I have two installations of Fortigate 60F units for remote access. One is running 6.4.8 and one is on 7.0.5.
I have IPSEC remote access configurations set up on both and the configs are nearly identical (except for the addressing...same subnetting. Nothing of consequence).
On the 6.4.8 unit I can have multiple dial-in instances each getting an address from the assigned pool.
On the 7.0.5 unit I can only establish a single connection. I get an address out of the pool but cannot establish additional sessions.
Both dialer instances are coming from the same office so have the same remote WAN IP. But that is the same for the working instance.
Phase 1 and phase 2 both come up but phase 2 eventually drops. I do believe this is related to not obtaining a second IP from the pool but cannot figure out why.
Solved by setting unique Peer IDs for each Tunnel. Convert to custom tunnel, set authentication IKE mode to Aggressive, Peer options to Specific peer ID and ensure both ends match. Note that the Local ID in the Phase 1 Proposal needs to match the Peer ID.
On the 7.0.5 VPN tunnel do you have
set net-device enable
enabled for the tunnel?
Just for clarity. Either of these sites can establish a connection as long as the other site is not connected. But to answer your question. "set net-device" is disabled on the phase1-interface. Reading up on this a bit. Would that need to be enabled on both connections and both ends? I saw the option to create kernel objects in the GUI config but wasn't sure what that was all about.
Could you post the VPN configuration you have on both sides? Are you using dynamic or static routing on the tunnels?
Well. I'm not sure what I did, but I can establish multiple dial-in sessions now and I get a unique IP out of the assigned pool for each client. The only real difference is that I have a site-to-site (fortigate-fortigate LAN extension) configured now and didn't before. Now I just need to figure out why I can't create a site to multi-site LAN extension. (see my other post.)
If you can post the VPN configurations from both sides I may be able to provide a better suggestion. Without seeing it, it's just guessing possible solutions.
Here ya go. But like I said. It's working now. Note that these VPNs have NOT been converted to custom tunnels.
6.4.8 Site
Phase1-interface (psksecret removed)
set type dynamic
set interface "wan1"
set ip-version 4
set ike-version 1
set local-gw 0.0.0.0
set keylife 86400
set authmethod psk
set mode main
set peertype any
set net-device disable
set exchange-interface-ip disable
set mode-cfg disable
set proposal aes256-md5 3des-sha1 aes192-sha1
set add-route enable
set localid ''
set localid-type auto
set negotiate-timeout 30
set fragmentation enable
set ip-fragmentation post-encapsulation
set dpd on-demand
set forticlient-enforcement disable
set comments "VPN: EM-IPSEC-WAN1 (Created by VPN wizard)"
set npu-offload enable
set dhgrp 2
set suite-b disable
set wizard-type dialup-windows
set xauthtype disable
set idle-timeout disable
set ha-sync-esp-seqno enable
set auto-discovery-sender disable
set auto-discovery-receiver disable
set auto-discovery-forwarder disable
set nattraversal enable
set rekey enable
set enforce-unique-id disable
set fec-egress disable
set fec-ingress disable
set default-gw 0.0.0.0
set default-gw-priority 0
set tunnel-search selectors
set psksecret ENC "key was here"
set keepalive 10
set distance 15
set priority 0
set dpd-retrycount 3
set dpd-retryinterval 20
Phase2-interface
set phase1name "EM-IPSEC-WAN1"
set proposal aes256-md5 3des-sha1 aes192-sha1
set pfs disable
set ipv4-df disable
set replay enable
set keepalive disable
set add-route phase1
set auto-discovery-sender phase1
set auto-discovery-forwarder phase1
set keylife-type seconds
set encapsulation transport-mode
set l2tp enable
set comments "VPN: EM-IPSEC-WAN1 (Created by VPN wizard)"
set diffserv disable
set protocol 0
set src-port 0
set dst-port 0
set dhcp-ipsec disable
set keylifeseconds 3600
7.0.5 site
Phase1-interface
set type dynamic
set interface "wan1"
set ip-version 4
set ike-version 1
set local-gw 0.0.0.0
set keylife 86400
set authmethod psk
set mode main
set peertype any
set net-device disable
set exchange-interface-ip disable
set aggregate-member disable
set mode-cfg disable
set proposal aes256-md5 3des-sha1 aes192-sha1
set add-route enable
set localid ''
set localid-type auto
set negotiate-timeout 30
set fragmentation enable
set ip-fragmentation post-encapsulation
set dpd on-demand
set forticlient-enforcement disable
set comments "VPN: EM-Kratos-VPN (Created by VPN wizard)"
set npu-offload enable
set dhgrp 2
set suite-b disable
set wizard-type dialup-windows
set xauthtype disable
set idle-timeout disable
set ha-sync-esp-seqno enable
set auto-discovery-sender disable
set auto-discovery-receiver disable
set auto-discovery-forwarder disable
set nattraversal enable
set rekey enable
set enforce-unique-id disable
set fec-egress disable
set fec-ingress disable
set default-gw 0.0.0.0
set default-gw-priority 0
set psksecret ENC "key was here"
set keepalive 10
set distance 15
set priority 1
set dpd-retrycount 3
set dpd-retryinterval 20
Phase2-interface
set phase1name "EM-Gilat-VPN"
set proposal aes256-md5 3des-sha1 aes192-sha1
set pfs disable
set ipv4-df disable
set replay enable
set keepalive disable
set add-route phase1
set auto-discovery-sender phase1
set auto-discovery-forwarder phase1
set keylife-type seconds
set encapsulation transport-mode
set l2tp enable
set comments "VPN: EM-Gilat-VPN (Created by VPN wizard)"
set diffserv disable
set protocol 0
set src-port 0
set dst-port 0
set dhcp-ipsec disable
set keylifeseconds 3600
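The posted phase1 blocks use main mode with "peertype any" on a dynamic (dial-up) tunnel, which is exactly the combination the accepted solution replaces with aggressive mode and specific peer IDs. As an added example (not from the thread or from Fortinet), this small linter parses FortiOS phase1-interface blocks and flags that combination, plus the md5/3des/sha1 proposal algorithms seen above; the sample config is constructed, and the CLI mapping of "Specific peer ID" to "peertype one" + "peerid" is an assumption.

```python
import re

# Constructed sample (not a device export): "EM-IPSEC-WAN1" mirrors the dial-up
# phase1 posted in the thread, "EXAMPLE-FIXED" the accepted solution's settings.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "EM-IPSEC-WAN1"
        set type dynamic
        set mode main
        set peertype any
        set proposal aes256-md5 3des-sha1 aes192-sha1
    next
    edit "EXAMPLE-FIXED"
        set type dynamic
        set mode aggressive
        set peertype one
        set peerid "branch-a"
        set localid "hub"
        set proposal aes256-sha256
    next
end
"""
WEAK_ALGS = {"md5", "sha1", "3des", "des"}

def parse_phase1(text):
    """Return {tunnel_name: {setting: value}} for every 'edit' block."""
    tunnels, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = tunnels.setdefault(m.group(1), {})
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip("\"'")
    return tunnels

def lint_dialup(s):
    """Findings for one phase1-interface block; an empty list means clean."""
    out = []
    # Dial-up peers behind one NAT IP are told apart only by the IKE ID that
    # aggressive mode sends up front; main mode + peertype any merges them.
    if (s.get("type") == "dynamic" and s.get("mode", "main") == "main"
            and s.get("peertype", "any") == "any"):
        out.append("main mode + peertype any: peers sharing a WAN IP collide; "
                   "use aggressive mode, peertype one and a unique peerid")
    weak = set(re.split(r"[ -]", s.get("proposal", ""))) & WEAK_ALGS
    if weak:
        out.append("weak proposal algorithms: " + ", ".join(sorted(weak)))
    return out
```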
Yeah, looks ok now, of course, since it's working. I wonder if, in the non-working configuration, you had "set add-route enable" on. Without a route, the tunnel won't come up.
When you say "multi-site LAN extension" what options are you picking when running the VPN wizard?
Hello Wayupnorthguy!
Thanks for posting on the Fortinet Community Forum.
I found a document that may help:
https://www.fortinetguru.com/2017/10/ipsec-troubleshooting/
Can you tell me if it helped you please?
Kindest regards,