Netgate Discussion Forum

FortiClient not connecting over pfSense

Firewalling
phoenixfsense
last edited Aug 8, 2023, 7:00 PM

Hi All
I am new to pfSense and I am experiencing a major issue.
I have a FortiClient on one of my work laptops and when I am trying to connect to the VPN it can't connect.

I tested this by bypassing the firewall and my VPN works fine without any issues.

My setup is completely new, so no rules have been put in place except the default rules.

I can connect to every site I want; only my FortiClient isn't connecting.

Any help?
viragomann @phoenixfsense
last edited Aug 9, 2023, 10:25 AM

@phoenixfsense said in FortiClient not connecting over pfSense:

I tested this by bypassing the firewall and my VPN works fine without any issues.

Behind another router or directly connected to the internet?

Which type of VPN is it?

Do you have packages like pfBlockerNG or Squid installed?

Are there any blocks showing up in the firewall log?
michmoor
last edited Aug 9, 2023, 10:40 AM

Do you get the same IP on VPN as you do when not on VPN?

Firewall: Netgate, Palo Alto-VM, Juniper SRX
Routing: Juniper, Arista, Cisco
Switching: Juniper, Arista, Cisco
Wireless: Unifi, Aruba IAP
JNCIP, CCNP Enterprise
phoenixfsense @viragomann
last edited Aug 9, 2023, 10:52 AM

@viragomann I do see some blocks in the firewall logs, but I don't have the pfBlockerNG or Squid packages installed.

Which type of VPN is it? I am using a FortiClient application.

Are there any blocks showing up in the firewall log? I was seeing a lot of blocked IPv6, so I allowed IPv6 through, but still the same issue.

One of the weird things is that a packet capture doesn't show me anything either.
phoenixfsense @michmoor
last edited Aug 9, 2023, 11:41 AM

@michmoor No, my LAN is sitting on 192.168 and the VPN uses a 10.X.X.X range.
viragomann @phoenixfsense
last edited Aug 9, 2023, 12:15 PM

@phoenixfsense said in FortiClient not connecting over pfSense:

Which type of VPN is it? I am using a FortiClient application.

Did this VPN work behind another router?
phoenixfsense @viragomann
last edited Aug 9, 2023, 12:36 PM

@viragomann Using both SSL and IPsec.
michmoor
last edited Aug 9, 2023, 1:54 PM

What do the firewall logs show for the client when it's connected to the FortiClient VPN?
Do you see any blocks? Are all flows getting passed?
For my Global Connect client (Palo Alto) on my work laptop, the only rule it has is to the internet: permit any/any. Works without issue when sitting behind my pfSense.
phoenixfsense @michmoor
last edited Aug 9, 2023, 2:55 PM

@michmoor
All the websites and protocols work fine.
I can access the internet without a problem; even now, as we speak, I am going through the FW.

It's just the FortiClient that doesn't connect.
michmoor @phoenixfsense
last edited Aug 9, 2023, 3:57 PM

@phoenixfsense What error are you getting in the FortiClient logs?
phoenixfsense @michmoor
last edited Aug 9, 2023, 4:26 PM

@michmoor

When it's not connected:
08/9/2023 6:05:16 PM Notice VPN id=96566 msg="negotiation information, loc_ip=192.168.88.10 loc_port=500 rem_ip=x.x.x.x rem_port=500 out_if=0 vpn_tunnel=Llo action=negotiate init=local mode=aggressive stage=1 dir=outbound status=success Initiator: sent x.x.x.x aggressive mode message #1 (OK)" vpntunnel=Llo vpntype=ipsec
8/9/2023 6:05:28 PM Warning VPN id=96561 msg="locip=192.168.88.10 locport=500 remip=x.x.X remport=500 outif=0 vpntunnel=Lit status=negotiate_error No response from the peer, phase1 retransmit reaches maximum count..." vpntunnel=Llo vpntype=ipsec

When it's connecting:
8/9/2023 6:15:14 PM Notice VPN id=96566 msg="negotiation information, loc_ip=192.168.0.102 loc_port=4500 rem_ip=x.x.x.x rem_port=4500 out_if=0 vpn_tunnel=Lol action=negotiate init=local mode=aggressive stage=2 dir=outbound status=success Initiator: sent x.x.x.x aggressive mode message #2 (DONE)" vpntunnel=Lol vpntype=ipsec
8/9/2023 6:15:14 PM Notice VPN id=96566 msg="negotiation information, loc_ip=192.168.0.102 loc_port=4500 rem_ip=x.x.x.x rem_port=4500 out_if=0 vpn_tunnel=Lol action=negotiate init=remote mode=xauth_client stage=0 dir=inbound status=success Responder: parsed x.x.x.x xauth_client mode message #0 " vpntunnel=Lol vpntype=ipsec
8/9/2023 6:15:14 PM Notice VPN id=96566 msg="negotiation information, loc_ip=192.168.0.102 loc_port=4500 rem_ip=x.x.x.x rem_port=4500 out_if=0 vpn_tunnel=Lol action=negotiate init=remote mode=xauth_client stage=2 dir=inbound status=success Responder: parsed x.x.x.x xauth_client mode message #2 " vpntunnel=Lol vpntype=ipsec
8/9/2023 6:15:14 PM Notice VPN id=96566 msg="negotiation information, loc_ip=192.168.0.102 loc_port=4500 rem_ip=x.x.x.x rem_port=4500 out_if=0 vpn_tunnel=Lol action=negotiate init=local mode=xauth_client stage=0 dir=inbound status=success Initiator: parsed x.x.x.x xauth_client mode message #0 (" vpntunnel=Lol vpntype=ipsec
8/9/2023 6:15:14 PM Notice VPN id=96566 msg="negotiation information, loc_ip=192.168.0.102 loc_port=4500 rem_ip=x.x.x.x rem_port=4500 out_if=0 vpn_tunnel=Lol action=negotiate init=remote mode=xauth_client stage=0 dir=inbound status=success Responder: parsed x.x.x.x xauth_client mode message #0 " vpntunnel=Lol vpntype=ipsec
8/9/2023 6:15:15 PM Notice VPN id=96566 msg="negotiation information, loc_ip=192.168.0.102 loc_port=4500 rem_ip=x.x.x.x rem_port=4500 out_if=0 vpn_tunnel=Lol action=negotiate init=local mode=quick stage=1 dir=outbound status=success Initiator: sent x.x.x.x quick mode message #1 (OK)" vpntunnel=Lol vpntype=ipsec
8/9/2023 6:15:15 PM Notice VPN id=96571 msg="locip=192.168.0.102 locport=4500 remip=x.x.x.x remport=4500 outif=0 vpntunnel=Lol action=install_sa, inspi=0x9e4976ec outspi=0x5e53ced5 Initiator: tunnel 192.168.0.102/x.x.x.x install ipsec sa" vpntunnel=Lol vpntype=ipsec
8/9/2023 6:15:15 PM Notice VPN id=96566 msg="negotiation information, loc_ip=192.168.0.102 loc_port=4500 rem_ip=x.x.x.x rem_port=4500 out_if=0 vpn_tunnel=Lol action=negotiate init=local mode=quick stage=2 dir=outbound status=success Initiator: sent x.x.x.x quick mode message #2 (DONE)" vpntunnel=Lol vpntype=ipsec
8/9/2023 6:15:15 PM Notice VPN id=96560 msg="VPN tunnel status" vpnstate=connected vpntype=ipsec
8/9/2023 6:15:16 PM Notice VPN date=2023-08-09 time=18:15:15 logver=1 type=traffic level=notice sessionid=40084692 hostname=ID1 pcdomain= uid=766A3C7F9C0B464492A0A267D11DBB90 devid=FCT8003202609364 fgtserial=N/A emsserial=N/A regip=N/A srcname=ipsec srcproduct=N/A srcip=10.64.96.34 srcport=N/A direction=outbound dstip=x.x.x.x remotename=N/A dstport=4500 user=User1 proto=6 rcvdbyte=N/A sentbyte=13056 utmaction=passthrough utmevent=vpn threat=connect vd=N/A fctver=5.4.2.0860 os="Microsoft Windows 10 Enterprise Edition, 64-bit (build 22621)" usingpolicy="" service= url=N/A userinitiated=0 browsetime=N/A

I tried allowing port 4500 but still the same results.
viragomann @phoenixfsense
last edited Aug 9, 2023, 5:00 PM

@phoenixfsense
These logs seem to be from different devices.

Did you mess with the outbound NAT on pfSense?
michmoor @phoenixfsense
last edited Aug 9, 2023, 5:42 PM

@phoenixfsense I'm not really seeing a problem. The 192.168.0.102 device connected fine.
Your 192.168.88.10 seems to have trouble.
That's on a separate VLAN? If so, does that have the same access rules as 192.168.0.102?

This is why I asked you to review the firewall rules. Something is clearly different here in your setup.
phoenixfsense @viragomann
last edited Aug 9, 2023, 6:11 PM

@viragomann

OK, it's the same device. The reason why you see two different IP addresses is because I have to bypass the pfSense or use a mobile router.

Outbound NAT: Mode Automatic
viragomann @phoenixfsense
last edited Aug 9, 2023, 6:16 PM

@phoenixfsense
I expect that the IPsec client uses port 4500 for NAT traversal.
So I'm wondering why the not-working log shows port 500, but the working one shows 4500.
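The FortiClient lines phoenixfsense quoted nest most fields inside msg="..." and spell the same field two ways (loc_port and locport), which makes the port 500 versus 4500 comparison viragomann draws easy to miss by eye. As an added example that is not part of the thread and is not Fortinet's or Netgate's code, this Python parser flattens those lines and summarises, per tunnel name, the UDP port phase 1 ran on and whether negotiation got past it; the sample log text is copied from the post above, with the poster's x.x.x.x redaction left in place.

```python
import re
from collections import defaultdict

# Sample lines copied from the FortiClient log quoted in the thread (x.x.x.x is the poster's redaction).
FAILING_LOG = """\
08/9/2023 6:05:16 PM Notice VPN id=96566 msg="negotiation information, loc_ip=192.168.88.10 loc_port=500 rem_ip=x.x.x.x rem_port=500 out_if=0 vpn_tunnel=Llo action=negotiate init=local mode=aggressive stage=1 dir=outbound status=success Initiator: sent x.x.x.x aggressive mode message #1 (OK)" vpntunnel=Llo vpntype=ipsec
8/9/2023 6:05:28 PM Warning VPN id=96561 msg="locip=192.168.88.10 locport=500 remip=x.x.X remport=500 outif=0 vpntunnel=Lit status=negotiate_error No response from the peer, phase1 retransmit reaches maximum count..." vpntunnel=Llo vpntype=ipsec
"""
WORKING_LOG = """\
8/9/2023 6:15:14 PM Notice VPN id=96566 msg="negotiation information, loc_ip=192.168.0.102 loc_port=4500 rem_ip=x.x.x.x rem_port=4500 out_if=0 vpn_tunnel=Lol action=negotiate init=local mode=aggressive stage=2 dir=outbound status=success Initiator: sent x.x.x.x aggressive mode message #2 (DONE)" vpntunnel=Lol vpntype=ipsec
8/9/2023 6:15:15 PM Notice VPN id=96571 msg="locip=192.168.0.102 locport=4500 remip=x.x.x.x remport=4500 outif=0 vpntunnel=Lol action=install_sa, inspi=0x9e4976ec outspi=0x5e53ced5 Initiator: tunnel 192.168.0.102/x.x.x.x install ipsec sa" vpntunnel=Lol vpntype=ipsec
8/9/2023 6:15:15 PM Notice VPN id=96560 msg="VPN tunnel status" vpnstate=connected vpntype=ipsec
"""

# One key=value pair: the value is either a double-quoted string or a run of non-space characters.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_forticlient_line(line):
    """Flatten one log line into a dict: outer fields plus the pairs nested inside msg="...".
    Underscores are dropped from keys (loc_port and locport both occur); later fields win."""
    fields = {}
    for key, value in _KV.findall(line):
        if value.startswith('"'):
            for k2, v2 in _KV.findall(value[1:-1]):
                fields[k2.replace("_", "")] = v2.rstrip(",")
        fields[key.replace("_", "")] = value.strip('"').rstrip(",")
    return fields

def summarise_tunnels(log_text):
    """Per tunnel name: UDP ports used, whether phase 1 failed, SA installed, tunnel connected."""
    summary = defaultdict(lambda: {"ports": set(), "phase1_failed": False,
                                   "sa_installed": False, "connected": False})
    tunnel = "?"
    for f in map(parse_forticlient_line, log_text.splitlines()):
        if f.get("vpntype") != "ipsec":          # traffic/session records are not negotiation
            continue
        tunnel = f.get("vpntunnel", tunnel)      # the "VPN tunnel status" line names no tunnel
        s = summary[tunnel]
        if f.get("locport", "").isdigit():
            s["ports"].add(int(f["locport"]))
        s["phase1_failed"] |= f.get("status") == "negotiate_error"
        s["sa_installed"] |= f.get("action") == "install_sa"
        s["connected"] |= f.get("vpnstate") == "connected"
    return dict(summary)

if __name__ == "__main__":
    for label, log in (("failing", FAILING_LOG), ("working", WORKING_LOG)):
        print(label, summarise_tunnels(log))
```

On the failing capture it reports tunnel Llo on UDP 500 with a negotiate_error and no connected state; on the working one, tunnel Lol on UDP 4500 with install_sa and connected, which is exactly the difference the thread goes on to discuss.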
michmoor
last edited Aug 9, 2023, 6:37 PM

Just curious, but if you do a WAN-side packet capture, do you see packets going to your company's VPN gateway?
If so, there is something they are seeing and not liking.
Unfortunately the logs on the client aren't very verbose.
phoenixfsense @michmoor
last edited Aug 10, 2023, 7:49 AM

@michmoor
If that is the case then it would mean that the issue is on the pfSense.
This is easy to believe because both my 5G and mobile LTE are on the same provider.
fallmtl67 @phoenixfsense
last edited Oct 8, 2024, 6:37 PM

@phoenixfsense I know it's been a while but I'm experiencing the same issue. I was wondering if you were ever able to resolve the issue and what you did? Thanks.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.