The options to configure policy-based IPsec VPN are unavailable. If your VPN fails to connect, check the following: ensure that the pre-shared keys match exactly. Ensure that both ends use the same P1 and P2 proposal settings. Check that a static route has been configured properly to allow routing of VPN traffic.
The options to configure policy-based IPsec VPN are unavailable. If your VPN fails to connect, check the following: ensure that the pre-shared keys match exactly. Ensure that both ends use the same P1 and P2 proposal settings. Check that a static route has been configured properly to allow routing of VPN traffic.
The options to configure policy-based IPsec VPN are unavailable. If your VPN fails to connect, check the following: ensure that the pre-shared keys match exactly. Ensure that both ends use the same P1 and P2 proposal settings. Check that a static route has been configured properly to allow routing of VPN traffic.
The options to configure policy-based IPsec VPN are unavailable. If your VPN fails to connect, check the following: ensure that the pre-shared keys match exactly. Ensure that both ends use the same P1 and P2 proposal settings. Check that a static route has been configured properly to allow routing of VPN traffic.
This section contains tips to help you with some common challenges of IPsec VPNs. The options to configure policy-based IPsec VPN are unavailable. Go to System > Config > Features. Select Show More and turn on Policy-based IPsec VPN.
The VPN connection attempt fails.
If your VPN fails to connect, check the following: Ensure that the pre-shared keys match exactly. Ensure that both ends use the same P1 and P2 proposal settings. Ensure that you have allowed inbound and outbound traffic for all necessary network services, especially if services such as DNS or DHCP are having problems. Check that a static route has been configured properly to allow routing of VPN traffic. Ensure that your FortiGate unit is in NAT/Route mode, rather than Transparent. Check your NAT settings, enabling NAT traversal in the Phase 1 configuration while disabling NAT in the security policy. Ensure that both ends of the VPN tunnel are using Main mode, unless multiple dial-up tunnels are being used. If you have multiple dial-up IPsec VPNs, ensure that the Peer ID is configured properly on the FortiGate and that clients have specified the correct Local ID. If you are using FortiClient, ensure that your version is compatible with the FortiGate firmware by reading the FortiOS Release Notes. Ensure that the Quick Mode selectors are correctly configured. If part of the setup currently uses firewall addresses or address groups, try changing it to either specify the IP addresses or use an expanded address range. If XAUTH is enabled, ensure that the settings are the same for both ends, and that the FortiGate unit is set to Enable as Server. If your FortiGate unit is behind a NAT device, such as a router, configure port forwarding for UDP ports 500 and 4500.
Remove any Phase 1 or Phase 2 configurations that are not in use. If a duplicate instance of the VPN tunnel appears on the IPsec Monitor, reboot your FortiGate unit to try and clear the entry. If you are still unable to connect to the VPN tunnel, run the diagnostic command in the CLI: diag debug application ike -1 diag debug enable The resulting output may indicate where the problem is occurring. When you are finished, disable the diagnostics by using the following command: diag debug reset diag debug disable
The VPN tunnel goes down frequently.
If your VPN tunnel goes down often, check the Phase 2 settings and either increase the Keylife value or enable Autokey Keep Alive.
