Hi,
I have configured a partially redundant IPsec VPN with two local links going to a single link, static IP server.
The two links are seen as dial-up on the remote FG.
I used the wizard to do all configs.
SDWAN is used to team the two WAN links.
I added via the CLI an interface monitor for the primary VPN tunnel so failover can happen.
Everything works as expected except for... on the dial-up side the wizard creates a remote address group for VPN subnets.
Try as I might, I cannot add another subnet as an address object into said group. The newly created address object is not shown in available addresses.
On the remote end I can add a subnet into the local address group for the VPN. Why does it work on this side? Because it's the server and not dial-up, or possibly the interface monitor has got something to do with it?
The only way for this to work on the dial-up side was to delete the config and use the wizard again and add all required subnets at config time so the group is created accordingly.
This doesn't help as I need to add and remove subnets as required.
The workaround in the meantime was to create another phase 2 SA with the required subnets which I don't want to do each time.
I'm stumped; I lost an entire day trying to work this out.
Please can someone help me out of this mess?
I'm not sure what configs, and how much, to post; I'll be happy to do so when instructed.
Thank you.
Man - this drove me insane too but I found a solution.
Under Policies & Objects -> Addresses
Clone one of the addresses created by the Wizard.
Rename and change the IPv4 address.
The new address will now be available within the group -> add address menu.
One thing I noticed that's different about the auto generated addresses is that "static route configuration" is enabled.
Enjoy :)
Same issue here.
Thanks! Saved me a lot of time with this answer.
-Stephen
Hello,
Also, you can enable "static route configuration" via the GUI.
Regards.
If an address object has an interface specified, you won't be able to use it anywhere the interface is different, or where you have other objects in the group with a different interface, or no interface, defined. It's easier to just not define an interface on the address objects. I haven't found anywhere that this has a functional effect, so all it's doing is making the setup more difficult to do.
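The two settings the thread points at, shown side by side in FortiOS CLI syntax as an added illustration (this is not a config from the original posts or from the wizard's output). The "Interface" field of an address object is `associated-interface`, and the GUI's "Static route configuration" toggle is `allow-routing`. The object names, subnets and interface name below are made up for the example; only the keywords are real FortiOS CLI. The first object is the kind that fails to appear in the group's "add address" list when the group's other members differ; the second is the form the replies recommend (no interface bound, routing allowed), and it can be added to the group alongside the wizard-generated members.

```text
# Example 1: object bound to an interface. It can only be used where every other
# member of the same group (and the policy using the group) shares that interface.
config firewall address
    edit "branch_lan_10.10.20.0"            # hypothetical name
        set subnet 10.10.20.0 255.255.255.0  # constructed sample subnet
        set associated-interface "port2"     # "Interface" in the GUI; binds the object
    next
end

# Example 2: the form that matches the wizard-generated members.
# No interface binding; "Static route configuration" enabled.
config firewall address
    edit "branch_lan_10.10.30.0"            # hypothetical name
        set subnet 10.10.30.0 255.255.255.0  # constructed sample subnet
        set allow-routing enable             # "Static route configuration" in the GUI
    next
end

# Adding the second object to the wizard's remote-subnet group from the CLI
# (group name is hypothetical; use the one the wizard created).
config firewall addrgrp
    edit "vpn_remote_subnets"
        append member "branch_lan_10.10.30.0"
    next
end

# Check: compare a wizard-generated member with the new one; the lines to look at
# are "set associated-interface" (should be absent) and "set allow-routing".
show firewall address "branch_lan_10.10.30.0"
show firewall addrgrp "vpn_remote_subnets"
```

Before adding an object, run `show firewall address` on an existing wizard-generated member and mirror its `associated-interface` and `allow-routing` values; a mismatch on either is what keeps the new object out of the group's pick list.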
Thanks! You saved me a lot of time.
Thanks, but this doesn't seem to work in FortiManager. If I want to edit a local address group in the VPN, I am not able to find that address group in FortiManager.
Copyright 2024 Fortinet, Inc. All Rights Reserved.