jamolloy
New Contributor

Multiple Dialup Clients - Single Remote Gateway

Hoping for some clarity on an issue I am experiencing. 

We have a partnership with an organization with 16+ remote sites all over our city. These sites connect to their WAN using 1-2 public IPs at their main office and have no interest in playing nice when it comes to static IP/NAT assignment for us.

 

I have been tasked with configuring six FG-80F (OS 7.0.5) appliances to connect to our FG-100F (OS 7.0.1) at our datacenter.

 

Each “remote site” has its own /28 local subnet, with 4-6 devices connected at each. We will exist inside their network in our own little bubble(s).

 

Configuring each of these 80Fs as dialup clients with “behind NAT enabled”, I have set the Phase1 with specific Client/Peer IDs, unique Pre-shared Keys, and set Aggressive IKEv1. Phase2 is set with unique named subnets, with the respective /28 network set.

 

The issue I have is it appears only 1 device will connect at a time – it was my understanding the unique Peer IDs/aggressive mode would resolve this. I have had “luck” tinkering with configs and bringing a second one online at the same time (dumb luck), but a reboot kills the connection and once again, only 1 will reconnect.

 

Here is the config on one of the remote devices:

 

config vpn ipsec phase1-interface
    edit "Site1-to-DT"
        set interface "wan1"
        set keylife 86400
        set mode aggressive
        set peertype one
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 des-md5
        set localid "6"
        set dpd on-idle
        set peerid "6"
        set psksecret ENC REDACTED
    next
end

config vpn ipsec phase2-interface
    edit "Site1-to-DT"
        set phase1name "Site1-to-DT"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
        set auto-negotiate enable
        set src-addr-type name
        set dst-addr-type name
        set keylifeseconds 43200
        set src-name "Site1-to-DT_local"
        set dst-name "Site1-to-DT_remote"
    next
end

 

Here is the config for Site1 on our main FG-100F:

 

config vpn ipsec phase1-interface
    edit "Site1-NAT"
        set type dynamic
        set interface "wan1"
        set keylife 86400
        set mode aggressive
        set peertype one
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 des-md5
        set localid "6"
        set dpd on-idle
        set peerid "6"
        set psksecret ENC REDACTED
        set dpd-retryinterval 60
    next
end

config vpn ipsec phase2-interface
    edit "Site1-NAT"
        set phase1name "Site1-NAT"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
        set keepalive enable
        set src-addr-type name
        set dst-addr-type name
        set keylifeseconds 43200
        set src-name "DT-Site1_local"
        set dst-name "DT-Site1_remote"
    next
end

 

 

Debug shows nothing super interesting, other than phase1 cannot be established:

 

ike 0:Site1-to-DT:0: sent IKE msg (agg_i1send): xxx.xxx.xxx.x:500->DataCenterIP:500, len=733, vrf=0, id=ebb80440a37b0ae9/0000000000000000
ike 0:Site1-to-DT:Site1-to-DT: IPsec SA connect 5 xxx.xxx.xxx.x->DataCenterIP:0
ike 0:Site1-to-DT:Site1-to-DT: using existing connection
ike 0:Site1-to-DT:Site1-to-DT: config found
ike 0:Site1-to-DT:Site1-to-DT: IPsec SA connect 5 xxx.xxx.xxx.x->DataCenterIP:500 negotiating
ike 0:Site1-to-DT:0:Site1-to-DT:0: ISAKMP SA still negotiating, queuing quick-mode request
ike 0:Site1-to-DT:0: out
ike 0:Site1-to-DT:0: sent IKE msg (P1_RETRANSMIT): xxx.xxx.xxx.x:500->DataCenterIP:500, len=733, vrf=0, id=ebb80440a37b0ae9/0000000000000000
ike 0:Site1-to-DT:Site1-to-DT: IPsec SA connect 5 xxx.xxx.xxx.x->DataCenterIP:0
ike 0:Site1-to-DT:Site1-to-DT: using existing connection
ike 0:Site1-to-DT:Site1-to-DT: config found
ike 0:Site1-to-DT: request is on the queue

 

 

I have no packet loss on the Datacenter Fortigate and have verified port 500 traffic is being received from the remote NAT IP.

 

Turning off the devices and waiting until the key lifetime has expired enables me to bring another device online. Am I missing something here? Is it not possible to have two dialup clients from the same remote gateway IP at the same time? It sure does feel like a real-life use case to me.

 

Other referenced materials (plus a LOT of Google Searching):

Technical Tip: How to use Peer IDs to select an IP... - Fortinet Community

 

4 REPLIES
pkavin
Staff

Hello, 

 

You could use overlay-id in your configuration to separate IPsec VPN tunnels based on the IDs configured. This is not the same as peer ID, and it is a Fortinet-proprietary feature, so it will only work for VPN tunnels between FortiGates. But, as you mentioned that you are creating VPN tunnels between FortiGates, you should not have any issues. Below is an article on how to configure overlay-id.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-multiple-VPN-tunnels-from...

 

 

Kavin
Toshi_Esumi
Esteemed Contributor III

If you have one phase1-interface per remote site, just one pair of "peerid" and "localid" should let the "DT" side identify which phase1 is for the request from one remote location like in this KB.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Use-of-PeerID-and-LocalID-in-IPsec-VPN-bet...

It's not really "dialup" so to speak, where one phase1 terminates multiple locations or VPN client devices.

 

I'm not sure if it would work well (apparently working in your case) when you configure the same "ID=6" on both peerid and localid on one side as in your config. Just make sure you use a unique ID per remote location. I would use something like "remote1", "remote2", etc.

 

Toshi
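A hub/spoke configuration pair that applies the advice in this thread (one phase1 per site on the hub, a distinct ID per remote, the hub's peerid matching the spoke's localid rather than the same value on both sides), as an added example and not configuration from the original post, from any reply, or from Fortinet's KB. The subnets, the ID strings "hub-dc"/"remote1"/"remote2", the hub WAN address 203.0.113.10, the address-object names and the PSK placeholders are all assumptions; the example also drops the des-md5 and SHA-1 proposals that the posted configs accept. Lines beginning with # are annotations, not FortiOS CLI syntax, and should be removed before pasting.

```fortios
# Hub (FG-100F). With "type dynamic" and "peertype one", the hub selects
# the phase1 for an incoming aggressive-mode request by the ID the spoke
# sends, so hub peerid == spoke localid and every site gets its own value.
# All names, IDs, subnets and 203.0.113.10 are placeholders (assumed).
config firewall address
    edit "DT_local"
        set subnet 10.0.0.0 255.255.255.0
    next
    edit "Site1_LAN"
        set subnet 10.10.1.0 255.255.255.240
    next
    edit "Site2_LAN"
        set subnet 10.10.2.0 255.255.255.240
    next
end
config vpn ipsec phase1-interface
    edit "Site1-NAT"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype one
        set net-device enable
        set proposal aes256-sha256 aes128-sha256
        set dpd on-idle
        set localid "hub-dc"
        set peerid "remote1"
        set psksecret <unique-psk-for-site1>
    next
    edit "Site2-NAT"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype one
        set net-device enable
        set proposal aes256-sha256 aes128-sha256
        set dpd on-idle
        set localid "hub-dc"
        set peerid "remote2"
        set psksecret <unique-psk-for-site2>
    next
end
config vpn ipsec phase2-interface
    edit "Site1-NAT"
        set phase1name "Site1-NAT"
        set proposal aes256-sha256 aes128-sha256
        set keepalive enable
        set src-addr-type name
        set dst-addr-type name
        set src-name "DT_local"
        set dst-name "Site1_LAN"
    next
end
# Spoke at Site1 (FG-80F). Only localid, the PSK and the local /28 object
# change from spoke to spoke; Site2 would use localid "remote2".
config firewall address
    edit "Site1_LAN"
        set subnet 10.10.1.0 255.255.255.240
    next
    edit "DT_local"
        set subnet 10.0.0.0 255.255.255.0
    next
end
config vpn ipsec phase1-interface
    edit "Site1-to-DT"
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype one
        set net-device disable
        set proposal aes256-sha256 aes128-sha256
        set dpd on-idle
        set remote-gw 203.0.113.10
        set localid "remote1"
        set peerid "hub-dc"
        set psksecret <unique-psk-for-site1>
    next
end
config vpn ipsec phase2-interface
    edit "Site1-to-DT"
        set phase1name "Site1-to-DT"
        set proposal aes256-sha256 aes128-sha256
        set auto-negotiate enable
        set src-addr-type name
        set dst-addr-type name
        set src-name "Site1_LAN"
        set dst-name "DT_local"
    next
end
```

The spoke's "peertype one" with peerid "hub-dc" requires the hub to present that localid; if the hub side should stay ID-less, set "peertype any" on the spoke instead. After applying it, confirm each site shows up as its own gateway with "diagnose vpn ike gateway list" on the hub, and if a second site still stalls in P1_RETRANSMIT, run "diagnose debug application ike -1" on the hub as well, so you can see whether its aggressive-mode first message is being matched to a phase1 or dropped.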

 

vponmuniraj
Staff

Hi,

 

Set the peer ID to any at the 100F. You can use any local ID on the remote device now; make them unique at all the remote locations.

 

Be sure to collect debugs on both sides; the debug shared shows a P1 retransmit. We need the debug from the hub to see if the packets were received and replied to, or dropped during transit.

 

 

Regards,

Vignesh
sjoshi
Staff

Hi

 

Set the peer ID to "Peer ID from dialup group" and follow the KB article below:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-a-FortiGate-as-IPsec-VPN-...

Salon Raj Joshi