Hi all,
I have an interesting question. I'm messing around with FortiManager's VPN Manager tool and seeing a weird issue (TAC is working on it, but thought I'd ask the community as well).
FMG 7.0.12, FGTHub 7.0.15, Spoke1 7.0.15, Spoke2 7.0.15, both Spoke1 and 2 have FortiExtenders with either Verizon or AT&T (not that it should matter the provider, just being thorough). All 3 sites are connected via MPLS and have site to site VPNs configured, as well. BGP is used for routing between the sites with MPLS being primary, StS VPN being secondary.
I am creating a dynamic VPN tunnel configuration where if both MPLS and primary DIA are disconnected, the FortiExtender will build a tunnel and BGP will flow over that connection until one of the other two come up. While I can appreciate that SD-WAN and ADVPN should be used, they currently are not (they will be in the future, but for the moment it isn't something that can be fully configured at this time).
Dynamic VPN is configured so that the hub has a BGP neighbor ID of 192.168.10.1, Spoke1 and Spoke2 will get a dynamic address via dial-up vpn in the 192.168.10.11 - 20 range.
Issue 1: If Spoke1 connects via dial-up VPN and is given the .11 address, BGP works fine. Spoke2 connects and gets the .12 address, BGP is typically fine (we have had a couple of times where it didn't work). The Spokes have no reason to communicate with each other, just the Hub in the datacenter.
Issue 2: If Spoke1 is connected and gets the .11 address, but its internet connection or MPLS comes back, everything is fine. That is, it's fine until Spoke2 connects and is given that same .11 address. Once that happens, BGP will never work between Spoke2 and the Hub.
Issue 3: To combat this, we configured Spoke1 and Spoke2 with static dial-up VPN addresses (.11 and .12 respectively). However, because this is a dynamic VPN, it appears that there is nowhere in VPN Manager to turn off Mode Config for the tunnels. If we enable this scenario manually, everything works. However, we need to update a lot more than 2 devices, and all of our tunnels are handled via VPN Manager.
So, my question is: is there a way to configure a dynamic VPN without Mode Config, even if it is traversing a CGNAT?
Hello,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello farhanahmed,
As a FortiManager expert, do you have an idea?
Thanks a lot in advance.
Could you please have a look at this request?
Thanks a lot in advance.
Regards,
Hello jdsauer77.
I could not find any solution, I am sorry.
I invite you then to open a ticket with our support: https://support.fortinet.com/welcome/
Thanks a lot in advance.
Regards,
Anthony