Support Forum
ystrobbe
New Contributor

VPN Tunnel not showing in IPsec Policy

Hi all, I'm trying to set up an IPsec VPN between our 2 offices. HQ has a FG200B with MR3 Patch 14 and the branch has a FG40C with MR3 Patch 14. First I configured the FG40C following the cookbook with no problem; I could set everything as told in the cookbook. But when I did the same on the FG200B I could set up phase 1 and phase 2, but when I go to policies to make an IPsec policy, at VPN tunnel it is saying 'Click to set...', and when you click it nothing happens. No tunnels showing up! There is one other IPsec VPN configured for dial-in through FortiClient, but this is configured on another WAN port. We have 2 providers: one we use for remote clients and the other we will use to interconnect the offices. Does anybody have an idea what could be the problem?
2 REPLIES
ede_pfau
SuperUser

I think you are getting confused by the 2 IPsec tunnel modes available. The first is called "Policy based" and is historical. You need a policy with action "ENCRYPT" for this. The addresses used in the policy are implicitly used to construct a route to the remote end. The second, recommended way is called "Route based" or "Interface mode". Here, when you create a phase1 a virtual interface is created for the tunnel end. This is treated like any other port: you allow traffic into and out of the tunnel by policies from 'internal' to the virtual tunnel interface, with action ACCEPT. You need a route for the remote subnet, pointing to the tunnel interface. This is much more flexible in regards to routing, NAT etc. than the older variant. If you now cannot select the tunnel I bet the policy's action is ENCRYPT, but the phase1 is in Interface Mode. You cannot change that after the first setting; you have to recreate the phase1 in order to change the mode.

Ede


"Kernel panic: Aiee, killing interrupt handler!"
Dipen
New Contributor III

ede_pfau is correct. Although "Policy Mode" is outdated and not even recommended by Fortigate, unfortunately the Cookbook still describes "Policy Mode" only. Please delete the existing configuration from both appliances and configure from scratch using "Interface" mode. Interface Mode will create virtual interfaces and you need to select these virtual interfaces in the policy instead of "WAN" or "External". Also, the action will simply be "allow" and not "IPSEC" or "Encrypt".

Ahead of the Threat. FCNSA v5 / FCNSP v5

Fortigate 1000C / 1000D / 1500D
