Description
This article describes possible reasons why ADVPN shortcuts between Spokes do not establish despite the ADVPN working as intended between the Hub and Spoke.
Scope
FortiGate.
Solution
Explanation.
If the connectivity between Hub and Spoke works correctly, it is possible to check the IKE debugs to further analyze the details for the ADVPN shortcut.
IKE debugs:
diag debug reset
diag debug application ike -1
diag debug console timestamp enable
diag debug en
ike 0:FGT-ADVPN-HUB-1:17: notify msg received: SHORTCUT-OFFER
ike 0:FGT-ADVPN-HUB-1: shortcut-offer 172.26.22.22->172.10.10.1 psk 64 ppk 0 ver 1 mode 0
ike 0 looking up shortcut by addr 172.10.10.1, name FGT-ADVPN-HUB-1
In the debug logs above, the ADVPN shortcut-offer is received.
The issue arises with the ADVPN Shortcut-Reply by the Spoke.
ike 0:FGT-ADVPN-HUB-1:17: notify msg received: SHORTCUT-REPLY
ike 0:FGT-ADVPN-HUB-1: recv shortcut-reply 17386919350863387436 3d31b000f3a4cb20/918e5c255a8451ca 10.10.50.1 to 172.26.22.22 psk 64 ppk 0
ver 1 mode 0 ext-mapping 0.0.0.0:0
ike 0:FGT-ADVPN-HUB-1: iif 28 172.10.10.1->172.26.22.22 route lookup oif 12 root
ike 0:FGT-ADVPN-HUB-1: shortcut-reply received from 10.10.50.1:500, local-nat=no, peer-nat=no
ike 0:FGT-ADVPN-HUB-1: created connection: 0xdd3cdb0 5 10.10.10.2->10.10.50.1:500.
ike 0:FGT-ADVPN-HUB-1: adding new dynamic tunnel for 10.10.50.1:500
ike 0:FGT-ADVPN-HUB-1: could not create dialup name FGT-ADVPN-HUB-1_0, too long
ike 0:FGT-ADVPN-HUB-1: deleting
ike 0:FGT-ADVPN-HUB-1: deleted
ike 0:FGT-ADVPN-HUB-1: schedule auto-negotiate
In the above debug logs, the shortcut is unable to be established because of the character limit for VPN names. It is clearly indicated that the new name for the shortcut tunnel would be too long.
In the above scenario, the phase-1 interface on the Spoke is configured as follows:
config vpn ipsec phase1-interface
edit "FGT-ADVPN-HUB-1"
set interface "wan1"
set keylife 28800
set peertype any
set net-device enable
set proposal aes256-sha256
set add-route disable
set dpd on-idle
set dhgrp 14
set auto-discovery-receiver enable
set remote-gw x.x.x.x
set psksecret ENC
set dpd-retryinterval 5
next
FGT-ADVPN-HUB-1 = In total, 15 characters are being used.
Fix.
There is a limitation in the maximum number of characters available when configuring the Phase 1 Interface name parameters for an IPsec VPN tunnel on the FortiGate unit.
The IPsec VPN interface name is limited to 15 characters.
With the VPN name configured as 'FGT-ADVPN-HUB-1' having already 15 characters, FortiGate will not be able to accept more characters, which are required while establishing the shortcut as this would be FGT-ADVPN-HUB-1_0 and the limit would be passed.
With ADVPN tunnels, it is recommended to use tunnels with shorter names in order to avoid the situation described above.
- If the phase1 IPsec ADVPN interface name is 14 characters long or more, any shortcut will fail.
- If the phase1 IPsec ADVPN interface name is 13 characters long, the 10th shortcut will fail.
From FortiOS v6.2.6 and v6.4.3 onward with phase1 parameter 'net-device disable', the tunnel name character limit is increased to 35 characters.
