Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Namesuser
New Contributor

Multiple VPN Connections

The Issue:

We can only ever have one VPN user connected at any one time! If another user tries to connect they will kick the other person off. Access to the network, if connected to the VPN, is fine. We will change config soon, however we need this issue resolved in the meantime; any help will be very much appreciated.

Device: FortiGate 100D
Firmware: v5.0,build0252 (GA Patch 5)

Our LAN address: 5.5.10.1 - 5.5.10.239 /24

VPN Config:

IPsec, accept any peer ID
IKE version 1
Mode Config enabled: Start IP 5.5.10.240, End IP 5.5.10.254, DNS 5.5.5.10

P1 Proposal: AES256 SHA1, DH Group 5, Keylife 28800

XAUTH: enabled as server, server type Auto, user group VPN
Dead Peer Detection enabled

P2 Proposal:
1 - Encryption: AES128, Authentication: SHA1
2 - Encryption: AES128, Authentication: SHA1
Enable replay detection
Enable perfect forward secrecy (PFS)
Keylife: Seconds: 28800

Thanks

emnoc
Esteemed Contributor III

Here's how I suggest you do it:

config vpn ipsec phase1-interface
    edit "DialupWarrior"
        set type dynamic
        set interface "wan1"
        set dhgrp 2
        set peertype one
        set xauthtype auto
        set mode aggressive
        set mode-cfg enable
        set proposal aes256-md5 aes256-sha1
        set negotiate-timeout 15
        set peerid "defined a peerid"    <----- this would be the groupname for us cisco guys
        set authusrgrp "DialRemUSERS"
        set ipv4-start-ip 192.168.91.1
        set ipv4-end-ip 192.168.91.10
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "NETWORK_192.168.254.0"    <----- optional for split tunnel, define an addr or addrgroup
        set psksecret ENC BAAAACrBjgTZw9qZM1PBAIvf639qcM5GHQ3YruMjynTbxfq2raDZXa2jmdqd7zMdkVw4VRMhng2Uz4qRT3fHNrJK44a+Qf0stu5eBFcK7KvBOlEf
    next
end

config vpn ipsec phase2-interface
    edit "DialupWarrior2"
        set keepalive enable
        set pfs disable
        set phase1name "DialupWarrior"
        set proposal aes256-md5 aes256-sha1
    next
end

and in your group you have the users:

config user group
    edit "DialRemUSERS"
        set member "user1" "user2" "user3" "user4" "user5" "kfelixsslvpn"
    next
end


Diag debug flow is your friend btw. I would suggest you use it for diagnostics of your current problems.

Ken

PCNSE NSE StrongSwan
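As an added check (my own code, not from this thread or from Fortinet), a small Python parser for the CLI shape of the config above that reports the size of the mode-cfg address pool (mode-cfg hands each connected client one pool address, so the pool bounds how many dial-up users can be up at once), flags a pool that sits inside the LAN prefix, and flags the aes256-md5 proposals, DH group 2 and pfs disable from the reply as settings a defender would want to tighten. The sample config and the LAN prefix are constructed placeholders, not the poster's real configuration.

```python
import ipaddress
# Constructed sample in the CLI shape of the reply above (placeholder values, not the poster's config).
SAMPLE_CFG = """config vpn ipsec phase1-interface
    edit "DialupWarrior"
        set dhgrp 2
        set ipv4-start-ip 5.5.10.240
        set ipv4-end-ip 5.5.10.254
    next
end
config vpn ipsec phase2-interface
    edit "DialupWarrior2"
        set pfs disable
        set proposal aes256-md5 aes256-sha1
    next
end
"""
def parse_fortios(text):
    """Return {(table, name): {key: [values]}} for each 'edit' block."""
    entries, table, name = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = line[7:]
        elif line.startswith("edit "):
            name = line[5:].strip('"')
            entries[(table, name)] = {}
        elif line.startswith("set ") and name is not None:
            key, _, rest = line[4:].partition(" ")
            entries[(table, name)][key] = [v.strip('"') for v in rest.split()]
        elif line == "next":
            name = None
    return entries
def review_dialup(text, lan_cidr):
    """Flag settings a defender would question in a dial-up IPsec tunnel."""
    lan, findings = ipaddress.ip_network(lan_cidr), []
    for (table, name), s in parse_fortios(text).items():
        if "ipv4-start-ip" in s and "ipv4-end-ip" in s:
            start, end = (ipaddress.ip_address(s[k][0]) for k in ("ipv4-start-ip", "ipv4-end-ip"))
            # mode-cfg hands out one pool address per connected client
            findings.append(f"{name}: mode-cfg pool of {int(end) - int(start) + 1} addresses")
            if start in lan or end in lan:
                findings.append(f"{name}: pool overlaps LAN {lan}")
        if s.get("dhgrp", ["0"])[0] in ("1", "2", "5"):
            findings.append(f"{name}: weak DH group {s['dhgrp'][0]}")
        if any("md5" in p for p in s.get("proposal", [])):
            findings.append(f"{name}: proposal allows MD5")
        if table.endswith("phase2-interface") and s.get("pfs") == ["disable"]:
            findings.append(f"{name}: PFS disabled")
    return findings
```

Run it against a `show vpn ipsec phase1-interface` / `phase2-interface` dump and the LAN prefix to get the same list of findings for a real box.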
Namesuser
New Contributor

*set type dynamic
*set dhgrp 2 (currently on 5)
*set peertype one (is this option only in CLI?)
*set proposal aes256-md5 aes256-sha1 (currently aes256-sha1)
*set negotiate-timeout 15 (Can't see this option - CLI only?)
*set peerid "defined a peerid" (we currently have accept any peer ID, however the VPN group as user group - should it still work?)
-phase2
*set keepalive enable
*set pfs disable
*set proposal aes256-md5 aes256-sha1

"Diag debug flow is your friend btw. I would suggest you use it for diagnostics of your current problems."

Hi Ken, thanks a lot for the response.

I've made some notes on the above, can you advise further please?

Also, is the config I currently have incorrect? I think the Keepalive has not been enabled, probably causing the current config to only allow one person?

emnoc
Esteemed Contributor III

I don't think that's the issue, but without seeing the "actual" cfg I can't offer a definite answer; what you posted does seem strange or unique. I never heard of only one active session unless it was an ip_assignment issue.

Are you logging in with a 2nd unique user or the same login?

PCNSE NSE StrongSwan