pdelapena
Article Id 318849
Description This article describes why recreating a VPN with the IPsec Wizard Hub-and-Spoke template fails in the last step with the error 'Unable to setup VPN': a local address group with the same name already exists from the previous VPN configuration.
Scope FortiGate.
Solution

When a VPN is recreated with the IPsec Wizard Hub-and-Spoke template using the same IPsec name as the old one, the wizard fails in its last step.

The wizard cannot create the local address group because the old VPN configuration left behind an address group with that name that was never deleted.

kb1.jpg

The quickest fix is to use a new IPsec name. To reuse the old IPsec name, first remove everything the old VPN left behind: all references to the VPN tunnel, the tunnel itself, the local address objects (including the address group), and the related BGP configuration.

  1. Delete all references to the IPsec Phase1 interface (Firewall Policy and Phase2 Interface).

kb2.png

  2. Remove the VPN tunnel.

kb3.png

  3. Delete the BGP neighbor associated with this VPN. If it is not deleted, the issue described in the article 'VPN creation using the Hub-and-Spoke template in IPsec Wizard cannot proceed further while in Step 4...' will occur.

kb4.png

  4. Delete the local address object(s) and the address group they belong to. If these objects are left in place, they conflict with the objects the IPsec Wizard tries to create again under the same names, causing the error.

kb5.png

Retry recreating the VPN; it should now be set up successfully.

kb6.png
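The four steps above are done in the GUI, and it is easy to miss one reference. As an added example (not part of this article or of FortiOS), the following Python script scans a FortiOS configuration backup for every entry still named after, or referring to, the old tunnel, lists them in the article's removal order (references, tunnel, BGP neighbor, then the address group before its member objects, since FortiOS refuses to delete an object that is still referenced), and renders the matching CLI delete commands. The embedded configuration is constructed for the example; the tunnel name "HubVPN" and the "<name>_local" / "<name>_local_subnet_1" object names are assumptions about the wizard's naming, not taken from the article.

```python
import shlex

# Constructed sample of a FortiOS configuration backup (not a real device dump).
# It holds the remnants of an old Hub-and-Spoke tunnel named "HubVPN"; the
# "<name>_local" group and "<name>_local_subnet_1" object names are assumed.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "HubVPN"
        set type dynamic
        set interface "port1"
    next
end
config vpn ipsec phase2-interface
    edit "HubVPN"
        set phase1name "HubVPN"
    next
end
config firewall address
    edit "HubVPN_local_subnet_1"
        set subnet 10.1.0.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "HubVPN_local"
        set member "HubVPN_local_subnet_1"
    next
end
config firewall policy
    edit 5
        set srcintf "HubVPN"
        set dstintf "port2"
    next
    edit 6
        set srcintf "port2"
        set dstintf "port1"
    next
end
config router bgp
    set as 65000
    config neighbor
        edit "10.10.10.2"
            set interface "HubVPN"
            set remote-as 65000
        next
    end
end
"""

# Removal order following the article's steps: references first, then the
# tunnel, then the BGP neighbor, then the address group before its members
# (FortiOS refuses to delete an object that is still referenced elsewhere).
DELETE_ORDER = [
    "firewall policy",
    "vpn ipsec phase2-interface",
    "vpn ipsec phase1-interface",
    "router bgp > neighbor",
    "firewall addrgrp",
    "firewall address",
]


def find_tunnel_leftovers(config_text, tunnel_name):
    """Return a list of (section, entry) for every entry that is named after
    the tunnel or still refers to it in a 'set' value, in removal order."""
    prefix = tunnel_name + "_"
    hits = set()
    path = []       # stack of open 'config ...' sections
    entries = []    # stack of open 'edit' entries (nested under router bgp)
    for raw in config_text.splitlines():
        toks = shlex.split(raw)   # strips the double quotes FortiOS uses
        if not toks:
            continue
        kw, args = toks[0], toks[1:]
        section = " > ".join(path)
        if kw == "config":
            path.append(" ".join(args))
        elif kw == "edit":
            name = args[0] if args else ""
            entries.append(name)
            if name == tunnel_name or name.startswith(prefix):
                hits.add((section, name))
        elif kw == "next":
            entries.pop()
        elif kw == "end":
            path.pop()
        elif kw == "set" and entries:
            if any(v == tunnel_name or v.startswith(prefix) for v in args[1:]):
                hits.add((section, entries[-1]))
    rank = {name: i for i, name in enumerate(DELETE_ORDER)}
    return sorted(hits, key=lambda h: (rank.get(h[0], len(rank)), h[1]))


def cleanup_commands(leftovers):
    """Render the leftovers as FortiOS CLI delete commands in removal order."""
    lines = []
    for section, entry in leftovers:
        parts = section.split(" > ")
        lines += [f"config {p}" for p in parts]
        target = entry if entry.isdigit() else f'"{entry}"'
        lines.append(f"    delete {target}")
        lines += ["end"] * len(parts)
    return "\n".join(lines)


if __name__ == "__main__":
    print(cleanup_commands(find_tunnel_leftovers(SAMPLE_CONFIG, "HubVPN")))
```

Run it against a backup taken from System > Configuration > Backup (or `show full-configuration` saved to a file) with the old IPsec name; an empty result means the wizard can reuse that name. Review the generated commands before applying them, since any policy that matches is deleted outright rather than edited.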
