FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
Nur
Staff
Article Id 398812
Description

This article describes the error that occurs when FortiManager pushes a VPN configuration containing the domain command to a FortiGate.


------- Start to retry --------

XXXXXXX1 config vdom
XXXXXXX1 (vdom) edit vXXX
current vf=vXXX
XXXXXXX1 (vXXX) config vpn ipsec phase1-interface
XXXXXXX1 (phase1-interface) edit "RXXXX"
XXXXXXX1 (RXXXX) set domain "testing.com"
XXXXXXX1 (RXXXX) next
XXXXXXX1 (phase1-interface) end
XXXXXXX1 (vXXX) end


---> generating verification report
(vdom vdom-a: vpn ipsec phase1-interface "RXXXX":domain)
remote original:
to be installed: "testing.com"

<--- done generating verification report

 install failed

Scope

FortiManager and FortiGate.
Solution

To ensure FortiManager can push the configuration, first check which IKE version the VPN uses. If the VPN is configured for IKEv1, enable the domain setting as below:


config vpn ipsec phase1-interface
    edit "test"
        set type dynamic
        set mode-cfg enable
        set domain "testing.com"
    next
end


If the VPN is configured for IKEv2, the setting cannot be enabled: IKEv2 does not support the Unity extensions, so the 'set domain' configuration is not available for FortiOS IKEv2.


Hence, if the error above occurs, consider using IKEv1 rather than IKEv2 for that tunnel.
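The following pre-flight check is an added example and is not part of this article or of any Fortinet tool. It parses a FortiOS-style `config vpn ipsec phase1-interface` block (a constructed sample is embedded) and flags every phase1 entry that sets `domain` while running IKEv2, which is exactly the combination that makes the FortiManager install above fail. It assumes the entries carry the FortiOS `set ike-version` setting and, as FortiOS does, treats a missing `ike-version` as IKEv1; the entry names and addresses in the sample are invented.

```python
"""
Pre-flight check for the FortiManager/FortiGate failure described above.

Parses a FortiOS-style `config vpn ipsec phase1-interface` block and flags
every phase1 entry that sets `domain` while running IKEv2, since FortiOS
IKEv2 does not support the Unity extension that `set domain` relies on.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: one IKEv1 entry that is fine, one IKEv2 entry that would
# make a FortiManager install fail, and one entry that omits ike-version
# (FortiOS defaults this to 1). Names and addresses are invented.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "test"
        set type dynamic
        set ike-version 1
        set mode-cfg enable
        set domain "testing.com"
    next
    edit "RXXXX"
        set type dynamic
        set ike-version 2
        set mode-cfg enable
        set domain "testing.com"
    next
    edit "site-b"
        set type static
        set remote-gw 203.0.113.10
    next
end
"""

_SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*)$')
_EDIT_RE = re.compile(r'^\s*edit\s+"?([^"]+)"?\s*$')


def parse_phase1(config_text: str) -> Dict[str, Dict[str, str]]:
    """Return {entry_name: {setting: value}} for each `edit ... next` block
    inside `config vpn ipsec phase1-interface`. Quotes around values are
    stripped; anything outside that section is ignored."""
    entries: Dict[str, Dict[str, str]] = {}
    in_section = False
    current: Optional[str] = None
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped == "config vpn ipsec phase1-interface":
            in_section = True
            continue
        if not in_section:
            continue
        if stripped == "end":
            break
        m = _EDIT_RE.match(line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        if stripped == "next":
            current = None
            continue
        m = _SET_RE.match(line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2).strip().strip('"')
    return entries


def ike_version(settings: Dict[str, str]) -> int:
    """FortiOS treats a missing ike-version as IKEv1."""
    return int(settings.get("ike-version", "1"))


def find_domain_on_ikev2(config_text: str) -> List[str]:
    """Names of phase1 entries that set `domain` under IKEv2; these are the
    entries whose install from FortiManager fails as shown in the log above."""
    return [
        name for name, settings in parse_phase1(config_text).items()
        if "domain" in settings and ike_version(settings) == 2
    ]


if __name__ == "__main__":
    for name in find_domain_on_ikev2(SAMPLE_CONFIG):
        print(f'phase1-interface "{name}": set domain is not supported with IKEv2')
```

Run it against a FortiGate configuration backup (or the phase1 section copied from the FortiManager device database) before an install; any name it prints needs either the domain setting removed or the tunnel moved to IKEv1, as the Solution above describes.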