- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- iOS VPN
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
iOS VPN
Hi,
Im trying to setup a Fortigate 60D I have at home for VPN access from my iPhone.
Initially I went through the iOS Native VPN wizard, which didn't work, mainly I think because of the DH Group 14 issue.
So, I went through the cookbook guide and started fresh, again with the iOS Native and then once all that was completed, converted to Custom Tunnel and changed the DH group to 14 on Phase 1.
At this point I was getting negotiation errors, and I followed the information on https://cookbook.fortinet.com/ipsec-vpn-troubleshooting/ as I was seeing "SA Proposals Do Not Match" in the log.
Eventually I had to change the algorithms to AES256-SHA256 before getting past the proposal stage. Now, I'm still receiving the same"Negotiation with the VPN server failed." message on the iOS device, but using the debug diag in the CLI I can see that negotiation is successful as is the XAuth.
However, beyond this, from my very limited knowledge of router CLI and debug info, it looks like the router thinks the iPhone is not responding to messages and disconnects it, at which point the phone indicates the above error.
The console debug diag looks like this.... (I've replaced the client IP with 123.123.123.123 and the router IP with 789.789.789.789).
Can anyone help me with the missing piece to get the VPN working?
Thanks
Barry
FGT60D4Q16093130 $ diag debug app ike -1
FGT60D4Q16093130 $ diag debug enable
FGT60D4Q16093130 $ ike 0: comes 123.123.123.123:47460->789.789.789.789:500,ifindex=5....
ike 0: IKEv1 exchange=Identity Protection id=8ce6c0fd96f368dd/0000000000000000 len=848
ike 0: in 8CE6C0FD96F368DD00000000000000000110020000000000000003500D0002200000000100000001000002140101000F0300002401010000800B0001800C0E1080010007800E01008003FDE9800200048004000E0300002402010000800B0001800C0E1080010007800E01008003FDE9800200028004000E0300002403010000800B0001800C0E1080010007800E01008003FDE9800200018004000E0300002404010000800B0001800C0E1080010007800E01008003FDE9800200068004000E0300002405010000800B0001800C0E1080010007800E01008003FDE980020004800400050300002406010000800B0001800C0E1080010007800E01008003FDE980020002800400050300002407010000800B0001800C0E1080010007800E01008003FDE980020001800400050300002408010000800B0001800C0E1080010007800E01008003FDE980020002800400020300002409010000800B0001800C0E1080010007800E01008003FDE98002000180040002030000240A010000800B0001800C0E1080010007800E00808003FDE98002000280040002030000240B010000800B0001800C0E1080010007800E00808003FDE98002000180040002030000200C010000800B0001800C0E10800100058003FDE98002000280040002030000200D010000800B0001800C0E10800100058003FDE98002000180040002030000200E010000800B0001800C0E10800100018003FDE98002000280040002000000200F010000800B0001800C0E10800100018003FDE980020001800400020D0000144A131C81070358455C5728F20E95452F0D0000144DF37928E9FC4FD1B3262170D515C6620D0000148F8D83826D246B6FC7A8A6A428C11DE80D000014439B59F8BA676C4C7737AE22EAB8F5820D0000144D1E0E136DEAFA34C4F3EA9F02EC72850D00001480D0BB3DEF54565EE84645D4C85CE3EE0D0000149909B64EED937C6573DE52ACE952FA6B0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00000C09002689DFD6B7120D00001412F5F28C457168A9702D9FE274CC01000D0000184048B7D56EBCE88525E7DE7F00D6C2D38000000000000014AFCAD71368A1F1C96B8696FC77570100
ike 0:8ce6c0fd96f368dd/0000000000000000:31: responder: main mode get 1st message...
ike 0:8ce6c0fd96f368dd/0000000000000000:31: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:8ce6c0fd96f368dd/0000000000000000:31: VID unknown (16): 4DF37928E9FC4FD1B3262170D515C662
ike 0:8ce6c0fd96f368dd/0000000000000000:31: VID draft-ietf-ipsec-nat-t-ike-08 8F8D83826D246B6FC7A8A6A428C11DE8
ike 0:8ce6c0fd96f368dd/0000000000000000:31: VID draft-ietf-ipsec-nat-t-ike-07 439B59F8BA676C4C7737AE22EAB8F582
ike 0:8ce6c0fd96f368dd/0000000000000000:31: VID draft-ietf-ipsec-nat-t-ike-06 4D1E0E136DEAFA34C4F3EA9F02EC7285
ike 0:8ce6c0fd96f368dd/0000000000000000:31: VID draft-ietf-ipsec-nat-t-ike-05 80D0BB3DEF54565EE84645D4C85CE3EE
ike 0:8ce6c0fd96f368dd/0000000000000000:31: VID draft-ietf-ipsec-nat-t-ike-04 9909B64EED937C6573DE52ACE952FA6B
ike 0:8ce6c0fd96f368dd/0000000000000000:31: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:8ce6c0fd96f368dd/0000000000000000:31: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
ike 0:8ce6c0fd96f368dd/0000000000000000:31: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:8ce6c0fd96f368dd/0000000000000000:31: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 0:8ce6c0fd96f368dd/0000000000000000:31: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
ike 0:8ce6c0fd96f368dd/0000000000000000:31: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000
ike 0:8ce6c0fd96f368dd/0000000000000000:31: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:8ce6c0fd96f368dd/0000000000000000:31: negotiation result
ike 0:8ce6c0fd96f368dd/0000000000000000:31: proposal id = 1:
ike 0:8ce6c0fd96f368dd/0000000000000000:31: protocol id = ISAKMP:
ike 0:8ce6c0fd96f368dd/0000000000000000:31: trans_id = KEY_IKE.
ike 0:8ce6c0fd96f368dd/0000000000000000:31: encapsulation = IKE/none
ike 0:8ce6c0fd96f368dd/0000000000000000:31: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:8ce6c0fd96f368dd/0000000000000000:31: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:8ce6c0fd96f368dd/0000000000000000:31: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:8ce6c0fd96f368dd/0000000000000000:31: type=OAKLEY_GROUP, val=MODP2048.
ike 0:8ce6c0fd96f368dd/0000000000000000:31: ISAKMP SA lifetime=86400
ike 0:8ce6c0fd96f368dd/0000000000000000:31: SA proposal chosen, matched gateway iOS VPN
ike 0:iOS VPN:31: DPD negotiated
ike 0:iOS VPN:31: XAUTHv6 negotiated
ike 0:iOS VPN:31: peer supports UNITY
ike 0:iOS VPN:31: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-04
ike 0:iOS VPN:31: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-05
ike 0:iOS VPN:31: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-06
ike 0:iOS VPN:31: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-07
ike 0:iOS VPN:31: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-08
ike 0:iOS VPN:31: selected NAT-T version: RFC 3947
ike 0:iOS VPN:31: cookie 8ce6c0fd96f368dd/01b558b471a983ef
ike 0:iOS VPN:31: out 8CE6C0FD96F368DD01B558B471A983EF0110020000000000000000DC0D00003800000001000000010000002C010100010000002401010000800B0001800C0E1080010007800E01008003FDE9800200048004000E0D0000144A131C81070358455C5728F20E95452F0D000014AFCAD71368A1F1C96B8696FC775701000D00000C09002689DFD6B7120D00001412F5F28C457168A9702D9FE274CC02040D0000148299031757A36082C6A621DE000502BD0D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:iOS VPN:31: sent IKE msg (ident_r1send): 789.789.789.789:500->123.123.123.123:47460, len=220, id=8ce6c0fd96f368dd/01b558b471a983ef
ike 0: comes 123.123.123.123:47460->789.789.789.789:500,ifindex=5....
ike 0: IKEv1 exchange=Identity Protection id=8ce6c0fd96f368dd/01b558b471a983ef len=380
ike 0: in 8CE6C0FD96F368DD01B558B471A983EF04100200000000000000017C0A000104D45065ED36B65AFA4275FD3977AC0687A2686A57A1B5862EC11B0081D628841D3D622BDDC1F027440BBA352A763D60915F6151D6D7054CF5BFDFCBAC4EB972C7DF6AFF18DB83A9506E7ED09EFB4EF1A986F44EAEB467005C3EACBDB7EB1F21D4760188D5887C6EE8E308E48BCAC14B7E1D7E05927F9011C54BCEBCDC7E585A5F7F012A6227AFE77472142FDE77D0C075FA112B3D0C516DE8573C92A4D25898A40A876FE3C6B6879CBAB466AEE5A7672E5A63AD88B1DB90F7E4EE0982D7F1463F109E072B68F3AF3E9A0D5093827BA6DAA8828BA756EE608763233D4F6E49FB10E7506D5F72CEEACFCF24FC7FCC9B0F04FB09580DB13494E46A452807F9811D411400001454ED13571818B535046924399CCD789214000024FAE13B7643D4DA1393CFD58AE3D2FAA418DCFEC14CF17D5BB2D73F406F45D5420000002497825EFFEE8840C0E9724EB718C56DE519DBF8B8CFD0950C66ADCD6A7C599892
ike 0:iOS VPN:31: responder:main mode get 2nd message...
ike 0:iOS VPN:31: NAT detected: ME PEER
ike 0:iOS VPN:31: out 8CE6C0FD96F368DD01B558B471A983EF04100200000000000000017C0A000104F699FAA48131FC4A65B3FDF911D7AF445F5511E8F4E3883E34ADBD99D981FD891547D58DB56CAAF91B3E02E8F46F909535E2876840A93FD3D1BB2A2696D9CCACB49D806EE6DAA750F710A0E61E2A9E1024459483A7A25D801D341B4797123239091C77902D8C273B72090B7A06EFE4FE3C2D3A6153F06AC20E2C534E4CC592128ABA7A3D1DA7E4F6CAEA32B6F83B665978356849A7D166F3090C5308CC8D1A07AA7503331F33450A91663B4061DDC82152B67AA2A22F801354CB9668F5E08B00BA32B4D5759D944FDD51BB6B03842EDE4F423E28BC9FD21B05935D9B72412109276574426BC1641BCAAC4E865DA471F3C8AC0EA55A08979BEAB16DD0D6FCA04E14000014731021E32EDC639E5638778AE14596171400002435109D9A61F53EF85C560A0E1739499B6ED66EC811039843AFD581657D49C0A6000000243B783B8490C972926F66FBECA3A59E429B53036777D502660165F5AADD1095AF
ike 0:iOS VPN:31: sent IKE msg (ident_r2send): 789.789.789.789:500->123.123.123.123:47460, len=380, id=8ce6c0fd96f368dd/01b558b471a983ef
ike 0:iOS VPN:31: ISAKMP SA 8ce6c0fd96f368dd/01b558b471a983ef key 32:C4CC2CEBA142AF7DB9D0E64EB9341F63297B572981A1E4B6CCE455FAAE71B6AC
ike 0: comes 123.123.123.123:20740->789.789.789.789:4500,ifindex=5....
ike 0: IKEv1 exchange=Identity Protection id=8ce6c0fd96f368dd/01b558b471a983ef len=108
ike 0: in 8CE6C0FD96F368DD01B558B471A983EF05100201000000000000006CAE3A4319401343C45B8EEDD40CA683279CD3C76E5B6E0D518F30FDDE9C1E34558EB91354C9970B8554E57CBA0055F11F317CB8E9BAAB38256890DE573AC25FB9BDA43C3D27E01C9F5F79CDCAB88D60E7
ike 0:iOS VPN:31: responder: main mode get 3rd message...
ike 0:iOS VPN:31: dec 8CE6C0FD96F368DD01B558B471A983EF05100201000000000000006C0800000C011101F4000000000B000024421E0C913E11530B14FA1868AF5324EA4ED927E19185661E1C2A1E5A482362550000001C00000001011060028CE6C0FD96F368DD01B558B471A983EF00000004
ike 0:iOS VPN:31: received p1 notify type INITIAL-CONTACT
ike 0:iOS VPN:31: peer identifier IPV4_ADDR 0.0.0.0
ike 0:iOS VPN:31: PSK authentication succeeded
ike 0:iOS VPN:31: authentication OK
ike 0:iOS VPN:31: enc 8CE6C0FD96F368DD01B558B471A983EF05100201000000000000004C0800000C0100000095FFA99200000024B7CD643DFE9B06695C0F27889AF16D905FBD230F2D81056B5DBD054E4F29ABD5
ike 0:iOS VPN:31: remote port change 47460 -> 20740
ike 0:iOS VPN:31: out 8CE6C0FD96F368DD01B558B471A983EF05100201000000000000005C9149BD4FD7B530BDBA1B55D3E5C78FB1930CCEAC3C40355B7CA46C9A12C2E0DF56C7DF14D1C6DFD0BAB9D7A80FA6CDBC8C66B627876AAB03A32185E0F017ED3A
ike 0:iOS VPN:31: sent IKE msg (ident_r3send): 789.789.789.789:4500->123.123.123.123:20740, len=92, id=8ce6c0fd96f368dd/01b558b471a983ef
ike 0:iOS VPN: adding new dynamic tunnel for 123.123.123.123:20740
ike 0:iOS VPN_0: added new dynamic tunnel for 123.123.123.123:20740
ike 0:iOS VPN_0:31: established IKE SA 8ce6c0fd96f368dd/01b558b471a983ef
ike 0:iOS VPN_0:31: processing INITIAL-CONTACT
ike 0:iOS VPN_0: flushing
ike 0:iOS VPN_0: flushed
ike 0:iOS VPN_0:31: processed INITIAL-CONTACT
ike 0:iOS VPN_0:31: initiating XAUTH.
ike 0:iOS VPN_0:31: sending XAUTH request
ike 0:iOS VPN_0:31: enc 8CE6C0FD96F368DD01B558B471A983EF08100601A6C10DCC000000540E000024393A71AE3A0D3113ABA0ECE72099A5659EDBC1B485CCC0AABD2B45586B7CB93C000000140100033BC088000040890000408A0000
ike 0:iOS VPN_0:31: out 8CE6C0FD96F368DD01B558B471A983EF08100601A6C10DCC0000005C52AEDBF98D33F6CD0A483325F3FD4836F1433FC07BAD1EB0C51439AE27FACC2693AB1704C296A486C2397BC8EA23CDF2C5A56F0276A4B9422E5C7CAC165F105F
ike 0:iOS VPN_0:31: sent IKE msg (cfg_send): 789.789.789.789:4500->123.123.123.123:20740, len=92, id=8ce6c0fd96f368dd/01b558b471a983ef:a6c10dcc
ike 0:iOS VPN_0:31: peer has not completed XAUTH exchange
ike 0: comes 123.123.123.123:20740->789.789.789.789:4500,ifindex=5....
ike 0: IKEv1 exchange=Mode config id=8ce6c0fd96f368dd/01b558b471a983ef:a6c10dcc len=124
ike 0: in 8CE6C0FD96F368DD01B558B471A983EF08100601A6C10DCC0000007C82AB178EA75EA5260336AC7A813C23975070376C15AC63E8F209419AC99EC5FB531318349DF481695716CCC2383E8610D47FECF6DE0DCAD3424C80FF5485D94FBD675B5FD6D7DDE6248C29DB10593748BC7985F78BB8EB4F37C8A7BA1B3E2D9A
ike 0:iOS VPN_0:31: dec 8CE6C0FD96F368DD01B558B471A983EF08100601A6C10DCC0000007C0E00002441CA20470A90CEFEE36AA499532E276DA30BD1B36E215A65E721AF5DBDD6D76A0000002E020003004089001262617272794062617264656C2E636F2E756B408A000C6D6F6E69746F72617564696F000000000000000000000000000E
ike 0:iOS VPN_0:31: received XAUTH_USER_NAME 'user@domain.com' length 18
ike 0:iOS VPN_0:31: received XAUTH_USER_PASSWORD length 18
ike 0:iOS VPN_0: XAUTH user "user@domain.com"
ike 0:iOS VPN: auth group iOS VPN Users
ike 0:iOS VPN_0: XAUTH succeeded for user "user@domain.com" group "iOS VPN Users"
ike 0:iOS VPN_0:31: enc 8CE6C0FD96F368DD01B558B471A983EF0810060112DB5C5C0000004C0E0000248406437861537B7F7079962A314BA2B0708966FB5FF5556A98E3DE2335BACCDE0000000C03000300C08F0001
ike 0:iOS VPN_0:31: out 8CE6C0FD96F368DD01B558B471A983EF0810060112DB5C5C0000005CC83137E9C3F2B9E11F2ECEA866BB55EF534D29D0781C8681F97C4FA11609072C9F8BC3FC2AF85D64C1657A942A52A300C92F98B4C8260405724DB64F1BDC6A24
ike 0:iOS VPN_0:31: sent IKE msg (cfg_send): 789.789.789.789:4500->123.123.123.123:20740, len=92, id=8ce6c0fd96f368dd/01b558b471a983ef:12db5c5c
ike 0: comes 123.123.123.123:20740->789.789.789.789:4500,ifindex=5....
ike 0: IKEv1 exchange=Mode config id=8ce6c0fd96f368dd/01b558b471a983ef:12db5c5c len=92
ike 0: in 8CE6C0FD96F368DD01B558B471A983EF0810060112DB5C5C0000005C16ECE6C6996365BBD359E66B9A917755785DDB285507021A1F4BB0A457806E021837948B22009910C12AFD8059AADD7CADCEBE792BC82C8C39ACC3D4C1302971
ike 0:iOS VPN_0:31: dec 8CE6C0FD96F368DD01B558B471A983EF0810060112DB5C5C0000005C0E000024768F3CBBAF86283E96FFE5A958DA37399DD32CB8FCCC83AFEF750CE95FDA524B0000000C04000300C08F000000000000000000000000000000000010
ike 0: comes 123.123.123.123:20740->789.789.789.789:4500,ifindex=5....
ike 0: IKEv1 exchange=Mode config id=8ce6c0fd96f368dd/01b558b471a983ef:80e31da3 len=140
ike 0: in 8CE6C0FD96F368DD01B558B471A983EF0810060180E31DA30000008C7D5FB9962730C2DC5D75B12BFDA7948562ED7C76E276BA4403DF1A169274713644B2379A336F0B27F4C9F28660BF5F9A848D15605117FEB2C2C0F2A593A3C3221C8AA837BABA38515E9F2173DC8EEA23E618630396FB413474C8C682401D646DF545640FF01A495F1B36F2AC13FC6BB0
ike 0:iOS VPN_0:31: dec 8CE6C0FD96F368DD01B558B471A983EF0810060180E31DA30000008C0E0000240B9F3F1C975C150084BCE851D7385D8973DD1193279A945F0BFD0F8B8A41F35E00000048010071EF000100000002000000030000000400000005000000070000700000007002000070030000700400007006000070070000700100007008000070090000700B000000000004
ike 0:iOS VPN_0:31: mode-cfg type 1 request 0:''
ike 0:iOS VPN_0:31: mode-cfg using allocated IPv4 10.10.111.100
ike 0:iOS VPN_0:31: mode-cfg type 2 request 0:''
ike 0:iOS VPN_0:31: mode-cfg type 3 request 0:''
ike 0:iOS VPN_0:31: mode-cfg type 4 request 0:''
ike 0:iOS VPN_0:31: mode-cfg WINS ignored, no WINS servers configured
ike 0:iOS VPN_0:31: mode-cfg type 5 request 0:''
ike 0:iOS VPN_0:31: mode-cfg type 7 request 0:''
ike 0:iOS VPN_0:31: mode-cfg type 28672 request 0:''
ike 0:iOS VPN_0:31: mode-cfg UNITY type 28672 requested
ike 0:iOS VPN_0:31: mode-cfg no banner configured, ignoring
ike 0:iOS VPN_0:31: mode-cfg type 28674 request 0:''
ike 0:iOS VPN_0:31: mode-cfg UNITY type 28674 requested
ike 0:iOS VPN_0:31: mode-cfg no domain configured, ignoring
ike 0:iOS VPN_0:31: mode-cfg type 28675 request 0:''
ike 0:iOS VPN_0:31: mode-cfg UNITY type 28675 requested
ike 0:iOS VPN_0:31: mode-cfg UNITY type 28675 not supported, ignoring
ike 0:iOS VPN_0:31: mode-cfg type 28676 request 0:''
ike 0:iOS VPN_0:31: mode-cfg UNITY type 28676 requested
ike 0:iOS VPN_0:31: mode-cfg type 28678 request 0:''
ike 0:iOS VPN_0:31: mode-cfg UNITY type 28678 requested
ike 0:iOS VPN_0:31: mode-cfg type 28679 request 0:''
ike 0:iOS VPN_0:31: mode-cfg UNITY type 28679 requested
ike 0:iOS VPN_0:31: mode-cfg type 28673 request 0:''
ike 0:iOS VPN_0:31: mode-cfg UNITY type 28673 requested
ike 0:iOS VPN_0:31: mode-cfg type 28680 request 0:''
ike 0:iOS VPN_0:31: mode-cfg UNITY type 28680 requested
ike 0:iOS VPN_0:31: mode-cfg UNITY type 28680 not supported, ignoring
ike 0:iOS VPN_0:31: mode-cfg type 28681 request 0:''
ike 0:iOS VPN_0:31: mode-cfg UNITY type 28681 requested
ike 0:iOS VPN_0:31: mode-cfg no backup-gateway configured, ignoring
ike 0:iOS VPN_0:31: mode-cfg type 28683 request 0:''
ike 0:iOS VPN_0:31: mode-cfg attribute type 28683 not supported, ignoring
ike 0:iOS VPN_0:31: mode-cfg assigned (1) IPv4 address 10.10.111.100
ike 0:iOS VPN_0:31: mode-cfg assigned (2) IPv4 netmask 255.255.255.255
ike 0:iOS VPN_0:31: mode-cfg send (3) IPv4 DNS(1) 8.8.8.8
ike 0:iOS VPN_0:31: mode-cfg send (3) IPv4 DNS(2) 8.8.4.4
ike 0:iOS VPN_0:31: PFS is disabled
ike 0:iOS VPN_0:31: mode-cfg send (28676) IPv4 subnet 0.0.0.0/0.0.0.0 port 0 proto 0
ike 0:iOS VPN_0:31: mode-cfg send APPLICATION_VERSION 'FortiGate-60D v5.2.5,build0701b701,151203 (GA)'
ike 0:iOS VPN_0:31: mode-cfg INTERNAL_ADDRESS_EXPIRY ignored, address does not expire
ike 0:iOS VPN_0:31: include-local-lan is disabled
ike 0:iOS VPN_0:31: client save-password is disabled
ike 0:iOS VPN_0:31: enc 8CE6C0FD96F368DD01B558B471A983EF0810060180E31DA3000000AC0E0000241D89A2926B9DD5B3B5CA04B01B34BC22BD312F9F99BF3655E293CF2E289FFFC30000006C020071EF000100040A0A6F6400020004FFFFFFFF000300040808080800030004080804047004000E00000000000000000000000000000007002E466F727469476174652D3630442076352E322E352C6275696C6430373031623730312C3135313230332028474129
ike 0:iOS VPN_0:31: out 8CE6C0FD96F368DD01B558B471A983EF0810060180E31DA3000000BC900EFD11C637DD803631AFC9C0D937BB2FC49713A4E99E2B51836D7127AF417D8ADA2DF68C132A7025E67BA5878C12DD845CF318A69E907CCC9BC67CBFF5F581EB63839BF35327274562EADBC4FF4BA18F9A6BF911E0239F026A99DB8A9B10F888C0E66E89ECA83FE8E7E16B521FB68F7BB667D1CB21FCAC300CA89EE0901CDE6DB02140EF87CBEA9065479D2647D0DE2BD581F360F496109FACFF797585CC59
ike 0:iOS VPN_0:31: sent IKE msg (cfg_send): 789.789.789.789:4500->123.123.123.123:20740, len=188, id=8ce6c0fd96f368dd/01b558b471a983ef:80e31da3
ike 0:iOS VPN_0: link is idle 5 789.789.789.789->123.123.123.123:20740 dpd=1 seqno=1
ike 0:iOS VPN_0: link is idle 5 789.789.789.789->123.123.123.123:20740 dpd=1 seqno=2
ike 0:iOS VPN_0:31: send IKEv1 DPD probe, seqno 2
ike 0:iOS VPN_0:31: enc 8CE6C0FD96F368DD01B558B471A983EF081005017DCBE75F000000600B0000244C7822E2B12ABCD0F20888F217D7CEDCD2EB9734B931AA42AA1BF9FA869D6CB3000000200000000101108D288CE6C0FD96F368DD01B558B471A983EF00000002
ike 0:iOS VPN_0:31: out 8CE6C0FD96F368DD01B558B471A983EF081005017DCBE75F0000006C2FF49EEC31607E319FED19058EC75BE563F589546E5864A6F9D3546915AFCB51F28B8397C84EE88FF8D6A1191301DC3A03F1D70344B2D8E96043FE256B63046582C1E4133F59B83F90062A4D146F2466
ike 0:iOS VPN_0:31: sent IKE msg (R-U-THERE): 789.789.789.789:4500->123.123.123.123:20740, len=108, id=8ce6c0fd96f368dd/01b558b471a983ef:7dcbe75f
ike 0: comes 123.123.123.123:20740->789.789.789.789:4500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=8ce6c0fd96f368dd/01b558b471a983ef:47d258ad len=108
ike 0: in 8CE6C0FD96F368DD01B558B471A983EF0810050147D258AD0000006CE096EF0BC310EC5D4F38CF634CA9A5DD68607E0AF9E452C32FD077C2F3CA16BB0DBEAE44E3E66979C1A3F6DC0C60E2918AD8F4C2F9A6E91F712EAA3D9FAE3A31EA55DFEDD0B6CEAA447EB7E75A775BDF
ike 0:iOS VPN_0:31: dec 8CE6C0FD96F368DD01B558B471A983EF0810050147D258AD0000006C0B000024AFF9A1F8176D91B45788E31946A72109098FE8ACC3F1F9758A07F8711CDFAB71000000200000000101108D298CE6C0FD96F368DD01B558B471A983EF0000000200000000000000000000000C
ike 0:iOS VPN_0:31: notify msg received: R-U-THERE-ACK
ike 0:iOS VPN_0: link is idle 5 789.789.789.789->123.123.123.123:20740 dpd=1 seqno=3
ike 0:iOS VPN_0:31: send IKEv1 DPD probe, seqno 3
ike 0:iOS VPN_0:31: enc 8CE6C0FD96F368DD01B558B471A983EF08100501EF4FBB0F000000600B000024F79527DDBC087F79B15912CF2552C90138A370D9F74AA05381643D218C595960000000200000000101108D288CE6C0FD96F368DD01B558B471A983EF00000003
ike 0:iOS VPN_0:31: out 8CE6C0FD96F368DD01B558B471A983EF08100501EF4FBB0F0000006CC562FFECBF5F2A60C2340412623FD50DD6B29A78361AA109D5565ABD4F4407E27181BE055BC84F9C226A0A4A89B89707BE79A60B2862D70666BE4487D7BEE50583EF93EA627183AB35685726386558AB
ike 0:iOS VPN_0:31: sent IKE msg (R-U-THERE): 789.789.789.789:4500->123.123.123.123:20740, len=108, id=8ce6c0fd96f368dd/01b558b471a983ef:ef4fbb0f
ike 0: comes 123.123.123.123:20740->789.789.789.789:4500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=8ce6c0fd96f368dd/01b558b471a983ef:968e7f50 len=108
ike 0: in 8CE6C0FD96F368DD01B558B471A983EF08100501968E7F500000006C8626D28AAAB7F375C42C59D196DCBD54395D5BA9136698ACCD1D0E8580E09DFC8643CC06924703BB8DE01C3F5FEBE152FE7013D30BB39C7106CFB9E7D46FF367488CFFE95CD8F105F9EE9E91952F5C98
ike 0:iOS VPN_0:31: dec 8CE6C0FD96F368DD01B558B471A983EF08100501968E7F500000006C0B00002486661F8BB30EB1831F21C22F346E477D6A21FB9F0529027C26EF8DB999FB849C000000200000000101108D298CE6C0FD96F368DD01B558B471A983EF0000000300000000000000000000000C
ike 0:iOS VPN_0:31: notify msg received: R-U-THERE-ACK
ike 0: comes 123.123.123.123:20740->789.789.789.789:4500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=8ce6c0fd96f368dd/01b558b471a983ef:3368cae9 len=108
ike 0: in 8CE6C0FD96F368DD01B558B471A983EF081005013368CAE90000006CB5F916D8A5CE512C1F436D41469B5B78368E4FC1177F805FD43655C6C580D13CF42BEF026F755B420C5BABA38326FF24767B06BE8C18CF6492B48A64631BDC5B34AD9BE1F5813FD4E9583B50B00616A7
ike 0:iOS VPN_0:31: dec 8CE6C0FD96F368DD01B558B471A983EF081005013368CAE90000006C0C000024654A5BC9E7027308BD26ED81236790C4F7954082CAEC0DA0EA9DEE37136FEDDD0000001C00000001011000018CE6C0FD96F368DD01B558B471A983EF00000000000000000000000000000010
ike 0:iOS VPN_0:31: recv ISAKMP SA delete 8ce6c0fd96f368dd/01b558b471a983ef
ike 0:iOS VPN_0: deleting
ike 0:iOS VPN_0: flushing
ike 0:iOS VPN_0: sending SNMP tunnel DOWN trap
ike 0:iOS VPN_0: flushed
ike 0:iOS VPN_0: mode-cfg release 10.10.111.100/255.255.255.255
ike 0:iOS VPN_0: delete dynamic
ike 0:iOS VPN_0: reset NAT-T
ike 0:iOS VPN_0: deleted
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Anyone please?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I also went through the cookbook guide but failed to find out whats wrong with your setting an ios vpn on Fortigate 60D.
Did you get anything on it yet or still receiving the same"Negotiation with the VPN server failed." message on the iOS device???
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I am receiving essentially the same errors when trying to setup an IPSec VPN. Did you have any luck resolving this?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hey there
why do you want to use ipsec-vpn on an iPhone? we have many Iphones/Pads that are connecting via ssl vpn.
works like a charm
Regards
sudo apt-get-rekt
sudo apt-get-rekt
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We were having an issue where connecting in over the SSL VPN client was not allowing the iPad device to use Microsoft's Remote Desktop Client app. We have since got the IPSec working with the device and able to utilize Remote Desktop Client with it. There was an old posting that the FortiClient SSL VPN on apples iOS would not allow for the RDC to work with it, and our experience confirmed/validated that.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello!
Maby my config can help you out
Here is a sample config that works.
config vpn ipsec phase1-interface edit "iPhone" set type dynamic set interface "wan1" set keylife 28800 set peertype any set net-device enable set mode-cfg enable set proposal aes128-sha1 aes256-sha512 set dpd on-idle set dhgrp 2 set xauthtype auto set reauth enable set authusrgrp "G-iPhone" set ipv4-start-ip 172.31.1.10 set ipv4-end-ip 172.31.1.50 set ipv4-netmask 255.255.255.0 set dns-mode auto set psksecret ENC xxx set distance 1 set dpd-retryinterval 5 next end
config vpn ipsec phase2-interface edit "iPhone-P2" set phase1name "iPhone" set proposal aes128-sha1 aes256-sha256 set dhgrp 2 set keylifeseconds 1800 set dst-subnet 10.10.1.0 255.255.255.0 next
edit "iPhone-P2-Ext" set phase1name "iPhone" set proposal aes128-sha1 aes256-sha256 set dhgrp 2 set keylifeseconds 1800 next
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did the issue resolved?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Related Posts
- About Restoring the FortiClient Backup Configuration... 11 Views
- SD-WAN and none interface 17 Views
- Fortigate SSLVPN with DUO MFA -... 26 Views
- Setting Up NAT64 to handle 64:ff9b::... 18 Views
- Can't ping from "Registration IP" to... 37 Views
Labels
-
FortiGate
6,503 -
FortiClient
1,299 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
261 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiAuthenticator
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.