| Description |
This article describes why the local gateway option does not automatically update when the WAN interface IP address changes. The following image shows part of the IPSec tunnel configuration with the local gateway option enabled.
Below is the CLI configuration for Image 1.
config vpn ipsec phase1-interface edit "VPN" set interface "port3" set local-gw 172.31.1.178 set peertype any set net-device disable set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set remote-gw 26.52.26.35 set psksecret next end |
| Scope | FortiGate. |
| Solution |
In the GUI, when selecting either the primary or secondary IP, the FortiGate saves the chosen IP under local-gw. However, this process is static, meaning that if the WAN IP changes, the tunnel will not automatically update and will remain configured with the original IP. The tunnel will then appear as follows:
In the tunnel, the local gateway is automatically switched to Specify, but the tunnel continues to use the previous IP address.
If the public IP changes frequently, one solution is to disable the local gateway for the tunnel. In the FortiGate configuration, it will appear as follows:
config vpn ipsec phase1-interface edit "VPN" set type static set interface "port3" set ip-version 4 set ike-version 1 set local-gw 0.0.0.0 ... next end
The local-gw is set to 0.0.0.0, allowing the IPSec tunnel to utilize the primary IP address of the WAN interface.
Troubleshooting case from which an issue could happens: When the local gateway is defined and the interface has a dynamic IP address attributed (DHCP or PPPoE) as explained above, the following debug output could be related:
diagnose debug application ike -1 ...
Related document: Technical Tip: How to fix 'gw validation failed' error, IPsec Dial-up using IKEv2 |
