slautenschlager
Article Id 193193

Description

 

This article describes the FortiOS requirement that a VPN interface name is limited to 15 characters, and some considerations for tunnels with multiple phase1 associations.


Scope


FortiGate.

Solution

 

When creating an IPsec tunnel, there is a character limit for the tunnel name on the FortiGate. The IPsec VPN interface name is limited to 15 characters.

 

  • For a site-to-site VPN tunnel, the character limit is straightforward: the tunnel name must not exceed 15 characters, as shown below:

    HomeGate # config vpn ipsec phase1-interface
    HomeGate (phase1-interface) # edit 0123456789abcdef
    string value is too long. the size is 16, the limit is 15

  • When an IPsec dialup interface is created, there may be an additional character limit. After an IPsec phase 1 security association is created, it is given a name of the form '<tunnel_name>_<n>'. The number of characters required for '_<n>' is dynamic but is always at least 2 ('_' plus one hexadecimal digit). There are 16 hexadecimal digits (0, 1, 2, ..., d, e, f).

Whether the suffix length is counted towards the character limit depends on the phase1-interface net-device setting.

config vpn ipsec phase1-interface
     edit "tunnel_name"
          set net-device <enable | disable>
     next
end

  • For an IPsec VPN where the dial-up gateway has net-device enabled, the '_<n>' suffix counts towards the phase1 name length limit.

     

Consequences for dynamic (dialup) phase1 tunnels in interface mode with net-device enabled:

If the phase1 name is already 14 or 15 characters long, every dialup tunnel will fail.


config vpn ipsec phase1-interface
     edit "ca-yvr-ipsec-tn"
     next
end

The interface name 'ca-yvr-ipsec-tn_0' would have more than 15 characters, so it is not allowed, and the tunnel is not created. The following IKE debug output on the dialup hub side shows the error:

ike 0:ca-yvr-ipsec-tn: could not create dialup name ca-yvr-ipsec-tn_0, too long

 

If the phase 1 IPsec dialup interface name is 13 characters long, one hexadecimal digit is allowed (0 to f, 16 values), and the 17th tunnel will fail. If the phase1 IPsec dialup interface name is 12 characters long, two hexadecimal digits are allowed (up to ff, 256 values), and the 257th tunnel will fail.

  • For a dial-up IPsec VPN with net-device disabled, in FortiOS 6.2.2 and later, the '_<n>' suffix does not count towards the phase1 name length limit and the consequences above do not apply: '<tunnel_name>_<n>' can exceed 15 characters.


Note for ADVPN:
In ADVPN deployments, hub FortiGates have net-device disabled, and spoke FortiGates generally have net-device enabled to support shortcut tunnels. With that configuration, a hub FortiGate can have a dialup IPsec VPN name of up to 15 characters, and spokes can connect to it without running into the character limit.

 

However, a spoke device's IPsec tunnel name is effectively limited to 13 characters, which allows the creation of 16 shortcut tunnels; the 17th shortcut will fail. If more shortcut tunnels are required, a shorter name should be used.
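The following is an added planning helper, not code from Fortinet or from this article: it models the naming rule described above (15-character interface name, '_<n>' suffix in hexadecimal counted only when net-device is enabled) so that a dialup or ADVPN spoke name can be checked before deployment. It assumes the suffix index starts at 0 and is written in lower-case hex without leading zeros, as the '_0' example in the debug output suggests.

```python
from typing import Optional

# Added example (not Fortinet's code). Models the FortiOS rule from this
# article: an IPsec VPN interface name is limited to 15 characters, and with
# net-device enabled the dynamic '_<n>' suffix (n in hex) counts towards it.
# Assumption: n starts at 0 and is printed as lower-case hex, no leading zeros.

MAX_IFNAME_LEN = 15  # FortiOS limit for an IPsec VPN interface name


def dialup_interface_name(phase1_name: str, n: int) -> str:
    """Name given to the n-th dialup SA: '<tunnel_name>_<n>' with n in hex."""
    return f"{phase1_name}_{n:x}"


def check_phase1_name(phase1_name: str) -> None:
    """Reject names the CLI itself refuses ('string value is too long')."""
    if len(phase1_name) > MAX_IFNAME_LEN:
        raise ValueError(
            f"string value is too long. the size is {len(phase1_name)}, "
            f"the limit is {MAX_IFNAME_LEN}"
        )


def first_failing_tunnel(phase1_name: str, net_device: bool) -> Optional[int]:
    """1-based number of the first dialup/shortcut tunnel that cannot be created
    because '<tunnel_name>_<n>' exceeds 15 characters, or None when there is
    no such limit (net-device disabled, FortiOS 6.2.2 and later)."""
    check_phase1_name(phase1_name)
    if not net_device:
        return None  # suffix is not counted towards the limit
    # Room left for '_<n>': '_' takes one character, the rest is hex digits.
    hex_digits = MAX_IFNAME_LEN - len(phase1_name) - 1
    if hex_digits < 1:
        return 1  # even '<name>_0' is too long: every tunnel fails
    # Indices 0 .. 16**hex_digits - 1 fit; the next index needs one more digit.
    return 16 ** hex_digits + 1


def max_tunnels(phase1_name: str, net_device: bool) -> Optional[int]:
    """How many concurrent dialup/shortcut tunnels a name allows (None = no limit)."""
    first_fail = first_failing_tunnel(phase1_name, net_device)
    return None if first_fail is None else first_fail - 1


if __name__ == "__main__":
    # Constructed sample names: the article's hub name plus 13-, 12- and 11-char spokes.
    for name in ("ca-yvr-ipsec-tn", "0123456789abc", "0123456789ab", "spoke-advpn"):
        print(f"{name:16} net-device enabled -> max tunnels: {max_tunnels(name, True)}")
```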