Support Forum
Wayupnorthguy
New Contributor III

IPSEC VPN tunnel only assigning a single IP (only single session works)

I have two installations of Fortigate 60F units for remote access.  One is running 6.4.8 and one on 7.0.5

I have IPSEC remote access configurations set up on both and the configs are nearly identical (except for the addressing...same subnetting. Nothing of consequence)
On the 6.4.8 unit I can have multiple dial-in instances each getting an address from the assigned pool.
On the 7.0.5 unit I can only establish a single connection.  I get an address out of the pool but cannot establish additional sessions.  
Both dialer instances are coming from the same office so have the same remote WAN IP.  But that is the same for the working instance.
Phase 1 and phase 2 both come up but phase 2 eventually drops.  I do believe this is related to not obtaining a second IP from the pool but cannot figure out why.

Jack of all trades, Master of none
1 Solution
Wayupnorthguy
New Contributor III

Solved by setting unique Peer IDs for each Tunnel.  Convert to custom tunnel, set authentication IKE mode to Aggressive, Peer options to Specific peer ID and ensure both ends match.  Note that the Local ID in the Phase 1 Proposal needs to match the Peer ID.

Jack of all trades, Master of none

distillednetwork
Contributor III

On the 7.0.5 VPN tunnel do you have

set net-device enable 

enabled for the tunnel?  

Wayupnorthguy

Just for clarity.  Either of these sites can establish a connection as long as the other site is not connected.  But to answer your question. "set net-device" is disabled on the phase1-interface.  Reading up on this a bit.  Would that need to be enabled on both connections and both ends?  I saw the option to create kernel objects in the GUI config but wasn't sure what that was all about.


Jack of all trades, Master of none
distillednetwork

Could you post the VPN configuration you have on both sides?   Are you using dynamic or static routing on the tunnels?  

Wayupnorthguy

Well.  I'm not sure what I did but I can establish multiple dial-in sessions now and I get a unique IP out of the assigned pool for each client.  The only real difference is that I have a site-to-site (fortigate-fortigate LAN extension) configured now and didn't before.  Now I just need to figure out why I can't create a site to multi-site LAN extension. (see my other post.)

Jack of all trades, Master of none
distillednetwork

If you can post the vpn configurations from both sides I may be able to provide a better suggestion. Without seeing it, it's just guessing possible solutions.

Wayupnorthguy

Here ya go.  But like I said.  It's working now.  Note that these VPNs have NOT been converted to custom tunnels.


6.4.8 Site
Phase1-interface (psksecret removed)
set type dynamic
set interface "wan1"
set ip-version 4
set ike-version 1
set local-gw 0.0.0.0
set keylife 86400
set authmethod psk
set mode main
set peertype any
set net-device disable
set exchange-interface-ip disable
set mode-cfg disable
set proposal aes256-md5 3des-sha1 aes192-sha1
set add-route enable
set localid ''
set localid-type auto
set negotiate-timeout 30
set fragmentation enable
set ip-fragmentation post-encapsulation
set dpd on-demand
set forticlient-enforcement disable
set comments "VPN: EM-IPSEC-WAN1 (Created by VPN wizard)"
set npu-offload enable
set dhgrp 2
set suite-b disable
set wizard-type dialup-windows
set xauthtype disable
set idle-timeout disable
set ha-sync-esp-seqno enable
set auto-discovery-sender disable
set auto-discovery-receiver disable
set auto-discovery-forwarder disable
set nattraversal enable
set rekey enable
set enforce-unique-id disable
set fec-egress disable
set fec-ingress disable
set default-gw 0.0.0.0
set default-gw-priority 0
set tunnel-search selectors
set psksecret ENC "key was here"
set keepalive 10
set distance 15
set priority 0
set dpd-retrycount 3
set dpd-retryinterval 20


Phase2-interface
set phase1name "EM-IPSEC-WAN1"
set proposal aes256-md5 3des-sha1 aes192-sha1
set pfs disable
set ipv4-df disable
set replay enable
set keepalive disable
set add-route phase1
set auto-discovery-sender phase1
set auto-discovery-forwarder phase1
set keylife-type seconds
set encapsulation transport-mode
set l2tp enable
set comments "VPN: EM-IPSEC-WAN1 (Created by VPN wizard)"
set diffserv disable
set protocol 0
set src-port 0
set dst-port 0
set dhcp-ipsec disable
set keylifeseconds 3600

7.0.5 Site
Phase1-interface
set type dynamic
set interface "wan1"
set ip-version 4
set ike-version 1
set local-gw 0.0.0.0
set keylife 86400
set authmethod psk
set mode main
set peertype any
set net-device disable
set exchange-interface-ip disable
set aggregate-member disable
set mode-cfg disable
set proposal aes256-md5 3des-sha1 aes192-sha1
set add-route enable
set localid ''
set localid-type auto
set negotiate-timeout 30
set fragmentation enable
set ip-fragmentation post-encapsulation
set dpd on-demand
set forticlient-enforcement disable
set comments "VPN: EM-Kratos-VPN (Created by VPN wizard)"
set npu-offload enable
set dhgrp 2
set suite-b disable
set wizard-type dialup-windows
set xauthtype disable
set idle-timeout disable
set ha-sync-esp-seqno enable
set auto-discovery-sender disable
set auto-discovery-receiver disable
set auto-discovery-forwarder disable
set nattraversal enable
set rekey enable
set enforce-unique-id disable
set fec-egress disable
set fec-ingress disable
set default-gw 0.0.0.0
set default-gw-priority 0
set psksecret ENC "key was here"
set keepalive 10
set distance 15
set priority 1
set dpd-retrycount 3
set dpd-retryinterval 20

Phase2-interface

set phase1name "EM-Gilat-VPN"
set proposal aes256-md5 3des-sha1 aes192-sha1
set pfs disable
set ipv4-df disable
set replay enable
set keepalive disable
set add-route phase1
set auto-discovery-sender phase1
set auto-discovery-forwarder phase1
set keylife-type seconds
set encapsulation transport-mode
set l2tp enable
set comments "VPN: EM-Gilat-VPN (Created by VPN wizard)"
set diffserv disable
set protocol 0
set src-port 0
set dst-port 0
set dhcp-ipsec disable
set keylifeseconds 3600

Jack of all trades, Master of none
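The two phase1-interface dumps above differ in only a handful of settings, and the accepted solution in this thread came down to aggressive mode plus a unique, specific peer ID per tunnel. The script below is an added example, not FortiGate code and not something posted in the thread: it parses `set key value` dumps like the ones above, diffs two of them, and flags the phase1 settings that decide whether two dial-up peers arriving from the same remote address can be told apart. The 6.4.8 and 7.0.5 excerpts are copied from the posts above with the psksecret and unrelated lines left out; the hardened excerpt is a constructed illustration of the accepted solution, and its `peerid` value is a placeholder.

```python
"""Parse, diff and audit FortiOS phase1-interface dumps (added example)."""
import shlex

# Excerpts of the two phase1-interface dumps posted in this thread
# (psksecret and settings unrelated to peer selection omitted).
PHASE1_648 = """
set type dynamic
set interface "wan1"
set ike-version 1
set authmethod psk
set mode main
set peertype any
set net-device disable
set mode-cfg disable
set add-route enable
set localid ''
set localid-type auto
set comments "VPN: EM-IPSEC-WAN1 (Created by VPN wizard)"
set wizard-type dialup-windows
set priority 0
"""

PHASE1_705 = """
set type dynamic
set interface "wan1"
set ike-version 1
set authmethod psk
set mode main
set peertype any
set net-device disable
set aggregate-member disable
set mode-cfg disable
set add-route enable
set localid ''
set localid-type auto
set comments "VPN: EM-Kratos-VPN (Created by VPN wizard)"
set wizard-type dialup-windows
set priority 1
"""

# Constructed illustration of the accepted solution: aggressive mode with a
# specific peer ID. "site-a-dialup" is a placeholder, not a value from the thread.
PHASE1_HARDENED = """
set type dynamic
set interface "wan1"
set ike-version 1
set authmethod psk
set mode aggressive
set peertype one
set peerid "site-a-dialup"
set net-device disable
set add-route enable
"""


def parse_set_lines(dump):
    """Map 'set <key> <value...>' lines to {key: value}; other lines are ignored.
    shlex handles "quoted values" and the empty '' FortiOS prints for unset strings."""
    settings = {}
    for raw in dump.splitlines():
        parts = shlex.split(raw.strip())
        if len(parts) >= 2 and parts[0] == "set":
            settings[parts[1]] = " ".join(parts[2:])
    return settings


def diff_settings(a, b):
    """Return (keys only in a, keys only in b, {key: (a_value, b_value)} for changed keys)."""
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    changed = {k: (a[k], b[k]) for k in sorted(set(a) & set(b)) if a[k] != b[k]}
    return only_a, only_b, changed


def audit_dialup(cfg):
    """Flag settings that stop a dial-up phase1 from telling apart two peers
    that arrive from the same remote address (the symptom in this thread)."""
    findings = {}
    if cfg.get("mode", "main") != "aggressive":
        findings["mode"] = ("main mode with PSK reveals the peer's identity only after "
                            "the PSK has been picked by source address, so peers sharing "
                            "an address collide; aggressive mode sends the ID up front")
    if cfg.get("peertype", "any") != "one" or not cfg.get("peerid"):
        findings["peertype"] = ("no specific peer ID is matched; set peertype one plus a "
                                "unique peerid, mirrored as the Local ID on the remote side")
    return findings


if __name__ == "__main__":
    old, new = parse_set_lines(PHASE1_648), parse_set_lines(PHASE1_705)
    only_old, only_new, changed = diff_settings(old, new)
    print("only in 6.4.8:", only_old)
    print("only in 7.0.5:", only_new)
    for key, (a, b) in changed.items():
        print(f"changed {key}: {a!r} -> {b!r}")
    for label, cfg in (("7.0.5 as posted", new), ("hardened", parse_set_lines(PHASE1_HARDENED))):
        print(f"{label}: {audit_dialup(cfg) or 'no dial-up findings'}")
```

Run against the two posted excerpts, the diff shows only `aggregate-member`, `comments` and `priority` differing, which matches distillednetwork's "looks ok" verdict; the audit, on the other hand, flags `mode main` and `peertype any` on both, which is exactly what the accepted solution changed.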
distillednetwork

Yeah, looks ok now, of course, since it's working. I wonder if, in the non-working configuration, you had "set add-route enable" on.  Without a route, the tunnel won't come up.

When you say "multi-site LAN extension" what options are you picking when running the VPN wizard?

Jean-Philippe_P
Moderator

Hello Wayupnorthguy!

Thanks for posting on the Fortinet Community Forum.

I found a document that may help:

https://www.fortinetguru.com/2017/10/ipsec-troubleshooting/

Can you tell me if it helped you please?

Kindest regards,

Jean-Philippe - Fortinet Community Team