Support Forum
mbaig86
New Contributor

IPSec VPN works only from certain geographical location

Hi,

 

I have an IPsec VPN set up on our FGT 60 device. It works fine from one country but doesn't connect from another. I haven't applied any geo restrictions on the device and am wondering what could be the reason for such behavior.

 

Attached are the VPN setup config and interface settings. There is no address object setting for the interface.

 

Note:

1. I am able to ping the public IP successfully from both locations.

2. I am using the public IP directly as the gateway, and there is no name resolution involved.

 

Any suggestions and advice is appreciated!

 

Thanks,

Mirza 


3 REPLIES
boneyard
Valued Contributor

Does the VPN traffic reach the firewall at all? That would be my first check.

 

If it does, is it perhaps changed? Can you compare working with not working?

 

 

mbaig86

Thanks for the suggestion.

 

I did a debug and the following is the output. Something seems to be blocked at the client side, I guess.

 

ike 0::1066: peer identifier IPV4_ADDR 192.168.1.6
ike 0: IKEv1 Aggressive, comes 41.232.222.137:500->x.x.x.x 5
ike 0:3750eba12e5ca83d/0000000000000000:1066: negotiation result
ike 0:3750eba12e5ca83d/0000000000000000:1066: proposal id = 1:
ike 0:3750eba12e5ca83d/0000000000000000:1066: protocol id = ISAKMP:
ike 0:3750eba12e5ca83d/0000000000000000:1066: trans_id = KEY_IKE.
ike 0:3750eba12e5ca83d/0000000000000000:1066: encapsulation = IKE/none
ike 0:3750eba12e5ca83d/0000000000000000:1066: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:3750eba12e5ca83d/0000000000000000:1066: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:3750eba12e5ca83d/0000000000000000:1066: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:3750eba12e5ca83d/0000000000000000:1066: type=OAKLEY_GROUP, val=MODP1536.
ike 0:3750eba12e5ca83d/0000000000000000:1066: ISAKMP SA lifetime=86400
ike 0:3750eba12e5ca83d/0000000000000000:1066: SA proposal chosen, matched gateway ABC
ike 0:ABC: created connection: 0x53a13e8 5 x.x.x.x->41.232.222.137:500.
ike 0:ABC: HA L3 state 1/0
ike 0:ABC:1066: DPD negotiated
ike 0:ABC:1066: XAUTHv6 negotiated
ike 0:ABC:1066: peer supports UNITY
ike 0:ABC:1066: enable FortiClient license check
ike 0:ABC:1066: enable FortiClient endpoint compliance check, use 169.254.1.1
ike 0:ABC:1066: selected NAT-T version: RFC 3947
ike 0:ABC:1066: cookie 3750eba12e5ca83d/1019f5d2499829a8
ike 0:ABC:1066: ISAKMP SA 3750eba12e5ca83d/1019f5d2499829a8 key 32:31A2F3B5EA70hshdsg3EDF059232D5
ike 0:ABC:1066: out ...
ike 0:ABC:1066: sent IKE msg (agg_r1send): x.x.x.x:500->41.232.222.137:500, len=556, id=3750eba12e5ca83d/1019f5d2499829a8
ike 0:ABC:1066: out ...
ike 0:ABC:1066: sent IKE msg (P1_RETRANSMIT): x.x.x.x:500->41.232.222.137:500, len=556, id=3750eba12e5ca83d/1019f5d2499829a8
ike 0:ABC:1066: out ...
ike 0:ABC:1066: sent IKE msg (P1_RETRANSMIT): x.x.x.x:500->41.232.222.137:500, len=556, id=3750eba12e5ca83d/1019f5d2499829a8
ike 0:ABC:1066: out ...
ike 0:ABC:1066: sent IKE msg (P1_RETRANSMIT): x.x.x.x:500->41.232.222.137:500, len=556, id=3750eba12e5ca83d/1019f5d2499829a8
ike 0:ABC:1066: negotiation timeout, deleting
ike 0:ABC: connection expiring due to phase1 down
ike 0:ABC: deleting
ike 0:ABC: deleted

boneyard
Valued Contributor

Looks that way; the client doesn't receive the reply? You could check that with Wireshark or similar.

 

You could also have a look at SSL VPN, which is based on SSL and not IPsec.
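The pattern in the debug output quoted above (one inbound aggressive-mode message, an agg_r1send followed only by P1_RETRANSMITs, then a negotiation timeout) is what the "client doesn't receive the reply" reading rests on. The following Python script is an added example, not code from this thread or from Fortinet: it parses output of the kind shown (the format produced by `diagnose debug application ike -1`) and states which side to capture on. The failing sample is built from the post's own lines; the 203.0.113.10 peer and its working exchange are constructed, and the regexes only key on the "comes", "sent IKE msg" and "negotiation timeout" lines, so the wording of the other lines does not matter.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Added example (not from the thread or from Fortinet): summarise one IKEv1
# phase1 attempt from FortiGate "diagnose debug application ike -1" output.

# Regexes keyed on the line shapes visible in the quoted debug output;
# every other line in the log is ignored.
RE_INBOUND = re.compile(r"\bcomes (?P<src>\S+?):(?P<sport>\d+)->")
RE_SENT = re.compile(
    r"^ike \d+:(?P<gw>[^:]+):\d+: sent IKE msg \((?P<kind>[^)]+)\): "
    r"(?P<src>\S+?)->(?P<dst>\S+?):(?P<dport>\d+), len=(?P<len>\d+)"
)
RE_TIMEOUT = re.compile(r"^ike \d+:(?P<gw>[^:]+):\d+: negotiation timeout")


@dataclass
class Phase1Summary:
    gateway: Optional[str] = None
    peer: Optional[str] = None
    inbound: int = 0                               # IKE packets received from the peer
    sent: List[str] = field(default_factory=list)  # kinds of messages we sent, in order
    timed_out: bool = False

    @property
    def retransmits(self) -> int:
        # P1_RETRANSMIT / P2_RETRANSMIT both mean "we resent because nothing came back"
        return sum(1 for k in self.sent if k.endswith("RETRANSMIT"))

    @property
    def verdict(self) -> str:
        if not self.timed_out:
            return "no phase1 timeout: the peer received and answered our reply"
        if self.inbound == 1 and self.retransmits:
            return (f"reply to {self.peer} sent {1 + self.retransmits} times and nothing came back: "
                    "capture UDP/500 and UDP/4500 on the client; absent means the return path "
                    "drops it, present means the client discards it")
        if self.inbound > 1:
            return ("peer kept re-sending its first message but never accepted our reply: "
                    "compare proposal, PSK and NAT-T handling with the working site")
        return "timed out before anything was sent: check the phase1 configuration"


def analyze_ike_debug(text: str) -> Phase1Summary:
    """Walk the debug lines once and count inbound packets, sent messages and timeouts."""
    s = Phase1Summary()
    for line in text.splitlines():
        line = line.strip()
        m = RE_INBOUND.search(line)
        if m:
            s.inbound += 1
            s.peer = s.peer or m.group("src")
            continue
        m = RE_SENT.match(line)
        if m:
            s.gateway = s.gateway or m.group("gw")
            s.peer = s.peer or m.group("dst")
            s.sent.append(m.group("kind"))
            continue
        if RE_TIMEOUT.match(line):
            s.timed_out = True
    return s


# Constructed sample: the failing exchange from the post, reduced to the lines
# the parser keys on (cookie and redacted x.x.x.x kept as quoted there).
FAILING = """\
ike 0: IKEv1 Aggressive, comes 41.232.222.137:500->x.x.x.x 5
ike 0:3750eba12e5ca83d/0000000000000000:1066: SA proposal chosen, matched gateway ABC
ike 0:ABC: created connection: 0x53a13e8 5 x.x.x.x->41.232.222.137:500.
ike 0:ABC:1066: selected NAT-T version: RFC 3947
ike 0:ABC:1066: sent IKE msg (agg_r1send): x.x.x.x:500->41.232.222.137:500, len=556, id=3750eba12e5ca83d/1019f5d2499829a8
ike 0:ABC:1066: sent IKE msg (P1_RETRANSMIT): x.x.x.x:500->41.232.222.137:500, len=556, id=3750eba12e5ca83d/1019f5d2499829a8
ike 0:ABC:1066: sent IKE msg (P1_RETRANSMIT): x.x.x.x:500->41.232.222.137:500, len=556, id=3750eba12e5ca83d/1019f5d2499829a8
ike 0:ABC:1066: sent IKE msg (P1_RETRANSMIT): x.x.x.x:500->41.232.222.137:500, len=556, id=3750eba12e5ca83d/1019f5d2499829a8
ike 0:ABC:1066: negotiation timeout, deleting
ike 0:ABC: connection expiring due to phase1 down
"""

# Constructed healthy counterpart with a hypothetical peer 203.0.113.10: the
# third aggressive-mode message arrives (on UDP/4500 after NAT-T), so no
# retransmit and no timeout.
WORKING = """\
ike 0: IKEv1 Aggressive, comes 203.0.113.10:500->x.x.x.x 5
ike 0:ABC:1070: sent IKE msg (agg_r1send): x.x.x.x:500->203.0.113.10:500, len=556, id=0123456789abcdef/fedcba9876543210
ike 0: comes 203.0.113.10:4500->x.x.x.x 5
"""

if __name__ == "__main__":
    for label, log in (("failing", FAILING), ("working", WORKING)):
        s = analyze_ike_debug(log)
        print(f"{label}: gateway={s.gateway} peer={s.peer} inbound={s.inbound} "
              f"sent={s.sent} retransmits={s.retransmits} timed_out={s.timed_out}")
        print(f"  {s.verdict}")
```

When the verdict says the reply never came back, capture on both ends: on the FortiGate, `diagnose sniffer packet any 'host 41.232.222.137 and (udp port 500 or udp port 4500)' 4` confirms the firewall is actually transmitting the 556-byte reply, and a Wireshark capture on the client with the filter `udp.port == 500 || udp.port == 4500` shows whether it arrives. A reply that leaves the firewall but never reaches the client points at the path (IKE being filtered somewhere between the two) rather than at the FortiGate configuration, which fits a VPN that works from one country and not from another.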
