Hi everyone
I have created various site-to-site VPNs between my Fortinet and some WatchGuard firewalls.
I don't understand why the tunnels fail to auto-rekey at the end of the lifetime. Even if they look up, in truth they are no longer working and I have to force a rekey by hand.
Sometimes even on the WatchGuard side and not on the Fortinet side.
Any ideas??
Do all phase 1/2 metrics match? Do they have the same tunnel lifetime on both sides? Is DPD enabled on both sides?
All parameters match. DPD enabled on both with the same values.
All the same on both sides.
The only way to get the VPNs working is a manual rekey on the WatchGuard.
Both Fortinet and WatchGuard devices have the latest firmware version available.
I do not understand.
Just a guess, can you check if the FortiGate is always in the "responder" role? Run diagnose vpn ike gateway list name <Name> and look for the role specified under "direction: ".
If that's the case, maybe there is a configuration on the WatchGuard side to allow incoming VPN connections (maybe enabling the service under the interface or something like that).
I confirm that Fortinet is in this mode.
direction: responders
I don't understand what I should check on the WatchGuard side. Maybe I don't understand from English to Italian.
Can you explain it to me in another way??
Otherwise, can I make changes on the Fortinet side to solve it??
Some vendors don't allow the IKE/VPN service by default on their interfaces, which means we cannot initiate a tunnel towards them, but they can initiate a tunnel, and when we reply they will process that even if the service is not enabled on the interface.
For example, we use "set allowaccess ping https ssh http telnet" under the FortiGate interface configuration to allow these services. Let's say we don't have ping enabled under this interface: it means no one can ping us, but we can ping and it will work. I am talking about a similar option for IKE/VPN on the WatchGuard side.
I think if you just clear the tunnel from the FortiGate side, it will try to initiate a new tunnel. Can you check if the "direction" becomes initiator on the FortiGate side?
If we see the FortiGate side as initiator, then my theory is wrong and it could be some other issue.
I knocked the whole tunnel down from the Fortinet side.
It resurfaced after I made a traffic request.
And now it says:
direction: initiator
What does this mean??
Thanks for testing; this confirms it is most likely not a service-allow issue, but you mentioned that you had to start traffic to initiate the tunnel again.
Can you check if "auto-negotiate" is enabled under the phase2 interface?
# config vpn ipsec phase2-interface
edit <phase2_name>
set auto-negotiate enable
next
end
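As an added example (not code from any poster in this thread), a small check that combines the two diagnostics discussed above: it reads the role under "direction:" from diagnose vpn ike gateway list output and the auto-negotiate setting from show vpn ipsec phase2-interface, and lists tunnels where the FortiGate only ever acts as responder and has no phase2 selector that would renegotiate on its own. Both text samples are constructed, not captured from a real device; in FortiOS auto-negotiate defaults to disable, so an entry that does not set it counts as disabled.

```python
# Constructed sample of `diagnose vpn ike gateway list` output (not from a real device).
IKE_GATEWAY_LIST = """\
name: to_watchguard_a
  direction: responder
name: to_watchguard_b
  direction: initiator
"""
# Constructed sample of `show vpn ipsec phase2-interface` output.
PHASE2_CONFIG = """\
config vpn ipsec phase2-interface
    edit "to_watchguard_a_p2"
        set phase1name "to_watchguard_a"
    next
    edit "to_watchguard_b_p2"
        set phase1name "to_watchguard_b"
        set auto-negotiate enable
    next
end
"""


def parse_gateway_roles(text):
    """Map each IKE gateway name to the role printed under 'direction:'."""
    roles, name = {}, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "name":
            name = value.strip()
        elif key == "direction" and name:
            roles[name] = value.strip()
    return roles


def parse_phase2_autoneg(text):
    """Map each phase1 name to True if one of its phase2 entries sets auto-negotiate enable."""
    autoneg, p1name = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("set phase1name "):
            p1name = line.split('"')[1]
            autoneg.setdefault(p1name, False)  # absent line means the default: disable
        elif line == "set auto-negotiate enable" and p1name:
            autoneg[p1name] = True
        elif line == "next":
            p1name = None
    return autoneg


def tunnels_at_risk(gateway_text, phase2_text):
    """Tunnels where the FortiGate is responder and nothing on its side will start a rekey."""
    roles = parse_gateway_roles(gateway_text)
    autoneg = parse_phase2_autoneg(phase2_text)
    return sorted(n for n, r in roles.items()
                  if r == "responder" and not autoneg.get(n, False))
```

Running tunnels_at_risk on real output of the two commands gives the list of tunnels to look at first when rekeys silently fail.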
No, it was disabled; now I have enabled it.
Right??
Great, I believe this will fix the issue. Please monitor.