sagha
Staff
Description
This article describes why ADVPN shortcuts between Spokes sometimes do not establish, even though ADVPN works between the Hub and the Spoke.

Solution
Explanation.
If the connectivity between Hub and Spoke works correctly, the IKE debugs can be checked to analyze the details of the ADVPN shortcut negotiation.

IKE debugs:
# diag debug reset
# diag debug application ike -1
# diag debug console timestamp enable
# diag debug en
ike 0:FGT-ADVPN-HUB-1:17: notify msg received: SHORTCUT-OFFER
ike 0:FGT-ADVPN-HUB-1: shortcut-offer 172.26.22.22->172.10.10.1 psk 64 ppk 0 ver 1 mode 0
ike 0 looking up shortcut by addr 172.10.10.1, name FGT-ADVPN-HUB-1
In the debugs, the ADVPN shortcut-offer is received.
The issue arises with the ADVPN Shortcut-Reply by the Spoke.

ike 0:FGT-ADVPN-HUB-1:17: notify msg received: SHORTCUT-REPLY
ike 0:FGT-ADVPN-HUB-1: recv shortcut-reply 17386919350863387436 3d31b000f3a4cb20/918e5c255a8451ca 10.10.50.1 to 172.26.22.22 psk 64 ppk 0 ver 1 mode 0 ext-mapping 0.0.0.0:0
ike 0:FGT-ADVPN-HUB-1: iif 28 172.10.10.1->172.26.22.22 route lookup oif 12 root
ike 0:FGT-ADVPN-HUB-1: shortcut-reply received from 10.10.50.1:500, local-nat=no, peer-nat=no
ike 0:FGT-ADVPN-HUB-1: created connection: 0xdd3cdb0 5 10.10.10.2->10.10.50.1:500.
ike 0:FGT-ADVPN-HUB-1: adding new dynamic tunnel for 10.10.50.1:500
ike 0:FGT-ADVPN-HUB-1: could not create dialup name FGT-ADVPN-HUB-1_0, too long
ike 0:FGT-ADVPN-HUB-1: deleting
ike 0:FGT-ADVPN-HUB-1: deleted
ike 0:FGT-ADVPN-HUB-1: schedule auto-negotiate
In the above debugs, the shortcut cannot be established because of the character limit on the VPN interface name: the debug output states explicitly that the new name for the shortcut tunnel (FGT-ADVPN-HUB-1_0) would be too long.

In the above scenario, on the Spoke the phase1-interface is configured as follows:
# config vpn ipsec phase1-interface
    edit "FGT-ADVPN-HUB-1"
        set interface "wan1"
        set keylife 28800
        set peertype any
        set net-device enable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set dhgrp 14
        set auto-discovery-receiver enable
        set remote-gw x.x.x.x
        set psksecret ENC
        set dpd-retryinterval 5
    next
FGT-ADVPN-HUB-1 = 15 characters in total.

Solution.
There is a limitation in the maximum number of characters available when configuring the Phase 1 Interface name parameters for an IPsec VPN tunnel on the FortiGate unit.
The IPsec VPN interface name is limited to 15 characters.

With the VPN name 'FGT-ADVPN-HUB-1' already using all 15 characters, the FortiGate cannot append the extra characters required when establishing the shortcut: the shortcut interface would be named FGT-ADVPN-HUB-1_0, which exceeds the limit.

With ADVPN tunnels it is recommended to use shorter tunnel names in order to avoid the situation described above.

1) If the phase1 IPsec ADVPN interface name is 14 characters long or more, any shortcut will fail.
2) If the phase1 IPsec ADVPN interface name is 13 characters long, the 10th shortcut will fail.
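As an added illustration (this script is not part of the article and not a Fortinet tool), the check below scans a FortiGate phase1-interface configuration for ADVPN-enabled tunnels and reports the highest shortcut suffix index that still fits within the 15-character interface-name limit. It assumes that shortcut interfaces are named <phase1-name>_<index> with the index counting up from 0, as seen in the debug line for FGT-ADVPN-HUB-1_0; the sample configuration is constructed for the example.

```python
import re

IFNAME_MAX = 15  # FortiGate IPsec interface-name limit described in the article


def max_shortcut_index(phase1_name: str, limit: int = IFNAME_MAX) -> int:
    """Largest index k for which f"{phase1_name}_{k}" still fits in `limit` chars.

    Returns -1 when even "_0" does not fit, i.e. every shortcut would fail.
    Assumption: shortcuts are named <phase1>_<k> with k starting at 0.
    """
    digits_room = limit - len(phase1_name) - 1  # characters left for the digits of k
    if digits_room < 1:
        return -1
    return 10 ** digits_room - 1  # every k with at most `digits_room` digits fits


def audit_advpn_names(config_text: str) -> dict:
    """Map each ADVPN-enabled phase1-interface name to its max shortcut index."""
    section = re.search(
        r'config vpn ipsec phase1-interface\n(.*?)\nend', config_text, re.S)
    if not section:
        return {}
    results = {}
    for entry in re.finditer(r'edit "([^"]+)"\n(.*?)\n\s*next', section.group(1), re.S):
        name, body = entry.group(1), entry.group(2)
        # Only tunnels acting as ADVPN sender or receiver ever create shortcuts.
        if re.search(r'set auto-discovery-(?:receiver|sender) enable', body):
            results[name] = max_shortcut_index(name)
    return results


# Constructed sample: the article's 15-char name, a 10-char ADVPN name, and a
# 14-char tunnel without ADVPN (which is unaffected by the shortcut naming).
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "FGT-ADVPN-HUB-1"
        set interface "wan1"
        set auto-discovery-receiver enable
        set remote-gw x.x.x.x
    next
    edit "ADVPN-HUB1"
        set interface "wan1"
        set auto-discovery-receiver enable
        set remote-gw x.x.x.x
    next
    edit "SITE-TO-SITE-1"
        set interface "wan1"
        set remote-gw x.x.x.x
    next
end
"""

if __name__ == "__main__":
    for name, idx in audit_advpn_names(SAMPLE_CONFIG).items():
        status = "every shortcut will fail" if idx < 0 else f"shortcuts _0.._{idx} fit"
        print(f"{name!r} ({len(name)} chars): {status}")
```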
