

This article describes how to debug IPsec VPN connectivity issues. If the VPN fails to connect, check the following:

Ensure that the Quick Mode selectors are correctly configured; use the diagnose vpn tunnel list command to troubleshoot this. If Perfect Forward Secrecy (PFS) is used, ensure that it is enabled on both peers. If FortiClient is used, ensure that its version is compatible with the FortiGate firmware by reading the FortiOS Release Notes. Where multiple remote dial-up VPN tunnels exist, each tunnel must have a peer ID set: ensure that the peer ID is configured properly on the FortiGate and that the clients have specified the correct local ID. Ensure that both ends of the VPN tunnel are using Main mode, unless multiple dial-up tunnels are being used. Pin the PAT/NAT session table, or use some kind of NAT-T keepalive, so that the PAT/NAT translation does not expire. Check the NAT settings: enable NAT traversal in the Phase 1 configuration and disable NAT in the security policy. Ensure that the FortiGate unit is in NAT/Route mode rather than Transparent mode. Check that a static route has been configured properly to allow routing of VPN traffic. Ensure that inbound and outbound traffic is allowed for all necessary network services, especially if services such as DNS or DHCP are having problems.

The SA proposals do not match (SA proposal mismatch). The error message is:
ike Negotiate SA Error:
Ensure that both ends use the same Phase 1 and Phase 2 proposal settings.

The pre-shared key does not match (PSK mismatch error). The error message is:
ike 0:TRX:322: PSK auth failed: probable pre-shared key mismatch
Ensure that the pre-shared keys match exactly.
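The following is an added example, not part of the original article, that triages the IKE debug messages quoted above: it parses lines in the "ike 0:<phase1-name>:<serial>: message" form, maps the PSK mismatch and SA proposal mismatch messages to the check the article recommends, and counts failures per tunnel. The sample lines are constructed, and the "no matching gateway" wording used for the peer-ID case is an assumption about FortiOS output rather than a message the article quotes.

```python
"""Triage helper for FortiGate IKE debug output (added example, not the article's code).

Maps the IKE debug messages the article quotes (PSK mismatch, SA proposal
mismatch) to the check the article recommends. The third pattern
('no matching gateway') is an assumed FortiOS wording, not quoted by the article.
"""
import re
from collections import Counter

# pattern -> (cause label, what to check); the first two are quoted in the article
SIGNATURES = [
    (re.compile(r"PSK auth failed|pre-shared key mismatch", re.I),
     ("psk_mismatch", "Pre-shared keys differ; re-enter the PSK on both peers.")),
    (re.compile(r"Negotiate SA Error|proposal not match|no proposal chosen", re.I),
     ("sa_proposal_mismatch", "Phase 1/Phase 2 proposals, DH group and PFS must match on both peers.")),
    (re.compile(r"no matching gateway", re.I),  # assumed wording
     ("no_gateway_match", "Check peer ID / local ID on dial-up tunnels.")),
]

# 'ike <vdom>:<phase1-name>[:<serial>...]: <message>'
LINE_RE = re.compile(r"^ike\s+\d+:(?P<tunnel>[^:\s]+)(?::\d+)*:\s*(?P<msg>.*)$")

def classify_line(line):
    """Return (tunnel, cause, advice) for a known failure line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    for pattern, (cause, advice) in SIGNATURES:
        if pattern.search(m.group("msg")):
            return m.group("tunnel"), cause, advice
    return None

def triage(lines):
    """Count failure causes per tunnel: {tunnel: Counter({cause: n})}."""
    result = {}
    for line in lines:
        hit = classify_line(line)
        if hit:
            tunnel, cause, _ = hit
            result.setdefault(tunnel, Counter())[cause] += 1
    return result

# Constructed sample debug output; the first line is the one the article quotes.
SAMPLE = """\
ike 0:TRX:322: PSK auth failed: probable pre-shared key mismatch
ike 0:TRX:322: Negotiate SA Error: no proposal chosen
ike 0:TRX: sending main mode request
ike 0:DIALUP_B:17: no matching gateway for new request
""".splitlines()

if __name__ == "__main__":
    for tunnel, causes in triage(SAMPLE).items():
        print(tunnel, dict(causes))
```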
