Multiple Dialup Clients - Single Remote Gateway
Hoping for some clarity on an issue I am experiencing.
We have a partnership with an organization with 16+ remote sites all over our city. These sites connect to their WAN using 1-2 public IPs at their main office and have no interest in playing nice when it comes to static IP/NAT assignment for us.
I have been tasked with configuring x6 FG-80F (OS 7.0.5) appliances to connect to our FG-100F (OS 7.0.1) at our datacenter.
Each “remote site” has its own /28 local subnet, with 4-6 devices connected at each. We will exist inside their network in our own little bubble(s).
Configuring each of these 80Fs as dialup clients with “behind NAT enabled”, I have set the Phase1 with specific Client/Peer IDs, unique Pre-shared Keys, and set Aggressive IKEv1. Phase2 is set with unique named subnets, with the respective /28 network set.
The issue I have is it appears only 1 device will connect at a time – it was my understanding the unique Peer IDs/aggressive mode would resolve this. I have had “luck” tinkering with configs and bringing a second one online at the same time (dumb luck), but a reboot kills the connection and once again, only 1 will reconnect.
Here is the config on one of the remote devices:
config vpn ipsec phase1-interface
    edit "Site1-to-DT"
        set interface "wan1"
        set keylife 86400
        set mode aggressive
        set peertype one
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 des-md5
        set localid "6"
        set dpd on-idle
        set peerid "6"
        set psksecret ENC REDACTED
    next
end
config vpn ipsec phase2-interface
    edit "Site1-to-DT"
        set phase1name "Site1-to-DT"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
        set auto-negotiate enable
        set src-addr-type name
        set dst-addr-type name
        set keylifeseconds 43200
        set src-name "Site1-to-DT_local"
        set dst-name "Site1-to-DT_remote"
    next
end
Here is the config for Site1 on our main FG-100F:
config vpn ipsec phase1-interface
    edit "Site1-NAT"
        set type dynamic
        set interface "wan1"
        set keylife 86400
        set mode aggressive
        set peertype one
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 des-md5
        set localid "6"
        set dpd on-idle
        set peerid "6"
        set psksecret ENC REDACTED
        set dpd-retryinterval 60
    next
end
config vpn ipsec phase2-interface
    edit "Site1-NAT"
        set phase1name "Site1-NAT"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
        set keepalive enable
        set src-addr-type name
        set dst-addr-type name
        set keylifeseconds 43200
        set src-name "DT-Site1_local"
        set dst-name "DT-Site1_remote"
    next
end
Debug shows nothing super interesting, other than phase1 cannot be established:
ike 0:Site1-to-DT:0: sent IKE msg (agg_i1send): xxx.xxx.xxx.x:500->DataCenterIP:500, len=733, vrf=0, id=ebb80440a37b0ae9/0000000000000000
ike 0:Site1-to-DT:Site1-to-DT: IPsec SA connect 5 xxx.xxx.xxx.x->DataCenterIP:0
ike 0:Site1-to-DT:Site1-to-DT: using existing connection
ike 0:Site1-to-DT:Site1-to-DT: config found
ike 0:Site1-to-DT:Site1-to-DT: IPsec SA connect 5 xxx.xxx.xxx.x->DataCenterIP:500 negotiating
ike 0:Site1-to-DT:0:Site1-to-DT:0: ISAKMP SA still negotiating, queuing quick-mode request
ike 0:Site1-to-DT:0: out
ike 0:Site1-to-DT:0: sent IKE msg (P1_RETRANSMIT): xxx.xxx.xxx.x:500->DataCenterIP:500, len=733, vrf=0, id=ebb80440a37b0ae9/0000000000000000
ike 0:Site1-to-DT:Site1-to-DT: IPsec SA connect 5 xxx.xxx.xxx.x->DataCenterIP:0
ike 0:Site1-to-DT:Site1-to-DT: using existing connection
ike 0:Site1-to-DT:Site1-to-DT: config found
ike 0:Site1-to-DT: request is on the queue
I have no packet loss on the Datacenter Fortigate and have verified port 500 traffic is being received from the remote NAT IP.
Turning off the devices and waiting until the key lifetime has expired enables me to bring another device online. Am I missing something here? Is it not possible to have two dialup clients from the same remote gateway IP at the same time? It sure does feel like a real-life use case to me.
Other referenced materials (plus a LOT of Google Searching):
Technical Tip: How to use Peer IDs to select an IP... - Fortinet Community
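A small configuration check, added here as an example and not part of the original post or of Fortinet's tooling: it parses phase1-interface blocks in the FortiOS CLI format shown above and flags dialup (type dynamic) tunnels on the same interface that share a peerid, since the hub uses the peer ID to pick which dialup phase1 a client matches. The sample config is constructed for the example; the tunnel names in it are placeholders.

```python
from collections import defaultdict

# Constructed sample in FortiOS CLI format: Site1 and Site2 both use peerid "6".
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "Site1-NAT"
        set type dynamic
        set interface "wan1"
        set peerid "6"
    next
    edit "Site2-NAT"
        set type dynamic
        set interface "wan1"
        set peerid "6"
    next
    edit "Site3-NAT"
        set type dynamic
        set interface "wan1"
        set peerid "7"
    next
end
"""

def parse_phase1(config_text):
    """Return {tunnel_name: {setting: value}} for each edit block in phase1-interface."""
    tunnels, current, in_block = {}, None, False
    for line in (l.strip() for l in config_text.splitlines()):
        if line == "config vpn ipsec phase1-interface":
            in_block = True
        elif in_block and line == "end":
            in_block = False
        elif in_block and line.startswith("edit "):
            current = line[5:].strip('"')       # tunnel name without quotes
            tunnels[current] = {}
        elif in_block and line == "next":
            current = None
        elif in_block and current and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            tunnels[current][key] = value.strip('"')
    return tunnels

def duplicate_peer_ids(tunnels):
    """Map (interface, peerid) -> sorted tunnel names for dialup tunnels sharing a peer ID."""
    groups = defaultdict(list)
    for name, attrs in tunnels.items():
        if attrs.get("type") == "dynamic" and "peerid" in attrs:
            groups[(attrs.get("interface"), attrs["peerid"])].append(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}
```

On the sample, duplicate_peer_ids(parse_phase1(SAMPLE_CONFIG)) returns {('wan1', '6'): ['Site1-NAT', 'Site2-NAT']}; pasting the hub's real phase1-interface output in place of SAMPLE_CONFIG checks the tunnels that are actually deployed.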