FortiGate
sebas865
Staff
Article Id 277238
Description This article describes how to fix a dialup VPN failure in which the IKE debug output shows no proposal from the remote peer; only the FortiGate's own proposals appear.
Scope FortiGate v7.0.12 or above.
Solution
  • When a dialup VPN peer tries to connect from an Android device using the FortiClient VPN app, the connection fails and the debug output is the following:

ike 0::57: peer identifier IPV4_ADDR 192.168.1.9
ike 0: IKEv1 Aggressive, comes 152.203.102.115:500->10.1.0.16 3
ike 0:99e90a0d7e6f491e/0000000000000000:57: my proposal, gw Test:
ike 0:99e90a0d7e6f491e/0000000000000000:57: proposal id = 1:
ike 0:99e90a0d7e6f491e/0000000000000000:57:   protocol id = ISAKMP:
ike 0:99e90a0d7e6f491e/0000000000000000:57:      trans_id = KEY_IKE.
ike 0:99e90a0d7e6f491e/0000000000000000:57:      encapsulation = IKE/none
ike 0:99e90a0d7e6f491e/0000000000000000:57:
ike 0:99e90a0d7e6f491e/0000000000000000:57: ISAKMP SA lifetime=86400
ike 0:99e90a0d7e6f491e/0000000000000000:57: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:99e90a0d7e6f491e/0000000000000000:57: no SA proposal chosen

  • Based on the above debug, the FortiGate prints only its own proposal ("my proposal"), never receives a proposal from the peer, the negotiation fails, and no SA is chosen.
  • The incoming IKE packet in the debug is addressed to 10.1.0.16. If the WAN interface used for the VPN has a secondary IP address and the peer connects to that secondary IP, the secondary IP must be configured as the local gateway of the phase1.
  • Configure the local gateway for the IPsec tunnel:

 

config vpn ipsec phase1-interface
    edit MyVPNTunnel
        set interface wan1
        set local-gw 10.1.0.16
    next
end
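As an added example that is not part of the original article, the following Python script applies the reasoning above to a captured IKE debug: it extracts the destination address from the "comes src:port->dst" line, counts FortiGate's own "my proposal" blocks against peer proposal blocks, and, when the negotiation ended with "no SA proposal chosen" without any peer proposal, compares the destination address with the phase1's local gateway. The sample debug text is constructed from the lines quoted in the article, the marker "incoming proposal" for peer proposal blocks is an assumption about the debug format, and the rule that a phase1 without local-gw answers on the interface's primary address is the behaviour the article implies.

```python
"""Classify FortiGate IKEv1 debug output for the 'no proposal from peer' symptom."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the debug lines quoted in the article; not captured from a live unit.
SAMPLE_DEBUG = """\
ike 0::57: peer identifier IPV4_ADDR 192.168.1.9
ike 0: IKEv1 Aggressive, comes 152.203.102.115:500->10.1.0.16 3
ike 0:99e90a0d7e6f491e/0000000000000000:57: my proposal, gw Test:
ike 0:99e90a0d7e6f491e/0000000000000000:57: proposal id = 1:
ike 0:99e90a0d7e6f491e/0000000000000000:57:   protocol id = ISAKMP:
ike 0:99e90a0d7e6f491e/0000000000000000:57:      trans_id = KEY_IKE.
ike 0:99e90a0d7e6f491e/0000000000000000:57:      encapsulation = IKE/none
ike 0:99e90a0d7e6f491e/0000000000000000:57: ISAKMP SA lifetime=86400
ike 0:99e90a0d7e6f491e/0000000000000000:57: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:99e90a0d7e6f491e/0000000000000000:57: no SA proposal chosen
"""

# "comes <src>:<port>-><dst>" is the line FortiGate prints for the incoming IKE packet.
COMES_RE = re.compile(r"comes (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)->(?P<dst>\d+\.\d+\.\d+\.\d+)")
GW_RE = re.compile(r"my proposal, gw (?P<gw>\S+):")


@dataclass
class IkeSummary:
    src_ip: Optional[str] = None   # peer address from the "comes" line
    dst_ip: Optional[str] = None   # local address the peer actually sent to
    gateway: Optional[str] = None  # phase1 name FortiGate matched ("gw Test")
    local_proposals: int = 0       # "my proposal" blocks printed by FortiGate
    peer_proposals: int = 0        # peer proposal blocks; "incoming proposal" marker is assumed
    no_sa_chosen: bool = False     # "no SA proposal chosen" seen


def parse_ike_debug(text: str) -> IkeSummary:
    """Walk the debug lines once and collect the fields needed for the diagnosis."""
    summary = IkeSummary()
    for line in text.splitlines():
        if (m := COMES_RE.search(line)):
            summary.src_ip, summary.dst_ip = m["src"], m["dst"]
        if (m := GW_RE.search(line)):
            summary.gateway = m["gw"]
        if "my proposal" in line:
            summary.local_proposals += 1
        if "incoming proposal" in line:
            summary.peer_proposals += 1
        if "no SA proposal chosen" in line:
            summary.no_sa_chosen = True
    return summary


def diagnose(text: str, interface_ip: str, local_gw: Optional[str] = None) -> str:
    """Return a short finding.

    interface_ip: primary address of the VPN interface (e.g. wan1).
    local_gw:     the phase1 'set local-gw' value, or None when it is not set, in which
                  case the phase1 is assumed to answer only on the primary address.
    """
    s = parse_ike_debug(text)
    if not s.no_sa_chosen:
        return "ok"
    if s.peer_proposals > 0:
        # The peer did send proposals; the failure is an algorithm mismatch, not addressing.
        return "proposal-mismatch"
    expected = local_gw or interface_ip
    if s.dst_ip and s.dst_ip != expected:
        # Peer talked to an address (e.g. a secondary IP) the phase1 is not bound to.
        return f"set-local-gw:{s.dst_ip}"
    return "no-peer-proposal"


if __name__ == "__main__":
    # Hypothetical primary wan1 address; the sample shows the peer using 10.1.0.16 instead.
    print(diagnose(SAMPLE_DEBUG, interface_ip="10.1.0.1"))
```

With the primary interface address given as 10.1.0.1 and no local-gw, the script reports that the peer addressed 10.1.0.16 and that local-gw should be set to that value, which is exactly the configuration change above; once local-gw is 10.1.0.16 the addressing check passes and any remaining failure points back at the proposal lists themselves.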