I thought it was possible to have the Hub hand out IP addresses via mode-cfg over the Dialup IPSec tunnel, but it doesn't seem to work. Is it supposed to work when a branch Fortigate dials into the Hub Fortigate?
Here are my IPSec configurations for the Hub and a Spoke.
(The tunnels are up, it's just that the spoke will not grab an IP Address or the Hub is not handing them out)
HUB:
config vpn ipsec phase1-interface
    edit "advpn_1"
        set type dynamic
        set interface "port3"
        set ike-version 2
        set peertype one
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set add-route disable
        set auto-discovery-sender enable
        set peerid "100"
        set ipv4-start-ip 172.50.100.100
        set ipv4-end-ip 172.50.103.200
        set ipv4-netmask 255.255.252.0
        set psksecret
        set dpd-retrycount 2
        set dpd-retryinterval 10
    next
end
-----------------------------------------------------------------
Spoke:
config vpn ipsec phase1-interface
    edit "advpn_1"
        set interface "wan2"
        set ike-version 2
        set peertype any
        set net-device enable
        set mode-cfg enable
        set proposal aes256-sha256
        set add-route disable
        set localid "100"
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts dependent
        set remote-gw x.x.x.x
        set psksecret
        set dpd-retrycount 2
        set dpd-retryinterval 10
    next
end
----------------------------------------------------------------
This is what I get when I run the commands below on the Spoke side:
diagnose ip router bgp level info
diag ip router bgp all enable
di de en
BGP: 172.50.100.1-Outgoing [FSM] State: Active Event: 9
BGP: 172.50.100.1-Outgoing [FSM] State: Connect Event: 9
BGP: 172.50.100.1-Outgoing [NETWORK] FD=26, Sock Status: 101-Network is unreachable
BGP: 172.50.100.1-Outgoing [FSM] State: Connect Event: 18
BGP: 172.50.100.1-Outgoing [FSM] State: Active Event: 9
BGP: 172.50.100.1-Outgoing [FSM] State: Connect Event: 9
BGP: 172.50.100.1-Outgoing [NETWORK] FD=26, Sock Status: 101-Network is unreachable
BGP: 172.50.100.1-Outgoing [FSM] State: Connect Event: 18
di de
BGP: 172.50.100.1-Outgoing [FSM] State: Active Event: 9
BGP: 172.50.100.1-Outgoing [FSM] State: Connect Event: 9
BGP: 172.50.100.1-Outgoing [NETWORK] FD=26, Sock Status: 101-Network is unreachable
BGP: 172.50.100.1-Outgoing [FSM] State: Connect Event: 18
This leads me to think the Spoke is not getting an IP from the Hub via IKE mode-cfg.
Greetings!
Could you provide the output of the command diagnose vpn ike gateway list
from the spoke after the tunnel is up?
The output will help us identify the spoke receiving the IP address from the hub.
Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
Why aren't my replies being saved in this post?
Created on 01-16-2025 08:20 AM
My previous replies apparently didn't save. I am trying in multiple replies.
Fifth attempt:
It does look like the Tunnels are getting IP addresses:
vd: root/0
name: advpn_1
version: 2
interface: wan2 6
addr: x.x.x.x:4500 -> x.x.x.x:4500
tun_id: x.x.x.x/::x.x.x.x
remote_location: 0.0.0.0
network-id: 0
created: 81724s ago
peer-id: x.x.x.x
peer-id-auth: no
assigned IPv4 address: 172.50.100.100/255.255.255.255
nat: peer
auto-discovery: 2 receiver
PPK: no
IKE SA: created 1/1 established 1/1 time 190/190/190 ms
IPsec SA: created 1/2 established 1/2 time 90/140/190 ms
id/spi: 406 fe1ba136cc42d3b1/f227432e431a463a
direction: initiator
status: established 81724-81724s ago = 190ms
proposal: aes256-sha256
child: no
SK_ei: 3b24718f4a29ed9c-d8b0f92cc802bfaf-69001bab48378b48-05ded5b554fb118b
SK_er: 37fbcc92dd9f518e-45866fb0fd003f72-e47d139b45f1ffb2-986578b7e0432d5b
SK_ai: 62e8c173d8d71dde-40a4b1a65fd6b677-c3b2ffae2b31037e-20aa7d4ca49de932
SK_ar: bcf7e7fd0b31edba-1240a680513ec3e4-f79b17e7a3913577-b662c8b626a8b6f3
PPK: no
message-id sent/recv: 3803/0
lifetime/rekey: 86400/4375
DPD sent/recv: 00000ede/00000ede
peer-id: x.x.x.x
For some reason the route to the Neighbor is not being injected. In this lab I am using an SDWan zone, which both tunnels are a member of. I have added the Neighbor subnets to the Hub BGP prefixes, but that's not going to help if the spoke can't pull routing from the Hub. I have tried adding a static route in the spoke for the neighbor subnets, but then I get a reverse path error on the Hub. When I had the tunnels statically IP'd, the only static route I needed was a 10DOT Blackhole route. So now I have added a static route to both the Hub and Spoke for the Neighborhood subnets and now it's working. I guess it makes sense; for whatever reason I was under the impression that the routes for the Neighborships would be auto-injected.
Interface IPs can be exchanged between the two peers either via "set exchange-interface-ip enable" in phase1 configuration, or if using ADVPN this option is auto-enabled by force.
Have a look at the ike debugs when the phase1 is being established. You're looking for lines like:
"VID Fortinet Exchange Interface IP"
"add INTERFACE-ADDR4 <other-side's-IP>"
"received p1 notify type INTERFACE-ADDR4"
"add connected route <local-ip> -> <other-side's-IP>"
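The two symptoms in this thread (a BGP socket failing with "Network is unreachable" from the spoke, and a mode-cfg address that arrives as a /32 with no connected route to the hub's tunnel IP) can be checked mechanically from the artefacts already posted. The script below is an added example and not part of the thread or of any Fortinet tool: it parses the hub's phase1 pool lines, the "assigned IPv4 address" line of the spoke's diagnose vpn ike gateway list output, and the spoke's BGP debug lines, then reports whether the assigned address falls in the hub pool and whether the unreachable neighbor sits inside that pool but behind a /32 assignment. The sample inputs are constructed from the values in the thread (the hub tunnel IP 172.50.100.1 is taken from the BGP debug lines); anything not in the thread, such as the function names, is an assumption of this example.

```python
"""Sanity-check a FortiGate mode-cfg / ADVPN spoke against the hub's pool.

Added example, not from the forum thread. It correlates three artefacts a
practitioner collects: the hub phase1 'ipv4-start-ip', 'ipv4-end-ip' and
'ipv4-netmask' lines, the spoke's 'diagnose vpn ike gateway list' output and
the spoke's BGP debug lines.
"""
import ipaddress
import re

# Constructed sample input modelled on the thread (real addresses are redacted there).
HUB_PHASE1 = """\
config vpn ipsec phase1-interface
    edit "advpn_1"
        set mode-cfg enable
        set ipv4-start-ip 172.50.100.100
        set ipv4-end-ip 172.50.103.200
        set ipv4-netmask 255.255.252.0
    next
end
"""

SPOKE_GATEWAY_LIST = """\
name: advpn_1
assigned IPv4 address: 172.50.100.100/255.255.255.255
auto-discovery: 2 receiver
"""

SPOKE_BGP_DEBUG = """\
BGP: 172.50.100.1-Outgoing [FSM] State: Connect Event: 9
BGP: 172.50.100.1-Outgoing [NETWORK] FD=26, Sock Status: 101-Network is unreachable
"""


def parse_hub_pool(config):
    """Return (start, end, netmask) from the hub phase1 stanza."""
    def grab(key):
        m = re.search(rf"^\s*set {key} (\S+)", config, re.M)
        if not m:
            raise ValueError(f"missing 'set {key}' in hub config")
        return m.group(1)
    return (ipaddress.ip_address(grab("ipv4-start-ip")),
            ipaddress.ip_address(grab("ipv4-end-ip")),
            grab("ipv4-netmask"))


def parse_assigned_ip(gateway_list):
    """Return the mode-cfg address as an IPv4Interface (address + mask), or None."""
    m = re.search(r"^assigned IPv4 address: (\S+)/(\S+)", gateway_list, re.M)
    if not m:
        return None
    return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")


def parse_unreachable_neighbors(bgp_debug):
    """Neighbor IPs whose outgoing TCP connect logged 'Network is unreachable'."""
    pat = re.compile(r"^BGP: (\S+)-Outgoing \[NETWORK\].*Network is unreachable", re.M)
    return sorted(set(pat.findall(bgp_debug)))


def diagnose(hub_config, gateway_list, bgp_debug):
    """Return a list of finding strings; an empty list means nothing suspicious."""
    findings = []
    start, end, netmask = parse_hub_pool(hub_config)
    # Pool network as the hub sees it, e.g. 172.50.100.0/22 for the thread's values.
    pool = ipaddress.ip_network(f"{start}/{netmask}", strict=False)
    assigned = parse_assigned_ip(gateway_list)
    if assigned is None:
        findings.append("no 'assigned IPv4 address' on spoke: mode-cfg did not hand out an IP")
        return findings
    if not (start <= assigned.ip <= end):
        findings.append(f"assigned {assigned.ip} is outside hub pool {start}-{end}")
    for nbr in parse_unreachable_neighbors(bgp_debug):
        nbr_ip = ipaddress.ip_address(nbr)
        if nbr_ip not in pool:
            findings.append(f"BGP neighbor {nbr} is not in pool network {pool}")
        elif assigned.network.prefixlen == 32:
            # A /32 assignment gives the spoke no connected route towards the hub's
            # tunnel IP; the route appears only when the interface IP is exchanged
            # (exchange-interface-ip / ADVPN) or a static route is added.
            findings.append(
                f"BGP neighbor {nbr} is inside {pool} but the spoke holds {assigned} (a /32), "
                "so no connected route exists; check the ike debug for INTERFACE-ADDR4 "
                "or add a static route")
    return findings


if __name__ == "__main__":
    for line in diagnose(HUB_PHASE1, SPOKE_GATEWAY_LIST, SPOKE_BGP_DEBUG) or ["no findings"]:
        print(line)
```

Run it against your own pasted outputs by replacing the three constructed strings; the regexes only need the lines shown, so the rest of the diagnose output can stay in place.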