fortigate-ipsec-40-mr3
fortigate-ipsec-40-mr3
fortigate-ipsec-40-mr3
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Monitoring and troubleshooting VPN troubleshooting tips<br />
VPN troubleshooting tips<br />
More in-depth VPN troubleshooting can be found in the Troubleshooting guide.<br />
The VPN proposal is not connecting<br />
One side may attempt to initiate the VPN tunnel unsuccessful. There are a number of<br />
potential reasons for this problem.<br />
Attempting hardware offloading beyond SHA1<br />
If you are trying to off-load VPN processing to a network processing unit (NPU),<br />
remember that only SHA1 authentication is supported. For high levels of authentication<br />
such as SHA256, SHA384, and SHA512 hardware offloading is not an option — all VPN<br />
processing must be done in software.<br />
Check Phase 1 proposal settings<br />
Ensure that both sides have at least one Phase 1 proposal in common. Otherwise they<br />
will not connect. If there are many proposals in the list, this will slow down the negotiating<br />
of Phase 1. If its too slow, the connection may timeout before completing. If this happens,<br />
try removing some of the unused proposals.<br />
Ensure you are not using a loopback for the local VPN interface<br />
The Local Interface field in Phase 1 VPN configuration cannot not be configured to point<br />
to a loopback interface, or the IPSec tunnel will not be established.<br />
Check your routing<br />
If routing is not properly configured with an entry for the remote end of the VPN tunnel,<br />
traffic will not flow properly. You may need static routes on both ends of the tunnel. If<br />
routing is the problem, the proposal will likely setup properly but no traffic will flow.<br />
Try enabling XAuth<br />
If one end of an attempted VPN tunnel is using XAuth and the other end is not, the<br />
connection attempt will fail. The log messages for the attempted connection will not<br />
mention XAuth is the reason, but when connections are failing it is a good idea to ensure<br />
both ends have the same XAuth settings. If you do not know the other end’s settings<br />
enable or disable XAuth on your end to see if that is the problem.<br />
General troubleshooting tips<br />
Most connection failures are due to a configuration mismatch between the FortiGate unit<br />
and the remote peer. In general, begin troubleshooting an IPsec VPN connection failure<br />
as follows:<br />
1 Ping the remote network or client to verify whether the connection is up. See “Testing<br />
VPN connections” on page 236.<br />
2 Traceroute the remote network or client. If DNS is working, you can use domain<br />
names. Otherwise use IP addresses.<br />
3 Check the routing behind the dialup client. Routing problems may be affecting DHCP.<br />
If this appears to be the case, configure a DHCP relay service to enable DHCP<br />
requests to be relayed to a DHCP server on or behind the FortiGate server.<br />
4 Verify the configuration of the FortiGate unit and the remote peer. Check the following<br />
IPsec parameters:<br />
FortiOS Handbook v3: IPsec VPNs<br />
01-434-112804-20120111 241<br />
http://docs.fortinet.com/