sagha
Staff
Article Id 193042

Description

 

This article describes possible reasons why ADVPN shortcuts between Spokes do not establish despite the ADVPN working as intended between the Hub and Spoke.

 

Scope

 

FortiGate.


Solution

 

Explanation.

 

If the connectivity between Hub and Spoke works correctly, it is possible to check the IKE debugs to further analyze the details for the ADVPN shortcut.

IKE debugs:

diag debug reset
diag debug application ike -1
diag debug console timestamp enable
diag debug en

ike 0:FGT-ADVPN-HUB-1:17: notify msg received: SHORTCUT-OFFER
ike 0:FGT-ADVPN-HUB-1: shortcut-offer 172.26.22.22->172.10.10.1 psk 64 ppk 0 ver 1 mode 0
ike 0 looking up shortcut by addr 172.10.10.1, name FGT-ADVPN-HUB-1

 

In the debug logs above, the ADVPN shortcut-offer is received correctly.
The issue arises when the Spoke processes the ADVPN Shortcut-Reply:

 

ike 0:FGT-ADVPN-HUB-1:17: notify msg received: SHORTCUT-REPLY
ike 0:FGT-ADVPN-HUB-1: recv shortcut-reply 17386919350863387436 3d31b000f3a4cb20/918e5c255a8451ca 10.10.50.1 to 172.26.22.22 psk 64 ppk 0 ver 1 mode 0 ext-mapping 0.0.0.0:0
ike 0:FGT-ADVPN-HUB-1: iif 28 172.10.10.1->172.26.22.22 route lookup oif 12 root
ike 0:FGT-ADVPN-HUB-1: shortcut-reply received from 10.10.50.1:500, local-nat=no, peer-nat=no
ike 0:FGT-ADVPN-HUB-1: created connection: 0xdd3cdb0 5 10.10.10.2->10.10.50.1:500.
ike 0:FGT-ADVPN-HUB-1: adding new dynamic tunnel for 10.10.50.1:500
ike 0:FGT-ADVPN-HUB-1: could not create dialup name FGT-ADVPN-HUB-1_0, too long
ike 0:FGT-ADVPN-HUB-1: deleting
ike 0:FGT-ADVPN-HUB-1: deleted
ike 0:FGT-ADVPN-HUB-1: schedule auto-negotiate

 

In the debug logs above, the shortcut cannot be established because of the character limit on VPN interface names. The line 'could not create dialup name FGT-ADVPN-HUB-1_0, too long' shows that the name generated for the shortcut tunnel (the parent tunnel name plus a '_0' suffix) would exceed the limit, so the dynamic tunnel is deleted immediately after it is created.

In the above scenario, the phase-1 interface on the Spoke is configured as follows:

 

config vpn ipsec phase1-interface
    edit "FGT-ADVPN-HUB-1"
        set interface "wan1"
        set keylife 28800
        set peertype any
        set net-device enable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set dhgrp 14
        set auto-discovery-receiver enable
        set remote-gw x.x.x.x
        set psksecret ENC
        set dpd-retryinterval 5
    next
end

 

The name 'FGT-ADVPN-HUB-1' already uses 15 characters in total.


Fix.


The Phase 1 interface name of an IPsec VPN tunnel on a FortiGate unit has a maximum length: the IPsec VPN interface name is limited to 15 characters.

When a shortcut is established, FortiGate derives the shortcut tunnel name from the parent tunnel name by appending a suffix. With the VPN name 'FGT-ADVPN-HUB-1' already using all 15 characters, the shortcut name would be FGT-ADVPN-HUB-1_0, which exceeds the limit, so the shortcut cannot be created.

With ADVPN tunnels, it is therefore recommended to use shorter tunnel names in order to leave room for the shortcut suffix and avoid the situation described above.

 

  1. If the phase1 IPsec ADVPN interface name is 14 characters long or more, any shortcut will fail.
  2. If the phase1 IPsec ADVPN interface name is 13 characters long, the 10th shortcut will fail.

From FortiOS v6.2.6 and v6.4.3 onward with phase1 parameter 'net-device disable', the tunnel name character limit is increased to 35 characters.
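As an added offline pre-check (example code, not from the article or from Fortinet), the script below parses a phase1-interface block, applies the 15-character limit described above (or 35 when the caller states that 'net-device disable' on a supporting FortiOS version is in use), counts how many shortcut names of the form name_N still fit, and extracts the 'too long' failure line from IKE debug output. The second tunnel name and the sample config and debug excerpt are constructed for the example.

```python
import re

# Constructed sample config (not from the article): the Spoke entry shown above,
# plus a hypothetical second tunnel with a shorter name and net-device disabled.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "FGT-ADVPN-HUB-1"
        set net-device enable
        set auto-discovery-receiver enable
    next
    edit "ADVPN-HUB1"
        set net-device disable
        set auto-discovery-receiver enable
    next
end
"""
# Constructed excerpt of the 'diag debug application ike -1' failure line.
SAMPLE_DEBUG = "ike 0:FGT-ADVPN-HUB-1: could not create dialup name FGT-ADVPN-HUB-1_0, too long\n"

def parse_phase1(config):
    """Map each phase1-interface name to its 'set net-device' value (None if unset)."""
    tunnels, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r'edit "([^"]+)"', line):
            current = m.group(1)
            tunnels[current] = None
        elif current and (m := re.match(r"set net-device (enable|disable)", line)):
            tunnels[current] = m.group(1)
    return tunnels

def name_limit(net_device, long_names_supported=False):
    """15 chars; 35 with 'net-device disable' on FortiOS 6.2.6/6.4.3+. Unset = 15 (conservative assumption)."""
    return 35 if net_device == "disable" and long_names_supported else 15

def shortcut_headroom(name, limit):
    """Count shortcut names <name>_<n> (n from 0, as in the debug) that fit: n = 0..10**d-1."""
    digits = limit - len(name) - 1          # digit positions left after the underscore
    return 10 ** digits if digits > 0 else 0

def check_advpn_names(config, long_names_supported=False):
    """Return {tunnel name: shortcuts that fit}; 0 means even the first shortcut (_0) fails."""
    return {name: shortcut_headroom(name, name_limit(nd, long_names_supported))
            for name, nd in parse_phase1(config).items()}

def find_name_failures(debug_output):
    """Pull the over-long shortcut names out of IKE debug output."""
    return re.findall(r"could not create dialup name (\S+), too long", debug_output)
```

Running check_advpn_names(SAMPLE_CONFIG) reports 0 for 'FGT-ADVPN-HUB-1', matching the failure in the debug output, while find_name_failures(SAMPLE_DEBUG) returns the offending generated name.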