FortiGate IPSec VPN User Guide - FirewallShop.com
VPN troubleshooting tips<br />
Monitoring and testing VPNs<br />
3 Refer to Table 2 on page 160 to correct the problem.<br />
Table 2: VPN troubleshooting tips<br />
<table>
<tr><th>Configuration problem</th><th>Correction</th></tr>
<tr><td>Mode settings do not match.</td><td>Select complementary mode settings. See “Choosing main mode or aggressive mode” on page 128.</td></tr>
<tr><td>Peer ID or certificate name of the remote peer or dialup client is not recognized by the FortiGate VPN server.</td><td>Go to VPN > Phase 1. Depending on the Remote Gateway and Authentication Method settings, you have a choice of options to authenticate FortiGate dialup clients or VPN peers by ID or certificate name (see “Authenticating remote peers and clients” on page 131). If you are configuring authentication parameters for FortiClient dialup clients, refer to the Authenticating FortiClient Dialup Clients Technical Note.</td></tr>
<tr><td>Preshared keys do not match.</td><td>Reenter the preshared key. See “Authenticating remote peers and clients” on page 131.</td></tr>
<tr><td>Phase 1 or phase 2 key exchange proposals are mismatched.</td><td>Make sure that both VPN peers have at least one set of proposals in common for each phase. See “Defining IKE negotiation parameters” on page 137 and “Configure the phase 2 parameters” on page 146.</td></tr>
<tr><td>NAT traversal settings are mismatched.</td><td>Select or clear both options as required. See “NAT traversal” on page 140 and “NAT keepalive frequency” on page 140.</td></tr>
<tr><td>SPI settings for manual key tunnels are mismatched.</td><td>Enter complementary SPI settings. See “Manual-key configurations” on page 111.</td></tr>
</table>
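When both peers' settings are known (a lab, or both ends under your own management), the mismatch checks in Table 2 can be applied mechanically before looking at IKE debug output. The checker below is an added example, not code from this guide or from FortiGate; the PeerConfig model, proposal strings and the HQ/branch sample configurations are constructed for illustration, and the peer ID/certificate row of the table is not modelled because it depends on the server's authentication settings.

```python
import hmac
from dataclasses import dataclass


@dataclass
class PeerConfig:
    """One VPN peer's settings (hypothetical model, not FortiGate's own)."""
    mode: str                   # "main" or "aggressive"
    psk: str                    # preshared key
    phase1_proposals: set[str]  # e.g. {"aes128-sha1", "3des-sha1"}
    phase2_proposals: set[str]
    nat_traversal: bool         # NAT traversal selected (True) or cleared (False)
    manual_key: bool = False    # manual-key tunnel instead of IKE
    spi_in: str = ""            # local inbound SPI (manual-key tunnels only)
    spi_out: str = ""           # local outbound SPI


def find_mismatches(local: PeerConfig, remote: PeerConfig) -> list[str]:
    """Return the Table 2 problems present between two peers, in table order."""
    problems = []
    if local.mode != remote.mode:
        problems.append("Mode settings do not match.")
    # Constant-time comparison so the checker itself does not leak key bytes via timing.
    if not hmac.compare_digest(local.psk.encode(), remote.psk.encode()):
        problems.append("Preshared keys do not match.")
    # Each phase needs at least one proposal in common; a set intersection finds it.
    if not (local.phase1_proposals & remote.phase1_proposals):
        problems.append("Phase 1 key exchange proposals are mismatched.")
    if not (local.phase2_proposals & remote.phase2_proposals):
        problems.append("Phase 2 key exchange proposals are mismatched.")
    if local.nat_traversal != remote.nat_traversal:
        problems.append("NAT traversal settings are mismatched.")
    if local.manual_key and remote.manual_key:
        # Complementary SPIs: my inbound SPI is the peer's outbound SPI, and vice versa.
        if local.spi_in != remote.spi_out or local.spi_out != remote.spi_in:
            problems.append("SPI settings for manual key tunnels are mismatched.")
    return problems


# Constructed sample: an HQ gateway and a branch peer with three deliberate mismatches
# (mode, phase 2 proposals, NAT traversal); phase 1 still overlaps on "3des-sha1".
HQ = PeerConfig("main", "s3cret", {"aes128-sha1", "3des-sha1"}, {"aes256-sha1"}, True)
BRANCH = PeerConfig("aggressive", "s3cret", {"3des-sha1"}, {"aes128-sha1"}, False)

if __name__ == "__main__":
    for problem in find_mismatches(HQ, BRANCH):
        print("-", problem)
```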
A word about NAT devices<br />
When a device with NAT capabilities is located between two VPN peers or a VPN peer and a dialup client, the device must be NAT-T compatible for encrypted traffic to pass through the NAT device. For more information, see “NAT traversal” on page 140.<br />
FortiGate IPSec VPN Version 3.0 User Guide<br />
160 01-30005-0065-20070716