I have a FortiGate configured with two tunnels on two Ethernet ports
with the intention to do load balancing or traffic steering on them.
They go through a router to converge onto one port/IP at another
FortiGate (a.k.a. server). The server is config...
FortiGate 7.4.3 using both VM and 60F platforms. I set up two tunnels in
a zone with duplication=force outbound and de-duplication enable
inbound. On the origination side, outbound packets are duplicated on
both tunnels and are de-duplicated on receiv...
I should have googled first - I found I need to make two separate
phase2-interface for each local subnet in a dialup tunnel as it only
advertises one to the server. I don't get why, but oh well.
I have another problem related to this configuration. I added a second
src-subnet at client and the server is ignoring it. This is from diag
debug application ike -1:
client side:
IPsec SA selectors #src=2 #dst=1
src 0 4 0:192.168.2.0/255.255.255.0:0
src ...
Thanks! So far so good! Now the debug flow says enter interface con1_1
and output con1_1, and enter con1_0 and output con1_0. This fix seems to
make sense too.
Also on server I tried every v4-ecmp-mode and it just seems random which
path it chooses. I did a TCP connect and the response debug flow
was
enter IPSec interface con1,tun_id=192.168.11.1
output to IPSec tunnel con1_1, tun_id=192.168.12.1, vrf 0
This i...
Both server side and client should be set to weight based according to
my config. I have observed however that once a session starts on an
interface it stays on it, at least at originating side. Perhaps I am
unclear how it works at the responding sid...