Unable to set up FortiGate IPSec remote access Dailup VPN

0
votes

I am trying to set up IPSec Remote Access Dialup User VPN with FortiGate 6.4 trial VM downloaded from Fortinet website. I am trying to make it work with FortiClient 6.0.5. I have done the configurations as per guides and followed some youtube videos for understanding of IPSec as well. I have made sure that my phase 1 and phase 2 configurations on both ends are same. I have two NICs attached to the VM, one assumed to be the local network which needs to be accessed by the clients after VPN tunnel gets established (192.168.137.0/24), and the other assumed to be WAN network which would be accessed by the clients to establish VPN (192.168.10.0/24). The system on which Fortinet client resides is also part of the WAN network (192.168.10.0/24).

I am unable to make the configurations work and stuck. On FortiClient, I get the following error:

"VPN connection failed. Please check your configuration, network connection and pre-shared key then retry you connection. If the problem persists, contact your network administrator for help."

On FortiGate CLI, I get the following logs with debugging enabled:

FortiGate-VM64 # ike 0: comes 192.168.10.50:500->192.168.10.5:500,ifindex=4....
ike 0: IKEv2 exchange=SA_INIT id=a20511ee474b2950/0000000000000000 len=428
ike 0: in A20511EE474B295000000000000000002120220800000000000001AC2200005402000028010100040300000801000002030000080200000203000008030000020000000804000005000000280201000403000008010000020300000802000005030000080300000C0000000804000005280000C800050000C0D448858F6E8C21E68CDCCAA3EE84A229E439A0F49E666E3CD864112868B385B4D1E088332241817EAE9B21D8DED06F97C99DCD6B464B4D57EFCA4248B8D4825D2B7E7E965990297DAD47DCB81DDF8DDA862E45815FA88CE16009533B80B286FE6C84A157889D98708A10FCD7BE8814FD7DBD6270D13472F7C24BDEFD17B59A0107FDC54C0694DE3BAD200AEFC9964D7CBB586B4138E7AA41E871505CEE5E4368393266F2712D18AEF3921D44B85B54221B6DA054EFA5C9866EBFF73076CB302B000014FD962DC50AE8EF7D0B2CF8C65B325CBD2B0000144C53427B6D465D1B337BB755A37A7FEF29000014B4F01CA951E9DA8D0BAFBBD34AD3044E2900001C00004004E0F8879208723CB28770AEDB1A29B0CAE41571420000001C00004005E6BBF6BD24D8BCA3AB795F4A31A54D9EB7327932
ike 0:a20511ee474b2950/0000000000000000:71: responder received SA_INIT msg
ike 0:a20511ee474b2950/0000000000000000:71: VID forticlient connect license 4C53427B6D465D1B337BB755A37A7FEF
ike 0:a20511ee474b2950/0000000000000000:71: VID Fortinet Endpoint Control B4F01CA951E9DA8D0BAFBBD34AD3044E
ike 0:a20511ee474b2950/0000000000000000:71: received notify type NAT_DETECTION_SOURCE_IP
ike 0:a20511ee474b2950/0000000000000000:71: received notify type NAT_DETECTION_DESTINATION_IP
ike 0:a20511ee474b2950/0000000000000000:71: incoming proposal:
ike 0:a20511ee474b2950/0000000000000000:71: proposal id = 1:
ike 0:a20511ee474b2950/0000000000000000:71: protocol = IKEv2:
ike 0:a20511ee474b2950/0000000000000000:71: encapsulation = IKEv2/none
ike 0:a20511ee474b2950/0000000000000000:71: type=ENCR, val=DES_CBC
ike 0:a20511ee474b2950/0000000000000000:71: type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:a20511ee474b2950/0000000000000000:71: type=PRF, val=PRF_HMAC_SHA
ike 0:a20511ee474b2950/0000000000000000:71: type=DH_GROUP, val=MODP1536.
ike 0:a20511ee474b2950/0000000000000000:71: proposal id = 2:
ike 0:a20511ee474b2950/0000000000000000:71: protocol = IKEv2:
ike 0:a20511ee474b2950/0000000000000000:71: encapsulation = IKEv2/none
ike 0:a20511ee474b2950/0000000000000000:71: type=ENCR, val=DES_CBC
ike 0:a20511ee474b2950/0000000000000000:71: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:a20511ee474b2950/0000000000000000:71: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:a20511ee474b2950/0000000000000000:71: type=DH_GROUP, val=MODP1536.
ike 0:a20511ee474b2950/0000000000000000:71: matched proposal id 1
ike 0:a20511ee474b2950/0000000000000000:71: proposal id = 1:
ike 0:a20511ee474b2950/0000000000000000:71: protocol = IKEv2:
ike 0:a20511ee474b2950/0000000000000000:71: encapsulation = IKEv2/none
ike 0:a20511ee474b2950/0000000000000000:71: type=ENCR, val=DES_CBC
ike 0:a20511ee474b2950/0000000000000000:71: type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:a20511ee474b2950/0000000000000000:71: type=PRF, val=PRF_HMAC_SHA
ike 0:a20511ee474b2950/0000000000000000:71: type=DH_GROUP, val=MODP1536.
ike 0:a20511ee474b2950/0000000000000000:71: lifetime=86400
ike 0:a20511ee474b2950/0000000000000000:71: SA proposal chosen, matched gateway IPSECVPN
ike 0:IPSECVPN: created connection: 0xc59a950 4 192.168.10.5->192.168.10.50:500.
ike 0:IPSECVPN: HA L3 state 1/0
ike 0:IPSECVPN:71: processing notify type NAT_DETECTION_SOURCE_IP
ike 0:IPSECVPN:71: processing NAT-D payload
ike 0:IPSECVPN:71: NAT not detected
ike 0:IPSECVPN:71: process NAT-D
ike 0:IPSECVPN:71: processing notify type NAT_DETECTION_DESTINATION_IP
ike 0:IPSECVPN:71: processing NAT-D payload
ike 0:IPSECVPN:71: NAT not detected
ike 0:IPSECVPN:71: process NAT-D
ike 0:IPSECVPN:71: enable FortiClient endpoint compliance check, use 10.10.10.10
ike 0:IPSECVPN:71: responder preparing SA_INIT msg
ike 0:IPSECVPN:71: out A20511EE474B295093648E582E8BEA7C21202220000000000000015C2200002C00000028010100040300000801000002030000080200000203000008030000020000000804000005280000C800050000D216747DF7034B0F76323CC6DBDD41719687B9667463B8DAD252E5B7381407EA80DD104551DFBBA094C7FC0E8771505D9DC0FDA8ACFE43056E650DA9189330AD81A9A7ADCAA7DE004D6EFEEABBB5BF496E4EEFB2A1BAAF484B4CFDA3DED282F60B4CD1040EE921C2CD3DB45292BDE5FA9429F881D3AFD504078299F88019834A11A6D9D98D607BF37C19746103AD8B4219D86DF26AB624CE706DEBA6CA5E63DDFBD63F2F9F75D3B4111D4FF841632FB6FDCB0D67DA6596D08292D4F469BD8D05290000144E8998F2AB9900D9811C2E60A75117CE2900001C00004004D17F862FB62274F299D96A88374E9079DC0142130000001C00004005C45180DA3778084B454FA63BF35201D38F4C40EC
ike 0:IPSECVPN:71: sent IKE msg (SA_INIT_RESPONSE): 192.168.10.5:500->192.168.10.50:500, len=348, id=a20511ee474b2950/93648e582e8bea7c
ike 0:IPSECVPN:71: IKE SA a20511ee474b2950/93648e582e8bea7c SK_ei 8:AF6280DC5B063F49
ike 0:IPSECVPN:71: IKE SA a20511ee474b2950/93648e582e8bea7c SK_er 8:25804A503CD26B9B
ike 0:IPSECVPN:71: IKE SA a20511ee474b2950/93648e582e8bea7c SK_ai 20:43D47C3D0E103AB78D997949C0748BCCD4684C35
ike 0:IPSECVPN:71: IKE SA a20511ee474b2950/93648e582e8bea7c SK_ar 20:E3FAB0875756F0D84F469C1A7FB6EFCC51417302
ike 0: comes 192.168.10.50:500->192.168.10.5:500,ifindex=4....
ike 0: IKEv2 exchange=AUTH id=a20511ee474b2950/93648e582e8bea7c:00000001 len=268
ike 0: in A20511EE474B295093648E582E8BEA7C2E202308000000010000010C230000F0C48E4950443FD1B458A4698828311788893CE760359277F30A89A04EC66266BD9FB028A56E4147F24945B9EF5ECF2E30E9988F108E56DCFEF848C47B40FCC6B3BB58A5F72C2777F07C3C0A8C8BC14731B0326302EF705B46EB5394D11002781058F55DCF599B847236AEEAF7E3382B226571B797005EAC5A53F7F3533165F3ADE7B60F3C7ABA777FB3F22D5576A1CC8FF563C886EA493D61B604510F6E8CF9D90D87E1B29A3C832D6677106A43E4880C74C400BD624B2596E3D62BDFBD1E4510BFD4AD2A03E5218C7524A8F92B935D7C73DE34F6F842524070130F8CB2D31381227F5543A781CC623A5ADF7F
ike 0:IPSECVPN:71: dec A20511EE474B295093648E582E8BEA7C2E20230800000001000000F0230000042900000C01000000C0A80A322F000008000040002100004001000000000700104643543830303231313430303137323200010000000200000003000000040000000D000070010000540A0000540B0000700000002C00004C02000024010304033F045CEF0300000801000002030000080300000C000000080500000000000024020304033F045CEF0300000801000002030000080300000200000008050000002D00001801000000070000100000FFFF00000000FFFFFFFF0000001801000000070000100000FFFF00000000FFFFFFFF
ike 0:IPSECVPN:71: responder received AUTH msg
ike 0:IPSECVPN:71: processing notify type INITIAL_CONTACT
ike 0:IPSECVPN:71: peer identifier IPV4_ADDR 192.168.10.50
ike 0:IPSECVPN:71: re-validate gw ID
ike 0:IPSECVPN:71: gw validation failed
ike 0:IPSECVPN:71: schedule delete of IKE SA a20511ee474b2950/93648e582e8bea7c
ike 0:IPSECVPN:71: scheduled delete of IKE SA a20511ee474b2950/93648e582e8bea7c
ike 0:IPSECVPN: connection expiring due to phase1 down
ike 0:IPSECVPN: deleting
ike 0:IPSECVPN: deleted
ike 0: comes 192.168.10.50:500->192.168.10.5:500,ifindex=4....
ike 0: IKEv2 exchange=AUTH id=a20511ee474b2950/93648e582e8bea7c:00000001 len=268
ike 0: in A20511EE474B295093648E582E8BEA7C2E202308000000010000010C230000F0C48E4950443FD1B458A4698828311788893CE760359277F30A89A04EC66266BD9FB028A56E4147F24945B9EF5ECF2E30E9988F108E56DCFEF848C47B40FCC6B3BB58A5F72C2777F07C3C0A8C8BC14731B0326302EF705B46EB5394D11002781058F55DCF599B847236AEEAF7E3382B226571B797005EAC5A53F7F3533165F3ADE7B60F3C7ABA777FB3F22D5576A1CC8FF563C886EA493D61B604510F6E8CF9D90D87E1B29A3C832D6677106A43E4880C74C400BD624B2596E3D62BDFBD1E4510BFD4AD2A03E5218C7524A8F92B935D7C73DE34F6F842524070130F8CB2D31381227F5543A781CC623A5ADF7F
ike 0: invalid IKE request SPI a20511ee474b2950/93648e582e8bea7c:00000001
ike 0: comes 192.168.10.50:500->192.168.10.5:500,ifindex=4....
ike 0: IKEv2 exchange=AUTH id=a20511ee474b2950/93648e582e8bea7c:00000001 len=268
ike 0: in A20511EE474B295093648E582E8BEA7C2E202308000000010000010C230000F0C48E4950443FD1B458A4698828311788893CE760359277F30A89A04EC66266BD9FB028A56E4147F24945B9EF5ECF2E30E9988F108E56DCFEF848C47B40FCC6B3BB58A5F72C2777F07C3C0A8C8BC14731B0326302EF705B46EB5394D11002781058F55DCF599B847236AEEAF7E3382B226571B797005EAC5A53F7F3533165F3ADE7B60F3C7ABA777FB3F22D5576A1CC8FF563C886EA493D61B604510F6E8CF9D90D87E1B29A3C832D6677106A43E4880C74C400BD624B2596E3D62BDFBD1E4510BFD4AD2A03E5218C7524A8F92B935D7C73DE34F6F842524070130F8CB2D31381227F5543A781CC623A5ADF7F
ike 0: invalid IKE request SPI a20511ee474b2950/93648e582e8bea7c:00000001
ike 0: comes 192.168.10.50:500->192.168.10.5:500,ifindex=4....
ike 0: IKEv2 exchange=AUTH id=a20511ee474b2950/93648e582e8bea7c:00000001 len=268
ike 0: in A20511EE474B295093648E582E8BEA7C2E202308000000010000010C230000F0C48E4950443FD1B458A4698828311788893CE760359277F30A89A04EC66266BD9FB028A56E4147F24945B9EF5ECF2E30E9988F108E56DCFEF848C47B40FCC6B3BB58A5F72C2777F07C3C0A8C8BC14731B0326302EF705B46EB5394D11002781058F55DCF599B847236AEEAF7E3382B226571B797005EAC5A53F7F3533165F3ADE7B60F3C7ABA777FB3F22D5576A1CC8FF563C886EA493D61B604510F6E8CF9D90D87E1B29A3C832D6677106A43E4880C74C400BD624B2596E3D62BDFBD1E4510BFD4AD2A03E5218C7524A8F92B935D7C73DE34F6F842524070130F8CB2D31381227F5543A781CC623A5ADF7F
ike 0: invalid IKE request SPI a20511ee474b2950/93648e582e8bea7c:00000001
ike shrank heap by 159744 bytes
ike 0: comes 192.168.10.50:500->192.168.10.5:500,ifindex=4....
ike 0: IKEv2 exchange=AUTH id=a20511ee474b2950/93648e582e8bea7c:00000001 len=268
ike 0: in A20511EE474B295093648E582E8BEA7C2E202308000000010000010C230000F0C48E4950443FD1B458A4698828311788893CE760359277F30A89A04EC66266BD9FB028A56E4147F24945B9EF5ECF2E30E9988F108E56DCFEF848C47B40FCC6B3BB58A5F72C2777F07C3C0A8C8BC14731B0326302EF705B46EB5394D11002781058F55DCF599B847236AEEAF7E3382B226571B797005EAC5A53F7F3533165F3ADE7B60F3C7ABA777FB3F22D5576A1CC8FF563C886EA493D61B604510F6E8CF9D90D87E1B29A3C832D6677106A43E4880C74C400BD624B2596E3D62BDFBD1E4510BFD4AD2A03E5218C7524A8F92B935D7C73DE34F6F842524070130F8CB2D31381227F5543A781CC623A5ADF7F
ike 0: invalid IKE request SPI a20511ee474b2950/93648e582e8bea7c:00000001
ike 0: comes 192.168.10.50:500->192.168.10.5:500,ifindex=4....
ike 0: IKEv2 exchange=AUTH id=a20511ee474b2950/93648e582e8bea7c:00000001 len=268
ike 0: in A20511EE474B295093648E582E8BEA7C2E202308000000010000010C230000F0C48E4950443FD1B458A4698828311788893CE760359277F30A89A04EC66266BD9FB028A56E4147F24945B9EF5ECF2E30E9988F108E56DCFEF848C47B40FCC6B3BB58A5F72C2777F07C3C0A8C8BC14731B0326302EF705B46EB5394D11002781058F55DCF599B847236AEEAF7E3382B226571B797005EAC5A53F7F3533165F3ADE7B60F3C7ABA777FB3F22D5576A1CC8FF563C886EA493D61B604510F6E8CF9D90D87E1B29A3C832D6677106A43E4880C74C400BD624B2596E3D62BDFBD1E4510BFD4AD2A03E5218C7524A8F92B935D7C73DE34F6F842524070130F8CB2D31381227F5543A781CC623A5ADF7F
ike 0: invalid IKE request SPI a20511ee474b2950/93648e582e8bea7c:00000001

As it says gw validation failed, which gateway is referenced here? Any hint on what could be the issue in the configuration would be appreciated..

Waiting for kind response

1
remote-accessvpnipsecdial-upfortigate

1 Answers

0
votes

This error is related to EAP it seems, try the following in the configuration of your tunnel on the FortiGate:

config vpn ipsec phase1-interface
  edit IPSECVPN (this is the name of your tunnel)
    set eap enable
    set eap-identity send-request
    set authusrgrp 'the group your user is in'
  next
end

Otherwise, if you don't mind, switch to IKEv1 to mitigate this, that will make things in general probably slightly easier.