
fortinet router and 9608


Trems

Programmer
Feb 13, 2003
75
US
Here are my settings. Not sure what we are missing. We are failing on Phase 1. I took out all IPs and passwords here, but they all match.

Phone:

VPN Vendor: other
Gateway Address: xxx.xxx.xxx.xxx
Encapsulation: 4500-4500
Copy TOS: no
PSK with Xauth
User: Phone1
Password: XXXXXX
IKE ID: Phone
PSK: XXXXXXXX
IKE Phase 1
IKE ID Type: User_FQDN
IKE Exchange Mode: Aggressive
IKE DH Group: 2
IKE Encryption: 3 DES
IKE Auth: SHA-1
IKE Config Mode: Disabled
IKE Phase 2
IKE DH Group: 2
IKE Encryption: 3 DES
IKE Auth: SHA-1
Protected Network: xxx.xxx.xxx.xxx/24
IKE Over TCP: Never

Fortinet
config vpn ipsec phase1-interface
    edit "Phones"
        set type dynamic
        set interface "Outside"
        set ip-version 4
        set ike-version 1
        set local-gw xxx.xxx.xxx.xxx
        set nattraversal enable
        set keylife 28800
        set authmethod psk
        set mode main
        set peertype one
        set mode-cfg enable
        set ipv4-dns-server1 xxx.xxx.xxx.xxx
        set ipv4-dns-server2 xxx.xxx.xxx.xxx
        set ipv4-dns-server3 0.0.0.0
        set ipv4-wins-server1 0.0.0.0
        set ipv4-wins-server2 0.0.0.0
        set proposal 3des-sha1
        set add-route enable
        set localid ''
        set localid-type auto
        set negotiate-timeout 30
        set fragmentation enable
        set dpd enable
        set forticlient-enforcement disable
        set comments ''
        set npu-offload enable
        set dhgrp 2
        set wizard-type custom
        set xauthtype auto
        set authusrgrp "VPN_Phones"
        set peerid "Phone"
        set default-gw 0.0.0.0
        set default-gw-priority 0
        set assign-ip enable
        set mode-cfg-ip-version 4
        set assign-ip-from range
        set ipv4-start-ip xxx.xxx.xxx.xxx
        set ipv4-end-ip xxx.xxx.xxx.xxx
        set ipv4-netmask 255.255.255.255
        set dns-mode manual
        set ipv4-split-include "Avaya Voice Subnet"
        set split-include-service ''
        set unity-support enable
        set domain ""
        set banner ''
        set include-local-lan disable
        set save-password disable
        set client-auto-negotiate disable
        set client-keep-alive disable
        set psksecret 123456
        set keepalive 10
        set distance 15
        set priority 0
        set dpd-retrycount 3
        set dpd-retryinterval 5
        set xauthexpire on-disconnect
    next
end

config user group
    edit "VPN_Phones"
        set member "phone1" "phone2" "phone3" "Phone1"
    next
end

 
For IKE ID Type, try using KEY_ID, and set IKE Conf to Enabled.

That should get you going, worked for me.

______________________
|........................................|
|.....i.eat.bunny.children......|
|______________________|
(\__/) ||
(•Y•). ||
/ < )<||
 
You're failing in P1, so you only have to worry about the first portion of an IPsec connection, which is authentication (the handshake). Be sure to triple-check the VPN user, group and both passwords, as all are used for this part.

I have a client template that I focus on when setting up VPN (IPsec) phones for them. To get IPsec P1 working, you need the following:

VPN - Enabled
VPN Vendor - Other
GW Addr - x.x.x.x
extr ph. ip - x.x.x.x
extr router - x.x.x.x
Auth type - psk w/ xauth
VPN user: asdasdasd
User PW: adasdasdasd
IKE ID: asdasdasd
PSK key: asdasdasdasdadasd
=======PHASE 1=======
IKE ID type: KEY_ID
IKE Xchg mode: Aggressive
IKE DH GRP: 2
IKE Encryp: 3DES
IKE Auth: SHA-1
IKE Conf: En
=======PHASE 2=======
PFS DH GRP: 2
IPsec Encryp: 3DES
IPsec Auth: SHA-1
Protect Netwrk: 0.0../0
IKE ovr TCP: Au


Disable other VPNs if you are able to; it helps remove verbose BS from the logs.


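As an added check that is not part of the thread, nor Avaya or Fortinet code: a short Python script that parses the posted phase1-interface block and lists which of the 9608's phase 1 settings disagree with it. The config excerpt and the phone profile are constructed from the values posted above, and the KEY_ID expectation comes from the two replies; it assumes FortiOS lists proposals and DH groups as space-separated tokens.

```python
import re

# Constructed excerpt of the FortiGate phase1-interface block posted in the thread,
# cut down to the values that decide IKE phase 1 (addresses and secrets omitted).
FORTI_PHASE1 = """
config vpn ipsec phase1-interface
    edit "Phones"
        set mode main
        set mode-cfg enable
        set proposal 3des-sha1
        set dhgrp 2
        set peerid "Phone"
    next
end
"""

# Constructed from the 9608 profile listed in the original post.
PHONE = {"exchange_mode": "Aggressive", "dh_group": "2", "encryption": "3 DES",
         "auth": "SHA-1", "config_mode": "Disabled", "ike_id_type": "User_FQDN",
         "ike_id": "Phone"}


def parse_phase1(text):
    """Collect every 'set <key> <value>' line into a dict, with quotes stripped."""
    return {m.group(1): m.group(2).strip("\"'")
            for m in re.finditer(r"^\s*set\s+(\S+)\s+(.*?)\s*$", text, re.M)}


def check(phone, forti_text):
    """Return the phase-1 mismatches between the phone profile and the FortiGate block."""
    f = parse_phase1(forti_text)
    # The phone labels '3 DES' / 'SHA-1' correspond to the FortiOS proposal token '3des-sha1'.
    proposal = phone["encryption"].replace(" ", "").lower() + "-" + phone["auth"].replace("-", "").lower()
    problems = []
    if phone["exchange_mode"].lower() != f.get("mode"):
        problems.append(f"exchange mode: phone {phone['exchange_mode']}, FortiGate {f.get('mode')}")
    if proposal not in f.get("proposal", "").split():
        problems.append(f"proposal {proposal} not offered by FortiGate ({f.get('proposal')})")
    if phone["dh_group"] not in f.get("dhgrp", "").split():
        problems.append(f"DH group {phone['dh_group']} not in FortiGate dhgrp ({f.get('dhgrp')})")
    if (phone["config_mode"].lower() == "enabled") != (f.get("mode-cfg") == "enable"):
        problems.append(f"config mode: phone {phone['config_mode']}, FortiGate mode-cfg {f.get('mode-cfg')}")
    if phone["ike_id"] != f.get("peerid"):
        problems.append(f"IKE ID {phone['ike_id']!r} differs from FortiGate peerid {f.get('peerid')!r}")
    if phone["ike_id_type"] != "KEY_ID":
        problems.append(f"IKE ID type {phone['ike_id_type']}: the working setup in the thread uses KEY_ID")
    return problems
```

Run against the posted values it reports three mismatches (exchange mode, config mode, ID type); the proposal, DH group and peer ID already agree.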
 