Wayupnorthguy
Explorer
October 20, 2022
Solved

IPSEC VPN tunnel only assigning a single IP (only single session works)

  • October 20, 2022
  • 3 replies
  • 8805 views

I have two installations of Fortigate 60F units for remote access.  One is running 6.4.8 and one on 7.0.5

I have IPSEC remote access configurations setup on both and the configs are nearly identical (except for the addressing...same subnetting. Nothing of consequence)
On the 6.4.8 unit I can have multiple dial-in instances each getting an address from the assigned pool.
On the 7.0.5 unit I can only establish a single connection.  I get an address out of the pool but cannot establish additional sessions.  
Both dialer instances are coming from the same office so have the same remote WAN IP.  But that is the same for the working instance.
Phase 1 and phase 2 both come up but phase 2 eventually drops.  I do believe this is related to not obtaining a second IP from the pool but cannot figure out why.

Best answer by Wayupnorthguy

Solved by setting unique Peer IDs for each Tunnel.  Convert to custom tunnel, set authentication IKE mode to Aggressive, Peer options to Specific peer ID and ensure both ends match.  Note that the Local ID in the Phase 1 Proposal needs to match the Peer ID.

3 replies

distillednetwork
Explorer II
October 23, 2022

On the 7.0.5 VPN tunnel do you have

set net-device enable 

enabled for the tunnel?  

Wayupnorthguy
Explorer
October 24, 2022

Just for clarity.  Either of these sites can establish a connection as long as the other site is not connected.  But to answer your question. "set net-device" is disabled on the phase1-interface.  Reading up on this a bit.  Would that need to be enabled on both connections and both ends?  I saw the option to create kernel objects in the GUI config but wasn't sure what that was all about.
distillednetwork
Explorer II
October 24, 2022

Could you post the VPN configuration you have on both sides?   Are you using dynamic or static routing on the tunnels?  

Jean-Philippe_P
Staff & Editor
October 24, 2022

Hello Wayupnorthguy!

Thanks for posting on the Fortinet Community Forum.

I found a document that may help:

https://www.fortinetguru.com/2017/10/ipsec-troubleshooting/

Can you tell me if it helped you please?

Kindest regards,

Jean-Philippe - Fortinet Community Team
Wayupnorthguy
Author (accepted answer)
Explorer
January 7, 2023

Solved by setting unique Peer IDs for each Tunnel.  Convert to custom tunnel, set authentication IKE mode to Aggressive, Peer options to Specific peer ID and ensure both ends match.  Note that the Local ID in the Phase 1 Proposal needs to match the Peer ID.
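The accepted answer in CLI form, as an added example that is not part of the original thread or of Fortinet's documentation. It assumes the hub is the 7.0.5 unit with its WAN on `wan1`, that the two dial-up peers are FortiGates at the same office (the same public address, as the question states), and that the identities `site-a-dialer1`/`site-a-dialer2`, the address pool, and the hub address `203.0.113.10` are constructed placeholders. The point of the change is that a hub distinguishes dial-up peers by their IKE identity, not by source address: two dialers presenting the same identity from the same WAN IP are treated as one peer, so the second negotiation displaces the first. A distinct `peerid` per tunnel, sent by the client as its `localid`, gives each dialer its own phase 1 and its own pool address. It also shows `set net-device enable`, the setting distillednetwork asked about, which gives each dial-up peer its own tunnel interface instead of a shared one.

```fortios
# ---- Hub (7.0.5 unit): one dynamic phase1-interface per dialer ----
# Each tunnel accepts only the peer whose IKE identity matches its peerid.
config vpn ipsec phase1-interface
    edit "RA_dialer1"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive          # identity is exchanged early, so peerid can select the tunnel
        set peertype one             # "Specific peer ID" in the GUI
        set peerid "site-a-dialer1"  # constructed placeholder; must equal the client's localid
        set net-device enable        # per-peer tunnel interface rather than one shared interface
        set mode-cfg enable          # hand out an address from the pool
        set ipv4-start-ip 10.99.1.10
        set ipv4-end-ip 10.99.1.19
        set ipv4-netmask 255.255.255.0
        set psksecret <PSK-placeholder>
    next
    edit "RA_dialer2"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "site-a-dialer2"  # different identity, so the second dialer gets its own tunnel
        set net-device enable
        set mode-cfg enable
        set ipv4-start-ip 10.99.1.20
        set ipv4-end-ip 10.99.1.29
        set ipv4-netmask 255.255.255.0
        set psksecret <PSK-placeholder>
    next
end

# ---- Dial-up client 1 (FortiGate at the remote office) ----
# localid must match the hub's peerid character for character.
config vpn ipsec phase1-interface
    edit "to_hub"
        set type static
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set remote-gw 203.0.113.10    # constructed placeholder hub address
        set localid "site-a-dialer1"
        set mode-cfg enable           # accept the pool address pushed by the hub
        set psksecret <PSK-placeholder>
    next
end

# ---- Dial-up client 2: identical except for the identity ----
config vpn ipsec phase1-interface
    edit "to_hub"
        set type static
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set remote-gw 203.0.113.10
        set localid "site-a-dialer2"
        set mode-cfg enable
        set psksecret <PSK-placeholder>
    next
end
```

To confirm the fix, `diagnose vpn ike gateway list` on the hub should show two gateways with different `id` values from the same remote address, and `diagnose vpn tunnel list` two tunnels, each with its own assigned pool address. Two caveats: `peerid` comparison is exact, so a trailing space or case difference between `localid` and `peerid` will leave the peer matching nothing (or falling back to a tunnel with `peertype any`, if one exists); and aggressive mode sends the identity unencrypted and lets a listener capture material for offline guessing of a pre-shared key, so a long random PSK per tunnel, or certificate authentication, is the sensible companion to this setting.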