Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AdrianR
New Contributor III

Created on ‎05-31-2024 03:49 PM Edited on ‎06-03-2024 11:24 AM

Aggregate dial-up IPsec tunnel

Hello, I'm testing a configuration using aggregate dial-up IPsec but I'm having trouble getting it to work. The thing is that in the IPsec Tunnels configuration the aggregate "Test" shows up in green,

pic1.png

 

but when I create the static route in Network -> Static Routes it shows the aggregate "Test" as down in red.

pic 2.png

 

Did I miss something in the configuration that most be done to work?

 

If I change the VPNs to IPsec site to site not dialup the aggerate shows up (green) in static routes.

 

Can't use SDWAN because I used up all 512 members already.

Fortigates have Firmware 7.0.15

 

 

Thanks for any help you can provide!

Labels:
1234
0 Kudos
1 Solution
Toshi_Esumi
SuperUser
SuperUser
In response to AdrianR

Created on ‎06-03-2024 11:37 PM Edited on ‎06-03-2024 11:39 PM

I was not sure about the dialup/dynamic situation. So I tested it myself between two FGTs. I haven't configured IKE1 dialup/aggressive more than 10 years so I tested with IKEv2 dynamic, which should be essentially the same.

But when I tried letting both ends automatically pull those static route based on phase2 network selector with "set add-gw-route ena" on client side and "set add-route ena" on the server side, the client side didn't pull the remote subnet route somehow while the server side pulled it into its routing table.

So I abandoned the way and disabled them on both sides:
"set add-gw-route dis" on client
"set add-ruote dis" on server

Instead, I added a static route on both side like below:
<client side>
config router static
  edit 0
    set dst 192.168.150.0 255.255.255.0   <- server side subnet
    set device "agg_tun"
  next

end

and server side is specifying the opposite subnet.
And now those static routes are in the routing table properly and my pinging started coming through.

So now I think even auto-route setting should work but I just don't know exactly let the client side pull it.
As a matter of fact, when I combined both; client side=static route, server side=auto "add-route", it worked as well. So, probably it was my misunderstanding the CLI on the client side.

At least I found one way to make it work. So you can try the same.

Toshi

View solution in original post

973
10 REPLIES 10
AdrianR
New Contributor III

Created on ‎06-03-2024 11:11 AM

Hello @AEK I tried with automatic route but in the routing table it stills shows the aggregate as down although the aggregate is up in IP sec.

Screenshot 2024-06-03 111147.png

 

Screenshot 2024-06-03 115432.png

281
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.