1 Introduction 1.1 Goal of this document This configuration guide describes how to configure TheGreenBow IPsec VPN Client software with a FortiGate VPN router to establish VPN connections for remote access to corporate network.
1.2 VPN Network topology
In our VPN network example (diagram hereafter), we will connect TheGreenBow IPsec VPN Client software to the LAN behind the FortiGate router. The VPN client is connected to the Internet with a DSL connection or through a LAN. All the addresses in this document are given for example purpose.
IPsec VPN Client
as seen on LAN
mygateway.dyndns.org
192.168.210.1
192.168.210.78 Internet IPsec VPN Client FortiGate (Remote) 192.168.10.21 192.168.210.3
1.3 FortiGate Restrictions
No known restrictions
1.4 FortiGate VPN Gateway
Our tests and VPN configuration have been conducted with FortiGate version 6.0.
1.5 FortiGate VPN Gateway product info
It is critical that users find all necessary information about FortiGate VPN Gateway. All product info, User Guide and knowledge base for the FortiGate VPN Gateway can be found on the FortiGate website: https://www.fortinet.com/
FortiGate Product page https://www.fortinet.com/
FortiGate User Guide https://docs.fortinet.com/fortigate/admin-guides FortiGate Knowledge Base http://kb.fortinet.com/kb/microsites/microsite.do
This section describes how to build an IPsec VPN configuration with your FortiGate VPN router. Once connected to your FortiGate VPN gateway, go to menu VPN > IPsec Tunnels. Add a tunnel.
Provide a tunnel name and select "Custom" in Template Type.
This section describes the required configuration to connect to a FortiGate VPN router via VPN connections. To download the latest release of TheGreenBow IPsec VPN Client software, please go to www.thegreenbow.com/vpn_down.html.
3.1 VPN Client - IKE Auth Configuration
The remote VPN
Gateway IP address is either an explicit IP address or a DNS Name
IKE Auth configuration
This configuration is one example of what can be accomplished in term of User Authentication. You may want to refer to either the FortiGate router user guide or TheGreenBow IPsec VPN Client software User Guide for more details on User Authentication options.
Once both FortiGate router and TheGreenBow IPsec VPN Client software have been configured accordingly, you are ready to open VPN tunnels. First make sure you enable your firewall with IPsec traffic. 1/ Select menu "Configuration" and "Save" to take into account all modifications we've made on your VPN Client configuration. 2/ Double Click on your Child SA tunnel name or Click "Open" button in Connection panel to open tunnel. 3/ Select menu "Tools" and "Console" if you want to access to the IPsec VPN logs. The following example shows a successful connection between TheGreenBow IPsec VPN Client and a FortiGate VPN router.
Configuring an IPsec VPN tunnel can be a hard task. One missing parameter can prevent a VPN connection from being established. Some tools are available to find source of troubles during a VPN establishment.
4.1 A good network analyser: Wireshark
Wireshark is a free software that can be used for packet and traffic analysis. It shows IP or TCP packets received on a network card. This tool is available on website www.wireshark.org. It can be used to follow protocol exchange between two devices. For installation and use details, read its specific documentation (www.wireshark.org/docs/).
If you have an “NO_PROPOSAL_CHOSEN” error you might have a wrong Phase 1 [IKE Auth], check if the encryption algorithms are the same on each side of the VPN tunnel.
If you have an “AUTHENTICATION_FAILED” error, it means that the certificate or the preshared key is not matching. Check the Gateway if the user certificate or preshared key is valid.
5.3 “No user certificate available for the connexion” error
20XX0913 16:18:07:491 TIKEV2_Tunnel RECV IKE_SA_INIT [HDR][SA][KE][NONCE][N(NAT_DETECTION_SOURCE_IP)][N(NAT_DETECTION_DESTINATION_IP)][CERTREQ][ N(FRAGMENTATION_SUPPORTED)][N(MULTIPLE_AUTH_SUPPORTED)] 20XX0913 16:18:07:491 TIKEV2_Tunnel IKE SA I-SPI 8D4467C52C91C316 R-SPI 9DF0F0E4A91F8867 20XX0913 16:18:07:491 TIKEV2_Tunnel No user certificate available for the connexion 20XX0913 16:18:07:491 TIKEV2_Tunnel Connection aborted.
Check if the certificate is selected or the Token (smartcard) is available on the computer.
5.4 “Remote IDr rejected” error
20180913 16:24:32:087 TIKEV2_Tunnel ID types do not match. Expecting ID_RFC822_ADDR. Receiving ID_DER_ASN1_DN 20180913 16:24:32:087 TIKEV2_Tunnel Remote IDr rejected
The “Remote ID” value (see “Protocol” tab) does not match what the remote endpoint is expected.
If you have an “NO_PROPOSAL_CHOSEN” error, check that the “Child SA” encryption algorithms are the same on each side of the VPN Tunnel.
5.6 “FAILED_CP_REQUIRED” error
20XX0913 16:29:46:780 TIKEV2_Tunnel RECV IKE_AUTH [HDR][IDr][CERT][AUTH][N(AUTH_LIFETIME)][N(FAILED_CP_REQUIRED)][N(TS_UNACCEPTABLE)] 20180913 16:29:46:780 TIKEV2_Tunnel Remote endpoint sends error FAILED_CP_REQUIRED 20XX0913 16:29:46:780 TIKEV2_Tunnel Remote endpoint is expecting a configuration request from the client
If you have an “FAILED_CP_REQUIRED” error, then the Gateway is configured to use Mode CP. Go to Traffic selectors and enable "Request configuration from the gateway".
5.7 I clicked on “Open tunnel”, but nothing happens.
Read logs of each VPN tunnel endpoint. IKE requests can be dropped by firewalls. An IPsec Client uses UDP port 500. Check if the remote server is online.
5.8 The VPN tunnel is up but I can’t ping !
If the VPN tunnel is up, but you still cannot ping the remote LAN, here are a few guidelines: Check Child SA settings: VPN Client address and Remote LAN address. Usually, VPN Client IP address should not belong to the remote LAN subnet Once VPN tunnel is up, packets are sent with ESP protocol. This protocol can be blocked by firewall. Check that every device between the client and the VPN server does accept ESP Check your VPN server logs. Packets can be dropped by one of its firewall rules. Check your ISP support ESP and if the protocol 50 is allowed to pass traffic in your firewalls. If you still cannot ping, follow ICMP traffic on VPN server LAN interface and on LAN computer interface (with Wireshark for example). You will have an indication that encryption works. Check the “default gateway” value in VPN Server LAN. A target on your remote LAN can receive pings but does not answer because there is a no “Default gateway” setting. You cannot access to the computers in the LAN by their name. You must specify their IP address inside the LAN. We recommend you to install Wireshark (www.wireshark.org) on one of your target computer. You can check that your pings arrive inside the LAN.
