Fortigate remote VPN: no matching gateway for new request

I am trying to configure a Fortigate 60C as an IPSec endpoint for remote VPN.

I configured it like this:

    SCR-F0-FGT100C-1 # diagnose vpn ike config
    vd: root/0
    name: SCR-REMOTEVPN
    serial: 7
    version: 1
    type: dynamic
    mode: aggressive
    dpd: enable retry-count 3 interval 5000ms
    auth: psk
    dhgrp: 2
    xauth: server-auto
    xauth-group: VPN-group
    interface: wan1
    distance: 1
    priority: 0
    phase2s:
      SCR-REMOTEVPN-PH2 proto 0 src 0.0.0.0/0.0.0.0:0 dst 0.0.0.0/0.0.0.0:0 dhgrp 5 replay keep-alive dhcp
    policies: none

This is the configuration:

    config vpn ipsec phase1-interface
        edit "SCR-REMOTEVPN"
            set type dynamic
            set interface "wan1"
            set dhgrp 2
            set xauthtype auto
            set mode aggressive
            set proposal aes256-sha1 aes256-md5
            set authusrgrp "VPN-group"
            set psksecret ENC xxx
        next
    config vpn ipsec phase2-interface
        edit "SCR-REMOTEVPN-PH2"
            set keepalive enable
            set phase1name "SCR-REMOTEVPN"
            set proposal aes256-sha1 aes256-md5
            set dhcp-ipsec enable
        next
    end

But when I try to connect from a remote device (I am using an Android phone for testing), the phone cannot connect and the Fortinet returns this error:

    2012-07-20 13:08:51 log_id=0101037124 type=event subtype=ipsec pri=error vd="root" msg="IPsec phase 1 error" action="negotiate" rem_ip=xxx loc_ip=xxx rem_port=1049 loc_port=500 out_intf="wan1" cookies="xxx" user="N/A" group="N/A" xauth_user="N/A" xauth_group="N/A" vpn_tunnel="N/A" status=negotiate_error error_reason=no matching gateway for new request peer_notif=INITIAL-CONTACT

I tried searching online, but I did not find anything relevant.

Do you have any idea what the problem is? I tried many combinations of Fortigate settings, but without success.

Try this:

DHCP server configuration example

    config system dhcp server
        edit 3
            set dns-service default
            set default-gateway 192.168.100.254
            set netmask 255.255.255.0
            set interface "SCR-REMOTEVPN"
            config ip-range
                edit 1
                    set start-ip 192.168.100.100
                    set end-ip 192.168.100.199
                next
            end
            set timezone-option default
            set server-type ipsec
            config reserved-address
                edit 1
                    set ip 192.168.100.200
                    set mac 11:22:33:44:55:66
                next
            end
        next
    end

Define phase 1 with Mode Config disabled

    config vpn ipsec phase1-interface
        edit "SCR-REMOTEVPN"
            set type dynamic
            set interface "wan1"
            set ip-version 4
            set ike-version 1
            set local-gw 0.0.0.0
            set nattraversal enable
            set keylife 86400
            set authmethod psk
            set mode aggressive
            set peertype any
            set mode-cfg disable
            set proposal aes256-sha1 aes256-md5
            set add-route enable
            set localid ''
            set localid-type auto
            set negotiate-timeout 30
            set fragmentation enable
            set dpd enable
            set forticlient-enforcement enable
            set comments "based on fortinet kb (FD37351)"
            set npu-offload enable
            set dhgrp 2
            set wizard-type custom
            set xauthtype auto
            set authusrgrp "VPN-group"
            set default-gw 0.0.0.0
            set default-gw-priority 0
            set psksecret ENC
            set keepalive 10
            set distance 15
            set priority 0
            set dpd-retrycount 3
            set dpd-retryinterval 5
            set xauthexpire on-disconnect
        next
    end

Enable DHCP over IPsec in VPN phase 2.

    config vpn ipsec phase2-interface
        edit "SCR-REMOTEVPN"
            set phase1name "SCR-REMOTEVPN"
            set comments "based on fortinet kb (FD37351)"
            set dhcp-ipsec enable
        next
    end
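
The log entry in the question carries `error_reason` as an unquoted value containing spaces, so splitting the line on whitespace loses it. As an added example (not part of the original question or answer), this Python code parses lines in that format and counts IPsec negotiation errors per remote IP and reason, which helps tell a single misconfigured client from many peers hitting the gateway. The sample lines, the IP addresses and the second `error_reason` are constructed.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the log entry in the question; the IP
# addresses (documentation ranges) and the second error_reason are made up.
SAMPLE_LOG = """\
2012-07-20 13:08:51 log_id=0101037124 type=event subtype=ipsec pri=error vd="root" msg="IPsec phase 1 error" action="negotiate" rem_ip=203.0.113.10 loc_ip=198.51.100.1 rem_port=1049 loc_port=500 out_intf="wan1" user="N/A" vpn_tunnel="N/A" status=negotiate_error error_reason=no matching gateway for new request peer_notif=INITIAL-CONTACT
2012-07-20 13:08:56 log_id=0101037124 type=event subtype=ipsec pri=error vd="root" msg="IPsec phase 1 error" action="negotiate" rem_ip=203.0.113.10 loc_ip=198.51.100.1 rem_port=1049 loc_port=500 out_intf="wan1" user="N/A" vpn_tunnel="N/A" status=negotiate_error error_reason=no matching gateway for new request peer_notif=INITIAL-CONTACT
2012-07-20 13:09:30 log_id=0101037124 type=event subtype=ipsec pri=error vd="root" msg="IPsec phase 1 error" action="negotiate" rem_ip=203.0.113.77 loc_ip=198.51.100.1 rem_port=500 loc_port=500 out_intf="wan1" user="N/A" vpn_tunnel="N/A" status=negotiate_error error_reason=constructed other reason peer_notif=N/A
2012-07-20 13:10:02 log_id=0000000000 type=event subtype=system pri=information vd="root" msg="constructed unrelated event"
"""

# A value is either "quoted" or bare; a bare value may contain spaces and runs
# until the next " key=" token or the end of the line.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(.*?))(?=\s+\w+=|\s*$)')


def parse_line(line):
    """Return the key=value fields of one event log line as a dict."""
    fields = {"timestamp": line[:19]}
    for key, quoted, bare in FIELD.findall(line):
        fields[key] = quoted or bare
    return fields


def phase1_failures(log_text):
    """Count IPsec negotiation errors per (remote IP, error_reason)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("subtype") == "ipsec" and f.get("status") == "negotiate_error":
            counts[(f.get("rem_ip"), f.get("error_reason"))] += 1
    return counts


if __name__ == "__main__":
    for (rem_ip, reason), n in phase1_failures(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {rem_ip:<15}  {reason}")
```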