FortiGate
seyuboglu (Staff)
Article Id 345071
Description This article describes how to troubleshoot the error 'object check operator error, -138, discard the setting / Command fail. Return code 1', which is returned when a second dialup-user IPsec tunnel is added with the same peer ID as an existing tunnel but on a different IP version.
Scope FortiGate v7.2.x.
Solution

The error 'The peer name is being used by another IPsec gateway (NAME OF THE TUNNEL) object check operator error, -138, discard the setting Command fail. Return code 1' is expected behaviour when two dialup-user IPsec tunnels are configured with the same peer ID and the same local gateway on the same interface: with interface, local gateway and peer ID all identical, FortiOS has no way to tell the two gateways apart when a peer presents that ID, so the second tunnel is rejected.

 

Two dialup-user IPsec tunnels of the same IP version can share a peer ID on the same interface as long as each binds a different local gateway.

 

Example 1:

 

config vpn ipsec phase1-interface
    edit "IPV4DialupTun1"
        set type dynamic
        set interface "port1"   <----- Same port.
        set ike-version 2
        set local-gw 1.1.1.1  <----- Local gateway must be different.
        set peertype one
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 8.8.8.8
        set proposal aes256-sha256
        set dpd on-idle
        set dhgrp 21
        set eap enable
        set eap-identity send-request
        set peerid "FORTINET"    <----- Same peer ID.
        set assign-ip-from name
        set ipv4-split-include "all"
        set ipv4-name "SSLVPN_TUNNEL_ADDR1"
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret ENC jUohZzc/NHhTk7FBoYcLz/GcCp0PtlmQLH/4aA==
        set dpd-retryinterval 60
    next
    edit "IPV4DialupTun2"
        set type dynamic
        set interface "port1"   <----- Same port.
        set ike-version 2
        set local-gw 2.2.2.2  <----- Local gateway must be different.
        set peertype one
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 8.8.8.8
        set proposal aes256-sha256
        set dpd on-idle
        set dhgrp 21
        set peerid "FORTINET"    <----- Same peer ID.
        set assign-ip-from name
        set ipv4-split-include "all"
        set ipv4-name "SSLVPN_TUNNEL_ADDR2"
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret ENC nh1bQTK4n0EBsFYKeRLSM8N5EueX774A==
        set dpd-retryinterval 60
    next
end

 

  • Both tunnels are created without error.
  • The error appears only when the same peer ID is configured on tunnels of different IP versions.

 

Example 2:

 

config vpn ipsec phase1-interface
    edit "IPV4DialupTun1"
        set type dynamic
        set interface "port1"   <----- Same port.
        set ike-version 2
        set local-gw 1.1.1.1
        set peertype one
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 8.8.8.8
        set proposal aes256-sha256
        set dpd on-idle
        set dhgrp 21
        set eap enable
        set eap-identity send-request
        set peerid "FORTINET"    <----- Same peer ID.
        set assign-ip-from name
        set ipv4-split-include "all"
        set ipv4-name "SSLVPN_TUNNEL_ADDR1"
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret ENC jUohZzc/NHhTk7FBoYcLz/GcCp0PtlmQLH/4aA==
        set dpd-retryinterval 60
    next

 

  • The first (IPv4) tunnel is created without error.
  • When the second tunnel is configured on IPv6 with the same peer ID, the commit fails as shown in the transcript below. (The plaintext pre-shared key typed in the transcript is example input only; a production tunnel should use a long random secret.)

 

Fortigate (phase1-interface) # edit "IPV6DialupTun1" 
new entry 'IPV6DialupTun1' added
Fortigate (IPV6DialupTun1) # set type dynamic
Fortigate (IPV6DialupTun1) # set interface port1
Fortigate (IPV6DialupTun1) # set ip-version 6  <----- IPv6.
Fortigate (IPV6DialupTun1) # set ike-version 2
Fortigate (IPV6DialupTun1) # set local-gw6 2001:bf0:48::123
Fortigate (IPV6DialupTun1) # set peertype one
Fortigate (IPV6DialupTun1) # set net-device disable
Fortigate (IPV6DialupTun1) # set mode-cfg enable
Fortigate (IPV6DialupTun1) # set ipv6-dns-server1 2001:bf0:48::122
Fortigate (IPV6DialupTun1) # set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
Fortigate (IPV6DialupTun1) # set dpd on-idle
Fortigate (IPV6DialupTun1) # set dhgrp 21
Fortigate (IPV6DialupTun1) # set peerid "FORTINET" <----- Same Peer ID.
Fortigate (IPV6DialupTun1) # set assign-ip-from name
Fortigate (IPV6DialupTun1) # set ipv4-split-include "all"
Fortigate (IPV6DialupTun1) # set ipv4-name "SSLVPN_TUNNEL_ADDR2"
Fortigate (IPV6DialupTun1) # set client-auto-negotiate enable
Fortigate (IPV6DialupTun1) # set client-keep-alive enable
Fortigate (IPV6DialupTun1) # set psksecret fortinet
Fortigate (IPV6DialupTun1) # set dpd-retryinterval 60
Fortigate (IPV6DialupTun1) # next
The peer name is being used by another IPsec gateway (IPV6DialupTun1)
object check operator error, -138, discard the setting
Command fail. Return code 1 <----- Error message will be shown and tunnel will not be created. 

 

  • This configuration should be accepted, because the two tunnels use different IP versions and therefore bind different local gateways; the rejection is a defect in the object check.
  • The issue is fixed in v7.2.9, v7.4.5 and v7.6.0; upgrade to one of these releases or later. On earlier builds the check fires only on a matching peer ID, so the IPv6 dialup tunnel can be created with a different peer ID (and the IPv6 clients configured to present it) until the firewall is upgraded.
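The rule the article describes (same interface, same peer ID and same local gateway is a real conflict; the same peer ID on a different local gateway or a different IP version is not) can be checked offline before a configuration is pushed. The Python below is an added example for this article, not Fortinet code and not any FortiOS internal logic: it parses a 'config vpn ipsec phase1-interface' fragment and reports dialup-gateway pairs that would be rejected. The sample configuration is constructed to mirror the article's tunnels plus one genuinely colliding entry; the default values used for an unset local gateway and the way the pre-fix check is modelled (same peer ID across IP versions conflicts regardless of local gateway) are assumptions made to reproduce Example 2, not behaviour the article documents.

```python
"""Pre-flight check for a FortiOS 'config vpn ipsec phase1-interface' fragment.
Added example for this article, not Fortinet code: it applies the peer-ID
uniqueness rule the article describes for dialup (type dynamic) gateways."""
import re

SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*?)\s*$')

# Constructed sample modelled on the article: two IPv4 dialup gateways with
# distinct local gateways, one IPv6 gateway, and one IPv4 gateway that
# genuinely collides with IPV4DialupTun1 (same interface and local-gw).
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "IPV4DialupTun1"
        set type dynamic
        set interface "port1"
        set local-gw 1.1.1.1
        set peerid "FORTINET"
    next
    edit "IPV4DialupTun2"
        set type dynamic
        set interface "port1"
        set local-gw 2.2.2.2
        set peerid "FORTINET"
    next
    edit "IPV6DialupTun1"
        set type dynamic
        set interface "port1"
        set ip-version 6
        set local-gw6 2001:bf0:48::123
        set peerid "FORTINET"
    next
    edit "IPV4DialupDup"
        set type dynamic
        set interface "port1"
        set local-gw 1.1.1.1
        set peerid "FORTINET"
    next
end
"""


def parse_phase1(config_text):
    """Return {tunnel_name: {setting: value}} for each 'edit ... next' entry.
    Values are unquoted; ip-version defaults to 4 as on FortiOS."""
    tunnels, current = {}, None
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith('edit '):
            name = stripped[len('edit '):].strip().strip('"')
            current = tunnels.setdefault(name, {'ip-version': '4'})
        elif stripped == 'next':
            current = None
        elif current is not None:
            m = SET_RE.match(line)
            if m:
                current[m.group(1)] = m.group(2).strip('"')
    return tunnels


def local_gateway(settings):
    """Local gateway the tunnel binds: local-gw6 for ip-version 6, else local-gw.
    The unset defaults are an assumption so two gateways left unset compare equal."""
    if settings['ip-version'] == '6':
        return settings.get('local-gw6', '::')
    return settings.get('local-gw', '0.0.0.0')


def find_conflicts(tunnels, fixed_firmware=True):
    """Return [(name_a, name_b, reason)] for dialup gateway pairs FortiOS rejects.
    fixed_firmware=True is the rule the article states as correct (v7.2.9, v7.4.5,
    v7.6.0 and later): same interface, peer ID and local gateway conflict; different
    IP versions never do. fixed_firmware=False models the older check as 'same
    interface and peer ID across IP versions conflicts regardless of local gateway';
    that model is an assumption chosen to reproduce Example 2, not documented logic."""
    dialup = [(n, s) for n, s in tunnels.items()
              if s.get('type') == 'dynamic' and 'peerid' in s]
    conflicts = []
    for i, (name_a, a) in enumerate(dialup):
        for name_b, b in dialup[i + 1:]:
            if a.get('interface') != b.get('interface') or a['peerid'] != b['peerid']:
                continue
            if a['ip-version'] == b['ip-version']:
                if local_gateway(a) == local_gateway(b):
                    conflicts.append((name_a, name_b, 'same interface, peer ID and local gateway'))
            elif not fixed_firmware:
                conflicts.append((name_a, name_b, 'same peer ID on different IP versions (pre-fix check)'))
    return conflicts


if __name__ == '__main__':
    tunnels = parse_phase1(SAMPLE_CONFIG)
    for label, fixed in (('fixed firmware', True), ('pre-fix firmware', False)):
        print(f'{label}:')
        for a, b, reason in find_conflicts(tunnels, fixed):
            print(f'  {a} vs {b}: {reason}')
```

Run against the sample, the fixed-firmware rule flags only IPV4DialupTun1 against IPV4DialupDup (same port, same peer ID, same local-gw 1.1.1.1), while the pre-fix model additionally flags every IPv4/IPv6 pair that shares the peer ID, which is the rejection the article's transcript shows. Feed the tool the output of 'show vpn ipsec phase1-interface' from a firewall on an affected build to see which planned tunnels would hit the check before the upgrade.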