Setting up IPsec VPN

I am setting up an IPsec VPN tunnel on a 200F 7.2.5. I configured the tunnel using the IPsec wizard but I cannot connect using the FortiClient VPN software. When I look at the VPN Event logs on the 200F I see these two log events.

2023/06/17 14:38:23 negotiate success progress IPsec phase 1

2023/06/17 14:38:53 delete_phase1_sa delete IPsec phase 1 SA

I have found some posts stating this log event occurs when there is a phase2 failure.

I have exported the logs from the FortiClient and I am getting this error message:

IKE phase1 authentication fail as peer’s certificate is not verified

I have configured the Authentication Method on this connection to Pre-Shared Key so I am confused why I would be getting a certification error.

This is the first VPN I have tried to configure on a FortiGate so any help would be greatly appreciated.

I’d do SSL VPN for user remote access, not IPsec. IPsec isn’t really used too much anymore for user access, for a variety of reasons, including ease of configuration.

Are you sure the FortiClient is configured for IPsec and not SSL-VPN? Export your FortiClient config and sanitize it (we really just need the VPN portions), then export the IPsec config for the gate and sanitize it. Post it here.

Did you create firewall policies allowing traffic?

I just set up an SSL VPN and it worked the first time. I need to read up on SSL VPN to make sure I get the setup right. But on the first attempt this is much easier than IPsec.

Yes I have double checked the FortiClient connection and it is set to IPsec.

Here is the FortiClient configuration:

<name>Test VPN</name>
<single_user_mode>0</single_user_mode>
<machine>0</machine>
<type>manual</type>
<ui>
    <show_passcode>0</show_passcode>
    <show_remember_password>0</show_remember_password>
    <show_alwaysup>0</show_alwaysup>
    <show_autoconnect>0</show_autoconnect>
    <save_username>0</save_username>
</ui>
<ike_settings>
    <version>1</version>
    <implied_SPDO>0</implied_SPDO>
    <implied_SPDO_timeout>0</implied_SPDO_timeout>
    <xauth_timeout>0</xauth_timeout>
    <prompt_certificate>0</prompt_certificate>
    <description />
    <server>vpn.server.com</server>
    <authentication_method>Preshared Key</authentication_method>
    <auth_data>
        <preshared_key>EncX ****************</preshared_key>
    </auth_data>
    <mode>aggressive</mode>
    <dhgroup>5;</dhgroup>
    <key_life>86400</key_life>
    <localid />
    <peerid />
    <nat_traversal>1</nat_traversal>
    <mode_config>1</mode_config>
    <enable_local_lan>0</enable_local_lan>
    <failover_sslvpn_connection />
    <block_outside_dns>0</block_outside_dns>
    <nat_alive_freq>5</nat_alive_freq>
    <dpd>1</dpd>
    <dpd_retry_count>3</dpd_retry_count>
    <dpd_retry_interval>5</dpd_retry_interval>
    <enable_ike_fragmentation>0</enable_ike_fragmentation>
    <xauth>
        <enabled>1</enabled>
        <prompt_username>1</prompt_username>
        <username>EncX **********************</username>
        <password />
    </xauth>
    <proposals>
        <proposal>AES128|SHA256</proposal>
        <proposal>AES256|SHA256</proposal>
    </proposals>
</ike_settings>
<ipsec_settings>
    <remote_networks>
        <network>
            0.0.0.0
            0.0.0.0
        </network>
        <network>
            ::/0
            ::/0
        </network>
    </remote_networks>
    <ipv4_split_exclude_networks />
    <dhgroup>5</dhgroup>
    <key_life_type>seconds</key_life_type>
    <key_life_seconds>43200</key_life_seconds>
    <key_life_Kbytes>5120</key_life_Kbytes>
    <replay_detection>1</replay_detection>
    <pfs>1</pfs>
    <use_vip>1</use_vip>
    <virtualip>
        <type>modeconfig</type>
        <ip>0.0.0.0</ip>
        <mask>0.0.0.0</mask>
        <dnsserver>0.0.0.0</dnsserver>
        <winserver>0.0.0.0</winserver>
    </virtualip>
    <proposals>
        <proposal>AES128|SHA1</proposal>
        <proposal>AES256|SHA1</proposal>
    </proposals>
</ipsec_settings>
<on_connect>
    <script>
        <os>windows</os>
        <script>
            <![CDATA[]]>
        </script>
    </script>
</on_connect>
<on_disconnect>
    <script>
        <os>windows</os>
        <script>
            <![CDATA[]]>
        </script>
    </script>
</on_disconnect>

Here is the VPN configuration, phase1 and phase2:

config vpn ipsec phase1-interface
    edit "VPN"
        set type dynamic
        set interface "port2"
        set mode aggressive
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: VPN (Created by VPN wizard)"
        set wizard-type dialup-forticlient
        set xauthtype auto
        set authusrgrp "VPN"
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.254
        set ipv4-netmask 255.255.255.0
        set dns-mode auto
        set save-password enable
        set psksecret ENC ****************
    next
end
config vpn ipsec phase2-interface
    edit "VPN"
        set phase1name "VPN"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: VPN (Created by VPN wizard)"
    next
end

The firewall rule was created through the Wizard. I checked the rule and it appears to be right.
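As an added example (not from the thread or from Fortinet), a small Python check that reads a FortiClient export and the FortiGate phase1 CLI and reports which IKE proposals, DH groups and exchange mode the two sides actually share, which is the first thing to compare when phase 1 negotiates and is then torn down. The `<connection>` wrapper and the `set dhgrp 14 5` line are assumptions used to make the sample self-contained; they are not from the posted config.

```python
import re
import xml.etree.ElementTree as ET

# Constructed FortiClient export fragment (IKE/IPsec parts only), shaped like the
# export posted above. The <connection> root is an assumption for parsing.
FORTICLIENT_XML = """<connection>
  <ike_settings>
    <version>1</version>
    <authentication_method>Preshared Key</authentication_method>
    <mode>aggressive</mode>
    <dhgroup>5;</dhgroup>
    <proposals>
      <proposal>AES128|SHA256</proposal>
      <proposal>AES256|SHA256</proposal>
    </proposals>
  </ike_settings>
  <ipsec_settings>
    <dhgroup>5</dhgroup>
    <pfs>1</pfs>
    <proposals>
      <proposal>AES128|SHA1</proposal>
      <proposal>AES256|SHA1</proposal>
    </proposals>
  </ipsec_settings>
</connection>"""

# Constructed FortiGate phase1 snippet; "set dhgrp 14 5" is an assumed line.
FORTIGATE_PHASE1 = """edit "VPN"
    set mode aggressive
    set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
    set dhgrp 14 5
"""

def client_proposals(xml_text, section):
    # FortiClient writes "AES128|SHA256"; FortiGate CLI writes "aes128-sha256".
    root = ET.fromstring(xml_text)
    return {p.text.strip().replace("|", "-").lower()
            for p in root.find(section).findall("proposals/proposal")}

def gate_setting(cli_text, key):
    # Return the values of one "set <key> ..." line, or [] if it is absent.
    m = re.search(r"^\s*set %s (.+)$" % re.escape(key), cli_text, re.M)
    return m.group(1).split() if m else []

def common_proposals(xml_text, cli_text, section="ike_settings"):
    return sorted(client_proposals(xml_text, section) & set(gate_setting(cli_text, "proposal")))

def dh_overlap(xml_text, cli_text, section="ike_settings"):
    # Client dhgroup may be "5;" or "5"; split on ';' and drop empties.
    client = {g for g in ET.fromstring(xml_text).find(section).findtext("dhgroup").split(";") if g}
    return sorted(client & set(gate_setting(cli_text, "dhgrp")), key=int)

def mode_matches(xml_text, cli_text):
    client_mode = ET.fromstring(xml_text).find("ike_settings").findtext("mode").strip()
    return gate_setting(cli_text, "mode") == [client_mode]
```

An empty result from `common_proposals` or `dh_overlap` means the two sides have nothing in common for that parameter, which is worth checking before looking at the pre-shared key or firewall policy.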