FortiGate and iPad dial-up VPN IPsec phase 2 error: no matching gateway for new request

This is a repost of a post from an old blog, made on July 12, 2012, that used to be on:

http://wp.me/p25nt4-6A

http://adminramble.com/fortigate-ipad-dial-up-vpn-ipsec-phase-2-error-matching-gateway-request/

Original post:

I was asked at work to connect an employee's iPad to our company VPN on a FortiGate, and it took me some time to set it up right.

I kept getting the message “The VPN server did not respond” on the iPad when trying to connect to the IPsec VPN. At the same time, the FortiGate log showed IPsec phase 2 error messages with negotiate_error as the Status and “no matching gateway for new request” as the error reason.

After some searching on Google it turned out to be a mismatch between the peer ID settings on the FortiGate and the Group Name setting on the iPad.

The Group Name on the iPad is sent as its IKE peer ID, so it must match whatever peer ID the FortiGate Phase 1 is configured to accept. In my case that meant the group name on the iPad had to be the same as the username, because I had set the IPsec Phase 1 on the FortiGate to accept peer IDs from the dialup user group.

So if you are having problems setting up an IPsec VPN between an iPad or iPhone and a FortiGate, and are getting the same errors as me, try one of these solutions:

  • change your Phase 1 so that it accepts any peer ID
  • if your FortiGate is set to accept peer IDs from a dialup user group, change the Group Name in the iPad's IPsec configuration to match the username you are connecting with
  • set Phase 1 on the FortiGate to accept one specific peer ID, for example “ipad”, and set that as the Group Name on your iPad
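The three options above, written out as FortiOS CLI Phase 1 configuration. This is an added example and is not part of the original post or of Fortinet's documentation; the interface name wan1, the user group vpn_users, the peer ID ipad and the pre-shared key are placeholder values, and the lines beginning with # are commentary, not CLI syntax. Only one of the three Phase 1 entries would exist on a real unit; they are shown side by side so that the peertype setting, which is the part that decides whether the iPad's Group Name is accepted, can be compared.

```text
# Option 1: no peer ID check. Any Group Name on the iPad is accepted;
# authentication rests on the PSK and XAuth alone.
config vpn ipsec phase1-interface
    edit "ipad-any"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set proposal aes256-sha1 3des-sha1
        set dhgrp 2
        set xauthtype auto
        set authusrgrp "vpn_users"
        set psksecret <pre-shared-key>
    next
end

# Option 2: peer ID must equal a username in the dialup user group.
# On the iPad, Group Name = the username entered in the Account field.
config vpn ipsec phase1-interface
    edit "ipad-dialup"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype dialup
        set usrgrp "vpn_users"
        set proposal aes256-sha1 3des-sha1
        set dhgrp 2
        set xauthtype auto
        set authusrgrp "vpn_users"
        set psksecret <pre-shared-key>
    next
end

# Option 3: one fixed peer ID shared by all iOS clients.
# On the iPad, Group Name = ipad.
config vpn ipsec phase1-interface
    edit "ipad-fixed"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype one
        set peerid "ipad"
        set proposal aes256-sha1 3des-sha1
        set dhgrp 2
        set xauthtype auto
        set authusrgrp "vpn_users"
        set psksecret <pre-shared-key>
    next
end
```

Aggressive mode is what makes the peer ID check possible here: the iOS client sends its Group Name as the IKE identity in the first aggressive-mode exchange, and the FortiGate uses it to select the Phase 1 gateway. With `peertype any` the gateway always matches, so the "no matching gateway" error disappears, but so does the ability to tell one client group from another; `peertype dialup` or `peertype one` keep that check at the cost of having to keep the iPad's Group Name in sync. To see exactly which ID the iPad is sending while you test, run `diagnose debug application ike -1` followed by `diagnose debug enable` on the FortiGate and attempt the connection; the incoming ID payload is printed in the IKE debug output.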

Fortinet also has an article on setting up the iPhone and iPad dialup user IPsec VPN, which walks through the matching settings on both sides.
