[Vpn-help] Fortigate Commercial IPSec Gateway
Matthew Grooms
mgrooms at shrew.net
Mon Dec 10 01:48:34 CST 2007
Noach Sumner wrote:
> I am using a Fortigate 200A and very much wanted to get the VPN Client
> working with my Fortigate unit. I therefore tried setting up the client
> and had no luck. However Matthew was happy to help me and I now have a
> working config. I then went and tried playing with as many settings as I
> could to see what works and what doesn't.
>
> It seems to me the vast majority of options work (as long as you can set
> it on BOTH the Fortigate and the Client). Every encryption and
> authentication option I saw on both worked, for example. It seems setting
> anything to Auto is the wrong way to go as this doesn't seem to work for
> any settings. Therefore the best advice I can give is wherever
> possible set the setting and don't select auto.
>
> I found 2 options that DO NOT WORK!
>
> I have NAT Traversal set on the Fortigate but if I enable it on the
> client I cannot get it to connect at all.
> In addition using MAIN ID (phase1) does not appear to work at all.
>
> I will of course be glad to be corrected but this is how it appears to me.
>
Excellent follow-up! Thanks :) Just a few comments to add. There isn't
much to be done about the main mode ID issue as this combination clearly
violates the IKE RFC. Also, I found a NAT-T related bug in the alpha 2
release that has been corrected in head. I will roll another release
later this week that will hopefully solve this problem for you. Testing
the NAT-T feature with my Fortigate 50a works well so the odds are good.
Thanks again,
-Matthew