Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
os1001
New Contributor

Forticlient, IPSEC and Certificates

Hello, I hope that maybe someone can help me with this. I have a FGT80C with version 5.0.2 and a FortiClient 5.0.1. I am trying to set up an IPsec VPN with certificates and can't get this to work. When I use a PSK the connection comes up.

The configuration of the firewall:

config vpn ipsec phase1-interface
    edit "Remote"
        set type dynamic
        set interface "wan1"
        set authmethod rsa-signature
        set peertype peergrp
        set mode-cfg enable
        set proposal 3des-sha1 aes128-sha1
        set rsa-certificate "80C"
        set peergrp "Cert_User"
        set ipv4-start-ip 10.254.254.1
        set ipv4-end-ip 10.254.254.14
        set ipv4-netmask 255.255.255.0
        set dns-mode auto
        set ipv4-split-include "PM_Network"
    next
end
config vpn ipsec phase2-interface
    edit "Remote"
        set phase1name "Remote"
        set proposal 3des-sha1 aes128-sha1
    next
end

In the debug I can see the following:

2013-05-14 16:28:32 ike 0: comes 92.79.191.198:500->62.72.87.100:500,ifindex=4....
2013-05-14 16:28:32 ike 0: IKEv1 exchange=Identity Protection id=d94dd2ded8ef755b/0000000000000000 len=336
2013-05-14 16:28:32 ike 0: in
2013-05-14 16:28:32 ike 0: cache rebuild start
2013-05-14 16:28:32 ike 0:Remote: cached as dynamic
2013-05-14 16:28:32 ike 0: cache rebuild done
2013-05-14 16:28:32 ike 0:Remote:13: responder: main mode get 1st message...
2013-05-14 16:28:32 ike 0:Remote:13: VID RFC 3947 4A131C81070358455C5728F20E95452F
2013-05-14 16:28:32 ike 0:Remote:13: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
2013-05-14 16:28:32 ike 0:Remote:13: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
2013-05-14 16:28:32 ike 0:Remote:13: VID forticlient connect license 4C53427B6D465D1B337BB755A37A7FEF
2013-05-14 16:28:32 ike 0:Remote:13: enable FortiClient license check
2013-05-14 16:28:32 ike 0:Remote:13: VID Fortinet Endpoint Control B4F01CA951E9DA8D0BAFBBD34AD3044E
2013-05-14 16:28:32 ike 0:Remote:13: enable FortiClient endpoint compliance check, use 169.254.1.1
2013-05-14 16:28:32 ike 0:Remote:13: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
2013-05-14 16:28:32 ike 0:Remote:13: peer supports UNITY
2013-05-14 16:28:32 ike 0:Remote:13: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
2013-05-14 16:28:32 ike 0:Remote:13: VID DPD AFCAD71368A1F1C96B8696FC77570100
2013-05-14 16:28:32 ike 0:Remote:13: DPD negotiated
2013-05-14 16:28:32 ike 0:Remote:13: negotiation result
2013-05-14 16:28:32 ike 0:Remote:13: proposal id = 1:
2013-05-14 16:28:32 ike 0:Remote:13: protocol id = ISAKMP:
2013-05-14 16:28:32 ike 0:Remote:13: trans_id = KEY_IKE.
2013-05-14 16:28:32 ike 0:Remote:13: encapsulation = IKE/none
2013-05-14 16:28:32 ike 0:Remote:13: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
2013-05-14 16:28:32 ike 0:Remote:13: type=OAKLEY_HASH_ALG, val=SHA.
2013-05-14 16:28:32 ike 0:Remote:13: type=AUTH_METHOD, val=RSA_SIG.
2013-05-14 16:28:32 ike 0:Remote:13: type=OAKLEY_GROUP, val=1536.
2013-05-14 16:28:32 ike 0:Remote:13: ISKAMP SA lifetime=28800
2013-05-14 16:28:32 ike 0:Remote:13: selected NAT-T version: RFC 3947
2013-05-14 16:28:32 ike 0:Remote:13: cookie d94dd2ded8ef755b/14db97b7eddd963a
2013-05-14 16:28:32 ike 0:Remote:13: out D94DD2DED8EF755B14DB97B7EDDD963A0110020000000000000000C80D000034000000010000000100000028010100010000002002010000800B0001800C7080800100058003000380020002800400050D0000144A131C81070358455C5728F20E95452F0D000014AFCAD71368A1F1C96B8696FC775701000D00001412F5F28C457168A9702D9FE274CC02040D0000144C53427B6D465D1B337BB755A37A7FEF0D000014B4F01CA951E9DA8D0BAFBBD34AD3044E000000148299031757A36082C6A621DE00050093
2013-05-14 16:28:32 ike 0:Remote:13: sent IKE msg (ident_r1send): 62.72.87.100:500->92.79.191.198:500, len=200, id=d94dd2ded8ef755b/14db97b7eddd963a
2013-05-14 16:28:32 ike 0: comes 92.79.191.198:500->62.72.87.100:500,ifindex=4....
2013-05-14 16:28:32 ike 0: IKEv1 exchange=Identity Protection id=d94dd2ded8ef755b/14db97b7eddd963a len=292
2013-05-14 16:28:32 ike 0: in
2013-05-14 16:28:32 ike 0:Remote:13: responder:main mode get 2nd message...
2013-05-14 16:28:32 ike 0:Remote:13: NAT detected: PEER
2013-05-14 16:28:32 ike 0:Remote:13: out
2013-05-14 16:28:32 ike 0:Remote:13: sent IKE msg (ident_r2send): 62.72.87.100:500->92.79.191.198:500, len=297, id=d94dd2ded8ef755b/14db97b7eddd963a
2013-05-14 16:28:32 ike 0:Remote:13: ISAKMP SA d94dd2ded8ef755b/14db97b7eddd963a key 24:D333A21C48E22B3BC67997044CDE848019647292D0F5E52E
2013-05-14 16:28:32 ike 0: comes 92.79.191.198:4500->62.72.87.100:4500,ifindex=4....
2013-05-14 16:28:32 ike 0: IKEv1 exchange=Identity Protection id=d94dd2ded8ef755b/14db97b7eddd963a len=1140
2013-05-14 16:28:32 ike 0: in
2013-05-14 16:28:32 ike 0:Remote:13: responder: main mode get 3rd message...
2013-05-14 16:28:32 ike 0:Remote:13: dec
2013-05-14 16:28:32 ike 0:Remote:13: received notify type 24578
2013-05-14 16:28:32 ike 0:Remote:13: Validating X.509 certificate
2013-05-14 16:28:32 ike 0:Remote:13: building fnbam peer candidate list
2013-05-14 16:28:32 ike 0:Remote:13: FNBAM_GROUP_NAME candidate 'Cert_User'
2013-05-14 16:28:32 ike 0:Remote:13: certificate validation pending
2013-05-14 16:28:32 ike 0:Remote:13: fnbam reply 'Cert_User'
2013-05-14 16:28:32 ike 0:Remote:13: fnbam matched peergrp 'Cert_User'
2013-05-14 16:28:32 ike 0:Remote:13: responder: main mode get 3rd message...
2013-05-14 16:28:32 ike 0:Remote:13: dec
2013-05-14 16:28:32 ike 0:Remote:13: already have certificate (type=4)
2013-05-14 16:28:32 ike 0:Remote:13: received notify type 24578
2013-05-14 16:28:32 ike 0:Remote:13: certificate validation succeeded
2013-05-14 16:28:32 ike 0:Remote:13: signature verification succeeded
2013-05-14 16:28:32 ike 0:Remote:13: authentication OK
2013-05-14 16:28:32 ike 0:Remote:13: enc
D94DD2DED8EF755B14DB97B7EDDD963A05100201000000000000044A0600009A0900000030818F310B3009060355040613026465310C300A060355040813034E5257310E300C060355040713054E65757373310C300A060355040A130349544D311A3018060355040B131150726F64756B746D616E6167656D656E74310C300A06035504031303383043312A302806092A864886F70D010901161B6F2E7363686D6964686F6665724069746D2D67726F75702E636F6D09000310043082030730820270A003020102020103300D06092A864886F70D0101050500308191310B3009060355040613026465310C300A060355040813034E5257310E300C060355040713054E65757373310C300A060355040A130349544D311A3018060355040B131150726F64756B746D616E6167656D656E74310E300C06035504030C05504D5F4341312A302806092A864886F70D010901161B6F2E7363686D6964686F6665724069746D2D67726F75702E636F6D301E170D3133303531343030303030305A170D3433303530373233353935395A30818F310B3009060355040613026465310C300A060355040813034E5257310E300C060355040713054E65757373310C300A060355040A130349544D311A3018060355040B131150726F64756B746D616E6167656D656E74310C300A06035504031303383043312A302806092A864886F70D010901161B6F2E7363686D6964686F6665724069746D2D67726F75702E636F6D30819F300D06092A864886F70D010101050003818D0030818902818100C351AC1400BDAF1D52D1728B740CD4E0AD0F42E2755CD059A90CBAA81DC581F9BFC173AFB37EC60C38ABFD2A70186E022FA8CB09C15CFD3790B23732A64CC5DF84CA008F8C43E726DB510B16261B2B1BF22DE0C51C5384692ECF0B32BF87A6A4494DA7B56C48AB4B5A6AC8CBB7CA08E397FB244374DC5C29B5298CF61A898BAF0203010001A36F306D300C0603551D130101FF04023000301D0603551D0E04160414782FB374656A74ADD5C62602968D183BB0A3BE4B300B0603551D0F0404030205E0301106096086480186F8420101040403020640301E06096086480186F842010D0411160F786361206365727469666963617465300D06092A864886F70D0101050500038181006DD019C6865AB5E05C81ACDCCB30EFCED6C49A551C8A62783A24F4DA09FF19AF03581A80A8BB450F1EDC1C6E4E81857C548E71D5F672B24FFD730FC837819E50E6929BDB6BAB90ABC29C3CE2AE447EFD90C9522239B2E90142849B06A245158F928737527F54464C769F42E74F0185E04F57C7D8DDCEF1E9C175C2D5E9BEF32E000000841ABDA8D5FC16B060CFDAF2CDD3D8BC0A124793FD9295845AD7974FBCEA58
A2F8CE74D81FBCDE3F189687970720728FD802BA6DFC706590A1AA89A020EB6C2FA15228F50CFAF7163ACFDFAE59275E489F1EAB1B46A202717D65D068F9D4E3636DC5D5F0CD4212C652EDB9E3C8A4ECB6046DEB62AF0ED5491B303CCF8A15057623
2013-05-14 16:28:32 ike 0:Remote:13: port change 500 -> 4500
2013-05-14 16:28:32 ike 0:Remote:13: out
2013-05-14 16:28:32 ike 0:Remote:13: sent IKE msg (ident_r3send): 62.72.87.100:4500->92.79.191.198:4500, len=1100, id=d94dd2ded8ef755b/14db97b7eddd963a
2013-05-14 16:28:32 ike 0:Remote:13: established IKE SA d94dd2ded8ef755b/14db97b7eddd963a
2013-05-14 16:28:32 ike 0:Remote: adding new dynamic tunnel for 92.79.191.198:4500
2013-05-14 16:28:32 ike 0:Remote_0: added new dynamic tunnel for 92.79.191.198:4500
2013-05-14 16:28:32 ike 0:Remote_0: add connected route 169.254.1.1 -> 169.254.1.1
2013-05-14 16:28:32 ike 0:Remote_0: add connected route 36.169.254.1 -> 1.169.254.1 failed 1
2013-05-14 16:28:32 ike 0:Remote_0:13: processing INITIAL-CONTACT
2013-05-14 16:28:32 ike 0:Remote_0: flushing
2013-05-14 16:28:32 ike 0:Remote_0: flushed
2013-05-14 16:28:32 ike 0:Remote_0:13: processed INITIAL-CONTACT
2013-05-14 16:28:32 ike 0:Remote_0:13: no pending Quick-Mode negotiations
2013-05-14 16:28:32 ike 0: comes 92.79.191.198:4500->62.72.87.100:4500,ifindex=4....
2013-05-14 16:28:32 ike 0: IKEv1 exchange=Informational id=d94dd2ded8ef755b/14db97b7eddd963a:c512b06d len=68
2013-05-14 16:28:32 ike 0: in D94DD2DED8EF755B14DB97B7EDDD963A08100501C512B06D000000443B17D690C88A785539788D68443CA0DA62E391BB81517C424F4AE3C63F25514FFC3811C6474D31D6
2013-05-14 16:28:32 ike 0:Remote_0:13: dec D94DD2DED8EF755B14DB97B7EDDD963A08100501C512B06D00000044F4F78AB517052D66E513928460EE55302E43A158668850130000000C0000000101000016B3CDCF03
2013-05-14 16:28:34 ike shrank heap by 114688 bytes
2013-05-14 16:28:35 ike 0: comes 92.79.191.198:4500->62.72.87.100:4500,ifindex=4....
2013-05-14 16:28:37 ike 0:Remote_0: link is idle 4 62.72.87.100->92.79.191.198:4500 dpd=1 seqno=1
2013-05-14 16:28:37 ike 0:Remote_0:13: send IKEv1 DPD probe, seqno 1
2013-05-14 16:28:37 ike 0:Remote_0:13: enc D94DD2DED8EF755B14DB97B7EDDD963A08100501F4BDEADC000000540B0000183831885B4F59607E40DEA891697F7A0ED69EEB0F000000200000000101108D28D94DD2DED8EF755B14DB97B7EDDD963A00000001
2013-05-14 16:28:37 ike 0:Remote_0:13: out D94DD2DED8EF755B14DB97B7EDDD963A08100501F4BDEADC0000005CD6199573F03A4DC00A108E3B710EDFF99081711178A3F8BFC715E9D3FC268AAEBEC68A1872A3A6807476E18B96D0A694C23D166DBD04DB9F8DFBF898D8E4C0D8
2013-05-14 16:28:37 ike 0:Remote_0:13: sent IKE msg (R-U-THERE): 62.72.87.100:4500->92.79.191.198:4500, len=92, id=d94dd2ded8ef755b/14db97b7eddd963a:f4bdeadc
2013-05-14 16:28:38 ike 0: comes 92.79.191.198:4500->62.72.87.100:4500,ifindex=4....
2013-05-14 16:28:41 ike 0: comes 92.79.191.198:4500->62.72.87.100:4500,ifindex=4....
2013-05-14 16:28:42 ike 0:Remote_0: link is idle 4 62.72.87.100->92.79.191.198:4500 dpd=1 seqno=1
2013-05-14 16:28:42 ike 0:Remote_0:13: send IKEv1 DPD probe, seqno 1
2013-05-14 16:28:42 ike 0:Remote_0:13: enc D94DD2DED8EF755B14DB97B7EDDD963A08100501EE452BEF000000540B000018393630C81F4B4DA5E087BF2BC9A48E326986717A000000200000000101108D28D94DD2DED8EF755B14DB97B7EDDD963A00000001
2013-05-14 16:28:42 ike 0:Remote_0:13: out D94DD2DED8EF755B14DB97B7EDDD963A08100501EE452BEF0000005C6E68EFC2A83021B1F49783E78C89232FCEEEE056984775A6833FE2000E86FD7D442A212647299FF9CC718A3619E95650319FF232D4BE645941CF5FBFF91FD56B
2013-05-14 16:28:42 ike 0:Remote_0:13: sent IKE msg (R-U-THERE): 62.72.87.100:4500->92.79.191.198:4500, len=92, id=d94dd2ded8ef755b/14db97b7eddd963a:ee452bef
2013-05-14 16:28:47 ike 0:Remote_0: link is idle 4 62.72.87.100->92.79.191.198:4500 dpd=1 seqno=1
2013-05-14 16:28:47 ike 0:Remote_0:13: send IKEv1 DPD probe, seqno 1
2013-05-14 16:28:47 ike 0:Remote_0:13: enc D94DD2DED8EF755B14DB97B7EDDD963A081005014079F279000000540B000018E2EB2B9A157978F28D4A7599BA0997DAF1688C09000000200000000101108D28D94DD2DED8EF755B14DB97B7EDDD963A00000001
2013-05-14 16:28:47 ike 0:Remote_0:13: out D94DD2DED8EF755B14DB97B7EDDD963A081005014079F2790000005CA506E34398C8611EB58F770721C496E954EED3CC47224EE911381D0E8287D74E67DB07AE66226E55B08C59580826B7138054060497D2E4517ED7066B1D8457CB
2013-05-14 16:28:47 ike 0:Remote_0:13: sent IKE msg (R-U-THERE): 62.72.87.100:4500->92.79.191.198:4500, len=92, id=d94dd2ded8ef755b/14db97b7eddd963a:4079f279
2013-05-14 16:28:52 ike 0:Remote_0: link fail 4 62.72.87.100->92.79.191.198:4500 dpd=1
2013-05-14 16:28:52 ike 0:Remote_0: link down 4 62.72.87.100->92.79.191.198:4500
2013-05-14 16:28:52 ike 0:Remote_0: deleting
2013-05-14 16:28:52 ike 0:Remote_0: flushing
2013-05-14 16:28:52 ike 0:Remote_0: sending SNMP tunnel DOWN trap
2013-05-14 16:28:52 ike 0:Remote_0: flushed

As you can see, the certificates are accepted. I can't see why this does not go any further. In the PSK log it looks the same, except that after "no pending Quick-Mode negotiations" it starts the setup for the config mode. Does anyone have a hint for me? Or a link to a PDF from Fortinet which describes such a setup?

By the way, does anyone know if the FortiClient will be changed in the future so that you can configure it without the VPNEditor?

Best regards
Oliver
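The hex on the in/out/enc/dec lines is the raw ISAKMP message, so the negotiation can be checked independently of the text FortiOS prints around it. The script below is an added example (not part of the original post): it decodes the 28-byte ISAKMP header and walks the payload chain of three messages copied from the log above, the FortiGate's cleartext main-mode reply (exchange type 2, len=200), the client's encrypted Informational (type 5, len=68), and one of the DPD R-U-THERE probes the FortiGate printed in plaintext on an enc line. Field names and code points are taken from RFC 2408, RFC 2409 appendix A and RFC 3706; the vendor-ID names are the ones the FortiGate itself logged. One caveat this level of debug makes obvious: it also prints the ISAKMP SA key (the "key 24:..." line) and decrypted payloads, so such dumps should be redacted before being posted.

```python
"""Decode the ISAKMP (IKEv1) header and payload chain from the hex FortiOS
prints on the in/out/enc/dec lines of 'diagnose debug application ike'.
Added example; hex copied from the debug output above, code points from
RFC 2408, RFC 2409 (appendix A) and RFC 3706."""
import struct

EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection (main mode)", 3: "Authentication Only",
                  4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
PAYLOAD_TYPES = {1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR", 8: "HASH",
                 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID", 20: "NAT-D", 21: "NAT-OA"}
NOTIFY_TYPES = {24578: "INITIAL-CONTACT", 36136: "R-U-THERE", 36137: "R-U-THERE-ACK"}
KNOWN_VIDS = {"4A131C81070358455C5728F20E95452F": "RFC 3947 NAT-T",        # names as the
              "AFCAD71368A1F1C96B8696FC77570100": "DPD (RFC 3706)",        # FortiGate logged them
              "4C53427B6D465D1B337BB755A37A7FEF": "FortiClient connect license",
              "B4F01CA951E9DA8D0BAFBBD34AD3044E": "Fortinet Endpoint Control"}
CISCO_UNITY_PREFIX = "12F5F28C457168A9702D9FE274CC"   # last two bytes carry a version
ATTR_NAMES = {1: "encryption", 2: "hash", 3: "auth_method", 4: "dh_group",
              11: "life_type", 12: "life_duration", 14: "key_length"}
ATTR_VALUES = {1: {1: "DES_CBC", 5: "3DES_CBC", 7: "AES_CBC"}, 2: {1: "MD5", 2: "SHA1"},
               3: {1: "PSK", 3: "RSA_SIG", 65001: "XAUTH_INIT_PSK", 65005: "XAUTH_INIT_RSA"},
               4: {1: "MODP768", 2: "MODP1024", 5: "MODP1536", 14: "MODP2048"},
               11: {1: "seconds", 2: "kilobytes"}}
FLAG_ENCRYPTION = 0x01

# From the log: FortiGate main-mode reply (cleartext, len=200), the client's
# Informational (encrypted, len=68), and a DPD R-U-THERE shown on an 'enc' line.
MAIN_MODE_REPLY = (
    "D94DD2DED8EF755B" "14DB97B7EDDD963A" "01100200" "00000000" "000000C8"          # header
    "0D000034" "00000001" "00000001" "00000028" "01010001" "00000020" "02010000"    # SA / P / T
    "800B0001" "800C7080" "80010005" "80030003" "80020002" "80040005"               # attributes
    "0D000014" "4A131C81070358455C5728F20E95452F" "0D000014" "AFCAD71368A1F1C96B8696FC77570100"
    "0D000014" "12F5F28C457168A9702D9FE274CC0204" "0D000014" "4C53427B6D465D1B337BB755A37A7FEF"
    "0D000014" "B4F01CA951E9DA8D0BAFBBD34AD3044E" "00000014" "8299031757A36082C6A621DE00050093")
INFORMATIONAL = ("D94DD2DED8EF755B14DB97B7EDDD963A" "08100501" "C512B06D" "00000044"
                 "3B17D690C88A785539788D68443CA0DA62E391BB81517C424F4AE3C63F25514FFC3811C6474D31D6")
DPD_PLAINTEXT = ("D94DD2DED8EF755B14DB97B7EDDD963A" "08100501" "F4BDEADC" "00000054"
                 "0B000018" "3831885B4F59607E40DEA891697F7A0ED69EEB0F"
                 "00000020" "00000001" "01" "10" "8D28" "D94DD2DED8EF755B14DB97B7EDDD963A" "00000001")


def parse_header(raw):
    """Fixed 28-byte ISAKMP header (RFC 2408 section 3.1)."""
    if len(raw) < 28:
        raise ValueError("ISAKMP header is 28 bytes")
    i_ck, r_ck, np, ver, exch, flags, msgid, length = struct.unpack("!8s8sBBBBII", raw[:28])
    return {"initiator_cookie": i_ck.hex(), "responder_cookie": r_ck.hex(), "next_payload": np,
            "version": f"{ver >> 4}.{ver & 0xF}", "exchange": EXCHANGE_TYPES.get(exch, f"type {exch}"),
            "encrypted": bool(flags & FLAG_ENCRYPTION), "message_id": msgid, "length": length,
            "length_matches_dump": length == len(raw)}


def parse_sa(body):
    """SA -> Proposal -> Transform(s); names each transform's attributes."""
    doi, _sit, _np, _res, _plen, prop_no, proto_id, spi_size, n_trans = struct.unpack("!IIBBHBBBB", body[:16])
    off, transforms = 16 + spi_size, []
    for _ in range(n_trans):
        _np, _res, tlen, trans_no, trans_id = struct.unpack("!BBHBB", body[off:off + 6])
        aoff, end, attrs = off + 8, off + tlen, {}            # 2 reserved bytes follow trans_id
        while aoff + 4 <= end:
            atype, aval = struct.unpack("!HH", body[aoff:aoff + 4])
            if atype & 0x8000:                                 # TV form: value is the 2 bytes
                atype, value, aoff = atype & 0x7FFF, aval, aoff + 4
            else:                                              # TLV form: aval is a length
                value = int.from_bytes(body[aoff + 4:aoff + 4 + aval], "big")
                aoff += 4 + aval
            attrs[ATTR_NAMES.get(atype, f"attr{atype}")] = ATTR_VALUES.get(atype, {}).get(value, value)
        transforms.append({"number": trans_no, "id": trans_id, "attributes": attrs})
        off = end
    return {"doi": doi, "proposal": prop_no, "protocol": proto_id, "transforms": transforms}


def decode(hexdump, body_is_plaintext=False):
    """(header, payloads); the chain is walked only for cleartext messages or for
    FortiOS enc/dec lines, which print plaintext although the E flag is set."""
    raw = bytes.fromhex(hexdump)
    hdr = parse_header(raw)
    if hdr["encrypted"] and not body_is_plaintext:
        return hdr, []
    payloads, off, np = [], 28, hdr["next_payload"]
    while np != 0:
        if off + 4 > len(raw):
            raise ValueError("truncated payload chain")
        nxt, _res, plen = struct.unpack("!BBH", raw[off:off + 4])
        if plen < 4 or off + plen > len(raw):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        body = raw[off + 4:off + plen]
        entry = {"type": PAYLOAD_TYPES.get(np, f"type {np}"), "length": plen}
        if np == 1:
            entry["sa"] = parse_sa(body)
        elif np == 11:
            ntype = struct.unpack("!IBBH", body[:8])[3]     # DOI, proto, SPI size, notify type
            entry["notify"] = NOTIFY_TYPES.get(ntype, ntype)
        elif np == 13:
            vid = body.hex().upper()
            entry["vendor"] = KNOWN_VIDS.get(vid, "CISCO-UNITY" if vid.startswith(CISCO_UNITY_PREFIX)
                                              else f"unknown {vid}")
        payloads.append(entry)
        off, np = off + plen, nxt
    return hdr, payloads


if __name__ == "__main__":
    for label, dump, plain in (("main mode reply", MAIN_MODE_REPLY, False),
                               ("informational", INFORMATIONAL, False), ("DPD R-U-THERE", DPD_PLAINTEXT, True)):
        hdr, payloads = decode(dump, body_is_plaintext=plain)
        print(f"{label}: {hdr['exchange']}, len={hdr['length']}, encrypted={hdr['encrypted']}")
        for p in payloads:
            print("   ", p)
```

Run against the main-mode reply, the decoded transform reads 3DES_CBC / SHA1 / RSA_SIG / MODP1536 / 28800 seconds, which is exactly what the "negotiation result" lines in the log say, and the header's exchange type is 2 (Identity Protection), i.e. the FortiGate is answering in main mode. A client configured for aggressive mode would show type 4 in its first message instead.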
3 Replies
Chris_Lin_FTNT

Did you configure this IPSec VPN from XML config file? Are you sure XAuth is disabled in XML config?
Anne
New Contributor III

Hi there, I am getting exactly the same errors. Did you fix this issue? Can you please advise what needs to be done.
Thanks, Anne
Chris_Lin_FTNT

Maybe you configured FortiClient to use XAuth, but FGT was configured not to use XAuth. Because FortiClient uses aggressive mode by default, you need to configure main mode from XML. Here is part of my FortiClient config:

<connection>
  <name>main_cert143</name>
  <type>manual</type>
  <ike_settings>
    <prompt_certificate>0</prompt_certificate>
    <server>172.17.61.143</server>
    <authentication_method>System Store X509 Certificate</authentication_method>
    <auth_key>Enc 5190b056bfd8dcc46ef33a8a8c9cfa6125246a54773fff15a4e9389c167e3b3e58efb9734601c5b241deb17d527c7182aa5c0e38b0e3cb6537426a51830cb3e1</auth_key>
    <mode>main</mode>
    <dhgroup>5;</dhgroup>
    <key_life>28800</key_life>
    <localid />
    <nat_traversal>1</nat_traversal>
    <mode_config>1</mode_config>
    <enable_local_lan>0</enable_local_lan>
    <nat_alive_freq>5</nat_alive_freq>
    <dpd>1</dpd>
    <dpd_retry_count>3</dpd_retry_count>
    <dpd_retry_interval>5</dpd_retry_interval>
    <enable_ike_fragmentation>0</enable_ike_fragmentation>
    <xauth>
      <enabled>0</enabled>
      <prompt_username>0</prompt_username>
      <username>Enc f4d63eb736021e50f926d3c0f42df5ed0b12660adb2067ee</username>
      <password />
    </xauth>
    <proposals>
      <proposal>3DES|MD5</proposal>
      <proposal>3DES|SHA1</proposal>
      <proposal>AES128|MD5</proposal>
      <proposal>AES128|SHA1</proposal>
    </proposals>
  </ike_settings>
  <ipsec_settings>
    <remote_networks>
      <network>
        <addr>0.0.0.0</addr>
        <mask>0.0.0.0</mask>
      </network>
    </remote_networks>
    <dhgroup>5</dhgroup>
    <key_life_type>seconds</key_life_type>
    <key_life_seconds>1800</key_life_seconds>
    <key_life_Kbytes>5120</key_life_Kbytes>
    <replay_detection>1</replay_detection>
    <pfs>1</pfs>
    <autokey_keep_alive>0</autokey_keep_alive>
    <use_vip>1</use_vip>
    <virtualip>
      <type>modeconfig</type>
      <ip>0.0.0.0</ip>
      <mask>0.0.0.0</mask>
      <dnsserver>0.0.0.0</dnsserver>
      <winserver>0.0.0.0</winserver>
    </virtualip>
    <proposals>
      <proposal>3DES|MD5</proposal>
      <proposal>3DES|SHA1</proposal>
      <proposal>AES128|MD5</proposal>
      <proposal>AES128|SHA1</proposal>
    </proposals>
  </ipsec_settings>
  <on_connect>
    <script>
      <os>windows</os>
      <script>
        <!--Write MS DOS batch script inside the CDATA tag below.
            One line per command, just like a regular batch script file.
            The script will be executed in the context of the user that connected the tunnel.
            Wherever you write #username# in your script, it will be automatically substituted with the xauth username of the user that connected the tunnel.
            Wherever you write #password# in your script, it will be automatically substituted with the xauth password of the user that connected the tunnel.
            Remember to check your xml file before deploying to ensure that carriage returns/line feeds are present. -->
        <script>
          <![CDATA[]]>
        </script>
      </script>
    </script>
  </on_connect>
  <on_disconnect>
    <script>
      <os>windows</os>
      <script>
        <!--Write MS DOS batch script inside the CDATA tag below.
            One line per command, just like a regular batch script file.
            The script will be executed in the context of the user that connected the tunnel.
            Wherever you write #username# in your script, it will be automatically substituted with the xauth username of the user that connected the tunnel.
            Wherever you write #password# in your script, it will be automatically substituted with the xauth password of the user that connected the tunnel.
            Remember to check your xml file before deploying to ensure that carriage returns/line feeds are present. -->
        <script>
          <![CDATA[]]>
        </script>
      </script>
    </script>
  </on_disconnect>
</connection>

Here is my corresponding FortiGate config:

config vpn ipsec phase1-interface
    edit "5_0_cert_main"
        set type dynamic
        set interface "port16"
        set ip-version 4
        set local-gw 0.0.0.0
        set nattraversal enable
        set dhgrp 5
        set keylife 28800
        set authmethod rsa-signature
        set peertype peergrp
        set xauthtype disable
        set mode main
        set mode-cfg enable
        set proposal 3des-sha1 aes128-sha1
        set localid ''
        set localid-type auto
        set negotiate-timeout 30
        set dpd enable
        set forticlient-enforcement disable
        set rsa-certificate "143_ipsec"
        set default-gw 0.0.0.0
        set default-gw-priority 0
        set peergrp "cert_gp"
        set assign-ip enable
        set mode-cfg-ip-version 4
        set assign-ip-from range
        set add-route enable
        set ipv4-start-ip 192.252.252.200
        set ipv4-end-ip 192.252.252.209
        set ipv4-netmask 255.255.255.0
        set dns-mode auto
        set ipv4-wins-server1 0.0.0.0
        set ipv4-wins-server2 0.0.0.0
        set ipv4-split-include ''
        set unity-support enable
        set domain ''
        set banner ''
        set keepalive 10
        set distance 1
        set priority 0
        set dpd-retrycount 3
        set dpd-retryinterval 5
    next
end
config vpn ipsec phase2-interface
    edit "5_0_cert_main"
        set dst-addr-type subnet
        set dst-port 0
        set encapsulation tunnel-mode
        set keepalive disable
        set keylife-type seconds
        set pfs enable
        set phase1name "5_0_cert_main"
        set proposal 3des-sha1 aes128-sha1
        set protocol 0
        set replay enable
        set route-overlap use-new
        set single-source disable
        set src-addr-type subnet
        set src-port 0
        set dhgrp 5
        set dst-subnet 0.0.0.0 0.0.0.0
        set keylifeseconds 1800
        set src-subnet 0.0.0.0 0.0.0.0
    next
end
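The mismatch described in the reply above (a client profile left in aggressive mode or with XAuth on, against a gateway configured for main mode with xauthtype disable) can be caught before anyone connects by diffing the two configurations. The following is an added example, not FortiClient or FortiGate code: it parses the <connection> XML and the FortiOS CLI text from the reply (trimmed to the keys that matter, and deliberately in the one-line form the forum software produced) and reports every phase 1 / phase 2 disagreement. Where a FortiOS key is not present it assumes the defaults noted in the code (mode main, xauthtype disable, authmethod psk, mode-cfg disable, pfs enable); the dhgrp default of 5 is taken from the OP's debug, which negotiated the 1536-bit group with no dhgrp configured. The second profile, with aggressive mode and XAuth enabled, is constructed to show the failure the reply suspects.

```python
"""Cross-check a FortiClient IPsec <connection> XML against the matching FortiGate
phase1/phase2 config for the mismatches that leave a certificate tunnel stuck after
'authentication OK' (IKE mode, XAuth, DH group, mode-config, proposals, PFS).
Added example, not Fortinet code; XML and CLI text trimmed from the reply above."""
import re
import xml.etree.ElementTree as ET

FORTICLIENT_MAIN_CERT = """<connection>
  <name>main_cert143</name>
  <ike_settings>
    <server>172.17.61.143</server>
    <authentication_method>System Store X509 Certificate</authentication_method>
    <mode>main</mode>
    <dhgroup>5;</dhgroup>
    <nat_traversal>1</nat_traversal>
    <mode_config>1</mode_config>
    <xauth><enabled>0</enabled></xauth>
    <proposals><proposal>3DES|SHA1</proposal><proposal>AES128|SHA1</proposal></proposals>
  </ike_settings>
  <ipsec_settings>
    <dhgroup>5</dhgroup>
    <pfs>1</pfs>
    <proposals><proposal>3DES|SHA1</proposal><proposal>AES128|SHA1</proposal></proposals>
  </ipsec_settings>
</connection>"""
# Constructed variant: aggressive mode (the FortiClient default named in the reply)
# with XAuth left on, the combination the reply suspects.
FORTICLIENT_GUI_DEFAULTS = (FORTICLIENT_MAIN_CERT
                            .replace("<mode>main</mode>", "<mode>aggressive</mode>")
                            .replace("<enabled>0</enabled>", "<enabled>1</enabled>"))
# FortiGate side, in the one-line form the forum software produced.
FGT_MAIN_CERT = (
    'config vpn ipsec phase1-interface edit "5_0_cert_main" set type dynamic '
    'set interface "port16" set nattraversal enable set dhgrp 5 set authmethod rsa-signature '
    'set peertype peergrp set xauthtype disable set mode main set mode-cfg enable '
    'set proposal 3des-sha1 aes128-sha1 set rsa-certificate "143_ipsec" set peergrp "cert_gp" next end '
    'config vpn ipsec phase2-interface edit "5_0_cert_main" set pfs enable '
    'set phase1name "5_0_cert_main" set proposal 3des-sha1 aes128-sha1 set dhgrp 5 next end')


def parse_fgt(text):
    """{"phase1": {key: value}, "phase2": {...}} from FortiOS CLI text, one- or multi-line."""
    out = {}
    for m in re.finditer(r'config vpn ipsec (phase[12])-interface\s+edit\s+"?([^"\s]+)"?\s+(.*?)\s+next\s+end',
                         text, re.S):
        phase, name, body = m.groups()
        settings = {k: v.strip().strip('"\'').strip()
                    for k, v in re.findall(r"set\s+(\S+)\s+(.*?)(?=\s+set\s|\Z)", body, re.S)}
        settings["_name"] = name
        out[phase] = settings
    return out


def _norm(proposal):
    """FortiClient '3DES|SHA1' -> FortiOS '3des-sha1'."""
    return proposal.strip().lower().replace("|", "-")


def parse_forticlient(xml_text):
    root = ET.fromstring(xml_text)
    conn = root if root.tag == "connection" else root.find(".//connection")
    ike, ipsec = conn.find("ike_settings"), conn.find("ipsec_settings")

    def text(el, path, default=""):
        node = el.find(path)
        return node.text.strip() if node is not None and node.text else default

    return {"mode": text(ike, "mode", "aggressive"),          # FortiClient default per the reply
            "xauth": text(ike, "xauth/enabled", "0") == "1",
            "auth": text(ike, "authentication_method"),
            "dhgroup": set(text(ike, "dhgroup").replace(";", " ").split()),
            "mode_config": text(ike, "mode_config", "0") == "1",
            "p1_proposals": {_norm(p.text) for p in ike.findall("proposals/proposal")},
            "p2_proposals": {_norm(p.text) for p in ipsec.findall("proposals/proposal")},
            "pfs": text(ipsec, "pfs", "0") == "1"}


def check_compat(xml_text, fgt_text):
    """List of human-readable mismatches; empty means both sides agree."""
    fc, fgt = parse_forticlient(xml_text), parse_fgt(fgt_text)
    p1, p2 = fgt.get("phase1", {}), fgt.get("phase2", {})
    # FortiOS defaults assumed for unset keys: mode main, xauthtype disable, authmethod psk,
    # mode-cfg disable, pfs enable.  dhgrp 5 is what the OP's debug negotiated (1536-bit)
    # with no dhgrp configured.
    findings = []
    if fc["mode"] != p1.get("mode", "main"):
        findings.append(f"IKE mode: client {fc['mode']}, FortiGate {p1.get('mode', 'main')}")
    xauthtype = p1.get("xauthtype", "disable")
    if fc["xauth"] != (xauthtype != "disable"):
        findings.append(f"XAuth: client {'on' if fc['xauth'] else 'off'}, FortiGate xauthtype {xauthtype}")
    if p1.get("authmethod", "psk") == "rsa-signature" and "Certificate" not in fc["auth"]:
        findings.append(f"auth: FortiGate rsa-signature, client '{fc['auth']}'")
    if not fc["dhgroup"] & set(p1.get("dhgrp", "5").split()):
        findings.append(f"phase1 DH group: client {sorted(fc['dhgroup'])}, FortiGate {p1.get('dhgrp', '5')}")
    if fc["mode_config"] != (p1.get("mode-cfg", "disable") == "enable"):
        findings.append("mode-config: enabled on one side only")
    for phase, client, gw in (("phase1", fc["p1_proposals"], p1), ("phase2", fc["p2_proposals"], p2)):
        if not client & set(gw.get("proposal", "").split()):
            findings.append(f"{phase} proposals: no overlap ({sorted(client)} vs {gw.get('proposal')})")
    if fc["pfs"] != (p2.get("pfs", "enable") == "enable"):
        findings.append("PFS: enabled on one side only")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("matching profile", FORTICLIENT_MAIN_CERT),
                            ("aggressive + XAuth profile", FORTICLIENT_GUI_DEFAULTS)):
        print(label, "->", check_compat(xml_text, FGT_MAIN_CERT) or "OK")
```

The matching profile produces no findings; the constructed one reports the IKE mode and the XAuth disagreement and nothing else, which is the pair of settings the reply tells the OP to fix from the XML, since the FortiClient GUI of that version does not expose them.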