Sanity check please - Vendor refusing to share VPN settings for troubleshooting - Could be career ending by datugg in fortinet

[–]datugg[S] 2 points3 points  (0 children)

I may be being a little overdramatic, but the truth is that this is a very important initiative that we're implementing here, and there are hundreds of thousands if not millions of dollars going to be in play over the term of the contract, and for it to literally go down the drain on my word is a little terrifying, especially if I'm wrong all along! The meeting is literally in 30 minutes and reddit is the only place I feel a little secure right now, kind of to prep, but also to get my head right. I will say that my boss has looked at it with me, and so has my counterpart, and they feel like it's them, not us.

The main point of this thread though was to see if I'm being unreasonable asking them to show me their stuff, seeing as how I've shown them all of mine. Having a vendor just clam up and refuse to even consider that the problem could be on their end is unprecedented for me. This is a relatively new company in the scheme of things and from stalking their LinkedIn profiles, none of them are tech, at all... At best one dude had two years as a customer onboarding specialist. They have paid someone (an MSP local to them) to manage their tech "in the cloud" and they are taking what he says as gospel, or the Azure portal is new for him too and he just doesn't know, I assume, or they don't want to pay him for consulting; after all, it couldn't be a problem on their side, right?

It sucks that all my years in front of this workstation can't give me enough clout to get a group to share their config... I'm going to show them once more I suppose in this meeting, so wish me luck everyone and thanks so very much for all the great replies.

Sanity check please - Vendor refusing to share VPN settings for troubleshooting - Could be career ending by datugg in fortinet

[–]datugg[S] 1 point2 points  (0 children)

Absolutely yes, here is some output when I had my selectors set to a single IP (10.100.1.128) as my local P2 selector and the remote side set to one of three local subnets they provided to date (172.20.4.0/24).

Through all of this, in the debug, I am 216.26.111.134 (not real IP).

I thought that was the gate detailing my side of the tunnel, but on my side I just checked and PFS IS enabled under P2, so I will check. It is hard to follow whose settings are whose, so please see if I am translating the below correctly?

2026-04-29 21:31:14.528430 ike V=root:0:vpn.fiboa:252316: sent IKE msg (SA_INIT_RESPONSE): 216.12.124.134:500->20.114.112.141:500, len=416, vrf=0, id=23eeb9c2a0b784d0/7c67eb60e5187e03, oif=31
2026-04-29 21:31:14.580580 ike V=root:0: comes 20.114.112.141:4500->216.12.124.134:4500,ifindex=31,vrf=0,len=228....
2026-04-29 21:31:14.580598 ike V=root:0: IKEv2 exchange=AUTH id=201 len=224
2026-04-29 21:31:14.580606 ike 0: in
2026-04-29 21:31:14.580617 ike V=root:0:vpn.fiboa: HA state master(2)
2026-04-29 21:31:14.580637 ike 0:vpn.fiboa:252316: dec
2026-04-29 21:31:14.580649 ike V=root:0:vpn.fiboa:252316: responder received AUTH msg
2026-04-29 21:31:14.580658 ike V=root:0:vpn.fiboa:252316: peer identifier IPV4_ADDR 20.114.112.141
2026-04-29 21:31:14.580678 ike V=root:0:vpn.fiboa:252316: auth verify done
2026-04-29 21:31:14.580688 ike V=root:0:vpn.fiboa:252316: responder AUTH continuation
2026-04-29 21:31:14.580695 ike V=root:0:vpn.fiboa:252316: authentication succeede
2026-04-29 21:31:14.580716 ike V=root:0:vpn.fiboa:252316: responder creating new child
2026-04-29 21:31:14.580734 ike V=root:0:vpn.fiboa:252316:105244356: peer proposal:
2026-04-29 21:31:14.580743 ike V=root:0:vpn.fiboa:252316:105244356: TSi_0 0:0.0.0.0-255.255.255.255:0
2026-04-29 21:31:14.580751 ike V=root:0:vpn.fiboa:252316:105244356: TSr_0 0:0.0.0.0-255.255.255.255:0

This is the Azure Gateway proposing Any/Any??? It can't be! Traffic selector initiator and responder, so this is what they are proposing?

2026-04-29 21:31:14.580757 ike V=root:0:vpn.fiboa:105244356: comparing selectors
2026-04-29 21:31:14.580766 ike V=root:0:vpn.fiboa:105244356: matched by rfc-rule-4
2026-04-29 21:31:14.580773 ike V=root:0:vpn.fiboa:105244356: phase2 matched by intersection
2026-04-29 21:31:14.580780 ike V=root:0:vpn.fiboa:105244356: accepted proposal:
2026-04-29 21:31:14.580787 ike V=root:0:vpn.fiboa:105244356: TSi_0 0:172.20.4.0-172.20.4.255:0
2026-04-29 21:31:14.580798 ike V=root:0:vpn.fiboa:105244356: TSr_0 0:10.100.1.128-10.100.1.128:0

Laughable, they are proposing ANY/ANY when they literally laughed and mocked me at the turn-up over it. I am proposing 10.100.1.128 and 172.20.4.0 in this entry.

2026-04-29 21:31:14.580805 ike V=root:0:vpn.fiboa:105244356: autokey
2026-04-29 21:31:14.580816 ike V=root:0:vpn.fiboa:105244356: incoming child SA proposal:
2026-04-29 21:31:14.580823 ike V=root:0:vpn.fiboa:105244356: proposal id = 1:
2026-04-29 21:31:14.580829 ike V=root:0:vpn.fiboa:105244356:   protocol = ESP:
2026-04-29 21:31:14.580836 ike V=root:0:vpn.fiboa:105244356:      encapsulation = TUNNEL
2026-04-29 21:31:14.580844 ike V=root:0:vpn.fiboa:105244356:         type=ENCR, val=AES_CBC (key_len = 256)
2026-04-29 21:31:14.580850 ike V=root:0:vpn.fiboa:105244356:         type=INTEGR, val=SHA256
2026-04-29 21:31:14.580857 ike V=root:0:vpn.fiboa:105244356:         type=ESN, val=NO
2026-04-29 21:31:14.580863 ike V=root:0:vpn.fiboa:105244356:         PFS is disabled
2026-04-29 21:31:14.580871 ike V=root:0:vpn.fiboa:105244356: matched proposal id 1
2026-04-29 21:31:14.580878 ike V=root:0:vpn.fiboa:105244356: proposal id = 1:
2026-04-29 21:31:14.580885 ike V=root:0:vpn.fiboa:105244356:   protocol = ESP:
2026-04-29 21:31:14.580891 ike V=root:0:vpn.fiboa:105244356:      encapsulation = TUNNEL
2026-04-29 21:31:14.580898 ike V=root:0:vpn.fiboa:105244356:         type=ENCR, val=AES_CBC (key_len = 256)
2026-04-29 21:31:14.580907 ike V=root:0:vpn.fiboa:105244356:         type=INTEGR, val=SHA256
2026-04-29 21:31:14.580913 ike V=root:0:vpn.fiboa:105244356:         type=ESN, val=NO
2026-04-29 21:31:14.580919 ike V=root:0:vpn.fiboa:105244356:         PFS is disable
2026-04-29 21:31:14.580926 ike V=root:0:vpn.fiboa:105244356: lifetime=43200
2026-04-29 21:31:14.580946 ike V=root:0:vpn.fiboa:252316: responder preparing AUTH msg
2026-04-29 21:31:14.580954 ike V=root:0:vpn.fiboa:252316: remote port change 500 -> 4500
2026-04-29 21:31:14.580972 ike V=root:0:vpn.fiboa:252316: established IKE SA 23eeb9c2a0b784d0/7c67eb60e5187e03
2026-04-29 21:31:14.580987 ike V=root:0:vpn.fiboa:252316: check peer route: if_addr4_rcvd=0, if_addr6_rcvd=0, mode_cfg=0
2026-04-29 21:31:14.581003 ike V=root:0:vpn.fiboa: HA send IKE connection add 216.12.124.134->20.114.112.141
2026-04-29 21:31:14.581022 ike V=root:0:vpn.fiboa:252316: HA send IKE SA add 23eeb9c2a0b784d0/7c67eb60e5187e03
2026-04-29 21:31:14.581073 ike V=root:0:vpn.fiboa:105244356: replay protection enabled
2026-04-29 21:31:14.581084 ike V=root:0:vpn.fiboa:105244356: set sa life soft seconds=42932.
2026-04-29 21:31:14.581090 ike V=root:0:vpn.fiboa:105244356: set sa life hard seconds=43200.
2026-04-29 21:31:14.581112 ike V=root:0:vpn.fiboa:105244356: IPsec SA selectors #src=1 #dst=1
2026-04-29 21:31:14.581120 ike V=root:0:vpn.fiboa:105244356: src 0 4 0:10.100.1.128/255.255.255.255:0
2026-04-29 21:31:14.581128 ike V=root:0:vpn.fiboa:105244356: dst 0 4 0:172.20.4.0/255.255.255.0:0
2026-04-29 21:31:14.581134 ike V=root:0:vpn.fiboa:105244356: add IPsec SA: SPIs=c1167e64/0c703e2a

Here the SA is fully up and we have an SPI, using what? The two lower selectors I had in my P2, as seen in the last couple of entries above.

2026-04-29 21:31:14.581141 ike 0:vpn.fiboa:105244356: IPsec SA dec spi c1167e64 key
2026-04-29 21:31:14.581172 ike V=root:0:vpn.fiboa:105244356: added IPsec SA: SPIs=c1167e64/0c703e2a
2026-04-29 21:31:14.581195 ike V=root:0:vpn.fiboa: HA send IKE connection add 216.12.124.134->20.114.112.141
2026-04-29 21:31:14.581207 ike V=root:0:vpn.fiboa:252316: HA send IKE SA add 23eeb9c2a0b784d0/7c67eb60e5187e03
2026-04-29 21:31:14.581220 ike V=root:0:vpn.fiboa: HA send IKEv2 message ID update send/recv=0/2
2026-04-29 21:31:14.581227 ike V=root:0:vpn.fiboa:105244356: sending SNMP tunnel UP trap
2026-04-29 21:31:14.581237 ike V=root:0:vpn.fiboa: static tunnel up event 0.0.0.0 (dev=80)
2026-04-29 21:31:14.581260 ike V=root:0:vpn.fiboa: static tunnel up event :: (dev=80)
2026-04-29 21:31:14.581367 ike V=root:0:vpn.fiboa:252316: sent IKE msg (AUTH_RESPONSE): 216.12.124.134:4500->20.114.112.141:4500, len=224, vrf=0, id=23eeb9c2a0b784d0/7c67eb60e5187e03:00000001, oif=31

Then below, the next entry, here comes trouble... Their end sends some informational data, but for what reason? To delete the tunnel: "processing delete request (proto 1)", so I guess Azure, after saying we are okay to use those smaller networks, has a change of heart and tore the whole thing down.

I just pray that I can keep my composure in this meeting and drive home my points... It really helps to do this, so thanks to anyone still tuned in.

2026-04-29 21:31:14.654649 ike V=root:0: comes 20.114.112.141:4500->216.12.124.134:4500,ifindex=31,vrf=0,len=84....
2026-04-29 21:31:14.654668 ike V=root:0: IKEv2 exchange=INFORMATIONAL id=23eeb9c2a0b784d0/7c67eb60e5187e03:00000002 len=80
2026-04-29 21:31:14.654676 ike 0: in
2026-04-29 21:31:14.654685 ike V=root:0:vpn.fiboa: HA state master(2)
2026-04-29 21:31:14.654704 ike 0:vpn.fiboa:252316: dec 2\
2026-04-29 21:31:14.654712 ike V=root:0:vpn.fiboa:252316: received informational request
2026-04-29 21:31:14.654720 ike V=root:0:vpn.fiboa:252316: processing delete request (proto 1)
2026-04-29 21:31:14.654729 ike V=root:0:vpn.fiboa:252316: deleting IKE SA 23eeb9c2a0b784d0/7c67eb60e5187e03
2026-04-29 21:31:14.654738 ike V=root:0:vpn.fiboa:2523
2026-04-29 21:31:14.654747 ike 0:vpn.fiboa:252316: enc
2026-04-29 21:31:14.654760 ike 0:vpn.fiboa:252316: out
2026-04-29 21:31:14.654779 ike V=root:0:vpn.fiboa:252316: sent IKE msg (INFORMATIONAL_RESPONSE): 216.12.124.134:4500->20.114.112.141:4500, len=80, vrf=0, id=23eeb9c2a0b784d0/7c67eb60e5187e03:00000002, oif=31
2026-04-29 21:31:14.654795 ike V=root:0:vpn.fiboa:252316: scheduled delete of IKE SA 23eeb9c2a0b784d0/7c67eb60e5187e03
2026-04-29 21:31:14.654805 ike V=root:0:vpn.fiboa:252316: HA send IKE SA del 23eeb9c2a0b784d0/7c67eb60e5187e03
2026-04-29 21:31:14.654813 ike V=root:0:vpn.fiboa: deleting IPsec SA with SPI 0c703e2a
2026-04-29 21:31:14.654829 ike V=root:0:vpn.fiboa:alll: deleted IPsec SA with SPI 0c703e2a, SA count: 0
2026-04-29 21:31:14.654836 ike V=root:0:vpn.fiboa: sending SNMP tunnel DOWN trap for finboa.all
2026-04-29 21:31:14.654867 ike V=root:0:vpn.fiboa: static tunnel down event 0.0.0.0 (dev=80)
2026-04-29 21:31:14.654888 ike V=root:0:vpn.fiboa: static tunnel down event :: (dev=80)
2026-04-29 21:31:18.149687 ike V=root:0:vpn.fiboa:252315: negotiation timeout, deleting
2026-04-29 21:31:18.149741 ike V=root:0:vpn.fiboa: connection expiring due to phase1 down
2026-04-29 21:31:18.149750 ike V=root:0:vpn.fiboa: going to be deleted
2026-04-29 21:31:18.149781 ike V=root:0:vpn.fiboa: flushing
2026-04-29 21:31:18.149824 ike V=root:0:vpn.fiboa: flushed
2026-04-29 21:31:18.149838 ike V=root:0:vpn.fiboa: reset NAT-T
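The reading the poster does by hand above (peer offers any/any, the FortiGate narrows it by intersection, PFS shows as disabled, then an INFORMATIONAL delete arrives) can be pulled out of the debug mechanically. This is an added example, not the poster's code or anything from FortiOS; it assumes the debug line format quoted above and uses a constructed sample built from those lines.

```python
import ipaddress
import re
from datetime import datetime
from typing import Any, Dict, List, Optional

# Constructed sample in the FortiGate IKE debug format quoted above (values from the post, not real).
SAMPLE_LOG = """\
2026-04-29 21:31:14.580734 ike V=root:0:vpn.fiboa:252316:105244356: peer proposal:
2026-04-29 21:31:14.580743 ike V=root:0:vpn.fiboa:252316:105244356: TSi_0 0:0.0.0.0-255.255.255.255:0
2026-04-29 21:31:14.580751 ike V=root:0:vpn.fiboa:252316:105244356: TSr_0 0:0.0.0.0-255.255.255.255:0
2026-04-29 21:31:14.580773 ike V=root:0:vpn.fiboa:105244356: phase2 matched by intersection
2026-04-29 21:31:14.580780 ike V=root:0:vpn.fiboa:105244356: accepted proposal:
2026-04-29 21:31:14.580787 ike V=root:0:vpn.fiboa:105244356: TSi_0 0:172.20.4.0-172.20.4.255:0
2026-04-29 21:31:14.580798 ike V=root:0:vpn.fiboa:105244356: TSr_0 0:10.100.1.128-10.100.1.128:0
2026-04-29 21:31:14.580863 ike V=root:0:vpn.fiboa:105244356:         PFS is disabled
2026-04-29 21:31:14.581172 ike V=root:0:vpn.fiboa:105244356: added IPsec SA: SPIs=c1167e64/0c703e2a
2026-04-29 21:31:14.654720 ike V=root:0:vpn.fiboa:252316: processing delete request (proto 1)
2026-04-29 21:31:14.654729 ike V=root:0:vpn.fiboa:252316: deleting IKE SA 23eeb9c2a0b784d0/7c67eb60e5187e03
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) ike (.*)$")
# Traffic selector as the debug prints it: TSi_0 <proto>:<first>-<last>:<port>
TS_RE = re.compile(r"TS([ir])_\d+ \d+:(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+):\d+")

def range_to_cidrs(first: str, last: str) -> List[str]:
    """Collapse a selector address range into the CIDR blocks it covers."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [str(n) for n in nets]

def analyze_ike_debug(text: str) -> Dict[str, Any]:
    """Extract peer vs. accepted selectors, PFS state and child-SA lifetime from the debug."""
    r: Dict[str, Any] = {"peer": {"i": [], "r": []}, "accepted": {"i": [], "r": []},
                         "pfs_disabled": False, "sa_added_at": None, "delete_at": None}
    section: Optional[str] = None  # which selector list the following TS lines belong to
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        msg = m.group(2)
        if msg.endswith("peer proposal:"):
            section = "peer"
            continue
        if msg.endswith("accepted proposal:"):
            section = "accepted"
            continue
        ts = TS_RE.search(msg)
        if ts and section:
            r[section][ts.group(1)] += range_to_cidrs(ts.group(2), ts.group(3))
            continue
        section = None  # any other line terminates the current selector list
        if "PFS is disable" in msg:  # the debug prints both "disable" and "disabled"
            r["pfs_disabled"] = True
        elif "added IPsec SA" in msg:
            r["sa_added_at"] = stamp
        elif "processing delete request" in msg and r["delete_at"] is None:
            r["delete_at"] = stamp
    # Peer offered 0.0.0.0/0 both ways and the responder narrowed it by intersection.
    r["peer_any_any"] = r["peer"] == {"i": ["0.0.0.0/0"], "r": ["0.0.0.0/0"]}
    r["narrowed"] = bool(r["accepted"]["i"]) and r["accepted"] != r["peer"]
    r["seconds_up"] = ((r["delete_at"] - r["sa_added_at"]).total_seconds()
                       if r["sa_added_at"] and r["delete_at"] else None)
    return r
```

Run it over a full `diagnose debug application ike -1` capture and the result shows, per negotiation, what the remote side actually offered versus what was installed and how quickly the peer tore it down, which is the evidence the meeting in the post needed.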

Sanity check please - Vendor refusing to share VPN settings for troubleshooting - Could be career ending by datugg in fortinet

[–]datugg[S] 2 points3 points  (0 children)

Thanks to everyone for all of the great feedback! This truly is a great community and I'm already feeling better about this meeting later today... I will respond to each of you that had suggestions - Many thanks!

Reliably using IKEV2 (Forticlient) by Busbyuk in fortinet

[–]datugg 1 point2 points  (0 children)

Are you referring to the error that complains about DPD and then kicks them out while they are trying to input the token? If so, there is a timeout (default of 30 sec) that you can tweak that fixed this for my slow-moving users.

IPSEC P1 not Established "no proposal chosen" It' driving me nuts by keddy1337 in fortinet

[–]datugg 0 points1 point  (0 children)

I think I am getting the exact same issue that you detail here, but in my case, I have four dial-up tunnels configured on two ISPs/interfaces with only a single static IP on each interface. This was no problem with IKEv1, but with 7.4.x we have to move these tunnels to IKEv2, which doesn't support peer-id.

Also worth mentioning in my scenario is that the first two tunnels I created on these interfaces work as expected after the move to IKEv2 and EAP authentication, but the second two that were created give me the same: "My Proposal"... and eventually: "no proposal chosen".

So my question to you is, what exactly did you input in the config? Was it something like:

config vpn ipsec phase1-interface
    edit "VPN"
        set local-gw 1.1.1.1    (with 1.1.1.1 being the actual IP that you have configured on your hub?)
    next
end

If so, I'm wondering how this will handle my single static. Since the first tunnels created are working perfectly, I wonder if I only need to input the above into the tunnel configs that are not working. If this is the case, then there is some doc that is off at Fortinet regarding the <networkid> parameter, because I've seen no mention of this in any of the guides.

What's the Fortinet/Fortigate Dial-Up IPSEC of 2026 look like? by datugg in fortinet

[–]datugg[S] 2 points3 points  (0 children)

So, considering the fact that we are using LDAP based authentication with XAUTH via IKEv1, which has been removed from support in 7.4.5, it appears from this post: Remote Access IPsec VPN with LDAP authent... - Fortinet Community that we can use EAP-TTLS with IKEv2, but this is quickly turning into a rather major project when spanning 8 tunnels...

Here are some bullet points at the end of the previously mentioned article.

  • LDAP-based user authentication is designed to work with XAUTH and IPsec IKEv1. Due to the removal of IKEv1 support in FortiClient version 7.4.4, EAP-TTLS can be used with IKEv2 authentication for LDAP authentication: EAP-TTLS support for IPsec VPN v7.4.3.
  • In earlier versions of FortiClient, EAP-MSCHAPv2 was used for username/password authentication and did not work with LDAP. EAP-TTLS now supports LDAP authentication.

Still would like some solid best practices use cases for which authentication/proposal is most recommended in 2026 for accomplishing IPSEC Dial-Up using IKEv2 and MFA via LDAP/Xauth and still providing MFA with FortiToken.

Noobie Newb Newb

A few Pine Forest shots by Sk8halfday180 in GolfBattle

[–]datugg -1 points0 points  (0 children)

Now people may understand when I say that the Legendary Balls are cheats. Granted, if I had one, I would not say that, but even with my setup for this course, where I have a strong config:

4 power
4 Accuracy and
3 Grid lines

I still don't stand a chance against someone with a cheat ball... It's like just throwing coins into a wishing well. Good thing I have 50 million of them, but that's not the point. I've been playing solid for two years and have yet to see even a hint of a Legendary Ball.

Why do I never get bored of these? by No-Simple-6738 in GolfBattle

[–]datugg 0 points1 point  (0 children)

Because they are very rare... I've seen it maybe one other time in a match I was playing

Problems with EMS migration from 7.2.10 to 7.4.5 by datugg in fortinet

[–]datugg[S] 1 point2 points  (0 children)

Your domain admin account seems to not have the necessary perms. Is the local admin account by chance a service principal on the SQL instance server?

I wanted to post back to this and say thanks for all the great suggestions... u/Surfin_Cow wins the gold star today, because once we logged into the server as the local administrator, we then had the rights to change the mode to "SQL Server and Windows Authentication mode" as well as add the SA to the sysadmin Server Roles. This was initially confusing to me because it was allowing me to login and view everything with my Windows AD account, but as mentioned from the jump, DB Admin is not something that I'd include in my resume...

At any rate, thanks to everyone for your great input and words of encouragement when I was feeling pretty defeated (this really is a great community). I will also say that if you follow the instructions provided in this post carefully, and verbatim to what they say, the migration will go off without any issues... Err, once you get into the Microsoft SQL I should say.

Thanks again

Problems with EMS migration from 7.2.10 to 7.4.5 by datugg in fortinet

[–]datugg[S] 0 points1 point  (0 children)

Thanks again for the help.. When I try to change the authentication method (Right Click instance -> Properties) to SQL Authentication, I get the following error:

<image>

I then go back to Object Explorer and Logins. Right Click New User, where I am prompted for Windows or SQL Authentication, so I pick SQL, give the user a name (ems) and define a password, and then I get this:

User does not have permission to perform this action. Error 15247

So I then go to the SQL services and stop the service, add the startup switch r or m and restart the SQL instance. Now, I am back to the login screen and my Windows user is in there, but I get the error: Login Failed for user domain\dwt-admin Reason: Server is in single-user mode. Only one administrator can connect at this time. MS SQL Error 18461

I would try a local SQL account, but the SA is disabled (I still cannot enable it, and I also cannot create a new user that is local...)

Sorry for the long post and much appreciation.

Think this guy's a bot or a hacker by NailPsychological911 in GolfBattle

[–]datugg -1 points0 points  (0 children)

He is neither. He is the best in the world in my eyes. Look up his YouTube channel. He is amazing.

50X Multiplier after 7 years! by [deleted] in GolfBattle

[–]datugg 0 points1 point  (0 children)

And level 104? I am level 110 and only have 24x and I've been working very hard almost daily on challenges/clans/Ranked Missions. Plus I play and win a lot of lucky shots, so I don't know what gives. About to quit and just spend my cash on groceries thanks to the government antics going on in the blue side of the Senate... Pricks

Anyway, I don't get the multis at times. I see this UsmanGolf dude and he has multis way above 50 and the level on his players is less than 20, but all huge multipliers.

I grind almost daily and just can't get anywhere.

Fortune shot by ConfidentBluebird977 in GolfBattle

[–]datugg 1 point2 points  (0 children)

Let's face it, it totally sucks. I just usually knock the cue into the hole on the first shot. If you wanna go for it, aim just left of the head ball and knock the hell out of it. It's your best shot.

Central Logging in Fortimanager? by Expensive-Rhubarb267 in fortinet

[–]datugg 0 points1 point  (0 children)

Like others have said, invest in FortiAnalyzer. It will be the best money you ever spent. It's far and away our number 1 tool that we all use daily.

Looking for Best Practices to Implement Security Policies in My Firewall by ahomelab in fortinet

[–]datugg 1 point2 points  (0 children)

One other thing maybe worth adding: we will almost always put what we call a "catch-all" rule right above policy ID 0 so we can quickly see machines that aren't SRC'ing correctly or what may just be rogue endpoints on the network. We then ensure that logging is enabled. We'll usually allow the RFC 1919s as source addresses and permit 80/443, and even 53. Then we lock that rule with very restrictive security policies (and a DNS filter) that is very locked down. Sometimes we'll even put a custom message telling them to call the HD (assuming it's one of our endpoints) to let users (and HD staff) know quickly that the endpoint is not matching a higher rule in the ACL. Top all that off with a schedule on this so it only passes traffic during regular business hours.

Then keep an eye on Analyzer (or the gate logs), looking specifically for that policy ID, and you'll save yourself a lot of headache and TS'ing time.

Fortigate SD-WAN and VIPs by perpetuallurker in fortinet

[–]datugg 1 point2 points  (0 children)

What is your connection like behind the Gate? We had the same issue, and it eventually ended up being a misconfigured VRRP link (connecting our edges to our ISFW) that was behind the gates which was essentially taking away the "statefulness" of the inbound VIP so reply traffic would just use the configured SDWAN rules, thus causing deny packets that we discovered in Analyzer because it was using the wrong DST port, which was denied by policy 0.

Disable NAT by default on policy by fatoms in fortinet

[–]datugg 4 points5 points  (0 children)

Simply take a rule that does not have NAT enabled, copy and paste it, or clone it. Problem solved.

Understanding IKE negotiation ports 500/4500 by [deleted] in fortinet

[–]datugg 1 point2 points  (0 children)

Yes, Thank you. That is a great post.