Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Brustolin
New Contributor II

Created on ‎01-06-2023 01:22 PM

Multiple VPN IPSec using different IP's

Hello guys

 

Currently we have a necessity of deploying a lot of IPSec VPN's in different IP's from my WAN interface

For some reason that I don't know the VPN's only works if i enable "ping" with secondary addresses on Wan interface

 

Currently I have 30 IP's in secondary ips on my WAN. The FortiOS have a limitation of 32 IP's

If I don't enable ping, IPSec dont works and I receive this output

 

ike 0:ecea911495885ac4/0000000000000000:3203: responder: main mode get 1st message...
ike 0:ecea911495885ac4/0000000000000000:3203: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:ecea911495885ac4/0000000000000000:3203: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:ecea911495885ac4/0000000000000000:3203: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:ecea911495885ac4/0000000000000000:3203: VID FORTIGATE 8299031757A36082C6A621DE00000000
ike 0:ecea911495885ac4/0000000000000000:3203: negotiation result
ike 0:ecea911495885ac4/0000000000000000:3203: proposal id = 1:
ike 0:ecea911495885ac4/0000000000000000:3203: protocol id = ISAKMP:
ike 0:ecea911495885ac4/0000000000000000:3203: trans_id = KEY_IKE.
ike 0:ecea911495885ac4/0000000000000000:3203: encapsulation = IKE/none
ike 0:ecea911495885ac4/0000000000000000:3203: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:ecea911495885ac4/0000000000000000:3203: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:ecea911495885ac4/0000000000000000:3203: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:ecea911495885ac4/0000000000000000:3203: type=OAKLEY_GROUP, val=MODP1536.
ike 0:ecea911495885ac4/0000000000000000:3203: ISAKMP SA lifetime=86400
ike 0:ecea911495885ac4/0000000000000000:3203: SA proposal chosen, matched gateway VPN_WINOV_SP
ike 0: found VPN_WINOV_SP 200.195.149.26 6 -> 170.231.15.66:500
ike 0:VPN_WINOV_SP:3203: peer is FortiGate/FortiOS (v0 b0)
ike 0:VPN_WINOV_SP:3203: cookie ecea911495885ac4/4fea753eb08576f2
ike 0:VPN_WINOV_SP:3203: out ECEA911495885AC44FEA753EB08576F20110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN_WINOV_SP:3203: sent IKE msg (ident_r1send): 200.195.149.26:500->170.231.15.66:500, len=172, vrf=0, id=ecea911495885ac4/4fea753eb08576f2
ike 0: comes 170.231.15.66:500->200.195.149.26:500,ifindex=6,vrf=0....
ike 0: IKEv1 exchange=Identity Protection id=ecea911495885ac4/0000000000000000 len=172 vrf=0
ike 0: in ECEA911495885AC400000000000000000110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN_WINOV_SP:3203: retransmission, re-send last message
ike 0:VPN_WINOV_SP:3203: out ECEA911495885AC44FEA753EB08576F20110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN_WINOV_SP:3203: sent IKE msg (retransmit): 200.195.149.26:500->170.231.15.66:500, len=172, vrf=0, id=ecea911495885ac4/4fea753eb08576f2
ike 0:VPN_WINOV_SP:3203: out ECEA911495885AC44FEA753EB08576F20110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN_WINOV_SP:3203: sent IKE msg (P1_RETRANSMIT): 200.195.149.26:500->170.231.15.66:500, len=172, vrf=0, id=ecea911495885ac4/4fea753eb08576f2
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: IPsec SA connect 6 200.195.149.26->170.231.15.66:0
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: using existing connection
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: config found
ike 0:VPN_WINOV_SP: request is on the queue
ike 0: comes 170.231.15.66:500->200.195.149.26:500,ifindex=6,vrf=0....
ike 0: IKEv1 exchange=Identity Protection id=ecea911495885ac4/0000000000000000 len=172 vrf=0
ike 0: in ECEA911495885AC400000000000000000110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN_WINOV_SP:3203: retransmission, re-send last message
ike 0:VPN_WINOV_SP:3203: out ECEA911495885AC44FEA753EB08576F20110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN_WINOV_SP:3203: sent IKE msg (retransmit): 200.195.149.26:500->170.231.15.66:500, len=172, vrf=0, id=ecea911495885ac4/4fea753eb08576f2
ike 0:VPN_WINOV_SP:3203: out ECEA911495885AC44FEA753EB08576F20110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN_WINOV_SP:3203: sent IKE msg (P1_RETRANSMIT): 200.195.149.26:500->170.231.15.66:500, len=172, vrf=0, id=ecea911495885ac4/4fea753eb08576f2
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: IPsec SA connect 6 200.195.149.26->170.231.15.66:0
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: using existing connection
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: config found
ike 0:VPN_WINOV_SP: request is on the queue
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: IPsec SA connect 6 200.195.149.26->170.231.15.66:0
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: using existing connection
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: config found
ike 0:VPN_WINOV_SP: request is on the queue
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: IPsec SA connect 6 200.195.149.26->170.231.15.66:0
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: using existing connection
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: config found
ike 0:VPN_WINOV_SP: request is on the queue
ike 0: comes 170.231.15.66:500->200.195.149.26:500,ifindex=6,vrf=0....
ike 0: IKEv1 exchange=Identity Protection id=ecea911495885ac4/0000000000000000 len=172 vrf=0
ike 0: in ECEA911495885AC400000000000000000110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN_WINOV_SP:3203: retransmission, re-send last message
ike 0:VPN_WINOV_SP:3203: out ECEA911495885AC44FEA753EB08576F20110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN_WINOV_SP:3203: sent IKE msg (retransmit): 200.195.149.26:500->170.231.15.66:500, len=172, vrf=0, id=ecea911495885ac4/4fea753eb08576f2
ike 0:VPN_WINOV_SP:3203: out ECEA911495885AC44FEA753EB08576F20110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN_WINOV_SP:3203: sent IKE msg (P1_RETRANSMIT): 200.195.149.26:500->170.231.15.66:500, len=172, vrf=0, id=ecea911495885ac4/4fea753eb08576f2
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: IPsec SA connect 6 200.195.149.26->170.231.15.66:0
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: using existing connection
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: config found
ike 0:VPN_WINOV_SP: request is on the queue
ike 0:VPN_WINOV_SP:3201: d3fcd5f5f857c37f/0000000000000000 negotiation of IKE SA failed due to retry timeout
ike 0:VPN_WINOV_SP:3201: expiring IKE SA d3fcd5f5f857c37f/0000000000000000
ike 0:VPN_WINOV_SP: deleting
ike 0:VPN_WINOV_SP: deleted

 

Am I doing something wrong?

Bruno Brustolin
Cloud Engineer
Bruno BrustolinCloud Engineer
Labels:
1156
10 REPLIES 10
Brustolin
New Contributor II

Created on ‎11-09-2023 04:10 AM

Hi Mahin,

 

I opened a support ticket and they told me it is not possible get a VPN without secondary addresses on interface.
On the FortiOs 7.4 is possible insert more than 200 IP's in secondary addresses. This solved my problem

Bruno Brustolin
Cloud Engineer
Bruno BrustolinCloud Engineer
70
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.