IPsec IKEv1 Phase 2 rejected by FortiGate (PFS enabled) - Quick Mode sent withou

Started by garroz, June 15, 2026, 04:52:56 PM

When configuring the FortiGate with IPsec in policy-based mode, you require separate P2s for each subnet, which works fine when FortiGates are at each end.

Fortinet introduced IPsec interface mode quite a long time ago. The advantage is that you only have one P2 configuration and you control network access via the FortiGate's standard interface policies.

My advice is to convert the FortiGate policy-based IPsec configurations to interface-based configurations and set up appropriate interface policies. The changes should be made using the CLI, either via SSH or the CLI console in the web GUI.

As you appear to be using NAT-T for IPsec, your last resort would be to download and install the FortiClient VPN-only edition (free version) on a supported platform and configure IPsec there.

[Update] When using interface-based IPsec on the FortiGate, you will also need to include static routes to the remote networks. From memory, you can create a firewall address group for each subnet and include these individual members in another firewall address group.

Reading some docs online, Fortinet advises also creating a blackhole route to the remote subnets. This is to prevent the network traffic leaking to the Internet in the event of the VPN tunnel being down.

Quote from: garroz on June 15, 2026, 04:52:56 PM

OPNsense configuration

Phase 2

ESP: AES128-SHA256
PFS Group: 5 (also tested with 14)
Local TS: 10.202.159.192/26
Remote TS: 10.200.0.0/14

Doing some further reading, I came across this example, though it is for a dialup client configuration - https://github.com/B4b4u/Guide-FortiGate-IPsec-VPN-Configuration-for-Linux-Clients#2-linux-configuration-debian-with-strongswan

Perhaps you could try in OPNsense with only one Phase 2 configuration being:

ESP: AES128-SHA256
PFS Group: 14
Local TS: 0.0.0.0/0
Remote TS: 0.0.0.0/0
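The interface-mode setup described above, written out as FortiOS CLI so the pieces (one phase 2, routes, blackhole, interface policies) can be seen together. This is an added example, not configuration from the thread, from garroz or from Fortinet. The tunnel name to-opnsense, the interface names wan1 and internal, the peer address 203.0.113.10, the address object opnsense-net and the PSK placeholder are assumptions; the 10.202.159.192/26 subnet and the AES128-SHA256 / group 14 parameters are the ones quoted from garroz's post. Keyword defaults vary between FortiOS releases, so check the CLI reference for the version in use.

```fortios
# Phase 1 in interface mode: phase1-interface creates a routable tunnel interface.
# wan1 and 203.0.113.10 are assumed values, psksecret is a placeholder.
config vpn ipsec phase1-interface
    edit "to-opnsense"
        set interface "wan1"
        set ike-version 1
        set type static
        set remote-gw 203.0.113.10
        set peertype any
        set proposal aes128-sha256
        set dhgrp 14
        set nattraversal enable
        set psksecret "REPLACE-WITH-PSK"
    next
end

# One phase 2 with 0.0.0.0/0 selectors. PFS stays on and dhgrp must match the
# OPNsense PFS group (14 here), otherwise Quick Mode is rejected.
config vpn ipsec phase2-interface
    edit "to-opnsense-p2"
        set phase1name "to-opnsense"
        set proposal aes128-sha256
        set pfs enable
        set dhgrp 14
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# Address object for the OPNsense-side subnet from the quoted configuration.
config firewall address
    edit "opnsense-net"
        set subnet 10.202.159.192 255.255.255.192
    next
end

# Static route over the tunnel interface, plus a blackhole route for the same
# prefix with a worse distance: when the tunnel is down the blackhole wins and
# the traffic is dropped instead of following the default route to the Internet.
config router static
    edit 0
        set dst 10.202.159.192 255.255.255.192
        set device "to-opnsense"
    next
    edit 0
        set dst 10.202.159.192 255.255.255.192
        set blackhole enable
        set distance 254
    next
end

# Interface policies decide what crosses the tunnel; the 0.0.0.0/0 selector on
# its own permits nothing. internal is an assumed LAN interface name.
config firewall policy
    edit 0
        set name "lan-to-opnsense"
        set srcintf "internal"
        set dstintf "to-opnsense"
        set srcaddr "all"
        set dstaddr "opnsense-net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "opnsense-to-lan"
        set srcintf "to-opnsense"
        set dstintf "internal"
        set srcaddr "opnsense-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The 0.0.0.0/0 selectors are only safe because the tunnel is an interface and the firewall policies and static routes decide what actually enters it; the same selectors on the OPNsense side belong on a route-based (VTI) tunnel with routes, not behind a policy-based selector. After pasting, `diagnose vpn ike gateway list` and `diagnose vpn tunnel list` show whether phase 1 and phase 2 came up, and `get router info routing-table all` shows which of the two routes for 10.202.159.192/26 is active.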

Careful with installing a policy for 0.0.0.0/0, you'll 100% lock yourself out.

Only use that without a policy in a route based tunnel.
Hardware: DEC740