FortiGate
sha-1_FTNT
Staff
Article Id 191088
Description

Unlike the Windows XP IKE daemon, the Windows 7 and Vista IKE daemons abort a quick mode negotiation when they receive a RESPONDER-LIFETIME payload. If the default FortiOS phase2 lifetime settings are used, quick mode negotiation cannot complete with Windows 7 and Vista.


Scope


Solution
Because of this Windows 7 and Vista behaviour, the FortiGate phase2 lifetime settings must be set identical to the ones offered by Windows:
config vpn ipsec phase2
    edit <phase2_name>
        set keylife-type both
        set keylifekbs 250000
        set keylifeseconds 3600
    next
end

This will ensure that no RESPONDER-LIFETIME payload is sent by the FortiGate and the quick mode negotiation can complete successfully.

The L2TP tunnel can subsequently be negotiated over IPSec.
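To check an existing configuration against the values above, the following added example (not part of the original article and not Fortinet code) parses the `config vpn ipsec phase2` section of a configuration backup and reports every phase2 entry whose lifetime settings differ. The phase2 names in the sample are constructed, and the script assumes that a setting missing from the backup is at its default and that the section contains no nested `config` blocks.

```python
import re
# Values the article says must be set so they match the Windows offer.
REQUIRED = {"keylife-type": "both", "keylifekbs": "250000", "keylifeseconds": "3600"}

def parse_phase2(config_text):
    """Return {phase2_name: {setting: value}} from 'config vpn ipsec phase2' blocks."""
    entries, in_block, current = {}, False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config vpn ipsec phase2":
            in_block = True
        elif in_block and line == "end":
            in_block, current = False, None
        elif in_block and line.startswith("edit "):
            current = line[5:].strip().strip('"')
            entries[current] = {}
        elif in_block and line == "next":
            current = None
        elif in_block and current is not None:
            m = re.match(r"set\s+(\S+)\s+(.+)$", line)
            if m:
                entries[current][m.group(1)] = m.group(2).strip().strip('"')
    return entries

def audit(config_text):
    """Return {phase2_name: [mismatches]} for entries that differ from REQUIRED."""
    findings = {}
    for name, settings in parse_phase2(config_text).items():
        # Assumption: a setting absent from the backup means the default applies.
        problems = [
            f"{key}: expected {want}, found {settings.get(key, 'unset (default in effect)')}"
            for key, want in REQUIRED.items() if settings.get(key) != want
        ]
        if problems:
            findings[name] = problems
    return findings

# Constructed sample configuration, not taken from a real device.
SAMPLE = '''
config vpn ipsec phase2
    edit "l2tp-win7"
        set keylife-type both
        set keylifekbs 250000
        set keylifeseconds 3600
    next
    edit "l2tp-legacy"
        set keylifeseconds 1800
    next
end
'''
```

Calling `audit(SAMPLE)` returns findings only for `l2tp-legacy`; an empty result means every phase2 entry carries the three required lifetime settings.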
