FortiGate
slautenschlager
Article Id 193193

Description

 

This article describes the 15-character limit that FortiOS places on VPN interface names.

It explains how to choose IPsec VPN phase1 names so that tunnels, including dialup tunnels, stay within that limit.


Scope


FortiOS.

Solution

 

When creating an IPsec tunnel, the Phase 1 interface name on the FortiGate is subject to a character limit: an IPsec VPN interface name cannot exceed 15 characters.

 

Below are a few scenarios on how this character limit works:

  • For a site-to-site VPN tunnel, the limit is straightforward: the phase1-interface name itself must not exceed 15 characters, as shown below (16 characters are rejected):

    HomeGate # config vpn ipsec phase1-interface
    HomeGate (phase1-interface) # edit x123456789012345
    string value is too long. the size is 16, the limit is 15

  • When a dialup client connects to an IPsec phase1 called 'P1', the dialup interface created after a successful negotiation is named 'P1_<n>', where <n> is the index of the tunnel. The length of '_<n>' is not predictable in advance, but it is at least 2 characters ('_' plus one digit).
    • For a dial-up IPsec VPN with net-device enabled, the '_<n>' suffix counts toward the 15-character limit.

      Consequences for dynamic phase1 users using interface mode:

      The IPsec dialup interface will be named <phase1>_n, where n is the index of the tunnel (starting at 0), and the full dialup name, suffix included, must be 15 characters or less.

      If the phase1 IPsec dialup interface name is 14 characters long or more, every tunnel will fail, because even the first tunnel needs two extra characters.

      For example, with the 14-character name Tunnels_with15:

      The interface names Tunnels_with15_0 and Tunnels_with15_1 would be 16 characters long, more than the 15 allowed.

      If the phase1 IPsec dialup interface name is 13 characters long, the 11th tunnel (index 10) will fail.

      For example, with Tunnels_with1:

      The interface names Tunnels_with1_10 and Tunnels_with1_11 would be 16 characters long.

      If the phase1 IPsec dialup interface name is 12 characters long, the 101st tunnel (index 100) will fail.

      For example, with Tunnels_with:

      The interface names Tunnels_with_100 and Tunnels_with_101 would be 16 characters long.

    • For a dial-up IPsec VPN with net-device disabled, starting with FortiOS 6.2.2 the '_<n>' suffix is not counted toward the phase1 name length limit. The consequences and limitations above therefore do not apply to a dialup client's tunnel name when net-device is disabled, and <phase1>_n may exceed 15 characters.


In an ADVPN scenario, the hub must have net-device disabled, while the spokes need net-device enabled for shortcut tunnels.

The hub's dialup IPsec VPN name can therefore be up to 15 characters, and spokes can connect to it without any issue.

The spoke's IPsec VPN name, however, should be at most 13 characters. That allows the creation of at most 10 shortcut tunnels (indices 0 to 9); the 11th shortcut will fail because its interface name would be 16 characters long.
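The following script is an added example and is not Fortinet code or FortiOS output. It models the rule described above for dialup tunnels and for the ADVPN spoke case: a phase1 name must fit in 15 characters, and with net-device enabled the dialup interface name '<phase1>_<n>' (n starting at 0) must fit as well, while with net-device disabled (FortiOS 6.2.2 and later) the suffix is not counted. The 15-character limit and the naming pattern come from the article; the function names, the planning helper for ADVPN and the sample names are assumptions made for this example.

```python
"""Added example (not Fortinet code): plan FortiOS IPsec phase1 names against the
15-character interface name limit. The limit, the "<phase1>_<n>" dialup naming and
the net-device behaviour are taken from the article; helper names are assumptions."""

MAX_IFNAME = 15  # FortiOS interface name limit, in characters


def phase1_name_fits(phase1):
    """Any phase1-interface name (site-to-site or dialup) must itself fit."""
    return 0 < len(phase1) <= MAX_IFNAME


def dialup_name(phase1, index):
    """Name FortiOS gives the dialup tunnel with 0-based index <index>."""
    return f"{phase1}_{index}"


def max_dialup_tunnels(phase1, net_device=True):
    """Number of dialup tunnels that can be brought up before a name exceeds the limit.

    net-device enabled : the "_<n>" suffix counts, so the answer depends on how many
                         digits of <n> still fit after the name and the '_'.
    net-device disabled: from FortiOS 6.2.2 the suffix is not counted, so only the
                         phase1 name itself must fit; None means "no limit from naming".
    """
    if not phase1_name_fits(phase1):
        return 0                      # the phase1 itself cannot be created
    if not net_device:
        return None
    digits = MAX_IFNAME - len(phase1) - 1   # characters left for <n> after the '_'
    if digits <= 0:
        return 0                      # even "<phase1>_0" is too long
    return 10 ** digits               # indices 0 .. 10**digits - 1 all fit


def first_failing_tunnel(phase1, net_device=True):
    """(index, name) of the first dialup tunnel that cannot be created, or None."""
    limit = max_dialup_tunnels(phase1, net_device)
    if limit is None:
        return None
    return limit, dialup_name(phase1, limit)


def check_advpn_names(hub_phase1, spoke_phase1, shortcuts):
    """Warnings for an ADVPN design: hub has net-device disabled, spokes have it
    enabled, and each shortcut tunnel on the spoke is named "<spoke_phase1>_<n>"."""
    warnings = []
    if not phase1_name_fits(hub_phase1):
        warnings.append(f"hub phase1 '{hub_phase1}' exceeds {MAX_IFNAME} characters")
    allowed = max_dialup_tunnels(spoke_phase1, net_device=True)
    if allowed < shortcuts:
        idx, name = first_failing_tunnel(spoke_phase1, net_device=True)
        warnings.append(
            f"spoke phase1 '{spoke_phase1}' allows {allowed} shortcut tunnels; "
            f"shortcut #{idx + 1} would need '{name}' ({len(name)} characters)"
        )
    return warnings


if __name__ == "__main__":
    # Sample names taken from the article plus two constructed ADVPN names.
    for name in ("Tunnels_with15", "Tunnels_with1", "Tunnels_with", "ca-yvr-ipsec-tn"):
        print(f"{name:16} net-device enabled: max {max_dialup_tunnels(name)} tunnels, "
              f"first failure {first_failing_tunnel(name)}")
    print(check_advpn_names("HubDialup-15chr", "SpokeAdvpn-13", 20))
```

Running the script prints 0, 10, 100 and 0 tunnels for the four names, with the first failing names Tunnels_with15_0, Tunnels_with1_10, Tunnels_with_100 and ca-yvr-ipsec-tn_0, and warns that the 13-character spoke name supports only 10 of the 20 requested shortcuts.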

 

The ike debug output below shows a dialup IPsec tunnel with net-device enabled whose phase1 name (ca-yvr-ipsec-tn, already 15 characters) leaves no room for the '_<n>' suffix, so the first tunnel, ca-yvr-ipsec-tn_0, cannot be created:

 

ike 0:ca-yvr-ipsec-tn: could not create dialup name ca-yvr-ipsec-tn_0, too long