Georges_Orwell
New Member
September 15, 2014
Solved

Delete Tunnels

Hello all, I just created a site-to-site tunnel for training but now I can't delete it. Can you help me? FortiGate 200D, FortiOS 5.2. Thank you, Georges Orwell
    Best answer by FortiAdam


    jorge9090
    New Member
    September 15, 2014
    Is the tunnel interface mode or policy mode? There must be a policy or a route referencing that tunnel, and it won't let you delete it unless you delete those first. You can see this under VPN > IPsec > Auto Key (IKE) in the GUI. Try again when the Ref. is 0. Delete the Phase 2 first, then Phase 1.
    FortiAdam (best answer)
    New Member
    September 15, 2014
    I find that the best way to discover references is by going to System > Network > Interfaces and enabling the references column. Common references include routes, firewall objects, firewall policies, and phase-2 VPN objects. For some reason, when you view references from VPN > IPsec > IKE it doesn't always show all references (at least in 5.0.x).
    hklb
    Visitor III
    September 15, 2014
    Or maybe you added an IP address on your VPN interface? If you don't find the reference, you can back up your configuration and search for the VPN interface name in your configuration.
    Georges_Orwell
    New Member
    September 15, 2014
    I don't know what the difference between policy mode and interface mode is. I'm a newbie.
    hklb
    Visitor III
    September 15, 2014
    Add the column "Ref." and you will see how it is used (on the right you will see a number; click on it and you will see the reference).
    Georges_Orwell
    New Member
    September 15, 2014
    Thank you for your response. I found the reference and the sub-interface that was created. But I still can't delete this site-to-site VPN config...
    hklb
    Visitor III
    September 15, 2014
    Delete phase 2 in the CLI:
    config vpn ipsec phase2-interface
        delete YourPhase2
    end
    Normally, you should then be able to delete your Phase 1.
    Georges_Orwell
    New Member
    September 15, 2014
    Thanks hklb, I removed all phase 2s as you told me. But in the GUI I'm not able to delete all tunnels. Any other idea? Georges
    Christopher_McMullan
    Staff
    September 15, 2014
    IPsec VPNs can be referenced by:
    - Phase 2 SAs
    - address objects
    - VIPs
    - DHCP server scopes (for client dial-up tunnels)
    - routes
    In your case, I'd ensure there are no remaining static routes, as the most obvious possibility. In the GUI: Router > Static > Static, or if the Advanced Routing feature is disabled, then System > Network > Routes (from memory). In the CLI: sh router static
    Georges_Orwell
    New Member
    September 15, 2014
    Finally found the route and deleted it. After that I was able to remove the tunnels. Thank you for your help.
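    The thread's two pieces of advice (back up the config and search it for the tunnel name; then remove policies, routes and phase 2 before the phase 1) combined into a small script. This is an added example, not code from the thread or from Fortinet: the config excerpt is constructed to mirror a wizard-built tunnel, and the parser only understands the plain config/edit/set/next/end nesting of a FortiOS backup.

```python
from collections import defaultdict

# Constructed FortiOS config excerpt (not the thread's own dump): phase 1
# "Peer_2.2.2.1_24" is referenced by a phase 2, a static route and a policy.
SAMPLE_CONFIG = """\
config vpn ipsec phase2-interface
    edit "Peer_2.2.2.1_24"
        set phase1name "Peer_2.2.2.1_24"
    next
end
config router static
    edit 2
        set device "Peer_2.2.2.1_24"
    next
end
config firewall policy
    edit 2
        set srcintf "port2"
        set dstintf "Peer_2.2.2.1_24"
    next
end
"""

def find_references(config_text, name):
    """Map each top-level section to (entry, set line) pairs whose value is
    exactly the quoted name; a 'set comments' mentioning it does not count."""
    needle, refs = f'"{name}"', defaultdict(list)
    sections, entries = [], []  # nesting stacks for 'config' and 'edit'
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            sections.append(line[7:]); entries.append(None)
        elif line.startswith("edit ") and entries:
            entries[-1] = line[5:].strip('"')
        elif line == "next" and entries:
            entries[-1] = None
        elif line == "end" and sections:
            sections.pop(); entries.pop()
        elif line.startswith("set ") and needle in line and sections:
            refs[sections[0]].append((entries[0], line))  # parent section
    return dict(refs)

# Removal order from the thread: policies and routes, then phase 2, then phase 1.
ORDER = ("firewall policy", "router static", "vpn ipsec phase2-interface")

def deletion_plan(refs, name):
    cmds = []
    for section in ORDER:
        for entry in dict.fromkeys(e for e, _ in refs.get(section, [])):
            cmds += [f"config {section}", f"delete {entry}", "end"]
    return cmds + ["config vpn ipsec phase1-interface", f"delete {name}", "end"]
```

    Run find_references over a real backup (the "show full-configuration" output) before touching anything; the plan only lists the entries it actually found, so an unreferenced section produces no commands.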
    __innit__
    New Member
    February 15, 2018

    A ping from a host in subnet 192.168.206.0/24 to a host in subnet 192.168.203.0/24 is not generating any logs, and the VPN is down:


    Fortinet17 # get system arp
    Address           Age(min)   Hardware Addr       Interface
    192.168.206.254   1          00:50:00:00:13:00   port2
    192.168.10.2      0          00:50:00:00:01:00   port3
    60.60.60.1        0          aa:bb:cc:00:60:20   port1

    Fortinet17 # show sys interface
    config system interface
        edit "port1"
            set vdom "root"
            set ip 60.60.60.2 255.255.255.0
            set allowaccess ping https ssh http
            set type physical
            set description "outside"
            set alias "outside"
            set role wan
            set snmp-index 1
        next
        edit "port2"
            set vdom "root"
            set ip 192.168.206.1 255.255.255.0
            set allowaccess ping
            set type physical
            set description "LAN_192.168.206.0_24"
            set alias "LAN_192.168.206.0_24"
            set role lan
            set snmp-index 2
        next
        edit "port3"
            set vdom "root"
            set ip 192.168.10.5 255.255.255.0
            set allowaccess http
            set type physical
            set snmp-index 3
        next
        edit "port4"
            set vdom "root"
            set type physical
            set snmp-index 4
        next
        edit "ssl.root"
            set vdom "root"
            set type tunnel
            set alias "SSL VPN interface"
            set snmp-index 5
        next
        edit "Peer_2.2.2.1_24"
            set vdom "root"
            set type tunnel
            set snmp-index 6
            set interface "port1"
        next
    end

    Fortinet17 # show firewall policy
    config firewall policy
        edit 2
            set name "vpn_Peer_2.2.2.1_24_local"
            set uuid eb5cb90c-10de-51e8-a82f-f046e583e108
            set srcintf "port2"
            set dstintf "outside"
            set srcaddr "LAN_192.168.206.0_24"
            set dstaddr "LAN_192.168.203.0_24"
            set action accept
            set schedule "always"
            set service "ALL"
            set comments "VPN: Peer_2.2.2.1_24 (Created by VPN wizard)"
        next
        edit 3
            set name "vpn_Peer_2.2.2.1_24_remote"
            set uuid eb6041bc-10de-51e8-2863-2c4b98988ea3
            set srcintf "outside"
            set dstintf "port2"
            set srcaddr "LAN_192.168.203.0_24"
            set dstaddr "LAN_192.168.206.0_24"
            set action accept
            set schedule "always"
            set service "ALL"
            set comments "VPN: Peer_2.2.2.1_24 (Created by VPN wizard)"
        next
    end