Phase 1: SPFGIPsec2
- Local Interface: WAN1 (my FG100D, for the moment, is sitting inside my network's edge router, and I have the FG's WAN1 connected via VLAN 'directly' to the edge router, which one-to-one NATs a public IP address straight through to the FG's WAN1 port).
- Mode: Aggressive
- Authentication Method: Preshared Key
- Peer Options: Accept any peer ID
- Advanced:
  - Enable IPsec Interface Mode: checked
  - IKE Version 1
  - Mode Config: checked (I still don't understand what this does?)
  - Start IP: 192.168.8.97, End IP: 192.168.8.119
  - DNS Server: Specify: 192.168.8.34
  - Local Gateway IP: (I've tried it both ways, with the default "Main Interface IP" and explicitly "Specify: 192.168.8.35"; it makes no difference to my question below)
  - P1 Proposal: defaults
  - XAuth: Enable as Server, Server Type Auto, User Group ipsecvpn
  - NAT Traversal: enable

Phase 2: SPFGIPsec2b
- Phase 1: SPFGIPsec2
- Advanced: P2 Proposal: defaults; Quick Mode Selector: defaults (blanks/zeroes)

It caused me a huge loss of time, because I'd (stupidly?) assumed that, being both physically (no cable) and administratively (in the FG UI) down, it couldn't be involved in any way. But the mgmt interface had the FortiGate factory default IP address 192.168.1.99/24, which happens to be smack in the middle of my internal LAN's IP address space ... and that IP address was the last hop I saw on traceroutes through the VPN, which were dying right there; no connections would flow into the LAN through the VPN. (Connections bouncing off the FortiGate IPsec VPN - it's NOT in split-tunnel mode - to the Internet would work fine.) Made no sense at all. Sent me on a wild goose chase after the real 192.168.1.99 on my LAN (which has no fault at all).
When I finally tried reconfiguring the mgmt's IP address to something totally different (10.249.129.248/24), I still see the mgmt interface in all traceroutes which come in over the IPsec VPN, but now I can reach nodes on my internal LAN through the IPsec VPN, which before always got stopped at that fake 192.168.1.99 address. Why? What purpose does it serve to have this FortiGate mgmt interface in the middle of IPsec connections? Thank you, -Jay
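As an added example (not part of Jay's post and not a Fortinet tool), a small address-plan check that reproduces the collision described above: the factory-default mgmt port at 192.168.1.99/24 sitting inside the LAN, versus the re-addressed 10.249.129.248/24 that cleared the path. The LAN prefix 192.168.1.0/24 and the interface names are assumptions; the mgmt addresses and the mode-config pool come from the post.

```python
"""Flag FortiGate interface subnets that overlap each other or a mode-config
client pool, which is the fault pattern in the thread: the down-but-addressed
mgmt port shared the LAN's prefix and VPN traffic dead-ended on it.
All addresses below are constructed from the post for illustration."""
from ipaddress import ip_address, ip_interface, summarize_address_range


def pool_networks(start, end):
    """Express a start/end mode-config pool as a list of CIDR networks."""
    return list(summarize_address_range(ip_address(start), ip_address(end)))


def find_overlaps(interfaces, pools):
    """interfaces: {name: 'addr/prefix'}; pools: {name: (start_ip, end_ip)}.
    Returns sorted (name_a, name_b) pairs whose address space overlaps."""
    nets = {name: [ip_interface(cidr).network] for name, cidr in interfaces.items()}
    for name, (start, end) in pools.items():
        nets[name] = pool_networks(start, end)
    names = sorted(nets)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if any(x.overlaps(y) for x in nets[a] for y in nets[b]):
                overlaps.append((a, b))
    return overlaps


# Constructed: factory-default mgmt address inside an assumed 192.168.1.0/24 LAN.
BEFORE = {"mgmt": "192.168.1.99/24", "internal": "192.168.1.1/24"}
# Constructed: mgmt moved to the address Jay reported as fixing reachability.
AFTER = {"mgmt": "10.249.129.248/24", "internal": "192.168.1.1/24"}
# Mode-config pool from the Phase 1 settings in the post.
POOLS = {"ipsec_modecfg": ("192.168.8.97", "192.168.8.119")}

if __name__ == "__main__":
    for label, plan in (("factory default", BEFORE), ("re-addressed mgmt", AFTER)):
        hits = find_overlaps(plan, POOLS)
        print(f"{label}: {'no overlaps' if not hits else hits}")
```

Run it before bringing up a tunnel; an overlap between an administratively down interface and a production prefix is exactly the kind of thing the GUI status page will not warn about.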
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
PCNSE
NSE
StrongSwan
It is not related to the 192.168.1.0 numbering. I am seeing this too and our network is 10.x.x.x.
So what I am hearing from the rest of this thread is, "Yeah, it does that, don't worry about it; it might be fixed later when you upgrade."
I am trying to back up my FGT box to a TFTP server across the VPN tunnel. The source IP the packets get is 192.168.1.99 and the backup is failing. There is no 'set source-ip' option for the auto backup, so I am stuck. I opened a ticket with them. We shall see.