I am trying to set up an IPsec remote-access dial-up user VPN on a FortiGate 6.4 trial VM downloaded from the Fortinet website. I am trying to get it working with FortiClient 6.0.5. I have done the configuration following the guide and watched some YouTube videos to understand IPsec. I have made sure that my phase 1 and phase 2 configurations on both ends are identical. I have two NICs connected to the VM: one is assumed to be the local network, which the client needs to reach once the VPN tunnel is up (192.168.137.0/24), and the other is assumed to be the WAN network from which the client will establish the VPN (192.168.10.0/24). The system on which the Fortinet client is running is also part of the WAN network (192.168.10.0/24).

I cannot get the configuration to work and am stuck. On FortiClient I get the following error:

"VPN connection failed. Please check your configuration, network connection and pre-shared key, then try to connect again. If the problem persists, contact your network administrator for help."

On the FortiGate CLI, with debugging enabled, I get the following log:

FortiGate-VM64 # ike 0: comes 192.168.10.50:500->192.168.10.5:500,ifindex=4....
ike 0: IKEv2 exchange=SA_INIT id=a20511ee474b2950/0000000000000000 len=428
ike 0: in ...
ike 0:a20511ee474b2950/0000000000000000:71: responder received SA_INIT msg
ike 0:a20511ee474b2950/0000000000000000:71: VID forticlient connect license 4C53427B6D465D1B337BB755A37A7FEF
ike 0:a20511ee474b2950/0000000000000000:71: VID Fortinet Endpoint Control B4F01CA951E9DA8D0BAFBBD34AD3044E
ike 0:a20511ee474b2950/0000000000000000:71: received notify type NAT_DETECTION_SOURCE_IP
ike 0:a20511ee474b2950/0000000000000000:71: received notify type NAT_DETECTION_DESTINATION_IP
ike 0:a20511ee474b2950/0000000000000000:71: incoming proposal:
ike 0:a20511ee474b2950/0000000000000000:71: proposal id = 1:
ike 0:a20511ee474b2950/0000000000000000:71: protocol = IKEv2:
ike 0:a20511ee474b2950/0000000000000000:71: encapsulation = IKEv2/none
ike 0:a20511ee474b2950/0000000000000000:71: type=ENCR, val=DES_CBC
ike 0:a20511ee474b2950/0000000000000000:71: type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:a20511ee474b2950/0000000000000000:71: type=PRF, val=PRF_HMAC_SHA
ike 0:a20511ee474b2950/0000000000000000:71: type=DH_GROUP, val=MODP1536.
ike 0:a20511ee474b2950/0000000000000000:71: proposal id = 2:
ike 0:a20511ee474b2950/0000000000000000:71: protocol = IKEv2:
ike 0:a20511ee474b2950/0000000000000000:71: encapsulation = IKEv2/none
ike 0:a20511ee474b2950/0000000000000000:71: type=ENCR, val=DES_CBC
ike 0:a20511ee474b2950/0000000000000000:71: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:a20511ee474b2950/0000000000000000:71: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:a20511ee474b2950/0000000000000000:71: type=DH_GROUP, val=MODP1536.
ike 0:a20511ee474b2950/0000000000000000:71: matched proposal id 1
ike 0:a20511ee474b2950/0000000000000000:71: proposal id = 1:
ike 0:a20511ee474b2950/0000000000000000:71: protocol = IKEv2:
ike 0:a20511ee474b2950/0000000000000000:71: encapsulation = IKEv2/none
ike 0:a20511ee474b2950/0000000000000000:71: type=ENCR, val=DES_CBC
ike 0:a20511ee474b2950/0000000000000000:71: type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:a20511ee474b2950/0000000000000000:71: type=PRF, val=PRF_HMAC_SHA
ike 0:a20511ee474b2950/0000000000000000:71: type=DH_GROUP, val=MODP1536.
ike 0:a20511ee474b2950/0000000000000000:71: lifetime=86400
ike 0:a20511ee474b2950/0000000000000000:71: SA proposal chosen, matched gateway IPSECVPN
ike 0:IPSECVPN: created connection: 0xc59a950 4 192.168.10.5->192.168.10.50:500.
ike 0:IPSECVPN: HA L3 state 1/0
ike 0:IPSECVPN:71: processing notify type NAT_DETECTION_SOURCE_IP
ike 0:IPSECVPN:71: processing NAT-D payload
ike 0:IPSECVPN:71: NAT not detected
ike 0:IPSECVPN:71: process NAT-D
ike 0:IPSECVPN:71: processing notify type NAT_DETECTION_DESTINATION_IP
ike 0:IPSECVPN:71: processing NAT-D payload
ike 0:IPSECVPN:71: NAT not detected
ike 0:IPSECVPN:71: process NAT-D
ike 0:IPSECVPN:71: enable FortiClient endpoint compliance check, use 10.10.10.10
ike 0:IPSECVPN:71: responder preparing SA_INIT msg
ike 0:IPSECVPN:71: out ...
ike 0:IPSECVPN:71: sent IKE msg (SA_INIT_RESPONSE): 192.168.10.5:500->192.168.10.50:500, len=348, id=a20511ee474b2950/93648e582e8bea7c
ike 0:IPSECVPN:71: IKE SA a20511ee474b2950/93648e582e8bea7c SK_ei 8:AF6280DC5B063F49
ike 0:IPSECVPN:71: IKE SA a20511ee474b2950/93648e582e8bea7c SK_er 8:25804A503CD26B9B
ike 0:IPSECVPN:71: IKE SA a20511ee474b2950/93648e582e8bea7c SK_ai 20:43D47C3D0E103AB78D997949C0748BCCD4684C35
ike 0:IPSECVPN:71: IKE SA a20511ee474b2950/93648e582e8bea7c SK_ar 20:E3FAB0875756F0D84F469C1A7FB6EFCC51417302
ike 0: comes 192.168.10.50:500->192.168.10.5:500,ifindex=4....
ike 0: IKEv2 exchange=AUTH id=a20511ee474b2950/93648e582e8bea7c:00000001 len=268
ike 0: in A20511EE474B295093648E582E8BEA7C2E202308000000010000010C230000F0C48E4950443FD1B458A4698828311788893CE760359277F30A89A04EC66266BD9FB028A56E4147F24945B9EF5ECF2E30E9988F108E56DCFEF848C47B40FCC6B3BB58A5F72C2777F07C3C0A8C8BC14731B0326302EF705B46EB5394D11002781058F55DCF599B847236AEEAF7E3382B226571B797005EAC5A53F7F3533165F3ADE7B60F3C7ABA777FB3F22D5576A1CC8FF563C886EA493D61B604510F6E8CF9D90D87E1B29A3C832D6677106A43E4880C74C400BD624B2596E3D62BDFBD1E4510BFD4AD2A03E5218C7524A8F92B935D7C73DE34F6F842524070130F8CB2D31381227F5543A781CC623A5ADF7F
ike 0:IPSECVPN:71: dec A20511EE474B295093648E582E8BEA7C2E20230800000001000000F0230000042900000C01000000C0A80A322F000008000040002100004001000000000700104643543830303231313430303137323200010000000200000003000000040000000D000070010000540A0000540B0000700000002C00004C02000024010304033F045CEF0300000801000002030000080300000C000000080500000000000024020304033F045CEF0300000801000002030000080300000200000008050000002D00001801000000070000100000FFFF00000000FFFFFFFF0000001801000000070000100000FFFF00000000FFFFFFFF
ike 0:IPSECVPN:71: responder received AUTH msg
ike 0:IPSECVPN:71: processing notify type INITIAL_CONTACT
ike 0:IPSECVPN:71: peer identifier IPV4_ADDR 192.168.10.50
ike 0:IPSECVPN:71: re-validate gw ID
ike 0:IPSECVPN:71: gw validation failed
ike 0:IPSECVPN:71: schedule delete of IKE SA a20511ee474b2950/93648e582e8bea7c
ike 0:IPSECVPN:71: scheduled delete of IKE SA a20511ee474b2950/93648e582e8bea7c
ike 0:IPSECVPN: connection expiring due to phase1 down
ike 0:IPSECVPN: deleting
ike 0:IPSECVPN: deleted
ike 0: comes 192.168.10.50:500->192.168.10.5:500,ifindex=4....
ike 0: IKEv2 exchange=AUTH id=a20511ee474b2950/93648e582e8bea7c:00000001 len=268
ike 0: in ...
ike 0: invalid IKE request SPI a20511ee474b2950/93648e582e8bea7c:00000001
ike 0: comes 192.168.10.50:500->192.168.10.5:500,ifindex=4....
ike 0: IKEv2 exchange=AUTH id=a20511ee474b2950/93648e582e8bea7c:00000001 len=268
ike 0: in ...
ike 0: invalid IKE request SPI a20511ee474b2950/93648e582e8bea7c:00000001
ike 0: comes 192.168.10.50:500->192.168.10.5:500,ifindex=4....
ike 0: IKEv2 exchange=AUTH id=a20511ee474b2950/93648e582e8bea7c:00000001 len=268
ike 0: in ...
ike 0: invalid IKE request SPI a20511ee474b2950/93648e582e8bea7c:00000001
ike shrank heap by 159744 bytes
ike 0: comes 192.168.10.50:500->192.168.10.5:500,ifindex=4....
ike 0: IKEv2 exchange=AUTH id=a20511ee474b2950/93648e582e8bea7c:00000001 len=268
ike 0: in ...
ike 0: invalid IKE request SPI a20511ee474b2950/93648e582e8bea7c:00000001
ike 0: comes 192.168.10.50:500->192.168.10.5:500,ifindex=4....
ike 0: IKEv2 exchange=AUTH id=a20511ee474b2950/93648e582e8bea7c:00000001 len=268
ike 0: in ...
ike 0: invalid IKE request SPI a20511ee474b2950/93648e582e8bea7c:00000001

Since it says "gw validation failed", which gateway is being referred to here? Any hints as to what might be wrong in the configuration would be greatly appreciated.

Awaiting a kind response.

1 Answer

This error seems to be related to EAP; try the following in the tunnel configuration on the FortiGate:

config vpn ipsec phase1-interface
  edit IPSECVPN (this is the name of your tunnel)
    set eap enable
    set eap-identity send-request
    set authusrgrp 'the group your user is in'
  next
end

Otherwise, if you don't mind, switch to IKEv1 to work around this; that usually makes things a bit easier.

Answered 2021-01-14T23:11:01.840
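The debug trace quoted in the question can be read mechanically, which helps when the same failure has to be triaged across many client attempts. The following Python script is an added example; it is not code from the question, the answer, or Fortinet. It parses the `ike` debug lines in the format shown above (the sample input is a trimmed copy of those lines with the hex dumps dropped), records what the client offered, what the responder chose and where the exchange stopped, and turns that into findings: here, that IKE_SA_INIT completed against the gateway named IPSECVPN but IKE_AUTH was rejected during gateway ID validation, which is why the answer points at the authentication settings of that phase1-interface rather than at the pre-shared key. It also flags that the accepted proposal uses single DES, which a defender would want to remove from the phase 1 proposal regardless of the connection problem. The names `parse_ike_debug`, `diagnose`, `IkeSummary` and the weak-cipher list are this example's own assumptions.

```python
"""Summarise a FortiGate 'diagnose debug application ike' trace of an IKEv2 dial-up
attempt: what the client offered, what the responder chose, and where it failed.
Added example, not code from the question, the answer or Fortinet. The line formats
are those of the trace quoted in the question; the names and thresholds are ours."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: a trimmed copy of the debug lines quoted in the question (hex dumps dropped).
SAMPLE_LOG = """\
ike 0: IKEv2 exchange=SA_INIT id=a20511ee474b2950/0000000000000000 len=428
ike 0:a20511ee474b2950/0000000000000000:71: incoming proposal:
ike 0:a20511ee474b2950/0000000000000000:71: proposal id = 1:
ike 0:a20511ee474b2950/0000000000000000:71: type=ENCR, val=DES_CBC
ike 0:a20511ee474b2950/0000000000000000:71: type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:a20511ee474b2950/0000000000000000:71: type=PRF, val=PRF_HMAC_SHA
ike 0:a20511ee474b2950/0000000000000000:71: type=DH_GROUP, val=MODP1536.
ike 0:a20511ee474b2950/0000000000000000:71: proposal id = 2:
ike 0:a20511ee474b2950/0000000000000000:71: type=ENCR, val=DES_CBC
ike 0:a20511ee474b2950/0000000000000000:71: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:a20511ee474b2950/0000000000000000:71: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:a20511ee474b2950/0000000000000000:71: type=DH_GROUP, val=MODP1536.
ike 0:a20511ee474b2950/0000000000000000:71: matched proposal id 1
ike 0:a20511ee474b2950/0000000000000000:71: proposal id = 1:
ike 0:a20511ee474b2950/0000000000000000:71: type=ENCR, val=DES_CBC
ike 0:a20511ee474b2950/0000000000000000:71: type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:a20511ee474b2950/0000000000000000:71: type=PRF, val=PRF_HMAC_SHA
ike 0:a20511ee474b2950/0000000000000000:71: type=DH_GROUP, val=MODP1536.
ike 0:a20511ee474b2950/0000000000000000:71: SA proposal chosen, matched gateway IPSECVPN
ike 0:IPSECVPN:71: NAT not detected
ike 0: IKEv2 exchange=AUTH id=a20511ee474b2950/93648e582e8bea7c:00000001 len=268
ike 0:IPSECVPN:71: peer identifier IPV4_ADDR 192.168.10.50
ike 0:IPSECVPN:71: gw validation failed
ike 0:IPSECVPN: connection expiring due to phase1 down
ike 0: IKEv2 exchange=AUTH id=a20511ee474b2950/93648e582e8bea7c:00000001 len=268
ike 0: invalid IKE request SPI a20511ee474b2950/93648e582e8bea7c:00000001
"""

EXCHANGE_RE = re.compile(r"IKEv2 exchange=(\w+) id=")
PROPOSAL_RE = re.compile(r"proposal id = (\d+):")
ATTR_RE = re.compile(r"type=(\w+), val=(\w+)")
GATEWAY_RE = re.compile(r"matched gateway (\S+)")
PEER_ID_RE = re.compile(r"peer identifier (\S+ \S+)")
WEAK_ENCR = {"DES_CBC", "3DES_CBC", "NULL"}  # none of these should survive in a phase1 proposal

@dataclass
class IkeSummary:
    exchanges: list = field(default_factory=list)  # IKEv2 exchange names, in the order seen
    offered: dict = field(default_factory=dict)    # proposal id -> {transform type: value}
    chosen: dict = field(default_factory=dict)     # transforms of the proposal the responder picked
    gateway: Optional[str] = None                  # phase1-interface the request matched
    peer_id: Optional[str] = None                  # identity the client asserted in IKE_AUTH
    nat_detected: Optional[bool] = None
    failures: list = field(default_factory=list)   # responder-side failure messages
    stale_spi_retries: int = 0                     # client retransmits to an already-deleted SA

def parse_ike_debug(text: str) -> IkeSummary:
    s, current, phase = IkeSummary(), None, "offered"
    for line in text.splitlines():
        if m := EXCHANGE_RE.search(line):
            s.exchanges.append(m.group(1))
        elif m := PROPOSAL_RE.search(line):
            # proposals before "matched proposal id" are the client's offer, the one after is the choice
            current = s.offered.setdefault(m.group(1), {}) if phase == "offered" else s.chosen
        elif m := ATTR_RE.search(line):
            if current is not None:
                current[m.group(1)] = m.group(2)
        elif "matched proposal id" in line:
            phase = "chosen"
        elif m := GATEWAY_RE.search(line):
            s.gateway = m.group(1)
        elif m := PEER_ID_RE.search(line):
            s.peer_id = m.group(1)
        elif "NAT not detected" in line:
            s.nat_detected = False
        elif "NAT detected" in line:
            s.nat_detected = True
        elif "gw validation failed" in line or "phase1 down" in line:
            s.failures.append(line.split(": ", 1)[-1].strip())
        elif "invalid IKE request SPI" in line:
            s.stale_spi_retries += 1
    return s

def diagnose(s: IkeSummary) -> list:
    """Turn the summary into findings a defender can act on."""
    findings = []
    if s.chosen.get("ENCR") in WEAK_ENCR:
        findings.append(f"negotiated IKE SA uses weak encryption {s.chosen['ENCR']}; tighten phase1 on both ends")
    if "AUTH" in s.exchanges and any("gw validation failed" in f for f in s.failures):
        findings.append(f"IKE_SA_INIT succeeded but IKE_AUTH was rejected: gateway {s.gateway} did not "
                        f"validate peer {s.peer_id}; check peer ID, EAP and user-group settings on that phase1-interface")
    if s.stale_spi_retries:
        findings.append(f"{s.stale_spi_retries} client retransmits hit the deleted IKE SA (invalid SPI): follow-on noise, not the cause")
    return findings or ["no problem detected in trace"]

if __name__ == "__main__":
    for finding in diagnose(parse_ike_debug(SAMPLE_LOG)):
        print("-", finding)
```

Run it as-is to see the three findings for the quoted trace, or feed it the output of your own debug session in place of `SAMPLE_LOG`. The distinction it draws matters for triage: the repeated "invalid IKE request SPI" lines are only the client retransmitting IKE_AUTH to an SA the FortiGate has already torn down, so the first "gw validation failed" is the line to chase.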