A7F03EA46A882B94E94124A7554CF89766395F17B3FD5214236C5770751EF4C60DC2892AF00CE5C350F987EE7670ED03938414FF0192290331715A95CD4679F6650BDAF6E95F89F
4070CDFAB862176453B6894F714C0CD56D77938AE7C876006E3F0FAE8C0BD9EB3899958DF5861F68E5C4FAAF8A17134DF6C57C98D89ED268A92909101AB84A1D0E4D4941C4E5BE5CD06327F
0573DA00A4D95FF6F30B81B03C8F8D2B51258514CB7D2C2E229CBC052F9ECCE7A12F0146A1C5964AF2E333CD7AE14367C55BFAF98314D830E3239D4CF32E16C315BBAF92B6AAA80BF1D9DCA
2C8C7492B0E8C32F190DB6C3CB2685105000014E19BFED6FAC6C6DE47D0FF4AEC6749910D00000C010000009F54224B0D00001412F5F28C457168A9702D9FE274CC01000D0000144A131C81
070358455C5728F20E95452F0D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00000C09002689DFD6B7120D000014AFCAD
Created on 04-24-2025 05:09 AM Edited on 04-24-2025 05:13 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i assume that you are using the VPN Only version of FortiClient and not one managed by a EMS.
if so, https://docs.fortinet.com/document/fortigate/7.6.1/administration-guide/710480 try disabling ems-sn-check, which is enabled by default starting with 7.6
as for phase-2 selectors, i would leave the default ones for src and dst 0.0.0.0/0
"jack of all trades, master of none"
"jack of all trades, master of none"
Created on 04-24-2025 05:18 AM Edited on 04-24-2025 07:15 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
when i disable ems check i have new logs
ike V=root:0: comes x:500->y:500,ifindex=17,vrf=0,len=572....
ike V=root:0: IKEv1 exchange=Aggressive id=62a2b101026465ac/0000000000000000 len=572 vrf=0
ike 0: in 62A2B101026465AC000000000000000001100400000000000000023C04000064000000010000000100000058010100020300002801010000800B0001000C000400015180
ike V=root:0:vpn4_0:116: mode-cfg type 4 request 0:''
ike V=root:0:vpn4_0:116: mode-cfg WINS ignored, no WINS servers configured
ike V=root:0:vpn4_0:116: mode-cfg type 13 request 0:''
ike V=root:0:vpn4_0:116: mode-cfg type 8 request 0:''
ike V=root:0:vpn4_0: IPv6 pool is not configured
ike V=root:0:vpn4_0:116: mode-cfg could not allocate IPv6 address
ike V=root:0:vpn4_0:116: mode-cfg type 9 request 0:''
ike V=root:0:vpn4_0:116: mode-cfg type 10 request 0:''
ike V=root:0:vpn4_0:116: mode-cfg type 11 request 0:''
ike V=root:0:vpn4_0:116: mode-cfg type 11 not supported, ignoring
ike V=root:0:vpn4_0:116: mode-cfg type 15 request 0:''
ike V=root:0:vpn4_0:116: mode-cfg type 25 request 0:''
ike V=root:0:vpn4_0:116: mode-cfg type 28672 request 0:''
ike V=root:0:vpn4_0:116: mode-cfg UNITY type 28672 requested
ike V=root:0:vpn4_0:116: mode-cfg no banner configured, ignoring
ike V=root:0:vpn4_0:116: mode-cfg type 28674 request 0:''
ike V=root:0:vpn4_0:116: mode-cfg UNITY type 28674 requested
ike V=root:0:vpn4_0:116: mode-cfg no domain configured, ignoring
ike V=root:0:vpn4_0:116: mode-cfg type 28675 request 0:''
ike V=root:0:vpn4_0:116: mode-cfg UNITY type 28675 requested
ike V=root:0:vpn4_0:116: mode-cfg UNITY type 28675 not supported, ignoring
ike V=root:0:vpn4_0:116: mode-cfg type 28678 request 0:''
ike V=root:0:vpn4_0:116: mode-cfg UNITY type 28678 requested
ike V=root:0:vpn4_0:116: mode-cfg type 28673 request 0:''
ike V=root:0:vpn4_0:116: mode-cfg UNITY type 28673 requested
ike V=root:0:vpn4_0:116: mode-cfg type 21514 requested
ike V=root:0:vpn4_0:116: mode-cfg type 21515 requested
ike V=root:0:vpn4_0:116: mode-cfg type 7 request 0:''
ike V=root:0:vpn4_0:116: mode-cfg assigned (1) IPv4 address 10.10.10.1
ike V=root:0:vpn4_0:116: mode-cfg assigned (2) IPv4 netmask 255.255.255.248
ike V=root:0:vpn4_0:116: mode-cfg send (13) 0:0.0.0.0/0.0.0.0:0
ike V=root:0:vpn4_0:116: mode-cfg send (3) IPv4 DNS(1) xxx
ike V=root:0:vpn4_0:116: mode-cfg send (3) IPv4 DNS(2) xxx
ike V=root:0:vpn4_0:116: mode-cfg assigned (9) IPv6 prefix 128 netmask ffffffffffffffffffffffffffffffff
ike V=root:0:vpn4_0:116: mode-cfg send INTERNAL_IP6_SUBNET
ike V=root:0:vpn4_0:116: mode-cfg IPv6 DNS ignored, no IPv6 DNS servers found
ike V=root:0:vpn4_0:116: mode-cfg send APPLICATION_VERSION 'FortiGate-201E v7.6.3,build3510,250415 (GA.F)'
ike V=root:0:vpn4_0:116: mode-cfg send (28673) UNITY_SAVE_PASSWD
ike V=root:0:vpn4_0:116: client auto-negotiate is disabled
ike V=root:0:vpn4_0:116: client-keep-alive is disabled
ike 0:vpn4_0:116: enc 62A2B101026465ACA2262125D199071408100601B1AE0E94000000C20E000014D2E99EA46786D435AF78760A94C78C290000009202002BC1000100040A0A0A0100020004FFFFFFF8000D0008000000000000000000030004602D2D2D00030004602D2E2E00090010FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000F001100000000000000000000000000000000000007002D466F727469476174652D323031452076372E362E332C6275696C64333531302C323530343135202847412E4629F0010001
ike 0:vpn4_0:116: out 62A2B101026465ACA2262125D199071408100601B1AE0E94000000CC49B71A405ADDA49538A85397F29AF6114E53ADE8BB4A6385D9EA5FAE8E277E7FEFA84354C8207994D9D3A521348CC77E0F625C29784C69006E1AD5A45783ABE5BEDA627040239A946F0478010FC8B72C4230418C18ABA034C77DF911364F7CE2B0A259881C62B56FE4B06864E9399CDE47942E4A06251972ED61D84D152DE78C32566FDF6A490FAF939DA91A3DE902B84CC317154F5B79F24A38E44EFF4161DB414E6A3F0E85FE57D329393FA437A460
ike V=root:0:vpn4_0:116: sent IKE msg (cfg_send): x:500->y:500, len=204, vrf=0, id=62a2b101026465ac/a2262125d1990714:b1ae0e94
but not error for phase 2
any idea ?
thanks :)
Created on 04-24-2025 05:25 AM Edited on 04-24-2025 05:27 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you share the configuration for both phase1 and phase2 from cli or gui ( w/o sensitive information like public ip and psk ) ?
as for phase-2, try leaving it at the default values of 0.0.0.0/0 if not already since you mentioned in the first post that they are correct - by that i would suspect that you have changed them.
is it split-tunnel or a full-tunnel setup and are you using XAUTH for with/a specific peer id in phase-1 ?
"jack of all trades, master of none"
"jack of all trades, master of none"
Created on 04-24-2025 05:34 AM Edited on 04-24-2025 07:14 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i tested split and full,
any id not spcecific
thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
if i'm not mistaken, under phase2 if you edit/expand vpn4 you should also have PFS enabled and DH ( which i know are by default in older version, i don't have access to a device with 7.6.X to see how they are by default ), which in your FCT config are missing.
please have a look at that that confirm this suspicion.
in the firewall rules, i guess you already have srcintf vpn4 > dstintf INTF-X and srcaddr the range that would be allocated to you, without the group.
"jack of all trades, master of none"
"jack of all trades, master of none"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
PFS are disabled both in fct config and forti config
yeah already have rule :)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
in this case, the configuration seems to match for phase1 and phase2.
it's kinda strange why it would not connect. i feel like some logs in regards to phase2 and why it's not coming up are somewhere in there.
this as a side note, i had plenty of issues where the client would not connect, although everything was in order. this was resolved by deleting the IPsec VPN config in FortiClient and redoing it and then it worked, maybe try this also.
"jack of all trades, master of none"
"jack of all trades, master of none"
Labels
-
FortiGate
10,495 -
FortiClient
2,130 -
FortiManager
883 -
5.2
687 -
FortiAnalyzer
673 -
5.4
638 -
FortiSwitch
575 -
FortiAP
557 -
FortiClient EMS
551 -
6.0
416 -
IPsec
405 -
FortiMail
371 -
SSL-VPN
370 -
5.6
362 -
FortiNAC
277 -
6.2
251 -
FortiWeb
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
190 -
FortiAuthenticator
168 -
FortiGuard
159 -
5.0
152 -
Firewall policy
141 -
6.4
128 -
FortiGate-VM
124 -
FortiCloud Products
116 -
FortiGateCloud
112 -
FortiSIEM
111 -
FortiToken
110 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
83 -
FortiProxy
77 -
ZTNA
75 -
Routing
72 -
DNS
71 -
SAML
70 -
VLAN
70 -
Fortivoice
69 -
FortiEDR
68 -
FortiADC
67 -
BGP
67 -
Authentication
65 -
Certificate
62 -
RADIUS
58 -
LDAP
57 -
SSO
54 -
FortiSandbox
53 -
FortiLink
53 -
FortiExtender
51 -
NAT
51 -
4.0MR3
49 -
VDOM
44 -
Application control
44 -
FortiDNS
43 -
Interface
42 -
Logging
40 -
Virtual IP
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
35 -
SSL SSH inspection
35 -
Web profile
35 -
FortiConnect
34 -
Automation
32 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
SNMP
25 -
SSID
25 -
Static route
25 -
Traffic shaping
24 -
API
24 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
OSPF
20 -
WAN optimization
20 -
FortiMonitor
19 -
Security profile
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSOAR
17 -
Web rating
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
NAC policy
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
FortiRecorder
11 -
Users
11 -
Port policy
11 -
FortiDeceptor
10 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Trunk
10 -
Traffic shaping profile
10 -
Authentication rule and scheme
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
lacework
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2538 | |
| 1351 | |
| 795 | |
| 642 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.