auppal
Staff
Article Id 419191
Description

This article describes why an ADVPN spoke Easy configuration key generated on FortiOS v7.6 is not compatible with a FortiGate spoke running FortiOS v7.4.

Scope

FortiGate.
Solution

The ADVPN easy configuration key on the FortiGate is a Base64-encoded string of parameters. Decoding a key created on FortiOS v7.6.4 results in the following:

{"hubGatewayIp":"10.128.202.126","hubTunnelSubnet":"10.10.1.1255.255.255.0",
"hubTunnelIp":"10.10.0.1","hubIdentifier":"65001","identifier":"65001","tunnelIp":"10.10.0.2",
"ikeVersion":"2"}


By comparison, a decoded easy configuration key with similar settings for FortiOS v7.4 looks like the following:

{"hubGatewayIp":"10.128.202.98","hubTunnel":"10.10.1.1","hubIndentifier":65001,
"indentifier":"65001","hubIdentifier":65001,"identifier":"65100","tunnelIp":"10.10.1.3"}


When using a FortiOS v7.6 Easy configuration key on a FortiOS v7.4 spoke, the VPN Wizard may produce unexpected results. For example:

  • The Remote IP/netmask fields may not populate correctly.

  • Even when the undefined settings are entered manually, the wizard may fail to proceed, leaving the Next button greyed out during the Policy & Routing step.

Explanation:

  1. The VPN Wizard in FortiOS v7.6 creates ADVPN tunnels using IKEv2 by default, while FortiOS v7.4 uses IKEv1 by default. This results in an 'ikeVersion' mismatch in the decoded key.
  2. The field names and the total number of fields differ between the versions. Because of these discrepancies, the VPN Wizard in v7.4 cannot properly interpret or complete the configuration using a v7.6-generated key.

 

If it is necessary to use a configuration key generated on FortiOS v7.6 with a FortiOS v7.4 spoke, administrators may manually modify the decoded v7.6 key into a format supported by v7.4 (e.g., adjusting settings and parameter names to fit the v7.4 model), then re-encode it in Base64 before importing it into the VPN Wizard. However, this method is generally not recommended, since it could result in an incorrect or incomplete configuration; administrators are instead encouraged to run ADVPN Hubs and Spokes on at least the same FortiOS firmware branch to ensure that easy configuration keys work properly.

 

In the case of ADVPN Hubs running FortiOS v7.6 and Spokes running FortiOS v7.4, it is recommended to configure the ADVPN settings manually instead of using an easy configuration key generated from a different FortiOS version.


Example:

The v7.6-based easy configuration key described earlier in this article can be converted to the following to match the easy key format of FortiOS v7.4:

 

v7.6: {"hubGatewayIp":"10.128.202.126","hubTunnelSubnet":"10.10.1.1255.255.255.0",
"hubTunnelIp":"10.10.0.1","hubIdentifier":"65001","identifier":"65001","tunnelIp":"10.10.0.2",
"ikeVersion":"2"}

v7.4: {"hubGatewayIp":"10.128.202.126","hubTunnel":"10.10.1.1","hubIndentifier":65001,
"indentifier":"65001","hubIdentifier":65001,"identifier":"65100","tunnelIp":"10.10.1.2"}

 

Once converted, the key can then be Base64-encoded and used on FortiOS v7.4 for ADVPN configuration through the Wizard.
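As an added example (not Fortinet's code and not part of this article), the following Python script decodes a key, reports which field layout it uses, and performs the v7.6-to-v7.4 conversion described above, emitting warnings for the two pitfalls the article names: the IKE version the v7.4 wizard will actually use, and a spoke tunnel address that does not sit in the hub's tunnel subnet. It assumes the key is standard Base64 over compact JSON and takes the v7.4 field names, including the duplicated misspelled identifier fields, from the v7.4 sample above; which of those fields the v7.4 wizard actually reads is not documented here.

```python
# Added example (not Fortinet's code): decode, sanity-check and convert ADVPN
# "easy configuration" keys between the v7.6 and v7.4 field layouts quoted in
# the article. Assumptions: standard Base64 of compact JSON, and v7.4 field
# names exactly as in the article's v7.4 sample.
import base64
import ipaddress
import json
import re

V76_FIELDS = {"hubGatewayIp", "hubTunnelSubnet", "hubTunnelIp",
              "hubIdentifier", "identifier", "tunnelIp", "ikeVersion"}
V74_FIELDS = {"hubGatewayIp", "hubTunnel", "hubIndentifier", "indentifier",
              "hubIdentifier", "identifier", "tunnelIp"}


def decode_key(key_b64):
    """Base64-decode a key and parse its JSON payload."""
    raw = base64.b64decode(key_b64.strip(), validate=True)
    return json.loads(raw.decode("utf-8"))


def encode_key(fields):
    """Serialize compactly (as in the article's samples) and Base64-encode."""
    payload = json.dumps(fields, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(payload).decode("ascii")


def detect_format(fields):
    """Classify a decoded key by the field names each FortiOS branch uses."""
    names = set(fields)
    if names <= V74_FIELDS and "hubTunnel" in names:
        return "7.4"
    if names <= V76_FIELDS and "hubTunnelSubnet" in names:
        return "7.6"
    return "unknown"


def split_subnet(value):
    """Split a hubTunnelSubnet value into (address, netmask).

    The article's decoded sample prints address and mask with no separator
    ("10.10.1.1255.255.255.0"). A space or '/' separator is accepted; otherwise
    every split point is tried and kept only if the left part is an IPv4
    address and the right part a valid contiguous netmask. Anything other
    than exactly one valid split is rejected rather than guessed.
    """
    parts = re.split(r"[\s/]+", value.strip())
    if len(parts) == 2:
        candidates = [tuple(parts)]
    else:
        candidates = [(value[:i], value[i:]) for i in range(1, len(value))]
    found = []
    for addr, mask in candidates:
        try:
            ipaddress.IPv4Address(addr)
            ipaddress.IPv4Network("0.0.0.0/" + mask)  # raises on a non-contiguous mask
        except ValueError:
            continue
        found.append((addr, mask))
    if len(found) != 1:
        raise ValueError("ambiguous or invalid subnet field %r: %s" % (value, found))
    return found[0]


def convert_v76_to_v74(key_b64, tunnel_ip=""):
    """Rebuild a v7.6 key in the v7.4 layout; returns (new_key, warnings).

    tunnel_ip lets the operator choose the spoke tunnel address (the article's
    worked example moves it into the hub's tunnel subnet); when empty the
    v7.6 value is carried over unchanged and checked against that subnet.
    """
    src = decode_key(key_b64)
    if detect_format(src) != "7.6":
        raise ValueError("input is not a v7.6-style key")
    hub_ip, hub_mask = split_subnet(src["hubTunnelSubnet"])
    hub_net = ipaddress.IPv4Network(hub_ip + "/" + hub_mask, strict=False)
    warnings = []
    # The v7.4 wizard builds IKEv1 tunnels regardless of what the key asked for.
    if str(src.get("ikeVersion", "1")) != "1":
        warnings.append("key requests IKEv%s; the v7.4 wizard creates IKEv1, set "
                        "ike-version manually on one side" % src["ikeVersion"])
    spoke_ip = tunnel_ip or src["tunnelIp"]
    if ipaddress.IPv4Address(spoke_ip) not in hub_net:
        warnings.append("tunnelIp %s is outside hub tunnel subnet %s" % (spoke_ip, hub_net))
    dst = {
        "hubGatewayIp": src["hubGatewayIp"],
        "hubTunnel": hub_ip,
        "hubIndentifier": int(src["hubIdentifier"]),
        "indentifier": str(src["identifier"]),
        "hubIdentifier": int(src["hubIdentifier"]),
        "identifier": str(src["identifier"]),
        "tunnelIp": spoke_ip,
    }
    return encode_key(dst), warnings


# Constructed input: the article's decoded v7.6.4 key, re-encoded here because
# the article only shows the decoded form.
SAMPLE_V76_KEY = encode_key({
    "hubGatewayIp": "10.128.202.126", "hubTunnelSubnet": "10.10.1.1255.255.255.0",
    "hubTunnelIp": "10.10.0.1", "hubIdentifier": "65001", "identifier": "65001",
    "tunnelIp": "10.10.0.2", "ikeVersion": "2",
})

if __name__ == "__main__":
    print("input format:", detect_format(decode_key(SAMPLE_V76_KEY)))
    new_key, warns = convert_v76_to_v74(SAMPLE_V76_KEY, tunnel_ip="10.10.1.2")
    print(json.dumps(decode_key(new_key)))
    for w in warns:
        print("WARNING:", w)
```

Running the script on a key before pasting it into the wizard shows immediately whether it is a v7.6- or v7.4-style key, so a mismatch is caught before the wizard silently leaves fields empty. The converter refuses anything it cannot classify, and rejects a hubTunnelSubnet value that does not split into exactly one valid address/netmask pair instead of guessing.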

Note: As documented above, the ADVPN easy configuration for FortiOS v7.6 and v7.4 differ in terms of what IKE version is selected by the wizard. When using an easy key converted from v7.6 on a spoke running v7.4, the VPN tunnel's IKE version will stay as version 1 (the default for IPsec tunnels created by the wizard on FortiOS v7.4). Therefore, it is necessary to change the IKE version of the VPN tunnel manually (on either the v7.6 Hub or the v7.4 Spokes) so that they match on both ends.

 

However, make sure to copy the settings of the VPN tunnel before changing the version, as certain settings (like the encryption proposal) may change when altering the IKE version:

config vpn ipsec phase1-interface
    edit 'TUNNEL_NAME'
        set ike-version [1 | 2]
    next
end