FortiOS 5.6 Online Help Link FortiOS 5.4 Online Help Link FortiOS 5.2 Online Help Link FortiOS 5.0 Online Help Link

Home > Online Help

> Chapter 16 - IPsec VPN > Troubleshooting > General troubleshooting tips

General troubleshooting tips

Most connection failures are due to a configuration mismatch between the FortiGate unit and the remote peer. In general, begin troubleshooting an IPsec VPN connection failure as follows:

  1. Ping the remote network or client to verify whether the connection is up. See General troubleshooting tips.
  2. Traceroute the remote network or client. If DNS is working, you can use domain names. Otherwise use IP addresses.
  3. Check the routing behind the dialup client. Routing problems may be affecting DHCP. If this appears to be the case, configure a DHCP relay service to enable DHCP requests to be relayed to a DHCP server on or behind the FortiGate server.
  4. Verify the configuration of the FortiGate unit and the remote peer. Check the following IPsec parameters:
  • The mode setting for ID protection (main or aggressive) on both VPN peers must be identical.
  • The authentication method (preshared keys or certificates) used by the client must be supported on the FortiGate unit and configured properly.
  • If preshared keys are being used for authentication purposes, both VPN peers must have identical preshared keys.
  • The remote client must have at least one set of Phase 1 encryption, authentication, and Diffie-Hellman settings that match corresponding settings on the FortiGate unit.
  • Both VPN peers must have the same NAT traversal setting (enabled or disabled).
  • The remote client must have at least one set of Phase 2 encryption and authentication algorithm settings that match the corresponding settings on the FortiGate unit.
  • If you are using manual keys to establish a tunnel, the Remote SPI setting on the FortiGate unit must be identical to the Local SPI setting on the remote peer, and vise versa.
  1. To correct the problem, see the following table.
VPN troubleshooting tips
Configuration problem Correction
Mode settings do not match. Select complementary mode settings. See Phase 1 parameters.
Peer ID or certificate name of the remote peer or dialup client is not recognized by FortiGate VPN server. Check Phase 1 configuration. Depending on the Remote Gateway and Authentication Method settings, you have a choice of options to authenticate FortiGate dialup clients or VPN peers by ID or certificate name (see Phase 1 parameters).

If you are configuring authentication parameters for FortiClient dialup clients, refer to the Authenticating FortiClient Dialup Clients Technical Note.
Preshared keys do not match. Reenter the preshared key. See Phase 1 parameters.
Phase 1 or Phase 2 key exchange proposals are mismatched. Make sure that both VPN peers have at least one set of proposals in common for each phase. See Phase 1 parameters and Phase 2 parameters.
NAT traversal settings are mismatched. Select or clear both options as required. See Phase 1 parameters and Phase 1 parameters.

A word about NAT devices

When a device with NAT capabilities is located between two VPN peers or a VPN peer and a dialup client, that device must be NAT traversal (NAT-T) compatible for encrypted traffic to pass through the NAT device. For more information, see Phase 1 parameters.