chanm
Staff
Article Id 284742
Description

This article describes how to resolve the issue where, after using an Easy Configuration key to configure a spoke FortiGate through the IPsec Wizard, the Next button on the Policy & Routing page is greyed out and the IPsec Wizard will not complete the configuration.

[Image: Next button greyed out.png]

Scope

Spoke FortiGate when using an Easy Configuration key copied from the hub FortiGate.
Solution

The Easy Configuration key is a Base64-encoded string that contains the information needed from the hub FortiGate to complete the IPsec Wizard on the spoke FortiGate. Using a Base64 decoder, it is possible to decode the following Easy Configuration key:

eyJodWJHYXRld2F5SXAiOiIxNzIuMTYuMS4xIiwiaHViVHVubmVsIjoiMTAuMTAuMS4xIiwiaHViSW5kZW50aWZpZXIiOjY1NDAwLCJpbmRlbnRpZmllciI6NjU0MDAsImh1YklkZW50aWZpZXIiOjY1NDAwLCJpZGVudGlmaWVyIjo2NTQwMCwidHVubmVsSXAiOiIxMC4xMC4xLjMifQ==

The decoded result below reflects the configuration that was entered on the hub FortiGate when creating its IPsec tunnel:

{"hubGatewayIp":"172.16.1.1","hubTunnel":"10.10.1.1","hubIndentifier":65400,"indentifier":65400,"hubIdentifier":65400,"identifier":65400,"tunnelIp":"10.10.1.3"}

The spoke FortiGate’s IPsec Wizard will not complete if the configuration contained in the Easy Configuration key conflicts with the existing configuration. For most conflicts, the GUI will explicitly display an error message:

[Image: conflict.png]

However, if the Next button is greyed out on the Policy & Routing page with no error message, review the BGP configuration on the spoke FortiGate. If the spoke FortiGate already has the hub tunnel IP (the hubTunnel value in the decoded key) configured as a BGP neighbor, this behavior occurs.
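As an added example (not Fortinet's code and not part of the original article), the following Python script performs the two checks described above: it Base64-decodes an Easy Configuration key, validates the fields present in the decoded sample, and then parses the neighbor stanza of a spoke's "show router bgp" output to flag a peering to the hub tunnel IP. The CLI parser is a simplified assumption that handles only the layout shown in this article; the sample key and CLI output are constructed from the article's own values.

```python
import base64
import json
import re

# Constructed sample: the Easy Configuration key shown in this article,
# pasted with the line breaks a copy from the GUI typically introduces.
SAMPLE_KEY = (
    "eyJodWJHYXRld2F5SXAiOiIxNzIuMTYuMS4xIiwiaHViVHVubmVsIjoiMTAuMTAuMS4xIiwiaHViSW5kZW50aWZpZXIiOjY1NDAwLCJ\n"
    "pbmRlbnRpZmllciI6NjU0MDAsImh1Yklk\n"
    "ZW50aWZpZXIiOjY1NDAwLCJpZGVudGlmaWVyIjo2NTQwMCwidHVubmVsSXAiOiIxMC4xMC\n"
    "4xLjMifQ=="
)

# Constructed sample: abbreviated 'show router bgp' output from a spoke that
# still carries a stale peering to the hub tunnel IP.
SAMPLE_BGP_OUTPUT = """\
config router bgp
    config neighbor
        edit "10.10.1.1"
            set remote-as 65400
        next
    end
    config redistribute "connected"
    end
end
"""

REQUIRED_FIELDS = ("hubGatewayIp", "hubTunnel", "hubIdentifier", "identifier", "tunnelIp")


def decode_easy_config_key(key: str) -> dict:
    """Base64-decode an Easy Configuration key and parse the embedded JSON.

    Whitespace and newlines introduced by copy-paste are stripped first;
    validate=True rejects keys that contain non-Base64 characters instead of
    silently discarding them.
    """
    compact = re.sub(r"\s+", "", key)
    raw = base64.b64decode(compact, validate=True)
    data = json.loads(raw.decode("utf-8"))
    missing = [f for f in REQUIRED_FIELDS if f not in data]
    if missing:
        raise ValueError(f"Easy Configuration key is missing fields: {missing}")
    return data


def parse_bgp_neighbors(cli_output: str) -> dict:
    """Return {neighbor_ip: remote_as} from 'show router bgp' output.

    Assumption: only the 'config neighbor' stanza is parsed, using the
    edit/set/next/end layout shown in the article's sample output.
    """
    neighbors = {}
    current = None
    in_neighbor = False
    for line in cli_output.splitlines():
        stripped = line.strip()
        if stripped == "config neighbor":
            in_neighbor = True
        elif in_neighbor and stripped == "end":
            in_neighbor = False
        elif in_neighbor:
            edit = re.match(r'edit "([^"]+)"', stripped)
            if edit:
                current = edit.group(1)
                neighbors[current] = None
            remote_as = re.match(r"set remote-as (\d+)", stripped)
            if remote_as and current:
                neighbors[current] = int(remote_as.group(1))
            if stripped == "next":
                current = None
    return neighbors


def find_bgp_conflict(key_data: dict, neighbors: dict):
    """Return the conflicting peer (hub tunnel IP already a BGP neighbor), or None."""
    hub_tunnel = key_data["hubTunnel"]
    if hub_tunnel in neighbors:
        return {"neighbor": hub_tunnel, "remote_as": neighbors[hub_tunnel]}
    return None


def removal_commands(conflict: dict) -> list:
    """CLI lines that remove the stale peering, matching the article's fix."""
    return [
        "config router bgp",
        "config neighbor",
        f"delete {conflict['neighbor']}",
        "end",
        "end",
    ]


if __name__ == "__main__":
    key_data = decode_easy_config_key(SAMPLE_KEY)
    conflict = find_bgp_conflict(key_data, parse_bgp_neighbors(SAMPLE_BGP_OUTPUT))
    if conflict:
        print(f"Conflict: {conflict['neighbor']} (AS {conflict['remote_as']}) is already a BGP neighbor")
        print("\n".join(removal_commands(conflict)))
    else:
        print("No BGP peering conflict with the hub tunnel IP")
```

Run the script against the real key and the spoke's own "show router bgp" output to confirm the cause before deleting anything; when no neighbor matches hubTunnel, the greyed-out Next button has a different cause and the GUI conflict message should be checked instead.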

To resolve the issue, remove the spoke FortiGate’s BGP peering to the hub tunnel IP:

spoke_FortiGate # sh router bgp
config router bgp
    config neighbor
        edit "10.10.1.1"
            set remote-as 65400
        next
    end
    config redistribute "connected"
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "static"
    end
    config redistribute "isis"
    end
    config redistribute6 "connected"
    end
    config redistribute6 "rip"
    end
    config redistribute6 "ospf"
    end
    config redistribute6 "static"
    end
    config redistribute6 "isis"
    end
end

spoke_FortiGate # config router bgp
spoke_FortiGate (bgp) # config neighbor
spoke_FortiGate (neighbor) # delete 10.10.1.1
spoke_FortiGate (neighbor) # end
spoke_FortiGate (bgp) # end

After doing so, use the IPsec Wizard once more and re-apply the Easy Configuration key. The IPsec Wizard can now proceed past the Policy & Routing page to complete the configuration:

[Image: fixed.png]

A common cause of this issue is that an Easy Configuration key with the same hub tunnel BGP peering IP was previously applied to the spoke FortiGate and the IPsec tunnel was later deleted. If the tunnel was deleted in the GUI under VPN -> IPsec Tunnels, the BGP neighbor configuration remains and causes the conflict.
