This article shows how to check and fix some common site-to-site IPsec VPN errors on FortiGate firewalls. The lab model used here is shown below.
* Error number 1: Pre-shared key mismatch
Go to the CLI on the FortiGate at the main site and type the commands below; note that the tunnel name is HQ-to-Branch (the VPN tunnel on the main site).
Next, go to IPsec Monitor, right-click the tunnel and select Bring Up. The tunnel status is still Down.
Return to the CLI. If you see the message "Probable pre-shared secret mismatch", the two FortiGate devices at the main site and the branch site are configured with different pre-shared keys.
To fix it, go to VPN >> IPsec >> Tunnels, select the HQ-to-Branch tunnel, open the Authentication section and edit the pre-shared key so that it matches the branch site.
Return to IPsec Monitor and you will see that the tunnel status is Up; the error is fixed.
* Error number 2: SA Proposal Error
As above, go to the CLI and type the commands below.
Right-click the tunnel that is failing and select Bring Up.
Return to the debug screen and you will see the error below.
You can debug the same error from the branch site; remember to use the tunnel name Branch-to-HQ (the VPN tunnel on the branch site).
Select Bring Up.
Returning to the debug screen, you will see the error below.
Go to the HQ-to-Branch tunnel on the main site and select Convert to Custom Tunnel.
Look at the Phase 1 Proposal section and note the encryption and authentication settings.
Next, go to the branch site and edit its Phase 1 Proposal section to match the main site.
Return to IPsec Monitor and you will see that the tunnel Status is Up, which means the fix was successful.
* Error number 3: Quick mode selector error
Type the debug vpn commands as shown below.
Go to IPsec Monitor and select Bring Up on the tunnel that is failing.
Returning to the debug screen, you will see the error message below: the device is experiencing a quick mode selector error, meaning the Phase 2 selectors on the two sides do not match.
To fix it, go to the Phase 2 Selectors section on the FortiGate at the main site and check and correct the Local Address and Remote Address.
Then check the FortiGate at the branch site and correct its selectors the same way.
Return to IPsec Monitor and select Bring Up on the tunnel.
When the tunnel status is Up, the error has been fixed.
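All three errors above surface in the IKE debug output. As an added example, not from the original article or from Fortinet, the Python script below collects the FortiOS CLI sequence used to capture that output for one tunnel and scans a captured debug transcript for the three signatures, mapping each to the fix described above. The pre-shared secret message is the one quoted under error 1; the proposal and selector strings, the `ike 0:<tunnel>:` line format, the `diagnose vpn tunnel up` argument order and the sample transcript are assumptions modelled on FortiOS output and should be verified against your own device's debug screen.

```python
"""Triage helper for FortiGate IKE debug output (added example, not from the
article or from Fortinet).  Builds the CLI capture sequence for one tunnel and
classifies captured debug lines into the three errors the article covers."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    tunnel: str     # phase 1 (tunnel) name parsed from the debug line
    error: int      # article's error number: 1 PSK, 2 proposal, 3 selectors
    evidence: str   # the debug line that matched
    fix: str        # remediation, as described in the article


def debug_commands(phase1_name: str, phase2_name: Optional[str] = None) -> List[str]:
    """FortiOS CLI sequence to capture IKE debug output for one tunnel.

    `diagnose vpn ike log filter` is the FortiOS 7.x spelling; 6.x uses
    `diagnose vpn ike log-filter`.  `diagnose vpn tunnel up` takes the phase 2
    name and then the phase 1 name (assumed order); when the tunnel was built
    with the wizard the phase 2 name is assumed here to equal the phase 1 name.
    """
    phase2 = phase2_name or phase1_name
    return [
        "diagnose debug reset",
        f"diagnose vpn ike log filter name {phase1_name}",
        "diagnose debug application ike -1",
        "diagnose debug enable",
        f"diagnose vpn tunnel up {phase2} {phase1_name}",   # same as GUI Bring Up
        "diagnose debug disable",
    ]


# Assumed line prefix: "ike 0:<tunnel-name>:<serial>: message"
_LINE = re.compile(r"^ike \d+:(?P<tunnel>[^:]+):")

SIGNATURES = [
    # (error number, pattern, fix)
    (1, re.compile(r"probable pre-shared secret mismatch", re.I),
     "Phase 1 pre-shared key differs: edit Authentication on one side to match the other."),
    # Assumed wording; note this message also appears on a phase 2 proposal
    # mismatch, so check which exchange it follows in the transcript.
    (2, re.compile(r"no SA proposal chosen", re.I),
     "Phase 1 proposal differs: align encryption/authentication under Phase 1 Proposal."),
    # Assumed wording for a quick mode selector mismatch.
    (3, re.compile(r"failed to match peer selectors|no matching phase ?2 selectors", re.I),
     "Phase 2 selectors differ: correct Local/Remote Address under Phase 2 Selectors on both sides."),
]


def triage(debug_output: str) -> List[Finding]:
    """Return one Finding per (tunnel, error) seen in the captured output."""
    findings: List[Finding] = []
    seen = set()
    for raw in debug_output.splitlines():
        line = raw.strip()
        m = _LINE.match(line)
        tunnel = m.group("tunnel") if m else "?"
        for number, pattern, fix in SIGNATURES:
            if pattern.search(line) and (tunnel, number) not in seen:
                seen.add((tunnel, number))
                findings.append(Finding(tunnel, number, line, fix))
    return findings


# Constructed sample transcript, loosely modelled on FortiOS IKE debug format.
SAMPLE_DEBUG = """\
ike 0:HQ-to-Branch:23: initiator: main mode is sending 1st message...
ike 0:HQ-to-Branch:23: responder: main mode get 2nd message...
ike 0:HQ-to-Branch:23: probable pre-shared secret mismatch
ike 0:HQ-to-Branch:23: negotiation failure
"""

if __name__ == "__main__":
    print("\n".join(debug_commands("HQ-to-Branch")))
    for f in triage(SAMPLE_DEBUG):
        print(f"{f.tunnel}: error {f.error} -> {f.fix}\n    evidence: {f.evidence}")
```

Run the printed command list on the firewall, paste the captured output into `triage()`, and always finish with `diagnose debug disable` and `diagnose debug reset`, since leaving IKE debug at `-1` on a busy device floods the console.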
This completes the steps for checking and fixing some common site-to-site VPN errors on FortiGate firewalls.
Wishing you success!