ssanga, Staff & Editor
Article Id 414965
Description

This article explains a known issue where an IPsec tunnel configuration is deleted after a device reboot if the peertype is set to dialup and a system password-policy is enforced for IPsec pre-shared keys.

This occurs because VPN tunnels with 'set peertype dialup' do not support pre-shared key authentication, yet in the affected firmware the tunnel's pre-shared key was still incorrectly checked for compliance with the password-policy, and the tunnel was rejected when the configuration was loaded.

Scope

FortiGate v7.4.8, v7.6.4, and all earlier firmware versions supporting system password-policy.
Solution

If a system password-policy is enforced for IPsec pre-shared keys, a VPN configured with the 'Dialup Group' peertype is removed after a reboot.

config system password-policy
    set status enable
    set apply-to ipsec-preshared-key
end

config vpn ipsec phase1-interface
    edit "RAVPN"    <-- in affected firmware versions, will be removed after reboot.
        set peertype dialup
        set usrgrp "test-grp"
    next
end

 

Example configuration:

  1. Enable password-policy and apply it to IPsec pre-shared keys:

config system password-policy
    set status enable
    set apply-to ipsec-preshared-key
end

  2. If a user group does not exist, configure a local user and add it to a group:

config user local
    edit "test"
        set type password
        set passwd anypassword1234
    next
end

config user group
    edit "test-group"
        set member "test"
    next
end

  3. Create a Remote Access-Type VPN using the VPN Creation Wizard with a pre-shared key complying with the password policy, and add any user group.

[Screenshot: Wizard.png]

  4. Once the tunnel is created, select Convert to Custom Tunnel and modify the Peer Options as shown below.

[Screenshot: Peeroptions.png]

  5. Reboot the device.
  6. After the reboot, the dial-up IPsec VPN configuration is lost, and the config-error-log shows the commands that failed:


FGT # diagnose debug config-error-log read
.
>>> "next" @ root.vpn.ipsec.phase1-interface.RAVPN:failed command (error 1)
>>> "set" "phase1name" "RAVPN" @ root.vpn.ipsec.phase2-interface.RAVPN:value parse error (error -3)
>>> "next" @ root.vpn.ipsec.phase2-interface.RAVPN:failed command (error 1)
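Before rebooting a unit that runs an affected build, an administrator can check a configuration backup for the combination described above. The following Python script is an added example written for this article and is not Fortinet code: it parses the FortiOS CLI text format (config/edit/set/next/end), checks whether the system password-policy is enabled with apply-to including ipsec-preshared-key, and lists the phase1-interface entries that have peertype dialup. The configuration embedded in it is constructed for the example; the tunnel names, interface, addresses and placeholder secrets are not from a real device.

```python
import shlex
from collections import defaultdict

# Constructed sample of a FortiOS configuration backup (not from a real device).
# It contains the triggering combination: password-policy applied to IPsec
# pre-shared keys plus a phase1-interface with 'set peertype dialup'.
SAMPLE_CONFIG = """\
config system password-policy
    set status enable
    set apply-to admin-password ipsec-preshared-key
    set minimum-length 12
end
config user group
    edit "test-group"
        set member "test"
    next
end
config vpn ipsec phase1-interface
    edit "RAVPN"
        set type dynamic
        set interface "port1"
        set peertype dialup
        set usrgrp "test-group"
        set psksecret ENC placeholder-not-a-real-secret
        config ipv4-exclude-range
            edit 1
                set start-ip 10.10.10.1
                set end-ip 10.10.10.10
            next
        end
    next
    edit "SITE-A"
        set interface "port1"
        set peertype any
        set remote-gw 203.0.113.10
        set psksecret ENC placeholder-not-a-real-secret
    next
end
"""


def parse_fortios_config(text):
    """Parse FortiOS CLI text into {(section, edit_name): {key: [values]}}.

    'section' is the argument string of the innermost 'config' line (for example
    "vpn ipsec phase1-interface"); 'edit_name' is None for settings that sit
    directly under a 'config' block. Nested 'config' blocks inside an 'edit' are
    tracked with a stack so that their settings do not leak into the parent entry.
    """
    settings = defaultdict(dict)
    sections = []   # stack of section names
    edits = []      # parallel stack holding the current 'edit' name per section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)   # honours quoted names such as "test-group"
        except ValueError:
            tokens = line.split()        # fall back on unbalanced quotes
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            sections.append(" ".join(args))
            edits.append(None)
        elif cmd == "edit" and sections:
            edits[-1] = args[0] if args else ""
            settings.setdefault((sections[-1], edits[-1]), {})
        elif cmd == "next" and edits:
            edits[-1] = None
        elif cmd == "end" and sections:
            sections.pop()
            edits.pop()
        elif cmd == "set" and sections and args:
            settings[(sections[-1], edits[-1])][args[0]] = args[1:]
    return dict(settings)


def psk_policy_enforced(cfg):
    """True when the password-policy is enabled and applies to IPsec pre-shared keys."""
    policy = cfg.get(("system password-policy", None), {})
    return (policy.get("status") == ["enable"]
            and "ipsec-preshared-key" in policy.get("apply-to", []))


def dialup_phase1_tunnels(cfg):
    """Names of phase1-interface entries configured with 'set peertype dialup'."""
    return sorted(name for (section, name), kv in cfg.items()
                  if section == "vpn ipsec phase1-interface"
                  and name is not None and kv.get("peertype") == ["dialup"])


def tunnels_at_risk(text):
    """Dialup phase1 tunnels that the affected builds would drop on reboot."""
    cfg = parse_fortios_config(text)
    if not psk_policy_enforced(cfg):
        return []
    return dialup_phase1_tunnels(cfg)


if __name__ == "__main__":
    for name in tunnels_at_risk(SAMPLE_CONFIG):
        print(f"phase1-interface {name}: peertype dialup with PSK policy enforced")
```

Run the script against a saved backup by replacing SAMPLE_CONFIG with the file contents; an empty result means the backup does not contain the combination, and each name printed is a dialup tunnel that the affected firmware would reject when loading the configuration.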

This issue has been resolved in:

  • v7.4.9 (available to download from the Fortinet support portal).
  • v7.6.5 (scheduled to be released in November 2025).
  • v8.0.0 (scheduled to be released in February 2026).

These timelines for firmware release are estimates and may be subject to change.