FortiOS 5.0.9 using an interface-based L2L tunnel with 3 phase 2s.
I am only able to bring up 2 phase 2s at a time; when I attempt to bring up the 3rd phase 2 (either in VPN monitor or with interesting traffic), the phase 2 listed below it in the list goes down.
All tunnels pass traffic properly when they are up, I just can't have all 3 up at the same time.
The 3 phase 2s have the same config except that the source network is a different /24.
There is a route to the destination network pointing out the VPN sub-interface and 1 policy specifying the three source networks and the one destination network. Like I said, communication through each P2 works fine when the tunnel is up, I just can't get all 3 P2s to stay up at the same time. Has anyone seen this or have any advice?
Thanks,
Paul
There is still some source/destination left:
Click on the "settings" icon on the right side; there you have Proxy ID Source and Proxy ID Destination.
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
The other side of the tunnel is a Juniper SRX100.
Here is the tunnel list:
list all ipsec tunnel in vd 1
------------------------------------------------------
name=MyTunnel ver=1 serial=2 a.b.c.d:0->w.x.y.z:0 lgwy=static tun=intf mode=auto bound_if=19
proxyid_num=3 child_num=0 refcnt=8 ilast=4 olast=4
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=226378
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=MyTunnel proto=0 sa=0 ref=1 auto_negotiate=0 serial=1
  src: 0:10.99.68.0/255.255.255.0:0
  dst: 0:10.5.102.0/255.255.255.0:0
proxyid=MyTunnel-2 proto=0 sa=0 ref=1 auto_negotiate=0 serial=2
  src: 0:10.99.9.0/255.255.255.0:0
  dst: 0:10.5.102.0/255.255.255.0:0
proxyid=MyTunnel-3 proto=0 sa=0 ref=1 auto_negotiate=0 serial=3
  src: 0:10.99.44.0/255.255.255.0:0
  dst: 0:10.5.102.0/255.255.255.0:0
------------------------------------------------------
name=remote_gw ver=1 serial=1 a.b.c.d:0->0.0.0.0:0 lgwy=static tun=tunnel mode=dialup bound_if=19
proxyid_num=0 child_num=0 refcnt=5 ilast=5933087 olast=5933087
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=off on=0 idle=5000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
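An added helper, not from this thread, that parses output in the `diagnose vpn tunnel list` format shown above into tunnels and their phase2 selectors, converts the dotted masks to CIDR, and reports which selectors currently have no SA (sa=0). The embedded sample is constructed from the values posted here, with the sa= fields set to show two selectors up and one down.

```python
import ipaddress
import re

# Constructed sample in the format of `diagnose vpn tunnel list`, built from the
# output posted in this thread; sa= values are set to show the two-up / one-down
# state described above (sa=0 means no phase2 SA is installed for that selector).
SAMPLE = """list all ipsec tunnel in vd 1
------------------------------------------------------
name=MyTunnel ver=1 serial=2 a.b.c.d:0->w.x.y.z:0 lgwy=static tun=intf mode=auto bound_if=19
proxyid_num=3 child_num=0 refcnt=8 ilast=4 olast=4
proxyid=MyTunnel proto=0 sa=0 ref=1 auto_negotiate=0 serial=1
  src: 0:10.99.68.0/255.255.255.0:0
  dst: 0:10.5.102.0/255.255.255.0:0
proxyid=MyTunnel-2 proto=0 sa=1 ref=1 auto_negotiate=0 serial=2
  src: 0:10.99.9.0/255.255.255.0:0
  dst: 0:10.5.102.0/255.255.255.0:0
proxyid=MyTunnel-3 proto=0 sa=1 ref=1 auto_negotiate=0 serial=3
  src: 0:10.99.44.0/255.255.255.0:0
  dst: 0:10.5.102.0/255.255.255.0:0
------------------------------------------------------
name=remote_gw ver=1 serial=1 a.b.c.d:0->0.0.0.0:0 lgwy=static tun=tunnel mode=dialup bound_if=19
proxyid_num=0 child_num=0 refcnt=5 ilast=5933087 olast=5933087
"""

def parse_tunnel_list(text):
    """Parse tunnel blocks into {name: {'tun', 'mode', 'proxyid_num', 'selectors': [...]}}."""
    tunnels, cur, sel = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"name=(\S+) .*\btun=(\S+) mode=(\S+)", line):
            cur = tunnels.setdefault(m[1], {"tun": m[2], "mode": m[3], "proxyid_num": 0, "selectors": []})
        elif m := re.match(r"proxyid_num=(\d+)", line):
            cur["proxyid_num"] = int(m[1])
        elif m := re.match(r"proxyid=(\S+) proto=(\d+) sa=(\d+)", line):
            sel = {"name": m[1], "proto": int(m[2]), "sa": int(m[3]), "src": None, "dst": None}
            cur["selectors"].append(sel)
        elif m := re.match(r"(src|dst): \d+:(\S+)/(\S+):\d+$", line):
            # FortiOS prints dotted netmasks; ipaddress accepts them and yields CIDR.
            sel[m[1]] = str(ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False))
    return tunnels

def selectors_without_sa(tunnels, name):
    """Phase2 selector names on tunnel `name` that currently have no SA (sa=0)."""
    return [s["name"] for s in tunnels[name]["selectors"] if s["sa"] == 0]

if __name__ == "__main__":
    parsed = parse_tunnel_list(SAMPLE)
    for name in parsed:
        print(name, "selectors without SA:", selectors_without_sa(parsed, name))
```

Run it against the real output of `diagnose vpn tunnel list` after each attempt to bring the third phase 2 up, and the list of selectors with sa=0 shows which proxy ID dropped.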
FWIW
If you have a static route VPN (i.e. an st interface) you can still get by with 0.0.0.0/0:0 on the proxy-id for the Juniper SRX to FGT.
Just create the correct routes on the branch SRX and the fw policies.
Match the same on the FGT side of things also.
ken
PCNSE
NSE
StrongSwan
Copyright 2024 Fortinet, Inc. All Rights Reserved.