InventX
New Contributor

Win. Native Rem. Acc. through L2TP-IPSec VPN from Windows 10 to FGT60E behind DSL router

I use the Fortigate 60E as firewall and router behind a DSL modem. The FGT is connected to the DMZ port of the DSL modem (FritzBox 7360). I'm able to log in to the FritzBox on port 442, and the management port of the FGT is HTTPS: 444. I'm also able to log in to the FGT from a remote desktop. The physical setup is: Internet (public IP) <--> FritzBox (192.168.1.1) <--> (192.168.1.20) Fortigate 60E <--> (192.168.2.1/24) LAN clients. The LAN clients are on port 2 (as Interface, not as LAN port).

port 2 (internal1) has static IP address 192.168.2.1 with DHCP Server (s.i.p: 192.168.2.10, e.i.p: 192.168.2.254), no Secondary IP Address. The wan1 interface has addressing mode: DHCP (from FritzBox, which assigns static IP address: 192.168.1.20) with Acquired DNS 192.168.1.1 and Default Gateway: 192.168.1.1 (= FritzBox LAN port 1). Retrieve default gateway from server is on and Override internal DNS is also on.


I'm also able to port forward VOIP settings to a local PBX server and WebDav ports to a NAS in the local network. When I create an IPSec tunnel with the IPSec Wizard and choose Remote Access and Windows Native, and fill in all settings:


2) Incoming Interface: Wan1 (192.168.1.20), Pre-shared key, User Group (VPN-Users)

3) Local interface: Lan-Clients (192.168.2.1/24), Local Address: all, Client Address Range: 10.10.100.1-10.10.100.100, Subnet Mask: 255.255.255.255


When I try to connect from the remote client I see the tunnel is coming up, but the VPN Events only show negotiate failures on the IPSec phase 1 connector.

What should I do to make this work? I've spent days searching the Forti Cookbook, forums and YouTube videos, but it won't work.

Please help!

InventX

This is the Phase 2 error:


InventX

And also this phase 2 error:

InventX

And the VPN debug shows this:


InventX

I'm sorry, the previous VPN debug isn't readable. This picture is a bit better to read.

I hope you can find something in it that points to the problem...


On the remote laptop I get the error:

The network connection between your computer and the VPN server could not be established because the remote server is not responding. etc.


Thank you.

Leander.

jnliu_FTNT

Phase 2 negotiation is OK, but the SA is deleted by Windows.

Please post the output of "d debug application l2tp -1"

InventX

Hi Jining,


I'm sorry, but when I enter d debug application l2tp -1 in the CLI nothing happens.

Also when I try to connect the VPN, I see on the IPSec monitor the VPN tunnel is coming up for ~34 seconds, Incoming Data is 1.06 kB and then the tunnel is shut down.


How can I get some output of the debug?


Thank you so much for your support!

Leander.

jnliu_FTNT

If you don't log in from the console, please type "d debug enable" first.

InventX

Ok, this is the output:

jnliu_FTNT

There is no useful l2tp debug info.

Please check the Windows L2TP and firewall config.

InventX

I've disabled all firewalls on the remote laptop, and the L2TP service is running. From the same laptop I can connect an L2TP-IPSec VPN tunnel to another FGT (60D) which is connected directly to the Internet with PPPoE.

What should I check further? Can it be a wrong setting in the FGT?
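
The setup described in the opening post (wan1 behind the FritzBox, Windows native client, pool 10.10.100.1-10.10.100.100, group VPN-Users), together with the Phase 2 result reported later in the thread, written out as the equivalent FortiOS CLI; this is an added example, not configuration from the poster or from Fortinet, and the tunnel name "Windows-VPN", the address object "L2TP-Clients", the proposals and the PSK placeholder are assumptions:

```fortios
# Hypothetical names: "Windows-VPN" (tunnel), "L2TP-Clients" (address object),
# <PSK-PLACEHOLDER>. Interfaces, user group and the 10.10.100.x pool are the
# values given in the post; proposals are assumed, not taken from the post.
config vpn ipsec phase1-interface
    edit "Windows-VPN"
        set type dynamic
        set interface "wan1"
        # the FGT sits behind the FritzBox NAT: UDP 500/4500 must be forwarded to 192.168.1.20
        set nattraversal enable
        set dhgrp 14 2
        set proposal aes256-sha256 aes256-sha1 3des-sha1
        set psksecret <PSK-PLACEHOLDER>
    next
end
config vpn ipsec phase2-interface
    edit "Windows-VPN-P2"
        set phase1name "Windows-VPN"
        # the Windows native client uses transport mode and does not offer PFS
        set encapsulation transport-mode
        set l2tp enable
        set pfs disable
        set proposal aes256-sha1 aes128-sha1 3des-sha1
    next
end
config vpn l2tp
    set status enable
    set sip 10.10.100.1
    set eip 10.10.100.100
    set usrgrp "VPN-Users"
end
config firewall address
    edit "L2TP-Clients"
        set type iprange
        set start-ip 10.10.100.1
        set end-ip 10.10.100.100
    next
end
# traffic from authenticated L2TP clients enters on the tunnel interface, not on wan1
config firewall policy
    edit 0
        set name "L2TP-to-LAN"
        set srcintf "Windows-VPN"
        set dstintf "internal1"
        set srcaddr "L2TP-Clients"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Because the FortiGate itself is behind NAT, the Windows native client additionally needs the DWORD AssumeUDPEncapsulationContextOnSendRule under HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent (value 2 covers server and client both behind NAT) and a reboot before it will keep a NAT-T association to a NATed server. Without it, the client tears the association down and reports exactly the "remote server is not responding" message quoted above.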
