Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
fortiNoob007
New Contributor II

Swapping Firewalls VPN Setup Command Line

Can I change an IPsec VPN setup that was originally setup from FortiGate to Cisco, to FortiGate to FortiGate? I guess when multiple subnets are on the remote or local network, this setup matters. My case is the following. I'm updating a lot of Sophos firewalls, I need to setup the VPN from FortiGate to Cisco for swapping out units. Then when I swap out the last unit at our main location, which all the other locations connect to, can I simply update the VPN with some type of command line command. If I had to setup a new VPN starting from scratch, then a lot of rules and other things would also need to be updated. Updating the VPN type would make this upgrade process a lot easier. Is this possible?

7 REPLIES 7
fortiNoob007
New Contributor II

Better yet, can I just setup 2 FortiGate firewalls with a IPsec VPN with selecting the device type of Other? Then I can just use the same IPsecVPN when swapping and not change anything. Is there an advantage to selecting device type of FortiGate?

hbac
Staff
Staff

Hi @fortiNoob007,

 

I believe it is possible. You just need to make sure all settings match on both FortiGates. 

 

Regards, 

sahmed_FTNT
Staff
Staff

You can do it, but you need to make sure all settings are identical with the remote peer.

 

I would say the easiest way will be Fortinet IPSEC wizard on the new device, you can just enter the subnets and it will do the rest ( policy and routes)

Security all we want
salemneaz
Staff
Staff

you many need to input the pre shared key, because when you use the wizard it generates a random pre shared key.

fortiNoob007
New Contributor II

I have the IPsec VPNs working. However, there is an issue. I have 2 subnets at the firewall that is a Sophos firewall. If I add both remote networks to the setup, the tunnel seems to randomly work with 1 of the 2 subnets. Both the Sophos firewall and the Fortigate show the tunnel working fine, but only traffic from 1 subnet will work. If I force the tunnel down, then up, they both work for about a minute, then 1 randomly stops and the other keeps working. I have it setup for testing now with only 1 subnet on each end, it has been working without disruption for around 2 days now. But the problem seems to be when I add the 2nd remote subnet. I have multiple Sophos firewalls with multiple subnets routing between them without any issues. I check my static routes and the firewall rules, all traffic is setup to correctly route and allow the flow. I have confirmed if I add say subnet A only, it works fine, then I remove subnet A and add subnet B as the remote network and it works fine again. But when both are added, it seems to get really goofy. I found this article,  but I haven't tried these steps yet. Any thoughts?

hbac

Hi @fortiNoob007,

 

How many phase2 selector do you have? You can use 'addr_subnet' instead of 'Named address'. 

 

Regards,  

fortiNoob007
New Contributor II

Trust me, I've tried it all. I'm now going to try this thought process in the link below. Seems like that would be the most combatable across all firewall operating systems. Just need to make sure the routing is correct and the rules are set, which isn't an issue at all. I'll update after I have time after hours to try this setup. 

https://www.reddit.com/r/fortinet/comments/g146ns/ipsec_s2s_vpn_with_multiple_subnets_on_each_site/

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors