Enabling VPN tunnel manually

Forum|Forum|12 years ago
September 25, 2013
7 replies
9588 views

Hi! I have a site to site VPN tunnel. I was able to bring up the tunnel and pass traffic through it. But, when the tunnel goes down when no interesting traffic is passing through, it stays down unless I manually bring up the tunnel. What could be causing this? DPD and keepalive are enabled. Also, my VPN Peer cannot modify their lifetime settings because their firewall is software-based.

rwpatterson

New Member

Welcome to the forums. Depending on the version of firmware, you need to enable auto-negotiate on either the phase 1 (V4MR3 and newer) or phase 2 (V4mr2 and older). The command is

vpn_name #set auto-negotiate enable

It is a CLI only command.

chararatAuthor

New Member

Thanks for your reply. My firmware is MR3V4 but as per checking " set auto-negotiate enable" is already configured.

ede_pfau

SuperUser

Most probably your Quick Mode settings are incorrect. In phase 2, you specify both the subnets on your side and on the remote side. These definitions are part of the SA. There are cases where a mere ' 0.0.0.0/0' might work at first glance but you should really put in the correct subnets. Then, the VPN will build up the tunnel if a packet for the remote subnet is crossing the FGT. Likewise on the other side - if you change the QMs on your side the tunnel will likely fail to come up altogether because of ' QM mismatch' . So you better have someone on the remote side during configuration.

Dipen

New Member

Hi ede_pfacu I have a unique case where I have two distinct subnets at Site 1 [192.168.1.0/24 and 172.16.7.0/24] and two distinct subnets at site 2 [192.168.4.0/24 and 172.16.16.0/24]. How do I configure Quick Mode Settings in this case? Quick Mode settings allow to enter only one Subnet. I want communication between all that subnets ? Do I have to create multiple Phase2 s with all permutations?

ede_pfau

SuperUser

Yes, the regular way would be to create multiple phase2' s. That has the advantage that it would be compatible with any vendor' s equipment on the remote side. Alternatively, you can create address groups, switch the type of address (for source and (!) destination) to " address group" , and select the groups in the QM selectors. Note that you have to use groups for both selectors - not mixed, one as an address and one as a group. Depending on your version of FortiOS these options may only be available in the CLI.

Dipen

New Member

Thanks Ede.... Regarding setting up two Phase2' s I have already tried.. both Phase twos are showing as " UP" in IPSEC Monitor. .However traffic is flowing for only one Policy... Anyways I am going to try the address Groups " funda" tomorrow to see if it works..

chararatAuthor

New Member

Hi Ede, I found out that vpn peer did not specify their local/remote network so I deleted phase 2 and recreate with my Quick Mode Selector set to any. (source and destination = 0.0.0.0/0) My tunnel goes up. Remote host can successfully ping my local host. We stopped sending interesting traffic (tunnel goes down). When we tried sending interesting traffic, it took 7 min before the tunnel goes up. Have you heard about compatibility issue with fortigate fw and amazon vpc?

ede_pfau

SuperUser

If you have DPD enabled like you posted in the beginning then most likely the other side does not have this as well. So the SA has to expire before a new one can be negotiated. IMHO the other side has to tweak their VPN settings a bit to ameliorate the situation. Besides, having ANY in both QMs isn' t such a good idea at all.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded