vastsys.blogg.se

Mac ipsecuritas ipsec inactive














This section contains tips to help you with some common challenges of IPsec VPNs.

A VPN connection has multiple stages that can be confirmed to ensure the connection is working properly. It is easiest to see if the final stage is successful first since if it is successful the other stages will be working properly. Otherwise, you will need to work back through the stages to see where the problem is located.

When a VPN connection is properly established, traffic will flow from one end to the other as if both ends were physically in the same place. If you can determine the connection is working properly then any problems are likely problems with your applications.

On some FortiGate units, such as the FortiGate 94D, you cannot ping over the IPsec tunnel without first setting a source-IP. In this scenario, you must assign an IP address to the virtual IPsec VPN interface. Anything sourced from the FortiGate going over the VPN will use this IP address. If the egress/outgoing interface (determined by kernel route) has an IP address, then use the IP address of the egress/outgoing interface. Otherwise, use the IP address of the first interface from the interface list (that has an IP address).

The first diagnostic command worth running, in any IPsec VPN troubleshooting situation, is the following:

    diagnose vpn tunnel list

This command is very useful for gathering statistical data such as the number of packets encrypted versus decrypted, the number of bytes sent versus received, the SPI identifier, etc. This kind of information in the resulting output can make all the difference in determining the issue with the VPN.

Another appropriate diagnostic command worth trying is:

This command will inform you of any lack of firewall policy, lack of forwarding route, and of policy ordering issues.

The following is a list of such potential issues. Bear in mind that the troubleshooting suggestions below are not exhaustive, and may not reflect your network topology.

The options to configure policy-based IPsec VPN are unavailable. Select Show More and turn on Policy-based IPsec VPN.

If your VPN fails to connect, check the following:

- Ensure that the pre-shared keys match exactly (see The pre-shared key does not match (PSK mismatch error)).
- Ensure that both ends use the same P1 and P2 proposal settings (see The SA proposals do not match (SA proposal mismatch)).
- Ensure that you have allowed inbound and outbound traffic for all necessary network services, especially if services such as DNS or DHCP are having problems.
- Check that a static route has been configured properly to allow routing of VPN traffic.
- Ensure that your FortiGate unit is in NAT/Route mode, rather than Transparent.














