Hi all,

I'm in the process of attempting to set up an IPSec tunnel between two LAN's.

Here's an ASCII diagram (IP's changed):

[D-Link NetDefend
DFL-800 Firewall]
(Public IP1:
|/| <-IPSec Tunnel
(Public IP2:
[Fortinet Fortigate

I've configured both firewalls according to their respective manuals. This has been tricky because both vendors have varied terminology and default settings. There are also some minor variations in what extra options you have at each end.

I've added rules to both firewalls to allow traffic to pass both directions between the LAN and the IPSec interface and I've added routes to both firewalls to direct traffic intended for the remote LAN over the IPSec interface.

Here's a rough list of settings:
Authentication: Pre-shared key
IKE Encryption/Auth proposals: AES256/SHA1
IKE Life Time: 28800 sec
IKE Mode: Main, DH Group 2
IPSec Encryption/Auth proposals: AES256/SHA1
IPSec Life Time: 3600 sec/5120 KB
XAuth: Disabled
Perfect Forward Secrecy: Enabled, DH Group 5
Keep-alive: On (sends pings regularly to keep the tunnel up)

At the moment, I can see the 2 active IKE security authorities (SA's) coming up.

The IPSec tunnel however isn't coming up. The errors I'm getting from the D-Link box are:

2009-07-31 14:42:49	Warning	IPSEC	1803020	ipsec_sa_failed no_ipsec_sa	statusmsg="Timeout"
2009-07-31 14:42:49	Warning	IPSEC	1800109	ike_quickmode_failed	local_ip= remote_ip= cookies=<HEX String Edited Out> reason="Timeout"

Fortigate Errors attached (remove .txt extension).

So the errors look like something to do with IKE, "Quick Mode" failing, but I don't know much else. Any help or suggestions would be highly appreciated.


Perth, Australia

For anyone interested or who runs into the same issue;

It was indeed a "Quick Mode" problem - the Fortigate firewall (LAN2 firewall) required Quick Mode selectors.

The Fortigate settings required based on the example are (0 indicates any/default):

Source Address:
Source port: 0
Destination address:
Destination port: 0
Protocol: 0

I also read some people have had problems with Dead Peer Detection. For the record, it is enabled in my case and not causing any issues.

The tunnel's up, firewall hardened and everything working now, so I'm happy.

Hope this relieves someone of the headache I had.

I had almost exactly the same problem and this solved my problem - Thank You!

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, learning, and sharing knowledge.