Fortigate Remote VPN : no matching gateway for new request
Try this:
Example DHCP server configuration:
config system dhcp server
    edit 3
        set dns-service default
        set default-gateway 192.168.100.254
        set netmask 255.255.255.0
        set interface "SCR-REMOTEVPN"
        config ip-range
            edit 1
                set start-ip 192.168.100.100
                set end-ip 192.168.100.199
            next
        end
        set timezone-option default
        set server-type ipsec
        config reserved-address
            edit 1
                set ip 192.168.100.200
                set mac 11:22:33:44:55:66
            next
        end
    next
end
Define phase 1 with Mode Config disabled:
config vpn ipsec phase1-interface
    edit "SCR-REMOTEVPN"
        set type dynamic
        set interface "wan1"
        set ip-version 4
        set ike-version 1
        set local-gw 0.0.0.0
        set nattraversal enable
        set keylife 86400
        set authmethod psk
        set mode aggressive
        set peertype any
        set mode-cfg disable
        set proposal aes256-sha1 aes256-md5
        set add-route enable
        set localid ''
        set localid-type auto
        set negotiate-timeout 30
        set fragmentation enable
        set dpd enable
        set forticlient-enforcement enable
        set comments "based on fortinet kb (FD37351)"
        set npu-offload enable
        set dhgrp 2
        set wizard-type custom
        set xauthtype auto
        set authusrgrp "VPN-group"
        set default-gw 0.0.0.0
        set default-gw-priority 0
        set psksecret ENC
        set keepalive 10
        set distance 15
        set priority 0
        set dpd-retrycount 3
        set dpd-retryinterval 5
        set xauthexpire on-disconnect
    next
end
Enable DHCP over IPsec in the VPN phase 2:
config vpn ipsec phase2-interface
    edit "SCR-REMOTEVPN"
        set phase1name "SCR-REMOTEVPN"
        set comments "based on fortinet kb (FD37351)"
        set dhcp-ipsec enable
    next
end
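As an added check, not from the answer above and not Fortinet's own tooling: the answer's fix pairs three things, a dial-up (type dynamic) phase1 with mode-cfg disabled, a phase2 with dhcp-ipsec enable that names that phase1, and a DHCP server with server-type ipsec bound to the phase1 interface. The Python below parses FortiOS CLI text into tables and reports any phase2 with dhcp-ipsec enable that is missing one of those pieces. The sample configs are constructed from the question's and the answer's settings, trimmed to the keys the checks read, and the rule set is an assumption drawn from the answer's configuration, not a Fortinet requirements list.

```python
from collections import defaultdict
# Constructed sample, trimmed to the settings the checks read: the question's phase1/phase2 pair.
QUESTION_CFG = """
config vpn ipsec phase1-interface
  edit "SCR-REMOTEVPN"
    set type dynamic
  next
end
config vpn ipsec phase2-interface
  edit "SCR-REMOTEVPN-PH2"
    set phase1name "SCR-REMOTEVPN"
    set dhcp-ipsec enable
  next
end
"""
# The piece the answer adds: a DHCP server of type ipsec bound to the tunnel interface (constructed).
DHCP_SERVER_CFG = 'config system dhcp server\n edit 3\n  set interface "SCR-REMOTEVPN"\n  set server-type ipsec\n next\nend\n'

def parse_fortios(text):
    """Top-level tables as {table: {entry: {key: value}}}; nested blocks (ip-range, ...) are skipped."""
    tables, stack, entry = defaultdict(dict), [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("config "):
            stack.append(line[7:])
        elif line == "end":
            stack.pop()
        elif len(stack) == 1 and line == "next":
            entry = None                      # leaving a top-level entry; ignore 'next' in nested blocks
        elif len(stack) == 1 and line.startswith("edit "):
            entry = line[5:].strip('"')
            tables[stack[0]][entry] = {}
        elif len(stack) == 1 and line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            tables[stack[0]][entry][key] = value.strip('"')
    return tables

def check_dhcp_over_ipsec(text):
    """Findings for each phase2 with dhcp-ipsec enable, using the pairing the answer's config shows."""
    cfg = parse_fortios(text)
    dhcp_ifaces = {s.get("interface") for s in cfg["system dhcp server"].values() if s.get("server-type") == "ipsec"}
    findings = []
    for name, p2 in cfg["vpn ipsec phase2-interface"].items():
        if p2.get("dhcp-ipsec") != "enable":
            continue
        p1name = p2.get("phase1name", "")
        p1 = cfg["vpn ipsec phase1-interface"].get(p1name, {})
        if p1.get("type") != "dynamic" or p1.get("mode-cfg") == "enable":
            findings.append(f"{name}: phase1 {p1name!r} must be type dynamic with mode-cfg disable")
        if p1name not in dhcp_ifaces:
            findings.append(f"{name}: no server-type ipsec DHCP server bound to {p1name!r}")
    return findings
```

Run against the question's configuration it reports only the missing DHCP server, which is the block the answer adds; prepending DHCP_SERVER_CFG clears the finding.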
Author: Kedare
Network Operations Engineer, Site Reliability Engineer, DevOps, Geek :)
Updated on September 18, 2022
Comments
- Kedare almost 2 years
I am trying to configure a Fortigate 60C to act as an IPSec endpoint for remote VPN.
I configured it like this:
SCR-F0-FGT100C-1 # diagnose vpn ike config
vd: root/0
name: SCR-REMOTEVPN
serial: 7
version: 1
type: dynamic
mode: aggressive
dpd: enable retry-count 3 interval 5000ms
auth: psk
dhgrp: 2
xauth: server-auto
xauth-group: VPN-group
interface: wan1
distance: 1
priority: 0
phase2s: SCR-REMOTEVPN-PH2 proto 0 src 0.0.0.0/0.0.0.0:0 dst 0.0.0.0/0.0.0.0:0 dhgrp 5 replay keep-alive dhcp
policies: none
Here is the configuration:
config vpn ipsec phase1-interface
    edit "SCR-REMOTEVPN"
        set type dynamic
        set interface "wan1"
        set dhgrp 2
        set xauthtype auto
        set mode aggressive
        set proposal aes256-sha1 aes256-md5
        set authusrgrp "VPN-group"
        set psksecret ENC xxx
    next
end
config vpn ipsec phase2-interface
    edit "SCR-REMOTEVPN-PH2"
        set keepalive enable
        set phase1name "SCR-REMOTEVPN"
        set proposal aes256-sha1 aes256-md5
        set dhcp-ipsec enable
    next
end
But when I try to connect from a remote device (I tested with an Android phone), the phone fails to connect and the Fortinet returns this error:
2012-07-20 13:08:51 log_id=0101037124 type=event subtype=ipsec pri=error vd="root" msg="IPsec phase 1 error" action="negotiate" rem_ip=xxx loc_ip=xxx rem_port=1049 loc_port=500 out_intf="wan1" cookies="xxx" user="N/A" group="N/A" xauth_user="N/A" xauth_group="N/A" vpn_tunnel="N/A" status=negotiate_error error_reason=no matching gateway for new request peer_notif=INITIAL-CONTACT
I tried searching on the web, but I did not find anything relevant to this.
Do you have any idea what the problem could be? I tried many combinations of settings on the Fortigate without success.
- Admin almost 12 years
Have you tried the mainID mode...
- ralz almost 12 years
srvfail.com/… Found your question while trying to solve my problem (same error in site-to-site IPsec). This is written by me for iOS but could also be the problem for you on Android. Check your peer ID on both sides.
- Adam Silenko over 7 years
Did you add a rule for the IPsec traffic to the firewall policy?
- Adam Silenko over 7 years
Your question should look like this: how to configure an IPsec server on a Fortigate 60C? But do you have a static or dynamic IP on the WAN? How do you want to authenticate clients (group names, preshared keys or digital certificates)? Do you need the same IP on the LAN and whenever connecting by IPsec?