jm-barreto
New Contributor III

How many connections can an IPsec dial-up support?

Hi

How many dial-up connections can an IPsec tunnel support? I need to connect 40 sites in this hub & spoke scenario. But when I go to the FortiGate master on the VPN tunnel, it says that only 10 concurrent user(s) will be supported.

Can anyone confirm that only 10 connections are supported? Or is this referring to another thing?

This is a lab environment so I don't know if this is a limitation on the KVM. I'm planning to use a FortiGate 100F and the data sheet said that I can do 2000 VPN GW-to-GW connections.

Screenshot 2023-03-13 112430.png

I appreciate any help you can provide.

Thanks

JBC
vsahu
Staff

Hello jm-barreto,

Please check the below link explaining this:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPsec-VPN-phase1-interface-name-characters...

Consequences for dynamic phase1 users using interface mode:
The IPsec dial-up interface name will be named <phase1>_n, with 'n' as the index of the tunnel and the dial-up name limited to 15 characters or less.

If the phase1 IPsec dial-up interface name is 14 characters long or more, any tunnel will fail.
If the phase1 IPsec dial-up interface name is 13 characters long, the 10th tunnel will fail.
If the phase1 IPsec dial-up interface name is 12 characters long, the 100th tunnel will fail.

Notes:

- If the 'net-device' value in the VPN phase1 interface is disabled, it is possible to name the tunnel with a maximum of 15 characters.

- But if 'net-device' is enabled, it is possible to name the tunnel with a maximum of only 13 characters.

Regards,
Vishal
jm-barreto
New Contributor III

Hi @vsahu

Thanks for the information. It's a little confusing because I actually have net-device enabled and my phase1 name is actually 15 characters long with the index number, and I'm able to make 2 connections, when the documentation says that at 14 characters or more the tunnel will fail.

Or am I seeing the wrong name? Here is a screenshot:

tunnel.png

Also here is my config for phase1

phase1.png

Thanks again

JBC
Muhammad_Haiqal

Hi @jm-barreto,

The maximum character length for a VPN tunnel name is about 15.

Yours is MASTER_TUNNEL, which is 13 characters. I'm suggesting to keep it below 10 characters.
Example: HQ_Branch, To_Branch or similar.

Please make the name shorter and you can have more concurrent connections.

haiqal
vsahu

Hello jm-barreto,

Yes, the document is a little confusing. You have to keep in mind that FortiGate will not allow more than 15 characters when naming the IPsec tunnel; that is a software limitation. When you configure a normal VPN you'll not have to worry even if it's a 15-character tunnel name, but when it comes to dial-up or dynamic VPN, things change.

Dial-up and dynamic VPN inherit the name of the parent tunnel configuration and add "_xxxxx", where x represents the number. In your case, the reason you're getting 10 tunnels is that MASTER_TUNNEL = 13 characters, and when the dynamic addressing is there it will be MASTER_TUNNEL_0 till MASTER_TUNNEL_9, so 10 tunnels; the 11th will fail due to the character limitation.

Now regarding net-device: when it is enabled it creates the naming like MASTER_TUNNEL_x, or to be precise it creates a new tunnel interface, but when it's disabled it does not create any interface. That is the reason for the character limitation with net-device enabled or disabled.

You can check more info here on net-device; check the PDF attachment.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-set-net-device-new-route-based-IPsec-logic...

Regards,
Vishal
sw2090
Honored Contributor

Yeah, you have to keep in mind that some space in the p1 name is needed for enumeration of dial-up tunnels. This is not needed for a site2site tunnel.

In your case you have 13 chars of p1 name. Max length as written before is 15 chars. That means that FortiOS can only enumerate with one digit because of the leading "_" it adds. Just like you saw in your screenshot.

This would allow 10 connections (0-9). Then it will run out of space. Unfortunately FortiOS seems to cache the enumeration for a while, so once you had _0 and _1 they are reserved for a while and the enumeration will go on with _2. Once there have been 10 connections the space is used up and further NEW connections will fail.

Additionally there is the hard limit of simultaneous connections too. I tried to look that up on one of my 100Fs here but cannot find it anymore. I remember it used to be up to 2000 but I think it was shrunk down to 500 with some FortiOS version.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
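A small check, added here as an example (not from this thread or from Fortinet), that applies the naming rule the replies describe. It assumes the 15-character interface-name limit and the <phase1>_<n> naming for dial-up interfaces, and computes how many dial-up interfaces a phase1 name leaves room for, plus the longest phase1 name that still fits a given number of spokes.

```python
from typing import Optional

# Added example, not from the thread or from Fortinet: a model of the
# 15-character interface-name limit described above, used to predict how many
# dial-up tunnel interfaces a given phase1 name leaves room for.
IFNAME_MAX_LEN = 15  # FortiOS interface-name limit as stated in the replies


def dialup_ifname(phase1_name: str, index: int) -> str:
    """Name FortiOS gives the n-th dynamic tunnel interface: <phase1>_<n>."""
    return f"{phase1_name}_{index}"


def max_dialup_tunnels(phase1_name: str, net_device: bool = True) -> Optional[int]:
    """How many <phase1>_<n> names (n = 0, 1, 2, ...) fit within the limit.

    Returns None when net-device is disabled: no per-peer interface is created,
    so the naming rule does not cap the tunnel count (other limits still apply).
    sw2090 reports FortiOS may keep recently used indexes reserved for a while,
    so this is the number of name slots, not necessarily the number of live peers.
    """
    if len(phase1_name) > IFNAME_MAX_LEN:
        raise ValueError(f"phase1 name longer than {IFNAME_MAX_LEN} characters")
    if not net_device:
        return None
    # Characters left for the index digits after the name and the "_" separator.
    digits = IFNAME_MAX_LEN - len(phase1_name) - 1
    # With d digit positions the indexes 0 .. 10**d - 1 all fit: 10**d names.
    return 10 ** digits if digits > 0 else 0


def max_phase1_len_for(peers: int) -> int:
    """Longest phase1 name that still leaves room for indexes 0 .. peers-1."""
    if peers < 1:
        raise ValueError("need at least one peer")
    return IFNAME_MAX_LEN - 1 - len(str(peers - 1))


if __name__ == "__main__":
    # Values from the thread: MASTER_TUNNEL is 13 characters -> MASTER_TUNNEL_0 .. _9.
    print(max_dialup_tunnels("MASTER_TUNNEL"))  # 10
    print(dialup_ifname("MASTER_TUNNEL", 9))    # MASTER_TUNNEL_9 (15 characters)
    # The original poster needs 40 spokes, so the name may be at most 12 characters.
    print(max_phase1_len_for(40))               # 12
```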