Is there any way to enable dead gateway detection on an IPsec interface? Every time I add one, it immediately makes the IPsec interface inactive. Maybe there's a setting that I missed to let the IPsec interfaces ping out?
Many thanks for any input,
DPD detects the status of the connection between VPN peers. Enabling DPD facilitates cleaning up dead connections and establishing new VPN tunnels.
DPD is not supported by all vendors and is not used unless DPD is supported and enabled by both VPN peers.
Please check whether DPD is enabled on the other end as well. If the other end is not a FortiGate or if it doesn't support DPD, please disable DPD on the FortiGate.
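As an added illustration of the reply above (an example configuration written for this page, not taken from the original thread or from Fortinet's documentation; the tunnel names, interface names, the peer address 203.0.113.10 and the PSK placeholder are assumed, and the exact DPD keyword spelling differs between FortiOS versions), this is what a pair of phase1-interface tunnels with DPD enabled looks like, with the second tunnel monitoring the first so it comes up only when the first is declared dead:

```text
# Example phase1-interface config (assumed names and addresses, not from the thread)
config vpn ipsec phase1-interface
    edit "vpn-wan1"
        set interface "wan1"
        set remote-gw 203.0.113.10
        # DPD: send a probe every 5 s, declare the peer dead after 3 unanswered probes
        set dpd enable
        set dpd-retryinterval 5
        set dpd-retrycount 3
        set psksecret <placeholder-psk>
    next
    edit "vpn-wan2"
        set interface "wan2"
        set remote-gw 203.0.113.10
        set dpd enable
        set dpd-retryinterval 5
        set dpd-retrycount 3
        # Backup tunnel: stays down until "vpn-wan1" is marked down
        set monitor "vpn-wan1"
        set psksecret <placeholder-psk>
    next
end
```

The phase2-interface entries and proposals are omitted. The point of the example is the dependency the reply describes: `monitor` only fails over when the primary tunnel is marked down, and with DPD that mark comes from unanswered DPD probes, so if the far-end peer never answers DPD (because it does not support it), both `dpd` settings should be `disable` and the monitor relationship will not trigger on its own.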
Hi, my topology is very simple, and I've purchased the Fortinet 60C to test in order to have it deployed at all of my locations. Right now, the main features that are most attractive are the dual WAN, in order to increase reliability of the VPN. I have 2 WANs in use on the Fortinet that I want to VPN connect to a Linux box. If WAN1 fails on the Fortinet, I want WAN2 to come up immediately, to keep the connection alive. I am finding out the hard way that this is nearly impossible if the VPN at the other end is not another Fortinet unit. The question I pose in this thread is to be able to shut down VPN tunnel 1 that's bound to WAN1 if WAN1 goes down, while bringing up VPN tunnel 2.
So, because my Linux box at the other end does not support dead peer detection, the DPD setting AND the monitor-phase1 setting are not used. Therefore, I'm trying to use Dead Gateway Detection to shut down IPsec interface VPN tunnel 1 if WAN1 goes down, and vice versa. However, this doesn't look like it's possible.
The frustrating thing is, as I've described in my other thread, that if both my WAN interfaces are in DHCP mode, then the WAN routes are removed from the routing table along with the bound VPN tunnels if the WAN connection goes down. When both my WAN interfaces use a static IP address, and a WAN goes down, then the Fortinet does NOT remove the bound VPN route, which then stays in the routing table, not routing traffic. So, I'm trying to figure out any way possible to take down a VPN tunnel if the bound WAN interface goes down, and I thought DGD was an option.
I'm looking for any suggestions - right now Fortinet tech support just suggested to me that I purchase another Fortinet to use at the other end of the tunnel, and I was hoping for another solution.
In other words, when both WANs are in DHCP mode, the Fortinet does something special to the routing table - when either WAN goes down, it immediately removes all associated WAN routes and bound IPsec VPN interfaces, which makes the whole system work flawlessly. It's just that when the WANs have static IPs, the routes and associated bound routes are not appropriately taken down, causing issues. Unless I'm missing something?
I probably could switch over to dynamic IPs on my WANs - I think I pay a few extra $$ per month to have them. But, I also have to use OpenDNS, and from what I understand, they need a static IP to work. Plus, I'd really like to figure this out, as it seems to me that this is such a simple issue. I do appreciate all your suggestions,
I just re-read the KB on the command "con sys int" to see how the interface changes from static to DHCP on the interfaces. I was hoping there was a setting that could solve all this, but for the most part, they were the exact same.
Same issue in v4.0.3 patch 12 and v5.0.1 of the firmware.
Just waiting now for Fortinet tech support to confirm that the 60C can use VPN failover with static IPs connecting to an end unit that doesn't have DPD capability.
After researching UTM firewalls for many months, I purchased the 60C - I'd like to have them everywhere (to solve at least this issue), but I need to have them running in the lab for a bit first...