Troubleshooting - Fortinet FortiGate FortiGate-1000 Administration Manual

Troubleshooting

    config vpn ipsec vip
        edit 1
            set ip 192.168.12.2
            set out-interface external
        end
4. Using CLI commands to configure the remote FortiGate unit, add VIP entries to define which IP addresses can be accessed at the local end of the VPN tunnel (see "ipsec vip" on page 278). For example, to enable access to Host_1 on the Finance network from Host_2 on the HR network, enter the following CLI commands on FortiGate_2:

    config vpn ipsec vip
        edit 1
            set ip 192.168.12.1
            set out-interface external
        end

Most connection failures are due to a configuration mismatch between the local and remote FortiGate units.

The following are some tips to troubleshoot a VPN connection failure:

- Ping the remote FortiGate firewall to verify you have a working route.
- Check the remote peer software configuration.
- Check the FortiGate firewall configuration.

| Configuration Error | Correction |
| --- | --- |
| Wrong remote network information. | Check the IP addresses of the remote gateway and network. |
| Wrong preshared key. | Reenter the preshared key. |
| Wrong Aggressive Mode peer ID. | Reset to the correct Peer ID. |
| Mismatched IKE or IPSec proposal combination in the proposal lists. | Make sure both the FortiGate unit and the remote peer are using the same proposals. |
| Wrong or mismatched IKE or IPSec Diffie-Hellman group. | Make sure you select the correct DH group on both ends. |
| No Perfect Forward Secrecy (PFS) when it is required. | Enable PFS. |
| Wrong direction of the encryption policy. For example, external-to-internal instead of internal-to-external. | Change the policy to internal-to-external. |
| Wrong firewall policy source and destination addresses. | Re-enter the source and destination address. |
| Wrong order of the encryption policy in the firewall policy table. | The encryption policy must be placed above other non-encryption policies. |

01-28006-0009-20041105
Fortinet Inc.
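
The mismatch checks from the troubleshooting table, sketched as an added Python example (not taken from the Fortinet manual). The dictionary field names are hypothetical, not FortiOS CLI keywords, and every address, ID and key below is a constructed sample value.

```python
import hmac
import ipaddress

def check_tunnel(a, b):
    """Compare two peers' VPN settings; return the corrections that apply."""
    out = []
    for x, y in ((a, b), (b, a)):
        # Each side's remote gateway and network must mirror the other side.
        same_net = ipaddress.ip_network(x["remote_net"]) == ipaddress.ip_network(y["local_net"])
        if x["remote_gw"] != y["wan_ip"] or not same_net:
            out.append(f"{x['name']}: check the IP addresses of the remote gateway and network")
        if x["mode"] == "aggressive" and x["peer_id"] != y["local_id"]:
            out.append(f"{x['name']}: reset to the correct Peer ID")
        # Policies are listed top to bottom; nothing may precede the first encrypt policy.
        order = x["policy_order"]
        if "encrypt" in order and order.index("encrypt") > 0:
            out.append(f"{x['name']}: place the encryption policy above other non-encryption policies")
    if not hmac.compare_digest(a["psk"].encode(), b["psk"].encode()):
        out.append("reenter the preshared key")
    for phase in ("ike", "ipsec"):
        # Negotiation needs at least one proposal that both lists contain.
        if not set(a[f"{phase}_proposals"]) & set(b[f"{phase}_proposals"]):
            out.append(f"use the same {phase} proposals on both peers")
        if a[f"{phase}_dh"] != b[f"{phase}_dh"]:
            out.append(f"select the same {phase} DH group on both ends")
    if a["pfs"] != b["pfs"]:
        out.append("enable PFS on the peer that has it disabled")
    return out

# Constructed sample peers (hypothetical field names, documentation-range addresses).
LOCAL = {"name": "local", "wan_ip": "198.51.100.1", "local_net": "10.1.0.0/24",
         "remote_gw": "203.0.113.1", "remote_net": "10.2.0.0/24",
         "mode": "aggressive", "local_id": "hq", "peer_id": "branch",
         "psk": "constructed-key-1", "pfs": True,
         "ike_proposals": ["3des-sha1", "aes128-sha1"], "ike_dh": 5,
         "ipsec_proposals": ["aes128-sha1"], "ipsec_dh": 5,
         "policy_order": ["encrypt", "accept"]}
REMOTE = dict(LOCAL, name="remote", wan_ip="203.0.113.1", local_net="10.2.0.0/24",
              remote_gw="198.51.100.1", remote_net="10.1.0.0/24",
              local_id="branch", peer_id="hq")
# Same peer with three of the table's errors: wrong key, wrong DH group, policy too low.
BROKEN = dict(REMOTE, psk="constructed-key-2", ike_dh=2, policy_order=["accept", "encrypt"])

if __name__ == "__main__":
    for finding in check_tunnel(LOCAL, BROKEN):
        print(finding)
```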
