Hi,
I've trouble creating an L2TP/IPsec VPN on our FortiGate (FW 5.2.2, build642). If I use the wizard (Dialup - Android (Native L2TP/IPsec)), I cannot select the WAN interface as incoming interface.
There is only DMZ and INTERNAL available (the FortiGate is in switch mode).
Selecting the iOS (Native) wizard, the WAN interfaces are available (we use load-balancing).
My VPN menu also looks different from the pictures in the documents (I've no "Auto Key (IKE)" option / the "Policy-based IPsec VPN" feature is enabled).
I've also tried to create the tunnel via CLI, but I got an error at "set interface wan1".
Is it because the FortiGate is in switch mode?
Hope you can help me.
Regards
Juergen
Switch mode shouldn't affect the WAN interfaces by default.
Are there already other tunnels bound to the WAN ports, or other settings that might affect their use for an L2TP/IPSec tunnel?
Regards, Chris McMullan Fortinet Ottawa
Hi,
there is a site-to-site tunnel active to our office in Germany.
And we currently use SSL VPN (which should be replaced by the L2TP VPN).
We've two Internet connections and they are combined via load-balancing; both the SSL VPN and the site-to-site VPN are connected to WAN1. So WAN2 is free, but it is also not available.
Juergen
I would open a ticket with TAC to get the widest possible context around what is binding the interfaces in a way they are unavailable for terminating the new tunnel.
Run this command, and include the output in the case:
diag sys checkused system.interface.name wan1
Regards, Chris McMullan Fortinet Ottawa
"we use load-balancing"
FWIW: I think this goes back to an old bug related to VPN WAN interface selection when you're using a virtual-wan interface. If you search in the Forti beta or VPN forum you will find many references to this limitation.
PCNSE
NSE
StrongSwan
Hi,
the output of diag sys checkused system.interface.name wan1 is:
HQ-gw01 # diag sys checkused system.interface.name wan1
entry used by table system.interface:name 'DE'
entry used by table system.interface:name 'test'
entry used by child table dashboard:id '9' of entry used by child table dashboard:id '10' of entry used by child table dashboard:id '11' of table system.admin:name 'admin'
entry used by child table dashboard:id '10' of table system.admin:name 'm.graf'
entry used by child table source-interface:name 'wan1' of complex vpn.ssl.settings:source-interface.name
entry used by table vpn.ipsec.phase1-interface:name 'DE'
entry used by table vpn.ipsec.phase1-interface:name 'test'
entry used by child table members:seq-num '3' of complex system.virtual-wan-link:members.interface
entry used by table firewall.vip:name '[WAN1]HQ-svMX01_HTTPs'
entry used by table firewall.vip:name '[WAN1]HQ-svMX01_SMTP'
entry used by table firewall.vip:name '[WAN1]HQ-svMX01_SMTPs'
entry used by table firewall.vipgrp:name '[WAN1]HQ-svMX01'
test = my test L2TP VPN via "custom VPN tunnel (no template)"; DE = our site-to-site tunnel to our office in Germany.
Thanks for the tip with the old bug.
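As an added example (not part of this thread or of FortiOS), a small Python parser for the diag sys checkused output Juergen posted: it reduces each nested "child table ... of ..." chain to its root configuration table and groups the referencing objects, so the phase1 tunnels, the SSL VPN listener, the VIPs and the system.virtual-wan-link membership that the replies point to each stand out. The sample text is constructed from the posted output.

```python
import re
from collections import defaultdict

# Constructed sample: the output posted in the thread, including the prompt line.
SAMPLE_OUTPUT = """HQ-gw01 # diag sys checkused system.interface.name wan1
entry used by table system.interface:name 'DE'
entry used by table system.interface:name 'test'
entry used by child table dashboard:id '9' of entry used by child table dashboard:id '10' of entry used by child table dashboard:id '11' of table system.admin:name 'admin'
entry used by child table dashboard:id '10' of table system.admin:name 'm.graf'
entry used by child table source-interface:name 'wan1' of complex vpn.ssl.settings:source-interface.name
entry used by table vpn.ipsec.phase1-interface:name 'DE'
entry used by table vpn.ipsec.phase1-interface:name 'test'
entry used by child table members:seq-num '3' of complex system.virtual-wan-link:members.interface
entry used by table firewall.vip:name '[WAN1]HQ-svMX01_HTTPs'
entry used by table firewall.vipgrp:name '[WAN1]HQ-svMX01'
"""

# Root reference at the end of a line, e.g. "table system.admin:name 'admin'"
# or "complex system.virtual-wan-link:members.interface" (no quoted value).
ROOT_RE = re.compile(r"(table|complex) (?P<table>[\w.-]+):(?P<attr>[\w.-]+)(?: '(?P<value>[^']*)')?\s*$")

def parse_checkused(output):
    """Return (table, attribute, value-or-None) per 'entry used by' line.
    Nested child-table chains are reduced to the root table that owns them."""
    refs = []
    for line in output.splitlines():
        if not line.startswith("entry used by"):
            continue  # skip the prompt / command echo
        m = ROOT_RE.search(line)
        if m:
            refs.append((m["table"], m["attr"], m["value"]))
    return refs

def group_by_table(refs):
    """Map each configuration table to the object names (or attribute paths) that reference the interface."""
    grouped = defaultdict(list)
    for table, attr, value in refs:
        grouped[table].append(value if value is not None else attr)
    return dict(grouped)

def virtual_wan_member(refs):
    """True when the interface is a member of system.virtual-wan-link, the binding the thread suspects."""
    return any(table == "system.virtual-wan-link" for table, _, _ in refs)

if __name__ == "__main__":
    parsed = parse_checkused(SAMPLE_OUTPUT)
    for table, names in sorted(group_by_table(parsed).items()):
        print(f"{table}: {', '.join(names)}")
    print("virtual-wan-link member:", virtual_wan_member(parsed))
```

Running it against a fresh capture before touching the interface shows every object that must be moved or accounted for, not only the tunnels visible in the VPN menu.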