Remote Access IPSec VPN doesn't work on macOS or iPhone

Hi folks,

I’m struggling to get my remote access VPN to work on my FWF-60E running 7.2.8. The goal is to set up clientless dial-up VPN from the native macOS or iOS settings app, no extra software.


Used the “native” - “iOS dialup” method for creating the VPN connection, set up a user and a group. I also specified the user group in the VPN configuration wizard.

Policies and Address Groups were created automatically.

My MacBook is set up as follows


The dialup just times out… Same thing from my Mac as well as from my iPhone. “Server didn’t respond”.

The same steps were also shown in YouTube tutorials. What am I missing?

Thanks.

From the screenshots you provided, the config is wrong.
First apparent thing:

  1. You don’t specify Gruppenname as your XAUTH user group to which the user belongs.
  2. Rather, on your FortiGate under the Authentication section of IKE, select “specify peer ID” and select whatever identifier, e.g. “111”.
  3. And then specify that 111 as Gruppenname.
This is how it works for me.
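As an added illustration of the peer-ID-as-group-name approach described in the post above (this is example configuration written for this page, not the poster's or the original poster's actual config), the FortiOS CLI below shows a dial-up phase 1/phase 2 for the macOS/iOS native IKEv1 client. The interface name, tunnel names, the peer ID "111", the user group "vpn-users", the address range and the split-tunnel address object are assumptions; the lines beginning with "#" are annotations, not commands.

```fortios
# Assumed dial-up tunnel for the built-in macOS/iOS IPsec client (IKEv1, aggressive mode).
config vpn ipsec phase1-interface
    edit "ios-dialup"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        # peer ID check: the client must send this value as its identity,
        # which is the "Group name" field on the Mac/iPhone
        set peertype one
        set peerid "111"
        # XAUTH: the user name/password the client enters is checked
        # against this local user group (assumed name)
        set xauthtype auto
        set authusrgrp "vpn-users"
        # mode-config hands the client its tunnel address and split-tunnel routes
        set mode-cfg enable
        set ipv4-start-ip 10.20.5.5
        set ipv4-end-ip 10.20.5.7
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "VLAN_5-range"
        set proposal aes256-sha256 aes256-sha1
        set dhgrp 14 2
        set psksecret <PSK-PLACEHOLDER>
    next
end
config vpn ipsec phase2-interface
    edit "ios-dialup-p2"
        set phase1name "ios-dialup"
        set proposal aes256-sha256 aes256-sha1
        set pfs disable
    next
end
```

On the client side this pairs with: Server = the FortiGate's public address, Account name and Password = a member of the XAUTH user group, Shared secret = the pre-shared key, and Group name = the peer ID ("111" here). Putting the user group's name into the Group name field instead makes the peer ID check fail before XAUTH is ever reached.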

Do you see something in the logs?

Is your FG directly connected to the internet with a public IP address, or is your FG located behind an ISP router (double NAT)?

And of course check your logs.

Did you ever solve this? I am noticing the same results on a Mac setup.

This was what I noticed too. OP remove the group name from your Mac client and see if it works.

All I see is a successful IPsec phase1 negotiation. Nothing after that.

Yep, it is connected to the internet via wan1. No other router in between.

All I can see in the logs is a successful phase1 negotiation, nothing after that.

Unfortunately that does not help. Phase1 seems to work correctly.

Can you share the P2 settings?

Sure. If I click on the tunnel, there is a template type “Dialup - iOS Native”. To get the P2 settings, I clicked on the “Convert to custom tunnel” button. So it should be default settings.

These are the settings:

Have you done a debug?

Not yet, was hoping for some simple thing…

I think debugging is the next step. But first, I need to learn some basics, still very new to fortigate…

Are you trying from the same internet connection you are trying to connect to?
And can you share the policies?

That’s the policy which was created automatically:

VLAN_5 is the network where I want the dial-up clients to land. No other policies for further internal traffic are there yet; however, this shouldn’t affect the initial VPN dial-up, right?

I tried connecting from the internet with a different IP. (switched to my mobile hotspot from my MacBook).

If the split tunnel is set correctly, you don’t need another policy.

Hi m3rlin31, first of all, thank you for your help.

Today I finally had time again to do some troubleshooting, and what I noticed is that the problem must be after the VPN authentication. If I use a wrong password, I get asked again for a correct password.

The following log entries are created:


Could you tell me what the correct next (debug) steps would be?
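A debug sequence that answers the question above, added here as an example (these are not commands the poster or anyone in the thread ran): it captures the IKE negotiation for one dial-up client on FortiOS 7.2, so that what happens after the successful phase 1 becomes visible. `<CLIENT-PUBLIC-IP>` is a placeholder for the public address the Mac or iPhone connects from; the filter syntax is the FortiOS 7.0+ form, and the `#` lines are annotations, not commands.

```fortios
# Start from a clean debug state and restrict IKE output to one client
diagnose debug reset
diagnose vpn ike log filter clear
diagnose vpn ike log filter rem-addr4 <CLIENT-PUBLIC-IP>
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug enable
# ... now start the VPN on the client and wait for the "No response from server" message ...
diagnose debug disable
diagnose debug reset
diagnose vpn ike log filter clear

# State after the attempt: which dial-up gateways exist and whether any tunnel came up
diagnose vpn ike gateway list
diagnose vpn tunnel list

# If the IKE debug shows nothing beyond phase 1, confirm the client's later packets
# actually reach wan1 (IKE on UDP 500, NAT-T/ESP-in-UDP on 4500)
diagnose sniffer packet wan1 'udp port 500 or udp port 4500' 4 0 l
```

In the IKE debug, the sequence to read for is: aggressive mode completing (the phase 1 already seen in the logs), the XAUTH exchange with its success or failure result, a mode-config reply carrying the assigned client address from the 10.20.5.5-10.20.5.7 pool, and then a quick mode (phase 2) exchange. The step at which messages stop, or at which the FortiGate reports a proposal or ID mismatch, narrows the problem down far more than the GUI log summary does. Disable and reset the debug once finished, since `-1` is the most verbose level and is meant for short captures only.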

What IP address is your client getting from the VPN?

Should be in the range 10.20.5.5-10.20.5.7. However, I cannot see an address being assigned to my client. Troubleshooting from iPhone via 5G now, the error message is “No response from server”. But clearly there has to be some communication happening, since a wrong password is detected.

Another strange thing: I downgraded from 7.4.2 to 7.2.8 to keep the ability to upgrade my FG, because it is unlicensed. Different story… But in 7.4.2 the VPN worked fine. Since I downgraded and configured my FG from scratch, it does not work anymore. I found a backup from a previous date and reconfigured the VPN via CLI to exactly the same settings - still doesn’t work!

Just a few things are different now, but they shouldn’t be the error… Just different subnets and different naming in some cases.

configs: