Hello,
I have an FG Firewall connected to FortiManager. This FortiGate establishes an IPSEC tunnel with the local Edge firewall. However, when no traffic from clients is generated, the tunnel remains down. I am looking for a method to keep these tunnels up.
Could anyone provide a method to ensure that the IPSEC tunnels between the FG Firewall and the local firewall stay up even when there is no traffic being generated?
Thanks!
Abdal
Hi Abdal,
You may use the option Keep Alive in the phase2 configuration. The option is to keep the tunnel active when no data is being processed. Please refer to the link below:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-the-IPSec-auto-negotiate-and-keepali...
Regards,
Babitha M
Thanks for reply, this option is enabled.
I want to establish and maintain an IPsec connection between the client on the left side and a proxy server on a VPN client, even when the VLAN interface, where the proxy server resides, is not physically connected to a switch or client that generates traffic. This absence of traffic can lead to the IPsec tunnel going down due to inactivity.
I'm looking for a method to keep the IPsec connection active between the client and the proxy server on the VLAN interface, even when there is no real traffic being generated by any connected device:
Created on 09-12-2023 12:55 AM Edited on 09-12-2023 12:56 AM
Hi @Abdal_opr ,
You can try the DPD settings, see if it helps.
The FortiGate unit provides a mechanism called Dead Peer Detection (DPD), sometimes referred to as gateway detection or ping server, to prevent this situation and to re-establish IKE negotiations automatically before a connection times out:
Reference article:
https://community.fortinet.com/t5/FortiClient/Technical-Tip-Configuring-DPD-dead-peer-detection-on-I...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Explanation-of-the-DPD-effect-on-a-dialup-...
If you have found a solution, please like and mark it as solved to make it easily accessible for everyone.
Thanks,
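Putting the two suggestions in this thread together (phase2 auto-negotiate/keepalive from the first reply, DPD on-idle from the second), the following is an added example FortiOS CLI configuration, not taken from the original thread or the linked articles. The tunnel names `to-edge-fw` / `to-edge-fw-p2` and the DPD timer values are placeholders, and the `#` annotations are reader comments, not CLI input.

```fortios
# Phase 1: probe the peer even when the tunnel is idle, so a dead
# gateway is detected and IKE is renegotiated without waiting for traffic.
config vpn ipsec phase1-interface
    edit "to-edge-fw"                  # placeholder tunnel name
        set dpd on-idle                # send DPD probes while no traffic flows
        set dpd-retryinterval 5        # seconds between probes (assumed value)
        set dpd-retrycount 3           # missed probes before the peer is declared dead
    next
end

# Phase 2: bring the SA up at boot / on phase1 establishment and keep it
# alive while idle, instead of waiting for a client packet to trigger it.
config vpn ipsec phase2-interface
    edit "to-edge-fw-p2"               # placeholder phase2 name
        set phase1name "to-edge-fw"
        set auto-negotiate enable      # negotiate and re-key the SA without traffic
        set keepalive enable           # keep the SA up when no data is processed
    next
end
```

Verify the result with `diagnose vpn ike gateway list` (phase1 state) and `diagnose vpn tunnel list name to-edge-fw` (phase2 SAs); the tunnel should show as up with no client traffic present.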
Even with Proxy IDs, there still need to be routes for the remote networks you're trying to reach over the vpn, pointing to the tunnel interface of the vpn. The reason is that though the palo supports proxy-ids like a policy-based tunnel, it's basically a route-based tunnel with proxy-id support.