Horazon
New Member
May 6, 2015
Solved

Fortigate 80CM IPSec VPN troubles

  • May 6, 2015
  • 5 replies
  • 6523 views

Hi,

I've trouble creating an L2TP/IPsec VPN on our FortiGate (FW 5.2.2, build 642). If I use the wizard (Dialup - Android (Native L2TP/IPsec)), I cannot select the WAN interface as incoming interface.

There is only DMZ and INTERNAL available (the fortigate is in Switch-mode).

Selecting the iOS (Native) wizard, the WAN Interfaces are available (we use load-balancing).

My VPN menu also looks different from the pictures in the documentation (I have no "Auto Key (IKE)" option; the "Policy-based IPsec VPN" feature is enabled).

I've also tried to create the tunnel via CLI, but I got an error at "set interface wan1".

Is it because the FortiGate is in switch mode?

Hope you can help me.

Regards,

Juergen

Best answer by Horazon (May 13, 2015)

Hi,

The output of diag sys checkused system.interface.name wan1 is:

HQ-gw01 # diag sys checkused system.interface.name wan1
entry used by table system.interface:name 'DE'
entry used by table system.interface:name 'test'
entry used by child table dashboard:id '9' of entry used by child table dashboard:id '10' of entry used by child table dashboard:id '11' of table system.admin:name 'admin'
entry used by child table dashboard:id '10' of table system.admin:name 'm.graf'
entry used by child table source-interface:name 'wan1' of complex vpn.ssl.settings:source-interface.name
entry used by table vpn.ipsec.phase1-interface:name 'DE'
entry used by table vpn.ipsec.phase1-interface:name 'test'
entry used by child table members:seq-num '3' of complex system.virtual-wan-link:members.interface
entry used by table firewall.vip:name '[WAN1]HQ-svMX01_HTTPs'
entry used by table firewall.vip:name '[WAN1]HQ-svMX01_SMTP'
entry used by table firewall.vip:name '[WAN1]HQ-svMX01_SMTPs'
entry used by table firewall.vipgrp:name '[WAN1]HQ-svMX01'

test = my test L2TP VPN via "custom VPN tunnel (no template)"; DE = our site-to-site tunnel to our office in Germany.

Thanks for the tip with the old bug.

5 replies

Christopher_McMullan
Staff
May 6, 2015

Switch mode shouldn't affect the WAN interfaces by default.

Are there already other tunnels bound to the WAN ports, or other settings that might affect their use for an L2TP/IPSec tunnel?

Horazon (Author)
New Member
May 12, 2015

Hi,

There is a site-to-site tunnel active to our office in Germany.

And we currently use SSL VPN (which should be replaced by the L2TP VPN).

We've two Internet connections and they are combined via load-balancing; both the SSL VPN and the site-to-site VPN are connected to WAN1. So, WAN2 is free, but it is also not available.

Juergen

Christopher_McMullan
Staff
May 12, 2015

I would open a ticket with TAC to get the widest possible context around what is binding the interfaces in a way they are unavailable for terminating the new tunnel.

Run this command, and include the output in the case:

diag sys checkused system.interface.name wan1

emnoc
New Member
May 13, 2015

"we use load-balancing"

FWIW: I think this goes back to an old bug related to VPN WAN interface selection when you're using a virtual-wan interface. If you search in the Forti beta forum or VPN you will find many references to this limitation.


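To make the checkused output quoted in this thread easier to audit before touching the interface, here is an added Python example (not from the thread, the poster or Fortinet) that parses each "entry used by" line into the config table that owns the reference and flags the virtual-wan-link membership emnoc's reply points to; the sample output is a constructed copy of the lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: the checkused lines quoted in this thread for wan1 on HQ-gw01.
SAMPLE_OUTPUT = """\
HQ-gw01 # diag sys checkused system.interface.name wan1
entry used by table system.interface:name 'DE'
entry used by table system.interface:name 'test'
entry used by child table dashboard:id '9' of entry used by child table dashboard:id '10' of table system.admin:name 'admin'
entry used by child table source-interface:name 'wan1' of complex vpn.ssl.settings:source-interface.name
entry used by table vpn.ipsec.phase1-interface:name 'DE'
entry used by table vpn.ipsec.phase1-interface:name 'test'
entry used by child table members:seq-num '3' of complex system.virtual-wan-link:members.interface
entry used by table firewall.vip:name '[WAN1]HQ-svMX01_HTTPs'
entry used by table firewall.vipgrp:name '[WAN1]HQ-svMX01'
"""

# Top-level owner of a reference: "table <table>:<attr> '<value>'" or "complex <table>:<path>".
OWNER_RE = re.compile(r"^(?:table|complex)\s+([\w.-]+):([\w.-]+)(?:\s+'([^']*)')?$")

def parse_checkused(text):
    """Map each owning config table to the (attribute, value) entries that reference the interface.
    For nested 'child table ... of ...' chains the rightmost segment names the top-level owner."""
    refs = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("entry used by"):
            continue  # prompt/command echo or blank line
        owner = line.rsplit(" of ", 1)[-1].replace("entry used by ", "", 1)
        m = OWNER_RE.match(owner)
        if not m:
            raise ValueError(f"unrecognised checkused line: {line}")
        table, attr, value = m.groups()
        refs[table].append((attr, value))
    return dict(refs)

def is_virtual_wan_member(refs):
    """True when the interface belongs to the virtual-wan-link (SD-WAN) group."""
    return "system.virtual-wan-link" in refs

def summarize(refs):
    """One line per owning table, e.g. 'vpn.ipsec.phase1-interface: DE, test'."""
    return [f"{t}: {', '.join(v if v is not None else a for a, v in refs[t])}" for t in sorted(refs)]

if __name__ == "__main__":
    refs = parse_checkused(SAMPLE_OUTPUT)
    print("\n".join(summarize(refs)))
    print("virtual-wan-link member:", is_virtual_wan_member(refs))
```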