Hi
How many dial up connection a IPSec can support?. I need to connect 40 site in this hub & spoke scenario. But when i go to the Fortigate Master on the vpn tunnel, it says that only 10 concurrent user(s) will be supported.
Can anyone confirm that only 10 connection is supported? Or this is referring to another thing?
This is a Lab environment so I don't know if this a limitation on the KMV. I'm planning to use Fortigate 100F and the data sheet said that I can do 2000 vpn GW to GW connection.
I appreciate any help you can provide.
Thanks
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello jm-barreto,
Please check the below link explaining this :
Notes:
- If 'net-device' value in the VPN Phase1 interface is disabled, it is possible to name the tunnel max to 15 characters.
- But if 'net-device' is enabled, it is possible to name the tunnel max to only 13 characters.
Hi @vsahu
Thank for the information. Its a little confusing because Im actually net-device enable and my phase1 name is actually 15 character long with the index number and Im able to do 2 connection. When the documentation said that at 14 characters or more the tunnel will fail.
Or Im seeing the wrong name? here a screenshot:
Also here my config for phase1
Thanks again
Hi @jm-barreto ,
Maximum character name for vpn tunnel is about 15.
Your is: MASTER_TUNNEL which is 13 character. Im suggesting to keep below 10 character.
Example: HQ_Branch, To_Branch or similar.
Please make the name shorter and you can have more concurrent connection.
Hello jm-barreto,
Yes the document is a little confusing, you've to keep in mind that FortiGate will not allow more than 15 characters while naming the IPSEC tunnel, that is a software limitation, when you configure a normal VPN you'll not have to worry even if it's 15 character tunnel name but when it comes to dialup or dynamic VPN the things change.
As dialup and dynamic VPN inherit the name of the parent tunnel configuration and add "_xxxxx" so here x represents the number, in your case why you're getting 10 tunnels because MASTER_TUNNEL = 13 characters and when the dynamic addressing will is there it will be MASTER_TUNNEL_0 till MASTER_TUNNEL_9 so 10 tunnel the 11th will fail due to character limitation,
Now regarding the net device when it is enabled it creates the naming like MASTER_TUNNEL_x or to be precise it creates a new tunnel interface but when it's disabled it does not create any interface, so that is the reason the character limitation with net-device enabled or disable
You can check more info here on net-device, check the pdf attachment
yeah you have to keep in mind that some space on the p1 name is needed for enumeration of dial up tunnels. This is not needed for a site2site tunnel.
In you case you have 13 chars of p1 name. Max length as written before is 15 chars. That means that fortios can only enumarte with one digit because of the leading "_" it ads. Just like you saw in your screenshot.
This would allow 10 connections (0-9). Then will run out of space. Unfortunately FortiOS seems to cache the enumeration for a while so once you had _0 and _1 thay are reserved for a while and the enumeration will go on with _2. Once there have been 10 connectios space is used up and further NEW connections will fail.
Additionally there is the hard limit of simultaneous connections too. I tried to look that up on one of my 100Fs here but cannot find it anymore. I remember it used to be up to 2000 but I think it was shrubk down to 500 with some FortiOS version.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.