OPNsense Forum

English Forums => Virtual private networks => Topic started by: Hundeknochen on January 26, 2022, 05:15:58 pm

Title: OPNsense prevents FortiClient IPSec VPN connection
Post by: Hundeknochen on January 26, 2022, 05:15:58 pm
Hello!

I am currently struggling to get a work VPN connection through my OPNsense 21.7.7 firewall. This is a VPN (IPSec) connection between my work laptop and my employer's servers, so OPNsense isn't a VPN endpoint here.

The company used another VPN solution before which worked fine with OPNsense, however they recently migrated to Fortigate and its FortiClient VPN solution and that's where the issues began. When trying to connect to the VPN, it always fails with a "no response from the peer, Phase 1 retransmit reaches maximum count" error on the client.

Connecting via cell phone works fine.

As far as OPNsense is concerned, it's a standard 21.7.7 install that acts as a router/firewall for the home. The work laptop sits on its own separate network (Guest) with little in the way; it even uses public DNS servers instead of OPNsense as DNS proxy like the Home (LAN) side does. Also, IDS is not active on the Guest network. All the necessary ports for IPSec (500, 4500, etc.) have been opened in the firewall rules, and as mentioned the previous IPSec VPN solution worked fine through the very same OPNsense box.

The firewall log doesn't show anything suspicious either.

In an attempt to fix this I also added all the ports that Fortinet lists for FortiClient but that didn't help either:

https://docs.fortinet.com/document/fortigate/6.4.0/ports-and-protocols/788212/forticlient-open-ports

I'm at a loss as to why FortiClient struggles with phase 1 handshakes when the previous VPN solution worked fine.

Any ideas?

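Added example, not part of the original post: a small script that classifies IKE traffic seen on the OPNsense WAN to separate "the client's IKE packets never leave" from "they leave but the peer never answers", which is what a "no response from the peer, Phase 1 retransmit" error can mean. The capture lines are constructed and only modelled on tcpdump's summary format for UDP 500/4500 and ESP; the WAN and peer addresses are documentation ranges, not anyone's real hosts.

```python
import re
from collections import defaultdict

# Lines modelled on `tcpdump -ni <wan> udp port 500 or udp port 4500 or esp`.
IKE_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<info>.*)$")
ESP_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ESP\(")

# Constructed sample: peer 198.51.100.20 never answers phase 1 (three retries);
# peer 192.0.2.9 answers, switches to NAT-T on 4500 and carries ESP afterwards.
SAMPLE = """\
10:00:00.000 IP 203.0.113.5.500 > 198.51.100.20.500: isakmp: phase 1 I agg
10:00:05.000 IP 203.0.113.5.500 > 198.51.100.20.500: isakmp: phase 1 I agg
10:00:10.000 IP 203.0.113.5.500 > 198.51.100.20.500: isakmp: phase 1 I agg
10:01:00.000 IP 203.0.113.5.500 > 192.0.2.9.500: isakmp: phase 1 I ident
10:01:00.100 IP 192.0.2.9.500 > 203.0.113.5.500: isakmp: phase 1 R ident
10:01:01.000 IP 203.0.113.5.4500 > 192.0.2.9.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick
10:01:02.000 IP 203.0.113.5 > 192.0.2.9: ESP(spi=0x0000a001,seq=0x1), length 120
"""

def ike_stats(lines, wan_ip):
    """Per peer: IKE packets sent from wan_ip, IKE packets received, NAT-T/ESP seen."""
    stats = defaultdict(lambda: {"ike_out": 0, "ike_in": 0, "natt": False, "esp": False})
    for line in lines:
        m = ESP_RE.match(line)          # check ESP first: IKE_RE would mis-split its IPs
        if m:
            stats[m["dst"] if m["src"] == wan_ip else m["src"]]["esp"] = True
            continue
        m = IKE_RE.match(line)
        if not m or m["dport"] not in ("500", "4500"):
            continue
        if m["src"] == wan_ip:
            peer, key = m["dst"], "ike_out"
        elif m["dst"] == wan_ip:
            peer, key = m["src"], "ike_in"
        else:
            continue                    # traffic between third parties: ignore
        stats[peer][key] += 1
        if m["dport"] == "4500":
            stats[peer]["natt"] = True
    return dict(stats)

def diagnose(lines, wan_ip, retransmits=3):
    """Verdict per peer. An empty result means no IKE packet reached the WAN at
    all, so the problem is inside (Guest interface rules, NAT) rather than the peer."""
    verdicts = {}
    for peer, s in ike_stats(lines, wan_ip).items():
        if s["ike_in"] == 0 and s["ike_out"] >= retransmits:
            verdicts[peer] = "no_response_from_peer"   # left the WAN, nothing came back
        elif s["ike_in"] > 0:
            tags = ["phase1_answered"] + [t for t in ("natt", "esp") if s[t]]
            verdicts[peer] = "+".join(tags)
        else:
            verdicts[peer] = "inconclusive"
    return verdicts
```

Running `diagnose(SAMPLE.splitlines(), "203.0.113.5")` flags the first peer as unanswered and the second as fully negotiated; on a real box, feed it the output of the tcpdump filter named in the comment with the actual WAN address.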
Title: Re: OPNsense prevents FortiClient IPSec VPN connection
Post by: cnu80 on January 27, 2022, 04:53:40 pm
Hi, did you find a solution? My problem is a little different. I can connect to the company VPN server with my FortiClient VPN, but after ~10 min the connection is lost. Without OPNsense it is working.

I checked the logfiles and cannot find anything suspicious. Any ideas to locate the problem? Thanks.

Title: Re: OPNsense prevents FortiClient IPSec VPN connection
Post by: Hundeknochen on January 27, 2022, 10:54:23 pm
I haven't found a solution unfortunately. But I do have two other firewalls (Sophos XG 18.5 MR2 and WatchGuard Firebox T35 running whatever the latest version of Fireware XTM is) and I see the same behavior there: FortiClient fails at phase 1 handshakes. So this might not be an OPNsense-specific issue after all. Still, I was hoping someone had an idea what's going on.

I know that Fortigate's VPN implementation can be difficult at times, but on the other hand it works fine for colleagues who just use some kind of cheap nasty broadband router they got from their ISP, so surely there must be a way to get it to work with OPNsense.