matteocostanzo
New Contributor II

No autoRekey Site to Site Watchguard

Hi everyone

I have created various site-to-site VPNs between my Fortinet and some WatchGuard firewalls.

I don't understand why the tunnels fail to auto-rekey at the end of the lifetime. Even if they look up, in truth they are no longer working and I have to force a rekey by hand.

Sometimes this happens even on the WatchGuard side and not on the Fortinet side.

Any ideas?

adambomb1219
SuperUser

Do all phase 1/2 parameters match? Do they have the same tunnel lifetime on both sides? Is DPD enabled on both sides?

matteocostanzo
New Contributor II

All parameters match. DPD is enabled on both with the same values.
Everything is the same on both sides.

The only way to get the VPNs working is a manual rekey on the WatchGuard.

Both the Fortinet and WatchGuard devices have the latest firmware version available.

I do not understand.

srajeswaran

Just a guess: can you check if the FortiGate is always in the "responder" role? Run "diagnose vpn ike gateway list name <Name>" and look for the role specified under "direction:".

If that's the case, maybe there is a configuration on the WatchGuard side to allow incoming VPN connections (maybe enabling the service under the interface or something like that).

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
matteocostanzo
New Contributor II

I confirm that the Fortinet is in this mode.

direction: responders

I don't understand what I should check on the WatchGuard side. Maybe I don't understand from English to Italian.

Can you explain it to me in another way?

Otherwise, can I make changes on the Fortinet side to solve it?

srajeswaran

Some vendors don't allow the IKE/VPN service by default on their interfaces, which means we cannot initiate a tunnel towards them, but they can initiate a tunnel, and when we reply they will process that even if the service is not enabled on the interface.

For example, we use "set allowaccess ping https ssh http telnet" under the FortiGate interface configuration to allow these services. Let's say we don't have ping enabled under this interface: it means no one can ping us, but we can ping and it will work. I am talking about a similar option for IKE/VPN on the WatchGuard side.

I think if you just clear the tunnel from the FortiGate side, it will try to initiate a new tunnel. Can you check if the "direction" becomes Initiator on the FortiGate side?
If we see the FortiGate side as initiator then my theory is wrong and it could be some other issue.

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
matteocostanzo

I knocked the whole tunnel down from the Fortinet side.

It came back up when I generated some traffic.

And now it says:

direction: initiator

What does this mean?

srajeswaran

Thanks for testing. This confirms it is most likely not a service allow issue, but you mentioned that you had to start traffic to initiate the tunnel again.

Can you check if "auto-negotiate" is enabled under the phase2 interface?

# config vpn ipsec phase2-interface
    edit <phase2_name>
        set auto-negotiate enable
    next
end

Ref: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-the-IPSec-auto-negotiate-and-keepali...

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
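As an added example, not code from the thread or from Fortinet, a small Python audit that ties the two checks above together: it scans a phase2-interface config block in the format shown for entries missing "set auto-negotiate enable", and a constructed excerpt of the diagnose output (the "name:"/"direction:" layout is an assumption; only those two fields are read) for gateways stuck in the responder role, then reports the tunnels that would sit down after the SA lifetime until someone rekeys by hand.

```python
import re

# Constructed FortiOS config excerpt in the thread's own phase2-interface style.
SAMPLE_CONFIG = """\
config vpn ipsec phase2-interface
    edit "to_wg_site1"
        set auto-negotiate enable
        set keylifeseconds 3600
    next
    edit "to_wg_site2"
        set keylifeseconds 3600
    next
end
"""

# Constructed excerpt in the style of `diagnose vpn ike gateway list` (layout assumed).
SAMPLE_GATEWAYS = """\
name: to_wg_site1
direction: initiator

name: to_wg_site2
direction: responder
"""

def phase2_without_auto_negotiate(config: str) -> list[str]:
    """Phase2 names whose block lacks 'set auto-negotiate enable'."""
    block = re.search(r"config vpn ipsec phase2-interface\n(.*?)^end", config, re.S | re.M)
    if not block:
        return []
    entries = re.findall(r'edit "?([^"\n]+)"?\n(.*?)^\s*next', block.group(1), re.S | re.M)
    return [name for name, body in entries
            if not re.search(r"^\s*set auto-negotiate enable\s*$", body, re.M)]

def responder_gateways(diag_output: str) -> list[str]:
    """Gateway names whose IKE role is reported as responder (one record per blank-separated block)."""
    names = []
    for entry in re.split(r"\n\s*\n", diag_output.strip()):
        name = re.search(r"^name:\s*(\S+)", entry, re.M)
        direction = re.search(r"^direction:\s*(\w+)", entry, re.M)
        # The thread's own output shows "responders", so match the prefix, not the exact word.
        if name and direction and direction.group(1).lower().startswith("responder"):
            names.append(name.group(1))
    return names

def tunnels_at_risk(config: str, diag_output: str) -> list[str]:
    """Passive responders that will also not re-initiate on their own after the SA expires."""
    missing = set(phase2_without_auto_negotiate(config))
    return sorted(n for n in responder_gateways(diag_output) if n in missing)
```

On a real box, feed it the output of "show vpn ipsec phase2-interface" and "diagnose vpn ike gateway list" instead of the constructed samples.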
matteocostanzo

No, it was disabled; now I have enabled it.

Right?

Screenshot 2023-05-18 141424.png

srajeswaran

Great, I believe this will fix the issue. Please monitor.

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.