Fortigate Remote VPN : no matching gateway for new request


Try this (the phase 1 / phase 2 below follow Fortinet KB FD37351, referenced in the `set comments` lines, and pair the dial-up tunnel with a DHCP server bound to the tunnel interface):

Example DHCP server configuration, bound to the tunnel interface "SCR-REMOTEVPN" with `set server-type ipsec`. The `reserved-address` entry (MAC `11:22:33:44:55:66`) is only an example of pinning one client to a fixed address; replace it with a real client MAC or drop it.

config system dhcp server
  edit 3
    set dns-service default
    set default-gateway 192.168.100.254
    set netmask 255.255.255.0
    set interface "SCR-REMOTEVPN"
      config ip-range
        edit 1
          set start-ip 192.168.100.100
          set end-ip 192.168.100.199
        next
      end
    set timezone-option default
    set server-type ipsec
      config reserved-address
        edit 1
          set ip 192.168.100.200
          set mac 11:22:33:44:55:66
        next
      end
  next
end

Define phase 1 with Mode Config disabled (`set mode-cfg disable`), so addresses come from the DHCP server above rather than from IKE mode-config. Security note on the settings shown: this is IKEv1 aggressive mode with a pre-shared key, `dhgrp 2` (1024-bit MODP) and an `aes256-md5` proposal; aggressive mode with PSK lets anyone who can initiate IKE capture a hash of the PSK for offline guessing, so use a long random `psksecret`, keep XAuth (`xauthtype auto` / `authusrgrp`) as the second factor, and where the clients support it prefer main mode or IKEv2, drop the MD5 proposal and use a stronger DH group (14 or higher).

config vpn ipsec phase1-interface
  edit "SCR-REMOTEVPN"
    set type dynamic
    set interface "wan1"
    set ip-version 4
    set ike-version 1
    set local-gw 0.0.0.0
    set nattraversal enable
    set keylife 86400
    set authmethod psk
    set mode aggressive
    set peertype any
    set mode-cfg disable
    set proposal aes256-sha1 aes256-md5
    set add-route enable
    set localid ''
    set localid-type auto
    set negotiate-timeout 30
    set fragmentation enable
    set dpd enable
    set forticlient-enforcement enable
    set comments "based on fortinet kb (FD37351)"
    set npu-offload enable
    set dhgrp 2
    set wizard-type custom
    set xauthtype auto
    set authusrgrp "VPN-group"
    set default-gw 0.0.0.0
    set default-gw-priority 0
    set psksecret ENC
    set keepalive 10
    set distance 15
    set priority 0
    set dpd-retrycount 3
    set dpd-retryinterval 5
    set xauthexpire on-disconnect
  next
end

Enable DHCP over IPsec in the VPN phase 2 (`set dhcp-ipsec enable`); the phase 2 must reference the phase 1 above via `set phase1name`, so that dial-up clients receive an address from the DHCP server on the tunnel interface.

config vpn ipsec phase2-interface
  edit "SCR-REMOTEVPN"
    set phase1name "SCR-REMOTEVPN"
    set comments "based on fortinet kb (FD37351)"
    set dhcp-ipsec enable
  next
end

Updated on September 18, 2022

Comments

  • Kedare
    Kedare almost 2 years

    I am trying to configure a Fortigate 60C to act as an IPSec endpoint for remote VPN.

    I configured it like this:

    SCR-F0-FGT100C-1 # diagnose vpn ike config
    
    vd: root/0
    name: SCR-REMOTEVPN
    serial: 7
    version: 1
    type: dynamic
    mode: aggressive
    dpd: enable  retry-count 3  interval 5000ms
    auth: psk
    dhgrp:  2
    xauth: server-auto
    xauth-group: VPN-group
    interface: wan1
    distance: 1
    priority: 0
    phase2s:
      SCR-REMOTEVPN-PH2 proto 0 src 0.0.0.0/0.0.0.0:0 dst 0.0.0.0/0.0.0.0:0  dhgrp 5  replay  keep-alive  dhcp
    policies: none
    

    Here is the configuration:

    config vpn ipsec phase1-interface
        edit "SCR-REMOTEVPN"
            set type dynamic
            set interface "wan1"
            set dhgrp 2
            set xauthtype auto
            set mode aggressive
            set proposal aes256-sha1 aes256-md5
            set authusrgrp "VPN-group"
            set psksecret ENC xxx
        next
    
    
    config vpn ipsec phase2-interface
        edit "SCR-REMOTEVPN-PH2"
            set keepalive enable
            set phase1name "SCR-REMOTEVPN"
            set proposal aes256-sha1 aes256-md5
            set dhcp-ipsec enable
        next
    end
    

    But when I try to connect from a remote device (I tested with an Android phone), the phone fails to connect and the FortiGate logs this error:

    2012-07-20 13:08:51 log_id=0101037124 
    type=event 
    subtype=ipsec 
    pri=error 
    vd="root" 
    msg="IPsec phase 1 error" 
    action="negotiate" 
    rem_ip=xxx
    loc_ip=xxx 
    rem_port=1049 
    loc_port=500 
    out_intf="wan1" 
    cookies="xxx" 
    user="N/A" 
    group="N/A" 
    xauth_user="N/A" 
    xauth_group="N/A" 
    vpn_tunnel="N/A" 
    status=negotiate_error error_reason=no matching gateway for new request 
    peer_notif=INITIAL-CONTACT
    

    I tried searching on the web, but I did not find anything relevant to this.

    Do you have any idea what the problem could be? I tried many combinations of settings on the FortiGate without success.

    • Admin
      Admin almost 12 years
      Have you tried main mode instead of aggressive mode?
    • ralz
      ralz almost 12 years
      srvfail.com/… I found your question while trying to solve my own problem (the same error on a site-to-site IPsec tunnel). I wrote that up for iOS, but it could also be the problem for you on Android: check that the peer ID matches on both sides.
    • Adam Silenko
      Adam Silenko over 7 years
      Did you add a firewall policy allowing the IPsec (tunnel interface) traffic?
    • Adam Silenko
      Adam Silenko over 7 years
      Your question should really be: how do I configure an IPsec server on a FortiGate 60C? But first: do you have a static or dynamic IP on the WAN? How do you want to authenticate clients (group names, pre-shared keys or digital certificates)? Do you need the same IP on the LAN and whenever you connect over IPsec?