Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
live89
Contributor

Forcing site to site altime UP

Hi

 

I'm trying to site to site VPN to be up all the time even when there is no traffic

I went through this KB but didn't help

https://kb.fortinet.com/kb/documentLink.do?externalID=12069

What happens here is that our S2S goes down from time to time , if there is no traffic or after specific amount of time , and goes UP under two conditions:

1- If I manually bring it up.

2- If there is a traffic.

 

How can make it all the time up?

 

I'm running FGT1000D v.5.6.11

The other side is Checkpoint - not managing it and absolutely will not

 

And here is my p1+p2 conf:

Phase1:

    edit "My_Customer_1"
        set type static
        set interface "Cust-1-WAN"
        set ip-version 4
        set ike-version 2
        set local-gw 0.0.0.0
        set keylife 86400
        set authmethod psk
        unset authmethod-remote
        set peertype any
        set passive-mode disable
        set exchange-interface-ip disable
        set mode-cfg disable
        set proposal aes256-sha1
        set localid ''
        set localid-type auto
        set auto-negotiate enable
        set negotiate-timeout 30
        set fragmentation enable
        set dpd on-idle
        set forticlient-enforcement disable
        set comments ''
        set npu-offload enable
        set dhgrp 2
        set suite-b disable
        set eap disable
        set wizard-type custom
        set reauth disable
        set idle-timeout disable
        set ha-sync-esp-seqno enable
        set auto-discovery-sender disable
        set auto-discovery-receiver disable
        set auto-discovery-forwarder disable
        set encapsulation none
        set nattraversal enable
        set fragmentation-mtu 1200
        set childless-ike disable
        set rekey enable
        set remote-gw 1.1.1.1
        set monitor ''
        set add-gw-route disable
        set psksecret ENC
        set keepalive 10
        set dpd-retrycount 3
        set dpd-retryinterval 20
    next

 

phase2:

        set phase1name "My_Customer_1"
        set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
        set pfs disable
        set replay disable
        set auto-negotiate enable
        set auto-discovery-sender phase1
        set auto-discovery-forwarder phase1
        set keylife-type seconds
        set encapsulation tunnel-mode
        set comments ''
        set protocol 0
        set src-addr-type subnet
        set src-port 0
        set dst-addr-type subnet
        set dst-port 0
        set keylifeseconds 43200
        set src-subnet 172.26.134.96 255.255.255.240
        set dst-subnet 172.22.0.0 255.255.0.0

Thanks

Thanks
3 REPLIES 3
boneyard
Valued Contributor

i dont see the keepalive enable in the phase2 you show

live89

Because of "set auto-negotiate enable".

If this setting is enabled then keepalive disappears from phase2 settings.

But i tried that also.

Thanks

Thanks
boneyard
Valued Contributor

ah, what do you see when you do a debug vpn? do you see the phase 2 being attempted or not at all?

 

if not then i would open a support case because that should happen.

Labels
Top Kudoed Authors