As the FortiGate IPsec Wizard didn't lead to success, we're trying to
set up a certificate-based dialup VPN by hand.

ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: incoming proposal:
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: proposal id = ...

Putting an IPsec tunnel onto a loopback interface has led continuously
to an error of unknown SPI, like:

2024-03-05 21:32:19.150302 ike V=root:0:IPsec_demo_0:IPsec_demo:2975: send SA_DONE SPI 0x94f4245
2024-03-05 21:32:19.221924 ike V=root:0: unknown ...

Or as address object:

config firewall address
    edit "publicIP_part_1"
        set allow-routing enable
        set subnet 0.0.0.0/5
    next
    edit "publicIP_part_2"
        set allow-routing enable
        set subnet 8.0.0.0/7
    next
    edit "publicIP_part_3"
        set allow-routing enable
        set subn...

This leads to a set of subnets:

0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3,
64.0.0.0/3, 96.0.0.0/6, 100.0.0.0/10, 100.128.0.0/9, 101.0.0.0/8,
102.0.0.0/7, 104.0.0.0/5, 112.0.0.0/5, 120.0.0.0/6, 124.0.0.0/7,
126.0.0.0/8, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 168...

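The subnet list above is what you get when you carve the private, CGNAT and loopback ranges out of 0.0.0.0/0 and keep the minimal CIDR remainder (10.0.0.0/8, 100.64.0.0/10 and 127.0.0.0/8 are visibly missing from it). The following is an added example, not code from the thread or from Fortinet: it rebuilds that list with Python's standard ipaddress module and emits the matching address objects. The holes above 172.0.0.0 (172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3) and the object name prefix are assumptions; the thread's own list is truncated before that point.

```python
import ipaddress

# Ranges carved out of 0.0.0.0/0. The first three are evident from the
# thread's list; the last three are assumptions for a typical "public IPv4"
# object set and only affect entries the thread's truncated list doesn't show.
EXCLUDED = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("100.64.0.0/10"),   # CGNAT (RFC 6598)
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),   # assumption
    ipaddress.ip_network("192.168.0.0/16"),  # assumption
    ipaddress.ip_network("224.0.0.0/3"),     # multicast + reserved, assumption
]


def public_prefixes(excluded=EXCLUDED):
    """Return the minimal, sorted CIDR list covering 0.0.0.0/0 minus `excluded`."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for hole in excluded:
        next_blocks = []
        for block in remaining:
            if block.subnet_of(hole):
                continue                      # block lies entirely inside the hole
            if hole.subnet_of(block):
                next_blocks.extend(block.address_exclude(hole))  # split around it
            else:
                next_blocks.append(block)     # CIDR blocks either nest or are disjoint
        remaining = next_blocks
    return sorted(remaining)


def is_public(address, prefixes=None):
    """True if `address` falls inside one of the computed public prefixes."""
    prefixes = public_prefixes() if prefixes is None else prefixes
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in prefixes)


def fortios_address_objects(prefixes, name_prefix="publicIP_part_"):
    """Render FortiOS CLI in the same shape as the thread's config snippet."""
    lines = ["config firewall address"]
    for i, net in enumerate(prefixes, start=1):
        lines += [
            f'    edit "{name_prefix}{i}"',
            "        set allow-routing enable",
            f"        set subnet {net.with_prefixlen}",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    nets = public_prefixes()
    print(", ".join(str(n) for n in nets))
    print(fortios_address_objects(nets))
```

Whatever set of holes you choose, the sum of the remaining prefixes plus the holes must equal the full 2^32 address space; checking that, and spot-checking a few addresses with is_public, catches a mistyped exclusion before it becomes a policy that unintentionally admits or blocks a range.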
Hello @Toshi_Esumi, as the FG is serving as dial-in server, we do not
worry about the CGNAT (which is used internally as well). But you're
right: it's ISP address space.

Hello @ezhupa, the solution of placing it on a secondary interface works
fine. We would like to use a loopback interface for limiting access by
another policy.

Hi @hbac, to keep it simple, we tried to propose installing software in
case of BYOD - therefore, we haven't tried the FortiClient (which works
well at least on macOS). On the client side there are no more parameters
selectable.

Best regards!