FortiGate
sfernando
Staff
Article Id 389221
Description

This article describes a setup with one dial-up IPsec server (HUB) and multiple dial-up clients (spokes).

In this setup, the first dial-up client connects successfully, but as soon as the second dial-up client tries to connect, the tunnel of the first dial-up client goes down.

Scope
FortiGate, Dialup IPsec.
Solution

Below is a basic configuration of the Dialup server and Dialup client.

 

HUB:

config vpn ipsec phase1-interface
   edit "HUB"
      set type dynamic
      set interface "port1"
      set mode aggressive
      set peertype one
      set net-device enable
      set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
      set peerid "HUB"
      set psksecret ENC IoTQEEHgsL8UspCfTc8p
   next
end

 

Spokes:

config vpn ipsec phase1-interface
   edit "SPK1"
      set interface "port2"
      set mode aggressive
      set peertype any
      set net-device enable
      set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
      set localid "HUB"
      set dpd on-idle
      set remote-gw 10.56.244.59
      set psksecret ENC lCQw+Z5ZmeXFeIZC0mEem3L4aD2IEZw==
   next
   edit "SPK2"
      set interface "port2"
      set mode aggressive
      set peertype any
      set net-device enable
      set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
      set localid "HUB"
      set dpd on-idle
      set remote-gw 10.56.244.59
      set psksecret ENC gZB1M1+uT6nbTYlou8aj5a
   next
end

 

In the above setup, after spoke-1 has connected successfully, spoke-2 tries to connect and spoke-1 goes down, so only one spoke can be connected at any given time.

The reason for this is that on the HUB end, the default behavior is 'set add-route enable'.

With add-route enabled, the HUB automatically adds a route to the first spoke once its tunnel is established. When the second spoke tries to connect, one of two things happens: either the route is replaced by one pointing to the second spoke, which brings the first spoke down, or the first route is kept, which prevents spoke-2 from connecting.

 

The solution is to disable add-route on the dial-up server with 'set add-route disable':

 

config vpn ipsec phase1-interface
   edit "HUB"
      set type dynamic
      set interface "port2"
      set mode aggressive
      set peertype one
      set net-device disable
      set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
      set add-route disable <----- Disable on the dialup server.
      set dpd on-idle
      set peerid "HUB"
      set psksecret ENC Ik1f7
   next
end
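To catch this condition before it bites, the following added script (not from this article or from Fortinet) parses a saved 'config vpn ipsec phase1-interface' section and reports every dynamic (dial-up server) phase1 entry that still relies on the default add-route enable. The embedded configuration is constructed for the example; 'ENC PLACEHOLDER' stands in for a real encrypted pre-shared key.

```python
# Constructed sample config (not taken from a real device): a dial-up HUB phase1
# with no explicit add-route line (so the default "enable" applies) and a plain
# site-to-site tunnel that is not a dial-up server.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "HUB"
        set type dynamic
        set interface "port2"
        set mode aggressive
        set peertype one
        set net-device disable
        set peerid "HUB"
        set psksecret ENC PLACEHOLDER
    next
    edit "SITE-B"
        set interface "port1"
        set remote-gw 192.0.2.10
        set psksecret ENC PLACEHOLDER
    next
end
"""


def parse_phase1(config_text):
    """Return {tunnel_name: {setting: value}} for every 'edit' block inside
    'config vpn ipsec phase1-interface'. Values keep the full text after the key."""
    tunnels, current, in_section = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config vpn ipsec phase1-interface":
            in_section = True
        elif in_section and line.startswith("edit "):
            current = line[5:].strip().strip('"')
            tunnels[current] = {}
        elif in_section and current and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            tunnels[current][key] = value.strip()
        elif line == "next":
            current = None
        elif line == "end":
            in_section = False
    return tunnels


def dialup_add_route_findings(config_text):
    """Names of dynamic phase1 entries where add-route is not explicitly disabled,
    i.e. dial-up servers that will show the one-spoke-at-a-time symptom."""
    return [
        name for name, settings in parse_phase1(config_text).items()
        if settings.get("type") == "dynamic"
        and settings.get("add-route", "enable") != "disable"
    ]
```

With add-route disabled the HUB no longer learns routes to spoke networks from the tunnel, so reachability to the spokes must come from static routes over the tunnel interface or from a dynamic routing protocol; check with 'get router info routing-table all' once both spokes are up.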

 

Note:

Refer to the KB article 'Technical Tip: Use of PeerID and LocalID in IPsec VPN between two FortiGates' for setting up the dial-up server and dial-up client IPsec tunnel.