
Fortinet FortiGate FortiGate-3000 Administration Guide

398 pages
298 01-28006-0010-20041105 Fortinet Inc.
Troubleshooting VPN
config vpn ipsec vip
edit 1
set ip 192.168.12.2
set out-interface external
end
4. Using CLI commands to configure the remote FortiGate unit, add VIP entries to define which IP addresses can be accessed at the local end of the VPN tunnel (see “ipsec vip” on page 284). For example, to enable access to Host_1 on the Finance network from Host_2 on the HR network, enter the following CLI commands on FortiGate_2:
config vpn ipsec vip
edit 1
set ip 192.168.12.1
set out-interface external
end
Troubleshooting
Most connection failures are due to a configuration mismatch between the local and
remote FortiGate units.
The following are some tips to troubleshoot a VPN connection failure:
PING the remote FortiGate firewall to verify you have a working route.
Check the remote peer software configuration.
Check the FortiGate firewall configuration.
| Configuration Error | Correction |
|---|---|
| Wrong remote network information. | Check the IP addresses of the remote gateway and network. |
| Wrong preshared key. | Reenter the preshared key. |
| Wrong Aggressive Mode peer ID. | Reset to the correct Peer ID. |
| Mismatched IKE or IPSec proposal combination in the proposal lists. | Make sure both the FortiGate unit and the remote peer are using the same proposals. |
| Wrong or mismatched IKE or IPSec Diffie-Hellman group. | Make sure you select the correct DH group on both ends. |
| No Perfect Forward Secrecy (PFS) when it is required. | Enable PFS. |
| Wrong direction of the encryption policy. For example, external-to-internal instead of internal-to-external. | Change the policy to internal-to-external. |
| Wrong firewall policy source and destination addresses. | Re-enter the source and destination address. |
| Wrong order of the encryption policy in the firewall policy table. | The encryption policy must be placed above other non-encryption policies. |
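
The comparison below is an added example, not taken from the Fortinet guide: it checks two constructed tunnel definitions and a constructed policy table for several of the mismatches listed in the table above. The dictionary field names and all addresses are hypothetical and are not FortiGate CLI keywords.

```python
import ipaddress

def check_tunnel(local, remote):
    """Compare the two ends of one tunnel; return the mismatches found."""
    findings = []
    # Each end's remote network/gateway must be the other end's local values.
    for a, b, side in ((local, remote, "local"), (remote, local, "remote")):
        if ipaddress.ip_network(a["remote_net"]) != ipaddress.ip_network(b["local_net"]):
            findings.append(f"{side}: wrong remote network")
        if ipaddress.ip_address(a["remote_gw"]) != ipaddress.ip_address(b["wan_ip"]):
            findings.append(f"{side}: wrong remote gateway")
    for phase in ("ike", "ipsec"):
        # Negotiation needs at least one proposal and one DH group in common.
        if not set(local[phase + "_proposals"]) & set(remote[phase + "_proposals"]):
            findings.append(f"{phase}: no common proposal")
        if not set(local[phase + "_dh"]) & set(remote[phase + "_dh"]):
            findings.append(f"{phase}: no common DH group")
    if local["pfs"] != remote["pfs"]:
        findings.append("PFS enabled on one end only")
    return findings

def check_policies(policies):
    """policies: firewall policy table, top row first."""
    findings, seen_plain = [], False
    for p in policies:
        if p["action"] != "encrypt":
            seen_plain = True
            continue
        if seen_plain:
            findings.append(f"policy {p['id']}: encrypt policy below a non-encryption policy")
        if (p["src_if"], p["dst_if"]) != ("internal", "external"):
            findings.append(f"policy {p['id']}: wrong direction")
    return findings

# Constructed sample data (field names are hypothetical, not FortiGate CLI keys).
FGT1 = {"wan_ip": "203.0.113.1", "remote_gw": "203.0.113.2",
        "local_net": "10.10.1.0/24", "remote_net": "10.10.2.0/24",
        "ike_proposals": ["3des-sha1"], "ike_dh": [5],
        "ipsec_proposals": ["3des-sha1"], "ipsec_dh": [5], "pfs": True}
FGT2 = {"wan_ip": "203.0.113.2", "remote_gw": "203.0.113.1",
        "local_net": "10.10.2.0/24", "remote_net": "10.10.1.0/25",
        "ike_proposals": ["aes128-sha1", "3des-sha1"], "ike_dh": [2],
        "ipsec_proposals": ["3des-sha1"], "ipsec_dh": [5], "pfs": False}
POLICIES = [{"id": 1, "action": "accept", "src_if": "internal", "dst_if": "external"},
            {"id": 2, "action": "encrypt", "src_if": "external", "dst_if": "internal"}]

if __name__ == "__main__":
    for line in check_tunnel(FGT1, FGT2) + check_policies(POLICIES):
        print(line)
```

The preshared key and Aggressive Mode peer ID are left out of the comparison on purpose; the table's correction for those is to re-enter the value on the unit.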
