sw2090 (SuperUser)
October 8, 2021
Question

Weird behaviour of Dial Up IPSec


Just encountered this:

IPSec Dial Up does allow concurrent tunnels. To make sure it can handle each one it enumerates the tunnels. Good so far.

Though the GUI (and the FortiManager GUI also) allow you to enter P1 names that are too long.

If your P1 name is too long, the enumerating may fail because it cannot add the number to it anymore.

In my case this worked as long as tunnels were enumerated with just a single digit (0-9). However, due to reasons, sometimes they get a two-digit number even though there are fewer than 10 concurrent tunnels active.

The two-digit number failed due to the above reason. Then the FortiGate either doesn't let you establish a tunnel or, if it has already established one successfully, tends to use this one. The resulting NAT IP change leads straight into a problem, since there are two remote GWs using the same dynamic tunnel now. This is then (and correctly) considered a twin connection and the SA gets deleted due to this, so the tunnel goes down...

Just wanted to let you know...

1 reply

ede_pfau (SuperUser)
October 8, 2021

Hi,

Thanks for sharing.

This behavior is well known and has not changed over the years. In fact, I tried to provoke the GUI bug by specifying a name with 14 characters (yielding 10 connections), or 15 chars, which was prohibited. Using FortiOS v6.0.13.

So apparently you cannot enter a name which would leave no space for the current connection number.


sw2090 (Author, SuperUser)
October 8, 2021

Well, I had 13 chars for the P1 name and this seems to leave only space for one digit of the number...

ede_pfau (SuperUser)
October 8, 2021

Correct (see screenshot). connection0..9, and the 11th attempt will be blocked.
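The name-length budget the two posts describe, as an added example that is not code from the thread's authors or from Fortinet: a small pre-flight check that parses a FortiOS `config vpn ipsec phase1-interface` block and flags dial-up (`set type dynamic`) phase1 names that cannot carry the per-connection index. Two things are assumptions, not stated FortiOS facts: the 15-character ceiling for name plus index (the thread reports a 15-character name is rejected), and the one character of overhead between name and index (the two observations above differ by one character, so the conservative value is the default and can be set to 0 to reproduce the 14-character case). The sample config is constructed for the example.

```python
"""Pre-flight check for FortiGate dial-up IPsec phase1 name length.

Added example for this thread, not from its authors or from Fortinet.
Assumptions (not stated as FortiOS fact):
  * MAX_TOTAL_LEN = 15: a 15-char phase1 name is rejected per the
    thread, so name plus connection index is taken to fit in 15 chars.
  * SUFFIX_OVERHEAD = 1: separator chars between name and index; the
    thread's two reports differ by one char, so the conservative value
    is the default. Pass overhead=0 for the 14-char observation.
"""

import re
from dataclasses import dataclass

MAX_TOTAL_LEN = 15    # assumption: name + index must fit in 15 chars
SUFFIX_OVERHEAD = 1   # assumption: chars between name and index

# Constructed sample config for the example; not from a real device.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "dialup-short"
        set type dynamic
    next
    edit "dialup-branch-1"
        set type dynamic
    next
    edit "dialup-hq-big"
        set type dynamic
    next
    edit "site2site-long"
        set type static
        set remote-gw 203.0.113.10
    next
end
"""


@dataclass
class Phase1:
    name: str
    dynamic: bool = False


def parse_phase1(config: str) -> list:
    """Collect phase1-interface entries from a FortiOS CLI config block."""
    entries, current, in_block = [], None, False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "config vpn ipsec phase1-interface":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":
            break
        match = re.fullmatch(r'edit "([^"]*)"', line)
        if match:
            current = Phase1(name=match.group(1))
        elif current is not None and line == "set type dynamic":
            current.dynamic = True
        elif current is not None and line == "next":
            entries.append(current)
            current = None
    return entries


def index_digits(name, max_total=MAX_TOTAL_LEN, overhead=SUFFIX_OVERHEAD):
    """Digits of connection index that still fit after the name."""
    return max(0, max_total - len(name) - overhead)


def max_concurrent(name, max_total=MAX_TOTAL_LEN, overhead=SUFFIX_OVERHEAD):
    """Concurrent tunnels whose indices 0..n-1 fit; 0 if not even index 0 fits."""
    digits = index_digits(name, max_total, overhead)
    return 10 ** digits if digits else 0


def max_safe_name_len(highest_index, max_total=MAX_TOTAL_LEN,
                      overhead=SUFFIX_OVERHEAD):
    """Longest phase1 name that can still carry the given connection index."""
    return max_total - overhead - len(str(highest_index))


def check_names(config, expected_concurrent, max_total=MAX_TOTAL_LEN,
                overhead=SUFFIX_OVERHEAD):
    """(name, capacity) for each dial-up name that cannot hold the expected count."""
    findings = []
    for p1 in parse_phase1(config):
        if not p1.dynamic:
            continue  # static site-to-site tunnels are not enumerated
        cap = max_concurrent(p1.name, max_total, overhead)
        if cap < expected_concurrent:
            findings.append((p1.name, cap))
    return findings


if __name__ == "__main__":
    # The thread saw two-digit indices with fewer than ten tunnels active,
    # so size for index 99 rather than for the expected tunnel count.
    for name, cap in check_names(SAMPLE_CONFIG, expected_concurrent=100):
        print(f"{name!r}: only {cap} concurrent dial-up tunnel(s) fit")
    print("longest name safe for a two-digit index:", max_safe_name_len(99))
```

Because the index can reach two digits even with fewer than ten tunnels up, the useful input to `check_names` is the largest index you are willing to tolerate (100 for a two-digit index), not the number of tunnels you expect; with the default assumptions that caps dial-up phase1 names at 12 characters.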