Symptom
With FortiClient, establishing an SSL-VPN connection to a FortiGate can fail with the following message:
Failed to establish the VPN connection. This may be caused by a mismatch in the TLS version. Please check the TLS version settings in the Advanced of the Internet options. (-5029)
Cause
TLS 1.0 is an outdated protocol and has been disabled by default since FortiOS 6.0. Authentication and data encryption should use at least TLS 1.1, and preferably TLS 1.2: the IETF formally deprecated TLS 1.0 and 1.1 in RFC 8996, and TLS 1.3 (RFC 8446) is the current version of the protocol.
Solution
If older clients that will only support TLS 1.2 or higher after a later update in the course of the migration must keep working in the meantime, TLS 1.0 can be re-enabled on the FortiGate. Treat this as a temporary measure and disable it again once the rollout is complete: a deprecated protocol version is offered to every client connecting to the portal, not just to the old ones.
Check the current TLS settings on the FortiGate CLI (the grep also matches the dtls lines):

FG60E # get vpn ssl settings | grep tls
tlsv1-0             : disable
tlsv1-1             : enable
tlsv1-2             : enable
dtls-hello-timeout  : 10
dtls-tunnel         : enable
Enable TLS 1.0 on the FortiGate CLI (it is a protocol version, not a cipher suite):

config vpn ssl settings
    set tlsv1-0 enable
end
On the client side, the TLS versions allowed by the Windows Internet Options (inetcpl.cpl) can also be adjusted; this is the setting the error message refers to.
Press Win + R and enter inetcpl.cpl.
On the Advanced tab of the Internet Properties window, tick Use TLS 1.0, Use TLS 1.1 and Use TLS 1.2.
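The checkboxes on that tab are stored as a bitmask in the SecureProtocols registry value, which is the quickest way to audit the setting on many clients and to put it back to a hardened state after the migration. The following PowerShell is an added example and not part of the original article or of FortiClient; the flag values are the WinINet ones, and the policy key is only consulted when an administrator has set it via Group Policy.

```powershell
# Added example (not from the original article): inspect and change the TLS versions
# ticked on the Advanced tab of Internet Options (inetcpl.cpl). The checkboxes are a
# bitmask in the SecureProtocols DWORD; the flag values below are the WinINet ones.
$UserKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

$ProtocolFlags = [ordered]@{
    'SSL 2.0' = 0x0008
    'SSL 3.0' = 0x0020
    'TLS 1.0' = 0x0080
    'TLS 1.1' = 0x0200
    'TLS 1.2' = 0x0800
    'TLS 1.3' = 0x2000
}

function ConvertFrom-SecureProtocols {
    param([int]$Mask)
    # Translate the bitmask into the protocol names it enables.
    $ProtocolFlags.GetEnumerator() |
        Where-Object { $Mask -band $_.Value } |
        ForEach-Object { $_.Key }
}

function Get-InetSecureProtocols {
    # A Group Policy value (HKLM ...\Policies) overrides the per-user value when present.
    foreach ($key in $PolicyKey, $UserKey) {
        $item = Get-ItemProperty -Path $key -Name SecureProtocols -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{
                Source    = $key
                Mask      = ('0x{0:X}' -f $item.SecureProtocols)
                Protocols = @(ConvertFrom-SecureProtocols -Mask $item.SecureProtocols)
            }
        }
    }
    # Value absent: the tab was never changed on this machine, so the OS default applies.
    return [pscustomobject]@{ Source = 'OS default'; Mask = $null; Protocols = @() }
}

function Set-InetSecureProtocols {
    param([Parameter(Mandatory)][string[]]$Enable)
    # Build the mask from the requested names and write it for the current user.
    $mask = 0
    foreach ($name in $Enable) {
        if (-not $ProtocolFlags.Contains($name)) { throw "Unknown protocol '$name'" }
        $mask = $mask -bor $ProtocolFlags[$name]
    }
    Set-ItemProperty -Path $UserKey -Name SecureProtocols -Value $mask -Type DWord
    return ('0x{0:X}' -f $mask)
}

# Usage: the article's workaround ticks TLS 1.0, 1.1 and 1.2 (mask 0xA80). Once the
# FortiGate and all clients speak TLS 1.2, return to 0x800 (or 0x2800 including TLS 1.3).
Get-InetSecureProtocols
Set-InetSecureProtocols -Enable 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'   # temporary workaround
# Set-InetSecureProtocols -Enable 'TLS 1.2', 'TLS 1.3'             # hardened state afterwards
```

Run Get-InetSecureProtocols before and after the change; if the result comes from the policy key, the dialog checkbox will be greyed out and only the policy value counts.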
Further solution
On older Windows versions, or behind routers with a PPPoE Internet connection, failures when establishing the SSL-VPN connection can often be fixed by lowering the MTU. PPPoE adds 8 bytes of header, so such a link carries at most 1492 bytes per IP packet, and tunnel packets built for a 1500-byte MTU are fragmented or dropped.
FortiClient then shows the error message:
Unable to establish the VPN connection. The VPN server may be unreachable (-5)
First, check the MTU of the network interfaces from a command prompt:

netsh interface ipv4 show subinterface
The output might look something like this:
C:\> netsh interface ipv4 show subinterface

       MTU  MediaSenseState   Bytes In  Bytes Out  Interface
----------  ---------------  ---------  ---------  -------------
      1500                5          0          0  Ethernet
      1500                1  598892209   19487894  WiFi
      1500                5          0          0  Mobilfunk
      1500                1       5248     144442  VMware Network Adapter VMnet1
      1500                5          0          0  LAN-Verbindung* 1
      1500                1          0     134436  VMware Network Adapter VMnet8
      1500                5          0          0  LAN-Verbindung* 5
4294967295                1          0      67869  Loopback Pseudo-Interface 1
      1500                5          0          0  Bluetooth-Netzwerkverbindung
      1500                5          0          0  Ethernet 3
If the interface that carries the VPN traffic (here Ethernet) still uses 1500, lower its MTU to 1400. In a command prompt opened as administrator, run (the netsh context is ipv4, not ip4):

netsh interface ipv4 set subinterface "Ethernet" mtu=1400 store=persistent
Alternatively, open Regedit and navigate to the following key:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

Under the subkey of the interface with the relevant IP address, here {222e135b-d09c-47a3-9236-63a041a02ea6}, set the DWORD value MTU to 578 hexadecimal (1400 decimal); the value does not exist by default and has to be created.
After restarting the computer, the SSL-VPN connection can be established.
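Rather than guessing 1400, the MTU can be measured: send ICMP echoes with the DF bit set and grow the payload until the packets stop getting through, then add the 28 bytes of IP and ICMP header. The PowerShell below is an added example, not part of the original article or of FortiClient; vpn.example.com and the alias "Ethernet" are placeholders, and the final step calls the same netsh command the article uses, so it needs an elevated prompt.

```powershell
# Added example (not from the original article): measure the largest payload that
# reaches the VPN gateway unfragmented, derive the path MTU from it, and apply it with
# the netsh command from the article. Host name and interface alias are placeholders.

function Show-InterfaceMtu {
    # PowerShell equivalent of "netsh interface ipv4 show subinterface".
    Get-NetIPInterface -AddressFamily IPv4 |
        Sort-Object InterfaceAlias |
        Select-Object InterfaceAlias, NlMtu, ConnectionState, Dhcp
}

function Test-DfPing {
    param([string]$Target, [int]$PayloadBytes)
    # One ICMP echo with Don't Fragment set. A PacketTooBig status (or no reply at all)
    # means the payload plus 28 header bytes does not fit into the path MTU.
    $ping  = New-Object System.Net.NetworkInformation.Ping
    $opts  = New-Object System.Net.NetworkInformation.PingOptions(64, $true)   # ttl, dontFragment
    $buf   = New-Object byte[] $PayloadBytes
    $reply = $ping.Send($Target, 2000, $buf, $opts)
    return $reply.Status -eq [System.Net.NetworkInformation.IPStatus]::Success
}

function Find-PathMtu {
    param([string]$Target, [int]$Low = 548, [int]$High = 1472)
    # Binary search on the ICMP payload size between the IPv4 minimum (576 - 28) and a
    # full Ethernet frame (1500 - 28). Result is the MTU, i.e. payload + 28.
    if (-not (Test-DfPing -Target $Target -PayloadBytes $Low)) {
        throw "No reply even at $Low bytes; the target probably filters ICMP echo, try another host on the path."
    }
    while ($Low -lt $High) {
        $mid = [int][math]::Ceiling(($Low + $High) / 2)
        if (Test-DfPing -Target $Target -PayloadBytes $mid) { $Low = $mid } else { $High = $mid - 1 }
    }
    return $Low + 28
}

function Set-InterfaceMtu {
    param([string]$InterfaceAlias, [int]$Mtu)
    # Same command as in the article; store=persistent survives a reboot. Needs admin rights.
    & netsh interface ipv4 set subinterface "$InterfaceAlias" mtu=$Mtu store=persistent
}

# Usage (placeholders): 1492 is typical behind PPPoE, 1500 on a plain Ethernet uplink.
Show-InterfaceMtu | Format-Table -AutoSize
$pmtu = Find-PathMtu -Target 'vpn.example.com'
"Path MTU towards the gateway: $pmtu"
if ($pmtu -lt 1500) { Set-InterfaceMtu -InterfaceAlias 'Ethernet' -Mtu $pmtu }
```

If the FortiGate itself does not answer ICMP echo, probe the last hop that does; the measured value is an upper bound for the whole path, and the article's 1400 leaves additional headroom below it for the SSL-VPN encapsulation.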