Hoping for some clarity on an issue I am experiencing.
We have a partnership with an organization with 16+ remote sites all over our city. These sites connect to their WAN using 1-2 public IPs at their main office and have no interest in playing nice when it comes to static IP/NAT assignment for us.
I have been tasked with configuring six FG-80F (OS 7.0.5) appliances to connect to our FG-100F (OS 7.0.1) at our datacenter.
Each “remote site” has its own /28 local subnet, with 4-6 devices connected at each. We will exist inside their network in our own little bubble(s).
Configuring each of these 80Fs as dialup clients with “behind NAT enabled”, I have set the Phase1 with specific Client/Peer IDs, unique Pre-shared Keys, and set Aggressive IKEv1. Phase2 is set with unique named subnets, with the respective /28 network set.
The issue I have is it appears only 1 device will connect at a time – it was my understanding the unique Peer IDs/aggressive mode would resolve this. I have had “luck” tinkering with configs and bringing a second one online at the same time (dumb luck), but a reboot kills the connection and once again, only 1 will reconnect.
Here is the config on one of the remote devices:
config vpn ipsec phase1-interface
    edit "Site1-to-DT"
        set interface "wan1"
        set keylife 86400
        set mode aggressive
        set peertype one
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 des-md5
        set localid "6"
        set dpd on-idle
        set peerid "6"
        set psksecret ENC REDACTED
    next
end
config vpn ipsec phase2-interface
    edit "Site1-to-DT"
        set phase1name "Site1-to-DT"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
        set auto-negotiate enable
        set src-addr-type name
        set dst-addr-type name
        set keylifeseconds 43200
        set src-name "Site1-to-DT_local"
        set dst-name "Site1-to-DT_remote"
    next
end
Here is the config for Site1 on our main FG-100F:
config vpn ipsec phase1-interface
    edit "Site1-NAT"
        set type dynamic
        set interface "wan1"
        set keylife 86400
        set mode aggressive
        set peertype one
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 des-md5
        set localid "6"
        set dpd on-idle
        set peerid "6"
        set psksecret ENC REDACTED
        set dpd-retryinterval 60
    next
end
config vpn ipsec phase2-interface
    edit "Site1-NAT"
        set phase1name "Site1-NAT"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
        set keepalive enable
        set src-addr-type name
        set dst-addr-type name
        set keylifeseconds 43200
        set src-name "DT-Site1_local"
        set dst-name "DT-Site1_remote"
    next
end
Debug shows nothing super interesting, other than phase1 cannot be established:
ike 0:Site1-to-DT:0: sent IKE msg (agg_i1send): xxx.xxx.xxx.x:500->DataCenterIP:500, len=733, vrf=0, id=ebb80440a37b0ae9/0000000000000000
ike 0:Site1-to-DT:Site1-to-DT: IPsec SA connect 5 xxx.xxx.xxx.x->DataCenterIP:0
ike 0:Site1-to-DT:Site1-to-DT: using existing connection
ike 0:Site1-to-DT:Site1-to-DT: config found
ike 0:Site1-to-DT:Site1-to-DT: IPsec SA connect 5 xxx.xxx.xxx.x->DataCenterIP:500 negotiating
ike 0:Site1-to-DT:0:Site1-to-DT:0: ISAKMP SA still negotiating, queuing quick-mode request
ike 0:Site1-to-DT:0: out
ike 0:Site1-to-DT:0: sent IKE msg (P1_RETRANSMIT): xxx.xxx.xxx.x:500->DataCenterIP:500, len=733, vrf=0, id=ebb80440a37b0ae9/0000000000000000
ike 0:Site1-to-DT:Site1-to-DT: IPsec SA connect 5 xxx.xxx.xxx.x->DataCenterIP:0
ike 0:Site1-to-DT:Site1-to-DT: using existing connection
ike 0:Site1-to-DT:Site1-to-DT: config found
ike 0:Site1-to-DT: request is on the queue
I have no packet loss on the Datacenter Fortigate and have verified port 500 traffic is being received from the remote NAT IP.
Turning off the devices and waiting until the key lifetime has expired enables me to bring another device online. Am I missing something here? Is it not possible to have two dialup clients from the same remote gateway IP at the same time? It sure does feel like a real-life use case to me.
Other referenced materials (plus a LOT of Google Searching):
Technical Tip: How to use Peer IDs to select an IP... - Fortinet Community
Hello,
You could use overlay-id in your configuration to separate IPsec VPN tunnels based on the IDs configured. This is not the same as peer ID, and it is a Fortinet proprietary feature, so it will only work for VPN tunnels between FortiGates. But, as you mentioned that you are creating VPN tunnels between FortiGates, you should not have any issues. Below is an article on how to configure overlay-id.
If you have one phase1-interface per remote site, just one pair of "peerid" and "localid" should let the "DT" side identify which phase1 is for the request from one remote location like in this KB.
It's not really "dialup", so to speak, where one phase1 terminates multiple locations or VPN client devices.
I'm not sure if it would work well (apparently it is working in your case) when you configure the same "ID=6" on both peerid and localid on one side as in your config. Just make sure you use a unique ID per remote location. I would use something like "remote1", "remote2", etc.
Toshi
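A small check one could run over a hub-side FortiGate config dump to catch the ID pattern discussed in the reply above: an entry whose localid equals its peerid, or several dynamic phase1-interface entries that share one peerid and so cannot be told apart by peer ID. This is an added example, not code from the thread or from Fortinet; the sample config is constructed and "Site2-NAT" is hypothetical.

```python
from collections import defaultdict

# Constructed hub-side sample: the thread's "Site1-NAT" plus a hypothetical "Site2-NAT" reusing peerid "6".
SAMPLE_CONFIG = """config vpn ipsec phase1-interface
    edit "Site1-NAT"
        set type dynamic
        set peertype one
        set localid "6"
        set peerid "6"
    next
    edit "Site2-NAT"
        set type dynamic
        set peertype one
        set localid "DT"
        set peerid "6"
    next
end"""

def parse_phase1(text):
    """Map each edit block under 'config vpn ipsec phase1-interface' to its settings."""
    entries, current, in_section = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config vpn ipsec phase1-interface":
            in_section = True
        elif line == "end":
            in_section, current = False, None
        elif in_section and line.startswith("edit "):
            current = line[5:].strip().strip('"')
            entries[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            entries[current][key] = value.strip().strip('"')
    return entries

def find_id_conflicts(entries):
    """Flag dynamic phase1s that share a peerid, and entries whose localid equals peerid."""
    findings, by_peerid = [], defaultdict(list)
    for name, s in entries.items():
        if s.get("localid") and s["localid"] == s.get("peerid"):
            findings.append(f"{name}: localid and peerid are both {s['localid']!r}")
        if s.get("type") == "dynamic" and s.get("peertype") == "one":
            by_peerid[s.get("peerid")].append(name)
    for pid, names in by_peerid.items():
        if len(names) > 1:
            findings.append(f"peerid {pid!r} is shared by dynamic phase1s {names}")
    return findings
```

Run it against `show vpn ipsec phase1-interface` output saved to a file; an empty result means every dynamic phase1 on the hub has a distinct peerid.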
Hi,
Set the peer ID to any at the 100F. You can use any local ID on the remote device now, make them unique at all the remote locations.
Ensure to collect debugs on both sides, the debug shared shows P1 retransmit. We need the debug from the hub to see if the packets were received and replied / or dropped during transit.
Regards,
Hi
Set the peer ID to "Peer ID from dialup group" and follow the KB article below: