Well, after banging my head around this for damn near three weeks, reading tons of documentation and doing endless debugs, I'm calling it quits and turning to those who are hopefully way smarter than me (aka you guys in the SpiceWorks community!).

Here's the deal: I've got a customer where we just set up a new FortiGate 60D running FortiOS 5.2.2. We've set up a site-to-site IPsec VPN between their two offices, and that works without a hitch. But the customer needs to access their internal LAN from iPads, which is where the problems start. Regardless of what I do in terms of config (using either the wizard, the CLI or a manual setup through the WebUI), I get an IPsec phase 1 error in the log on the FortiGate stating "peer SA proposal not match local policy" when I try to connect to it.

But, and here's the kicker, that very same config works like a charm on a different FortiGate unit (a FortiGate 40C, also running 5.2.2). In both cases I use the built-in Cisco IPsec client that iOS has. I've also checked, rechecked and then rechecked again the Phase 1 settings on both the non-working and working firewalls, and they are exactly the same. I've attached a dump of the Phase 1 and Phase 2 settings used in both cases, as well as the error I get in the logs on the 60D. To make matters even more interesting, I've also tested this out on the FortiWifi 40C I have at home running FortiOS 5.2.3. Same result, regardless of what I do or how I config it: it fails to establish the VPN between phone and firewall.

I've even set up Fortinet's own FortiClient to run IPsec against the tunnel using the exact same settings as the tunnel has in the attached config. Same result, "peer SA proposal not match local policy" in the log. I am, as mentioned, at the end of my rope. I've also had our FortiGate man in to look at this, but he has no real explanation of why this happens. I'd rather not have to obliterate the current config on the 60D, but I will if I have to in order to get this fixed. Thus I will follow the 7th of the 10 Tech Commandments: talk with experienced colleagues, as it's incredible which issues they've seen over the years! :)

When you open up with the info about the site-to-site IPsec it makes me wonder if you are trying to use the site-to-site IPsec VPN as a point-to-site for the iPad? Assuming that bit of information was just provided to indicate that IPsec is working "somewhere", then here are some thoughts. If you have been looking at stuff for weeks then it is safe to assume that you had reviewed these two and: they didn't help, that is, you did exactly the setup indicated (well, you probably already have an address group for your LAN, but...) and the clients can't connect? Have you tried with an iPhone with the latest updates? What were the client OS version details? Have you tried a different platform as the client to connect using a Cisco IPsec VPN client? Are you using pre-shared key or certificates or...? Also, have you opened a support ticket with Fortinet? 3 weeks? Note: I am fairly new to using FortiGates, so I am sure someone else might have better questions with CLI commands to run.

Won't help much, unless I reconfigure the tunnel to listen on the internal interface. Thanks for the replies.

Yep, went through both of those guides, and nope, clients cannot connect on TWO of the boxes we've done tests on. At this point I'm willing to flip every stone there. I've also been wondering if it's trying to connect to the site-to-site tunnel. Both the boxes that don't work already have IPsec VPNs on them, but neither of those two boxes would let iOS devices connect when I removed all entries for IPsec and recreated the iOS tunnel. An iPhone and an iPad running the latest version of iOS, and one running the previous one. A FortiGate ticket was opened on Friday before posting this, but I haven't heard anything back from them yet. Even tried to configure a Cisco client installed on a PC to run against the iOS tunnel: same result, can't connect.

Well, had a tech from FortiGate log in remotely to have a peek, and he managed to get the connection working.
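The "peer SA proposal not match local policy" message in this thread is the FortiGate, acting as IKEv1 responder, saying that none of the Phase 1 transforms the client offered (encryption, hash, DH group) lines up with a combination it is configured to accept. The thread never reveals which attribute was off, so the script below is an added example, not the poster's config or anything from Fortinet: it parses two constructed snippets written in the shape of FortiOS 5.x `config vpn ipsec phase1-interface` output (one that overlaps the client's offer and one that does not), compares them against a constructed client offer (not the real iOS client's proposal list), and reports, per offered transform, which attribute the gateway is missing. The tunnel name, proposal strings and DH groups are all made up for the example.

```python
import re
from itertools import product

# Constructed sample: a phase1 stanza in FortiOS-style CLI syntax whose proposal
# list and DH groups overlap with the client offer below.
WORKING_CFG = """
config vpn ipsec phase1-interface
    edit "ios-dialup"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set proposal aes256-sha1 aes128-sha1 3des-sha1
        set dhgrp 2 5
        set xauthtype auto
    next
end
"""

# Constructed sample: same stanza, but only SHA-256 proposals and DH group 14,
# which a client offering SHA-1 with group 2/5 can never match.
BROKEN_CFG = """
config vpn ipsec phase1-interface
    edit "ios-dialup"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set proposal aes256-sha256 aes128-sha256
        set dhgrp 14
        set xauthtype auto
    next
end
"""

# Constructed client offer as (encryption, hash, dh_group) tuples, in the order
# an initiator would list them. This is illustrative, not a capture of any real client.
CLIENT_OFFER = [
    ("aes256", "sha1", 2),
    ("aes128", "sha1", 2),
    ("3des", "sha1", 2),
    ("aes256", "sha1", 5),
]

EDIT_RE = re.compile(r'^\s*edit\s+"([^"]+)"')
PROPOSAL_RE = re.compile(r'^\s*set proposal\s+(.+)$')
DHGRP_RE = re.compile(r'^\s*set dhgrp\s+(.+)$')


def parse_phase1(cfg_text):
    """Return {tunnel_name: {"proposals": {(enc, hash)}, "dhgrp": {int}}} from a
    FortiOS-style phase1 stanza. Only 'set proposal' and 'set dhgrp' are read."""
    tunnels, current = {}, None
    for line in cfg_text.splitlines():
        m = EDIT_RE.match(line)
        if m:
            current = tunnels.setdefault(m.group(1), {"proposals": set(), "dhgrp": set()})
            continue
        if current is None:
            continue
        m = PROPOSAL_RE.match(line)
        if m:
            for item in m.group(1).split():          # e.g. "aes256-sha1"
                enc, hsh = item.split("-", 1)
                current["proposals"].add((enc, hsh))
            continue
        m = DHGRP_RE.match(line)
        if m:
            current["dhgrp"].update(int(g) for g in m.group(1).split())
    return tunnels


def acceptable_set(tunnel):
    """Every listed DH group applies to every listed enc/hash pair, so the
    responder's acceptable transforms are the cartesian product of the two."""
    return {(enc, hsh, grp) for (enc, hsh), grp in product(tunnel["proposals"], tunnel["dhgrp"])}


def first_match(client_offer, tunnel):
    """Return the first client transform the gateway would accept, or None
    (the None case is what surfaces as 'proposal not match local policy')."""
    ok = acceptable_set(tunnel)
    for offer in client_offer:
        if offer in ok:
            return offer
    return None


def explain(client_offer, tunnel):
    """Map each offered transform to the list of reasons it is rejected
    (empty list means accepted), so the mismatched attribute is obvious."""
    ok = acceptable_set(tunnel)
    encs = {e for e, _ in tunnel["proposals"]}
    hashes = {h for _, h in tunnel["proposals"]}
    report = {}
    for offer in client_offer:
        enc, hsh, grp = offer
        why = []
        if offer not in ok:
            if enc not in encs:
                why.append(f"encryption {enc} not in proposal list")
            if hsh not in hashes:
                why.append(f"hash {hsh} not in proposal list")
            if enc in encs and hsh in hashes and (enc, hsh) not in tunnel["proposals"]:
                why.append(f"pair {enc}-{hsh} not listed")
            if grp not in tunnel["dhgrp"]:
                why.append(f"dhgrp {grp} not configured")
        report[offer] = why
    return report


if __name__ == "__main__":
    for label, cfg in (("working", WORKING_CFG), ("broken", BROKEN_CFG)):
        tunnel = parse_phase1(cfg)["ios-dialup"]
        print(f"[{label}] first acceptable transform: {first_match(CLIENT_OFFER, tunnel)}")
        for offer, why in explain(CLIENT_OFFER, tunnel).items():
            print(f"   {offer}: {'OK' if not why else '; '.join(why)}")
```

Run it against a real `show vpn ipsec phase1-interface` dump from the working and non-working boxes and the same client offer, and the `explain` output tells you which side of the proposal (cipher, hash or DH group) differs, which is the first thing to check before rebuilding a tunnel from scratch.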