Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
HughOD
New Contributor

Changed ISPs, can't get VPN to come back up

On a FortiWiFi 90D, we changed our ISP and now we can't get out IPSec VPN with our phone vendor back up.  Nothing else has changed.

 

We changed:

[ol]
  • System...Network...Interfaces... wan2[ul]
  • IP/Network Mask from old IP to 67.x.x.158/255.255.255.252[/ul]
  • Router...Static...Static Routes on Device wan2[ul]
  • Gateway from old IP to 67.x.x.157[/ul]
  • VPN...IPSec...Tunnels.."Our Tunnel"[ul]
  • Phase 1 Proposal... Local ID to our new WAN IP address[/ul][/ol]

    I can't think of anything else that would need to change, however, we keep getting the following error in the Event Log:

         Log Description:  IPsec phase 1 error

         Message:  IPsec phase 1

         Outgoing Interface:  wan2      Peer Notification:  INVALID-ID-INFORMATION

         Reason:  peer notification      Status:  negotiate_error

     

    I've taken over this router (used to SonicWalls), so if you need more info for anything from CLI, please let me know.

     

    Any ideas????

     

    Thanks!

  • 4 REPLIES 4
    EMES
    Contributor

    Try and put the old LocalID back in. The other side is expecting that ID and wont take the new one unless the other side is reconfigured. Was anything at the phone vendor reconfigured, Usually with an ISP change you need to reconfigure all remote sides of a tunnel unless its only using the localID for verificaiton.

    rwpatterson
    Valued Contributor III

    Did you also change the peer IP on the remote unit? It needs to know where the other end has moved to.

    Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com

    HughOD
    New Contributor

    I'm sorry.  I neglected to mention that the phone vendor updated their side to match our new IP settings as well.

     

    They have an Adtran and have the Peer Address matching our WAN IP and their RemoteID set as "IP Address" and matching our WAN IP address as well.

     

    I'm just at a loss on what else to try.  I will say, no matter what I put in the Phase 1 - Local ID field... I get the same error.

     

    Attached is their side of the VPN.

    rwpatterson
    Valued Contributor III

    Have you tried downing both sides of the tunnel and bringing them back up? I would need to see more of the P1 and P2 settings to add any more here.

    Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com