Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jamolloy
New Contributor

Multiple Dialup Clients - Single Remote Gateway

Hoping for some clarity on an issue I am experiencing. 

We have a partnership with an organization with 16+ remote sites all over our city. These sites connect to their WAN using 1-2 public IPs at their main office and have no interest in playing nice when it comes to static IP/NAT assignment for us.

 

I have been tasked with configuring x6 FG-80F (OS 7.0.5) appliances to connect to our FG-100F (OS 7.0.1) at our datacenter

 

Each “remote site” has its own /28 local subnet, with 4-6 devices connected at each. We will exist inside their network in our own little bubble(s).

 

Configuring each of these 80Fs as dialup clients with “behind NAT enabled”, I have set the Phase1 with specific Client/Peer IDs, unique Pre-shared Keys, and set Aggressive IKEv1. Phase2 is set with unique named subnets, with the respective /28 network set.

 

The issue I have is it appears only 1 device will connect at a time – it was my understanding the unique Peer IDs/aggressive mode would resolve this. I have had “luck” tinkering with configs and bringing a second one online at the same time (dumb luck), but a reboot kills the connection and once again, only 1 will reconnect.

 

Here is the config on one of the remote devices:

 

config vpn ipsec phase1-interface

    edit "Site1-to-DT"

        set interface "wan1"

        set keylife 86400

        set mode aggressive

        set peertype one

        set net-device disable

        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 des-md5

        set localid "6"

        set dpd on-idle

        set peerid "6"

        set psksecret ENC REDACTED

    next

end

config vpn ipsec phase2-interface

    edit "Site1-to-DT"

        set phase1name "Site1-to-DT"

        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256

        set auto-negotiate enable

        set src-addr-type name

        set dst-addr-type name

        set keylifeseconds 43200

        set src-name "Site1-to-DT_local"

        set dst-name "Site1-to-DT_remote"

    next

end

 

Here is the config for Site1 on our Main FG-100F

 

config vpn ipsec phase1-interface

    edit "Site1-NAT"

        set type dynamic

        set interface "wan1"

        set keylife 86400

        set mode aggressive

        set peertype one

        set net-device enable

        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 des-md5

        set localid "6"

        set dpd on-idle

        set peerid "6"

        set psksecret ENC REDACTED

        set dpd-retryinterval 60

    next

end

config vpn ipsec phase2-interface

    edit "Site1-NAT"

        set phase1name "Site1-NAT"

        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256

        set keepalive enable

        set src-addr-type name

        set dst-addr-type name

        set keylifeseconds 43200

        set src-name "DT-Site1_local"

        set dst-name "DT-Site1_remote"

    next

 

 

 

Debug shows nothing super interesting, other than phase1 cannot be established:

 

ike 0:Site1-to-DT:0: sent IKE msg (agg_i1send): xxx.xxx.xxx.x:500->DataCenterIP:500, len=733, vrf=0, id=ebb80440a37b0ae9/0000000000000000

ike 0:Site1-to-DT:Site1-to-DT: IPsec SA connect 5 xxx.xxx.xxx.x->DataCenterIP:0

ike 0:Site1-to-DT:Site1-to-DT: using existing connection

ike 0:Site1-to-DT:Site1-to-DT: config found

ike 0:Site1-to-DT:Site1-to-DT: IPsec SA connect 5 xxx.xxx.xxx.x->DataCenterIP:500 negotiating

ike 0:Site1-to-DT:0:Site1-to-DT:0: ISAKMP SA still negotiating, queuing quick-mode request

ike 0:Site1-to-DT:0: out

ike 0:Site1-to-DT:0: sent IKE msg (P1_RETRANSMIT): xxx.xxx.xxx.x:500->DataCenterIP:500, len=733, vrf=0, id=ebb80440a37b0ae9/0000000000000000

ike 0:Site1-to-DT:Site1-to-DT: IPsec SA connect 5 xxx.xxx.xxx.x->DataCenterIP:0

ike 0:Site1-to-DT:Site1-to-DT: using existing connection

ike 0:Site1-to-DT:Site1-to-DT: config found

ike 0:Site1-to-DT: request is on the queue

 

 

I have no packet loss on the Datacenter Fortigate and have verified port 500 traffic is being received from the remote NAT IP.

 

Turning off the devices and waiting until the key lifetime has expires enables me to bring another device online. Am I missing something here? Is it not possible to have two dialup clients from the same Remote Gateway IP at the same time? It sure does feel like a real-life use case to me. 

 

Other referenced materials (plus a LOT of Google Searching):

Technical Tip: How to use Peer IDs to select an IP... - Fortinet Community

 

4 REPLIES 4
pkavin
Staff
Staff

Hello, 

 

You could use overlay-id in your configuration to separate IPsec VPN tunnels based on the IDs configured. This is not the same as peer id and a Fortinet proprietary feature. So, it will only work for VPN tunnels between FortiGates. But, as you mentioned that you are creating VPN tunnels between FortiGates, you should not have any issues. Below is an article on how to configure overlay-id.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-multiple-VPN-tunnels-from...

 

 

Kavin
Toshi_Esumi
SuperUser
SuperUser

If you have one phase1-interface per remote site, just one pair of "peerid" and "localid" should let the "DT" side identify which phase1 is for the request from one remote location like in this KB.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Use-of-PeerID-and-LocalID-in-IPsec-VPN-bet...

It's not really "dialup" so to speak where one phase1 terminate multiple locations or VPN client devices.

 

I'm not sure if it would work well (apparently working in your case) when you configure same "ID=6" on both peerid and localid on one side as in your config. Just make sure you use unique ID per reomte location. I would use like "remote1", "remote2", etc.

 

Toshi

 

vponmuniraj
Staff
Staff

Hi,

 

Set the peer ID to any at the 100F. You can use any local ID on the remote device now, make them unique at all the remote locations. 

 

Ensure to collect debugs on both sides, the debug shared shows P1 retransmit. We need the debug from the hub to see if the packets were received and replied / or dropped during transit. 

 

 

Regards,

Vignesh
sjoshi
Staff
Staff

Hi

 

Set the peer id to Peer ID from dialup group and follow the below kb article:-

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-a-FortiGate-as-IPsec-VPN-...

Salon Raj Joshi
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors