Hello,
I hope you are well,
I need your help "if possible" to configure a dial-up interface on a sub-interface in order to use it for an IPSec VPN link (First Is it possible ?)
I tried to configure it by creating a standard VPN tunnel behind a NAT, then I edited the configuration by replacing the interface (IP Static) with a dial-up interface, the problem is that I can't save it and I get an error code -9999: -9999.
Here's a capture of the error and the topology target, knowing that I'm on migration from an ASA to a Fortigate (Fresh install).
ASA configuration :
Regards.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
You can use an FQDN address in remote gateway. That FQDN can resolve to dynamic IP. You can use dynamic DNS service.
Thanks for your return and information.
I'm going to save it as solution B because I want to respect the same configuration I have on the Old_ASA.
> "if possible" to configure a dial-up interface on a sub-interface
Yes, this is possible. You can create an IPsec tunnel on top of a LAG, a VLAN, etc.
> the problem is that I can't save it and I get an error code -9999: -9999.
If you're changing the tunnel type from static site-to-site to dynamic dialup/hub-and-spoke and are getting an error, you're most likely missing some necessary config options. I would suggest to do this via the CLI, which will hopefully give you a more meaningful error.
Thanks for your return and information.
In CLI, should I apply the configuration to the physical interface or the Vlan interface?
Regards.
My understanding was that you're trying to change settings of the IPsec tunnel. If that is correct, then you should make the change in the IPsec tunnel's configuration.
okay so on CLI I have to edit the tunnel_VPN interface created
As I don't know precisely what you want to change, it is a bit hard to give good guidelines, but as I noted: If the goal is to change some settings of the VPN tunnel, then yes, edit the tunnel config.
config vpn ipsec phase1-interface
edit <tunnel name>
[apply changes desired here]
end
as I mentioned above in the topology I have a vpn site to site with a remote site in dynamic IP so I have to configure the primary site interface (VLAN) in dynamic behind Fortiwan(Forwarding/NAT/source ip public)
I'll try to modify it in CLI and get back to you, thanks for your help.
Hi @IT_ZD,
You cannot change from dialup to static IP after the creating the tunnel, please refer to https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Error-9999-when-changing-remote-gate...
You can create a custom tunnel without using the wizard.
Regards,
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1665 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.