Most connection failures are due to a configuration mismatch between the FortiGate unit and the remote peer. In general, begin troubleshooting an IPsec VPN connection failure as follows:
- Ping the remote network or client to verify whether the connection is up. See General troubleshooting tips.
- Traceroute the remote network or client. If DNS is working, you can use domain names. Otherwise use IP addresses.
- Check the routing behind the dialup client. Routing problems may be affecting DHCP. If this appears to be the case, configure a DHCP relay service to enable DHCP requests to be relayed to a DHCP server on or behind the FortiGate server.
- Verify the configuration of the FortiGate unit and the remote peer. Check the following IPsec parameters:
- The mode setting for ID protection (main or aggressive) on both VPN peers must be identical.
- The authentication method (preshared keys or certificates) used by the client must be supported on the FortiGate unit and configured properly.
- If preshared keys are being used for authentication purposes, both VPN peers must have identical preshared keys.
- The remote client must have at least one set of Phase 1 encryption, authentication, and Diffie-Hellman settings that match corresponding settings on the FortiGate unit.
- Both VPN peers must have the same NAT traversal setting (enabled or disabled).
- The remote client must have at least one set of Phase 2 encryption and authentication algorithm settings that match the corresponding settings on the FortiGate unit.
- If you are using manual keys to establish a tunnel, the Remote SPI setting on the FortiGate unit must be identical to the Local SPI setting on the remote peer, and vise versa.
- To correct the problem, see the following table.
VPN trouble-shooting tips
|Mode settings do not match.||Select complementary mode settings. See Phase 1 parameters.|
|Peer ID or certificate name of the remote peer or dialup client is not recognized by FortiGate VPN server.||Check Phase 1 configuration. Depending on the Remote Gateway and Authentication Method settings, you have a choice of options to authenticate FortiGate dialup clients or VPN peers by ID or certificate name (see Phase 1 parameters).
If you are configuring authentication parameters for FortiClient dialup clients, refer to the Authenticating FortiClient Dialup Clients Technical Note.
|Preshared keys do not match.||Reenter the preshared key. See Phase 1 parameters.|
|Phase 1 or Phase 2 key exchange proposals are mismatched.||Make sure that both VPN peers have at least one set of proposals in common for each phase. See Phase 1 parameters and Phase 2 parameters.|
|NAT traversal settings are mismatched.||Select or clear both options as required. See Phase 1 parameters and Phase 1 parameters.|
A word about NAT devices
When a device with NAT capabilities is located between two VPN peers or a VPN peer and a dialup client, that device must be NAT traversal (NAT-T) compatible for encrypted traffic to pass through the NAT device. For more information, see Phase 1 parameters.