Fortigate 远程 VPN:没有与新请求匹配的网关


我正在尝试配置 Fortigate 60C 以充当远程 VPN 的 IPSec 端点。

我是这样配置的:

SCR-F0-FGT100C-1 # diagnose vpn ike config

vd: root/0
name: SCR-REMOTEVPN
serial: 7
version: 1
type: dynamic
mode: aggressive
dpd: enable  retry-count 3  interval 5000ms
auth: psk
dhgrp:  2
xauth: server-auto
xauth-group: VPN-group
interface: wan1
distance: 1
priority: 0
phase2s:
  SCR-REMOTEVPN-PH2 proto 0 src 0.0.0.0/0.0.0.0:0 dst 0.0.0.0/0.0.0.0:0  dhgrp 5  replay  keep-alive  dhcp
policies: none

配置如下:

config vpn ipsec phase1-interface
    edit "SCR-REMOTEVPN"
        set type dynamic
        set interface "wan1"
        set dhgrp 2
        set xauthtype auto
        set mode aggressive
        set proposal aes256-sha1 aes256-md5
        set authusrgrp "VPN-group"
        set psksecret ENC xxx
    next


config vpn ipsec phase2-interface
    edit "SCR-REMOTEVPN-PH2"
        set keepalive enable
        set phase1name "SCR-REMOTEVPN"
        set proposal aes256-sha1 aes256-md5
        set dhcp-ipsec enable
    next
end

但是当我尝试从远程设备连接时（我用一部 Android 手机测试），手机无法连接，并且 Fortinet 设备返回以下错误：

2012-07-20 13:08:51 log_id=0101037124 
type=event 
subtype=ipsec 
pri=error 
vd="root" 
msg="IPsec phase 1 error" 
action="negotiate" 
rem_ip=xxx
loc_ip=xxx 
rem_port=1049 
loc_port=500 
out_intf="wan1" 
cookies="xxx" 
user="N/A" 
group="N/A" 
xauth_user="N/A" 
xauth_group="N/A" 
vpn_tunnel="N/A" 
status=negotiate_error error_reason=no matching gateway for new request 
peer_notif=INITIAL-CONTACT

我尝试在网上搜索,但没有找到任何与此相关的内容。

你知道问题可能出在哪里吗？我在 FortiGate 上尝试了多种设置组合，但都没有成功。

答案1

尝试这个:

DHCP 服务器配置示例

config system dhcp server
  edit 3
    set dns-service default
    set default-gateway 192.168.100.254
    set netmask 255.255.255.0
    set interface "SCR-REMOTEVPN"
      config ip-range
        edit 1
          set start-ip 192.168.100.100
          set end-ip 192.168.100.199
        next
      end
    set timezone-option default
    set server-type ipsec
      config reserved-address
        edit 1
          set ip 192.168.100.200
          set mac 11:22:33:44:55:66
        next
      end
  next
end

定义第 1 阶段并禁用 Mode Config（客户端地址改由上面的 DHCP 服务器通过 DHCP over IPsec 下发，而不是由 Mode Config 下发）：

config vpn ipsec phase1-interface
  edit "SCR-REMOTEVPN"
    set type dynamic
    set interface "wan1"
    set ip-version 4
    set ike-version 1
    set local-gw 0.0.0.0
    set nattraversal enable
    set keylife 86400
    set authmethod psk
    set mode aggressive
    set peertype any
    set mode-cfg disable
    set proposal aes256-sha1 aes256-md5
    set add-route enable
    set localid ''
    set localid-type auto
    set negotiate-timeout 30
    set fragmentation enable
    set dpd enable
    set forticlient-enforcement enable
    set comments "based on fortinet kb (FD37351)"
    set npu-offload enable
    set dhgrp 2
    set wizard-type custom
    set xauthtype auto
    set authusrgrp "VPN-group"
    set default-gw 0.0.0.0
    set default-gw-priority 0
    set psksecret ENC
    set keepalive 10
    set distance 15
    set priority 0
    set dpd-retrycount 3
    set dpd-retryinterval 5
    set xauthexpire on-disconnect
  next
end

在 VPN 第 2 阶段启用 DHCP over IPsec（dhcp-ipsec）：

config vpn ipsec phase2-interface
  edit "SCR-REMOTEVPN"
    set phase1name "SCR-REMOTEVPN"
    set comments "based on fortinet kb (FD37351)"
    set dhcp-ipsec enable
  next
end
