ezhupa, Staff
Article Id 283504
Description: This article describes IPsec dial-up VPN issues seen after upgrading to 7.0.13 or 7.2.6 when multiple dial-up phase1 interfaces are configured on a hub/dial-up server.
Scope: FortiGate.
Solution: When a FortiGate acts as a hub/dial-up server with multiple phase1 configurations whose phase2 selectors overlap (for example, 0.0.0.0/0 on every tunnel), these dial-up IPsec phase1 interfaces may flap.
The overlapping phase2 selectors cause this issue.

Currently, the available solutions are:
  1. Configure specific phase2 selectors so that the phase2 configurations do not overlap (avoid using 0.0.0.0/0 on all tunnels).

  2. If routing (static or dynamic) to the dial-up peers is already in place, disable 'add-route' under the phase1 configuration; it is enabled by default.

    config vpn ipsec phase1-interface
        edit <name of phase1>
            set add-route disable
        next
    end

  3. Allow route-overlap under the phase2 configuration on the hub/dial-up server.

    config vpn ipsec phase2-interface
        edit <name of phase2>
            set route-overlap allow
        next
    end

After performing these changes, the issue should be resolved.
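To check an existing configuration backup for this condition before or after an upgrade, the following Python script (an added example, not Fortinet's code) parses the `vpn ipsec phase1-interface` and `vpn ipsec phase2-interface` tables from a FortiOS config backup and reports pairs of dial-up (`type dynamic`) phase1 interfaces whose phase2 selectors overlap while `add-route` is still enabled and `route-overlap` is not set to `allow`. The embedded sample configuration is constructed for illustration. The script assumes the plain `config`/`edit`/`set`/`next`/`end` layout of a FortiOS backup, treats missing settings as their defaults (`add-route enable`, `0.0.0.0 0.0.0.0` selectors, and a `route-overlap` value other than `allow`), and flags a pair only when both phase1 interfaces still install routes; those rules are the script's own assumptions.

```python
"""Audit a FortiOS config backup for overlapping dial-up phase2 selectors.

Added example (not Fortinet's code). Assumes the config/edit/set/next/end
text layout of a FortiOS configuration backup.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: two dial-up phase1s both using 0.0.0.0/0 selectors,
# plus an unrelated static site-to-site tunnel that must not be flagged.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "dialup-sales"
        set type dynamic
        set interface "wan1"
        set add-route enable
    next
    edit "dialup-eng"
        set type dynamic
        set interface "wan1"
    next
    edit "site-to-site-dc"
        set type static
        set remote-gw 203.0.113.10
    next
end
config vpn ipsec phase2-interface
    edit "dialup-sales-p2"
        set phase1name "dialup-sales"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
    edit "dialup-eng-p2"
        set phase1name "dialup-eng"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
    edit "site-to-site-dc-p2"
        set phase1name "site-to-site-dc"
        set src-subnet 10.10.0.0 255.255.0.0
        set dst-subnet 10.20.0.0 255.255.0.0
    next
end
"""


def parse_tables(text):
    """Return {table: {entry: {key: value}}} for top-level config tables.

    Nested 'config' blocks inside an entry are skipped (stack depth > 1)
    so that their own edit/set/next lines do not pollute the parent entry.
    """
    tables = defaultdict(dict)
    stack = []      # names of the config tables currently open
    entry = None    # current 'edit' name inside the top-level table
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end":
            stack.pop()
        elif len(stack) != 1:
            continue  # inside a nested block (or outside any table)
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip().strip('"')
            tables[stack[0]].setdefault(entry, {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            tables[stack[0]][entry][key] = value.strip().strip('"')
        elif line == "next":
            entry = None
    return tables


def to_network(subnet_value):
    """Convert a FortiOS '<ip> <netmask>' value into an ip_network."""
    ip, mask = subnet_value.split()
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def find_overlapping_dialup_selectors(text):
    """Return (phase1_a, phase2_a, phase1_b, phase2_b) tuples at risk of flapping."""
    tables = parse_tables(text)
    phase1s = tables["vpn ipsec phase1-interface"]
    dialup = [name for name, s in phase1s.items() if s.get("type") == "dynamic"]

    # Group phase2 selectors by the phase1 they belong to; FortiOS defaults
    # to 0.0.0.0 0.0.0.0 when src-/dst-subnet is not set explicitly.
    selectors = defaultdict(list)
    for p2name, s in tables["vpn ipsec phase2-interface"].items():
        selectors[s.get("phase1name", "")].append((
            p2name,
            to_network(s.get("src-subnet", "0.0.0.0 0.0.0.0")),
            to_network(s.get("dst-subnet", "0.0.0.0 0.0.0.0")),
            s.get("route-overlap", "") == "allow",
        ))

    findings = []
    for i, a in enumerate(dialup):
        for b in dialup[i + 1:]:
            # add-route defaults to enable; if either side no longer installs
            # routes (mitigation 2 above) the pair cannot conflict.
            if phase1s[a].get("add-route", "enable") != "enable":
                continue
            if phase1s[b].get("add-route", "enable") != "enable":
                continue
            for na, src_a, dst_a, allow_a in selectors.get(a, []):
                for nb, src_b, dst_b, allow_b in selectors.get(b, []):
                    overlap = src_a.overlaps(src_b) and dst_a.overlaps(dst_b)
                    # Conservative: require route-overlap allow on both sides
                    # (mitigation 3 above) before treating the pair as safe.
                    if overlap and not (allow_a and allow_b):
                        findings.append((a, na, b, nb))
    return findings


if __name__ == "__main__":
    for p1a, p2a, p1b, p2b in find_overlapping_dialup_selectors(SAMPLE_CONFIG):
        print(f"overlap: {p1a}/{p2a} <-> {p1b}/{p2b}")
```

Run it against a saved backup by reading the file into a string and passing it to `find_overlapping_dialup_selectors`; an empty result means none of the three conditions that make the pair conflict are present, while each tuple names the two dial-up phase1/phase2 pairs that still need one of the mitigations above.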