[Vpn-help] DHCP-over-IPsec with FortiGate 300A 4.0 MR1

Noach Sumner nss at compu-skill.com
Sat Sep 26 23:04:12 CDT 2009


What version of the FortiOS are you running? I have it up and running BUT we
have had lots of trouble getting it set up. It is probably either you have an
incompatible FortiOS version (their bug) or you need to change your
configuration ever so little to get everything working. Also IF you can test
using the FortiClient that may help you. Once you get it working like that
you at least know the Fortigate is configured correctly.

If you want, feel free to message me and we can go over how to set it up
correctly.

On Thu, Sep 24, 2009 at 5:19 PM, Mattle Marco <marco.mattle at ecofin.ch> wrote:

> Hi all,
>
> ShrewSoft client works like a charm, unless this experimental
> dhcp-over-ipsec issue.
>
> The client tries to request a dhcp lease but fails really fast. The
> Fortigate unit barks with the following error message.
>
> ike 0:<tunnelName>:<phase2name>: sending tunnel UP notification
> (xid:c0a92361) L3 socket: received request message from <clientIP>:68 to <tunnelEndIP> at port1
> (xid:c0a92361) message does not have 'end' option
>
> We're running the dhcp-relay option on the fortigate. It is relaying
> requests from the newest isc dhcpd (openSUSE).
>
> Output from fortigate unit enabled with:
> diagnose debug application ike 0xfff
> diagnose debug application dhcprelay 0xffff
> diagnose debug enable
>
> Shrew IKE debug log:
> 09/09/24 17:07:18 K< : recv pfkey UPDATE ESP message
> 09/09/24 17:07:18 ii : sending DHCP over IPsec discover
> 09/09/24 17:07:19 ii : sending DHCP over IPsec discover
> 09/09/24 17:07:20 ii : sending DHCP over IPsec discover
> 09/09/24 17:07:21 ii : sending DHCP over IPsec discover
> 09/09/24 17:07:22 ii : sending DHCP over IPsec discover
> 09/09/24 17:07:23 ii : sending DHCP over IPsec discover
> 09/09/24 17:07:24 ii : sending DHCP over IPsec discover
> 09/09/24 17:07:25 DB : tunnel ref decrement ( ref count = 7, obj count = 1 )
> 09/09/24 17:07:25 DB : policy not found
> 09/09/24 17:07:25 DB : policy not found
> 09/09/24 17:07:25 DB : policy not found
> 09/09/24 17:07:25 DB : policy not found
> 09/09/24 17:07:25 DB : policy not found
> 09/09/24 17:07:25 DB : policy not found
> 09/09/24 17:07:25 ii : removing IPsec over DHCP policies
> <more teardown>
>
> Maybe that is sufficient for the moment. I'll later file a bug with all
> the logs.
>
> Best Regards,
>
> Marco
>
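
The FortiGate relay log quoted above rejects the client's request with "message does not have 'end' option". As an added example (not part of the original thread, and not Shrew Soft or Fortinet code), this Python walks the options field of a captured DHCP payload as laid out in RFC 2131/2132 and reports whether option 255 (End) terminates it. It assumes the relay's message refers to that option; the sample packets are constructed and only reuse the xid shown in the log.

```python
import struct

BOOTP_FIXED_LEN = 236                      # op..file fields, RFC 2131 section 2
MAGIC_COOKIE = bytes([99, 130, 83, 99])    # marks the start of the options field
OPT_PAD, OPT_MSG_TYPE, OPT_END = 0, 53, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def check_dhcp_options(payload: bytes) -> dict:
    """Walk the options of a DHCP message (the UDP payload) and report the xid,
    message type, option codes seen, and whether option 255 (End) is present."""
    result = {"xid": None, "msg_type": None, "options": [],
              "has_end": False, "error": None}
    if len(payload) < BOOTP_FIXED_LEN + len(MAGIC_COOKIE):
        result["error"] = "truncated before options field"
        return result
    result["xid"] = "%08x" % struct.unpack_from("!I", payload, 4)[0]
    if payload[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != MAGIC_COOKIE:
        result["error"] = "missing DHCP magic cookie"
        return result
    i = BOOTP_FIXED_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:                # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:                # single-byte terminator
            result["has_end"] = True
            return result
        # Every other option is code, length, data; reject lengths that overrun.
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            result["error"] = "option %d runs past end of message" % code
            return result
        length = payload[i + 1]
        result["options"].append(code)
        if code == OPT_MSG_TYPE and length == 1:
            result["msg_type"] = MSG_TYPES.get(payload[i + 2], str(payload[i + 2]))
        i += 2 + length
    result["error"] = "options field has no End option (255)"
    return result

def build_discover(xid: int, with_end: bool) -> bytes:
    """Constructed sample: minimal DHCPDISCOVER, optionally without End."""
    fixed = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0) + bytes(BOOTP_FIXED_LEN - 12)
    opts = bytes([OPT_MSG_TYPE, 1, 1]) + bytes([61, 7, 1, 2, 0, 0, 0, 0, 1])
    return fixed + MAGIC_COOKIE + opts + (bytes([OPT_END]) if with_end else b"")

if __name__ == "__main__":
    for flag in (True, False):
        print(check_dhcp_options(build_discover(0xC0A92361, flag)))
```

Feeding it the UDP payload of the client's discover, taken from a capture on the unencrypted side, shows whether the packet itself lacks the terminator or whether it is well formed when it reaches the relay.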