Cookbook's IPsec VPN with FortiClient does not work - how to find out why

Author
nit_mws
2019/07/06 09:51:44 (permalink)

I should set up a dialup VPN from my Windows 10 laptop to my office's FortiGate 30E. As my first tries based on the FortiOS Handbook didn't work, I followed the FortiOS 6.0 Cookbook recipe "IPsec VPN with FortiClient" (https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/589121/ipsec-vpn-with-forticlient) and implemented it with adjustment of the local LAN network addresses (firewall address) only. On my laptop I installed the free FortiClient 6.0.7 and set it up as advised by the Cookbook.
But I had no success, no log entry in VPN Events of my FortiGate and this was the log of my FortiClient:
06.07.2019 18:15:21    Information    VPN    id=96602 msg="SSLVPN service started successfully." vpntype=ssl
06.07.2019 18:17:20    Information    VPN    id=96566 msg="negotiation information, loc_ip=192.168.128.61 loc_port=500
rem_ip=(public IP addr of my FortiGate) rem_port=500 out_if=0 vpn_tunnel=NITvie FCT-VPN1 action=negotiate init=local mode=aggressive stage=1
dir=outbound status=success Initiator: sent (public IP addr of my FortiGate) aggressive mode me" vpntunnel="NITvie FCT-VPN1" vpntype=ipsec
06.07.2019 18:17:32    Warning    VPN    id=96561 msg="locip=192.168.128.61 locport=500 remip=(public IP addr of my FortiGate)
remport=500 outif=0 vpntunnel=NITvie FCT-VPN1 status=negotiate_error No response from the peer, phase1 retransmit reaches maximum count..."
vpntunnel="NITvie FCT-VPN1" vpntype=ipsec
06.07.2019 18:18:27    Information    VPN    id=96566 msg="negotiation information, loc_ip=172.20.10.2 loc_port=500 rem_ip=(public IP addr of my FortiGate)
rem_port=500 out_if=0 vpn_tunnel=NITvie FCT-VPN1 action=negotiate init=local mode=aggressive stage=1 dir=outbound status=success
Initiator: sent (public IP addr of my FortiGate) aggressive mode messa" vpntunnel="NITvie FCT-VPN1" vpntype=ipsec
06.07.2019 18:18:39    Warning    VPN    id=96561 msg="locip=172.20.10.2 locport=500 remip=(public IP addr of my FortiGate)
remport=500 outif=0 vpntunnel=NITvie FCT-VPN1 status=negotiate_error No response from the peer, phase1 retransmit reaches maximum count..."
vpntunnel="NITvie FCT-VPN1" vpntype=ipsec

- the public IP address of my FortiGate was correct
- it looks like the SSLVPN service of the FortiClient tried to connect to the FortiGate
- but already this action looks like it was not successful
- in a second round an IKE1 negotiation was started, also with no success as the FortiGate did not respond.
(As in previous tries with guidelines from the FortiOS Handbook I was able to establish a successful IKE1 negotiation, the basic setup of the FortiGate looks ok.)
 
As the log of VPN events is very lean in general I got no hint from the FortiGate what needs to be fixed.
 
Any hints what I should investigate?
 
Thanks,
Michael
 
 
 
 
#1
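An added example, not part of the original thread and not Fortinet code: a small Python parser for FortiClient log lines in the format posted above, which pairs each outbound phase 1 attempt with a later "No response from the peer" warning. It assumes the field layout seen in this post only (informational lines use `loc_ip`/`vpn_tunnel`, warnings use `locip`/`vpntunnel`, and the tunnel name contains a space); `parse_line` and `phase1_timeouts` are hypothetical names.

```python
import re

# Constructed sample modelled on the log in the post: wrapped lines are joined
# and the gateway address is replaced by 203.0.113.10 (documentation range).
SAMPLE_LOG = """\
06.07.2019 18:15:21    Information    VPN    id=96602 msg="SSLVPN service started successfully." vpntype=ssl
06.07.2019 18:17:20    Information    VPN    id=96566 msg="negotiation information, loc_ip=192.168.128.61 loc_port=500 rem_ip=203.0.113.10 rem_port=500 out_if=0 vpn_tunnel=NITvie FCT-VPN1 action=negotiate init=local mode=aggressive stage=1 dir=outbound status=success Initiator: sent 203.0.113.10 aggressive mode me" vpntunnel="NITvie FCT-VPN1" vpntype=ipsec
06.07.2019 18:17:32    Warning    VPN    id=96561 msg="locip=192.168.128.61 locport=500 remip=203.0.113.10 remport=500 outif=0 vpntunnel=NITvie FCT-VPN1 status=negotiate_error No response from the peer, phase1 retransmit reaches maximum count..." vpntunnel="NITvie FCT-VPN1" vpntype=ipsec
06.07.2019 18:18:27    Information    VPN    id=96566 msg="negotiation information, loc_ip=172.20.10.2 loc_port=500 rem_ip=203.0.113.10 rem_port=500 out_if=0 vpn_tunnel=NITvie FCT-VPN1 action=negotiate init=local mode=aggressive stage=1 dir=outbound status=success Initiator: sent 203.0.113.10 aggressive mode messa" vpntunnel="NITvie FCT-VPN1" vpntype=ipsec
06.07.2019 18:18:39    Warning    VPN    id=96561 msg="locip=172.20.10.2 locport=500 remip=203.0.113.10 remport=500 outif=0 vpntunnel=NITvie FCT-VPN1 status=negotiate_error No response from the peer, phase1 retransmit reaches maximum count..." vpntunnel="NITvie FCT-VPN1" vpntype=ipsec
"""

# timestamp, level, the literal "VPN" column, event id, quoted msg body
LINE_RE = re.compile(r'^(\S+ \S+)\s+(\w+)\s+VPN\s+id=(\d+) msg="([^"]*)"')
# key=value where the value runs up to the next " key=" token, so values
# containing spaces (the tunnel name, the status text) stay in one piece
KV_RE = re.compile(r'(\w+)=(.*?)(?=\s+\w+=|$)')


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # loc_ip and locip are the same field; drop underscores to unify them
    fields = {k.replace("_", ""): v for k, v in KV_RE.findall(m.group(4))}
    status, _, detail = fields.get("status", "").partition(" ")
    fields.update(time=m.group(1), level=m.group(2), id=m.group(3),
                  status=status, detail=detail)
    return fields


def phase1_timeouts(log_text):
    """Return (local_ip, tunnel, mode) for each attempt that got no peer reply."""
    pending, timeouts = {}, []
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        key = (ev.get("locip"), ev.get("vpntunnel"))
        if ev.get("dir") == "outbound" and ev.get("stage") == "1":
            pending[key] = ev.get("mode")  # first IKE message was sent
        elif (ev["status"] == "negotiate_error"
              and "No response from the peer" in ev["detail"]):
            timeouts.append((key[0], key[1], pending.pop(key, None)))
    return timeouts


if __name__ == "__main__":
    for local_ip, tunnel, mode in phase1_timeouts(SAMPLE_LOG):
        print(f"{tunnel}: {mode} mode phase 1 from {local_ip} got no reply")
```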
hubertzw
2019/07/06 12:03:07 (permalink)
Are you trying to set up SSL or IPsec VPN? FortiClient supports both of them.
#2
nit_mws
2019/07/06 13:53:45 (permalink)
I've set up an IPsec tunnel, but the documentation about the FortiClient says that it is able to download a setup for the phase 1 and phase 2 negotiation by an SSLVPN connection if an XAUTH user (group) is defined. But this is only for the setup of the prerequisites for the IPsec negotiations.
#3
hubertzw
2019/07/07 05:07:38 (permalink)
I've never tested the auto client configuration but manual always worked:

https://help.fortinet.com...Overview.htm#Configur3
#4
nit_mws
2019/07/07 08:37:56 (permalink)
I came back to my first trials based on the guidelines in the FortiOS Handbook (6.0), and after refining and correcting details it finally worked. And it worked only with VPN client software on my laptop different from the FortiClient. Even the FortiGate setup working with this other software did not work with the FortiClient.
Unfortunately some details of the FortiOS 6.0.4 web user interface can only be solved by trial and error, no explanation in the Handbook, that was the main reason for looking into the Cookbook.
#5