Hi FortiGate admins
In my case I need a redundant dial-up VPN from branch office FG to HQ FG, where HQ FG has 2 WAN in a SD-WAN zone.
A "classic" setup didn't work, I see the tunnels flapping from the first to the second and vice versa.
When configuring one tunnel (A or B) it works well, but enabling the two seems problematic.
Didn't troubleshoot deeper so far, so I don't know the root cause yet.
Any advice would be appreciated?
Solved! Go to Solution.
Most likely you are having the same issue described in the below KB if I understood the setup correctly:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Dialup-IPSEC-issues-after-upgrading-7-2-6-...
also you probably need to disable static route injection (set add-route disable) then set up two static routes with different metric. We regularly use BGP for this kind of set up since it's more automatic.
Toshi
What is your classic setup? Did you create two phase1-interfaces on the HQ side and set different server IDs then used them as peer IDs on the remote office side?
Toshi
I tried that as well.
It seems when tunnel 1 is up, tunnel 2 is deleted, and vice versa after few seconds.
ike 0:tun1_0:69142:tun12:470108: added dynamic IPsec SA proxyids, new serial 1
ike 0:tun2_0:470105: moving route 10.10.0.0/255.255.0.0 oif tun2_0(5090) metric 1 priority 1 to 0:tun1_0:470108
ike 0:tun2_0:470105: del route 10.10.0.0/255.255.0.0 tunnel 1.2.3.4 oif tun2_0(5090) metric 1 priority 1
ike 0:tun2_0: deleting
ike 0:tun2_0: flushing
ike 0:tun2_0: deleting IPsec SA with SPI 1f517e2a
ike 0:tun2_0:tun22: deleted IPsec SA with SPI 1f517e2a, SA count: 0
Hello AEK,
Can you try allowing phase2 overlap on the phase2 config?
config vpn ipsec phase2-interface
edit <name of phase2>
set route-overlap allow
end
Most likely you are having the same issue described in the below KB if I understood the setup correctly:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Dialup-IPSEC-issues-after-upgrading-7-2-6-...
also you probably need to disable static route injection (set add-route disable) then set up two static routes with different metric. We regularly use BGP for this kind of set up since it's more automatic.
Toshi
Thanks to both, Toshi & Zhupa
Did what you said and it worked perfectly.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.