FortiGate
slautenschlager
Article Id 193193

Description

 

This article describes the 15-character limit on VPN interface names in FortiOS firmware.

This article will help to best utilize IPsec VPN phase_1 naming.


Scope


For all FortiOS versions before 7.0.14, 7.2.7, 7.4.3. 

Solution

 

There is a limitation in the maximum number of characters available when configuring the Phase 1 Interface name parameters for an IPsec VPN tunnel on the FortiGate. The IPsec VPN interface name is limited to 15 characters. 
 
As an example of how this works:
When an IPsec dialup interface for the IPsec phase1 called 'P1' is created, it is given a name of the form 'P1_<n>', and the '_<n>' counts toward the phase1 name length. The length of '_<n>' is not predictable, but it is at least 2 characters ('_' plus one digit).
 
Consequences for dynamic phase1 users in interface mode:
The IPsec dialup interface will be named <phase1>_n, where 'n' is the index of the tunnel, and the complete dialup interface name is limited to 15 characters.
 
If the phase1 IPsec dialup interface name is 14 characters long or more, any tunnel will fail.
For example: Tunnels_with15.
The Tunnels_with15_0 and/or Tunnels_with15_1 interface names will have more than 15 characters.
 
If the phase1 IPsec dialup interface name is 13 characters long, the 11th tunnel will fail.
For example: Tunnels_with1.
The Tunnels_with1_10 and/or Tunnels_with1_11 interface names will have more than 15 characters.
 
If the phase1 IPsec dialup interface name is 12 characters long, the 101st tunnel will fail.
For example: Tunnels_with.
The Tunnels_with_100 and/or Tunnels_with_101 interface names will have more than 15 characters.
 
In the latest FortiOS versions, this limitation has been removed.
This means that the tunnel name can contain 15 characters, and the '_<n>' is no longer taken into account in the phase1 name length.
Whether 10 or 100 users/devices will connect, the tunnel name does not need to be shortened to accommodate them.
 

Notes

  • If the 'net-device' value in the VPN Phase1 interface is disabled, it is possible to name the tunnel with 15 characters regardless of the number of users/devices that will connect.
  • But if 'net-device' is enabled, the tunnel's maximum number of characters in the name will be 13.
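The three worked cases above (14, 13 and 12 characters) and the 'net-device' note all follow from one rule: '<phase1>_<n>' must fit in 15 characters whenever the suffix is counted. The following Python script is an added example, not part of the original article or of FortiOS; it applies that rule to a proposed phase1 name and expected peer count so the name can be checked before a deployment rather than discovered when the 11th or 101st tunnel fails. The function names, the `fixed_firmware`/`net_device` switches and the sample names are the example's own assumptions; the names 'Hub_and_spokeIP' and 'Tunnel_FortiCli' are taken from the diagnostic output below, where their 15-character base plus '_0' is exactly what fixed firmware allows.

```python
from typing import Optional

# Interface-name limit described in the article (FortiOS: 15 characters).
MAX_IFNAME_LEN = 15


def dialup_ifname(phase1: str, index: int) -> str:
    """Name FortiOS gives the dialup interface for tunnel <index> of a phase1:
    '<phase1>_<n>' (per the article)."""
    return f"{phase1}_{index}"


def suffix_counted(fixed_firmware: bool, net_device: bool) -> bool:
    """Whether the '_<n>' suffix counts against the 15-character limit.

    Per the article: it counts on FortiOS before 7.0.14 / 7.2.7 / 7.4.3 when
    net-device is enabled; on fixed firmware, or with net-device disabled,
    only the phase1 name itself must fit. (Switch names are this example's.)
    """
    return (not fixed_firmware) and net_device


def first_failing_index(phase1: str, counted: bool = True) -> Optional[int]:
    """Smallest tunnel index whose interface name would exceed the limit,
    or None if every index fits (suffix not counted and name within limit)."""
    if len(phase1) > MAX_IFNAME_LEN:
        return 0                      # the phase1 name itself is too long
    if not counted:
        return None
    digits_available = MAX_IFNAME_LEN - len(phase1) - 1   # room after the '_'
    if digits_available < 1:
        return 0                      # even '<phase1>_0' is 16+ characters
    return 10 ** digits_available     # first index that needs one more digit


def check_phase1_name(phase1: str, expected_peers: int,
                      fixed_firmware: bool = False, net_device: bool = True) -> str:
    """Plain-text verdict for a proposed phase1 name and expected peer count."""
    counted = suffix_counted(fixed_firmware, net_device)
    limit = first_failing_index(phase1, counted)
    if limit is None:
        return f"OK: '{phase1}' ({len(phase1)} chars) fits; '_<n>' suffix not counted"
    if limit == 0:
        return f"FAIL: '{phase1}' ({len(phase1)} chars) leaves no room for '_<n>'"
    if expected_peers > limit:
        bad = dialup_ifname(phase1, limit)
        return (f"FAIL: tunnel #{limit + 1} would be named '{bad}' "
                f"({len(bad)} chars); shorten the phase1 name")
    return f"OK: up to {limit} tunnels fit for '{phase1}'"


if __name__ == "__main__":
    # Constructed sample run over the article's three example names.
    for name in ("Tunnels_with15", "Tunnels_with1", "Tunnels_with"):
        print(check_phase1_name(name, expected_peers=200))
    # A 15-character name is fine once the suffix is no longer counted.
    print(check_phase1_name("Hub_and_spokeIP", 200, fixed_firmware=True))
    print(check_phase1_name("Tunnel_FortiCli", 200, net_device=False))
```

The rule generalises the article's three cases: with the suffix counted, a name of length L leaves 15 - L - 1 digits for the index, so the first failing tunnel is index 10^(15-L-1) (0 when that exponent is below 1), which gives 0, 10 and 100 for the 14-, 13- and 12-character examples.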

 

Output of diag vpn ike gateway:

 

vd: root/0
name: Hub_and_spokeIP_0
version: 1
interface: wan1 17
addr: 10.109.17.73:500 -> 10.109.17.2:500
tun_id: 10.10.1.3/::10.0.0.3
remote_location: 0.0.0.0
network-id: 0
virtual-interface-addr: 10.10.1.1 -> 10.10.1.3
created: 4004s ago
peer-id: 10.109.17.2
peer-id-auth: no
auto-discovery: 1 sender
IKE SA: created 1/1 established 1/1 time 0/0/0 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms

    id/spi: 0 84eb3febb137bf55/65d46748d31458bf
    direction: responder
    status: established 4004-4004s ago = 0ms
    proposal: aes128-sha256
    key: b940b08d80216e4d-4c391828187d61de
    lifetime/rekey: 86400/82125
    DPD sent/recv: 0000002f/0000001d
    peer-id: 10.109.17.2

 

vd: root/0
name: Tunnel_FortiCli_0
version: 1
interface: wan1 17
addr: 10.109.17.73:500 -> 10.109.21.93:500
tun_id: 10.33.1.10/::10.0.0.6
remote_location: 0.0.0.0
network-id: 0
virtual-interface-addr: 169.254.1.1 -> 0.0.0.0
created: 89s ago
xauth-user: peter
2FA: no
peer-id: 10.109.21.93
peer-id-auth: no
FortiClient UID: 3E112EAB4D534E4E89310246EEC71ADA
assigned IPv4 address: 10.33.1.10/255.255.255.255
IKE SA: created 1/1 established 1/1 time 160/160/160 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms

    id/spi: 2 eb67b3b091a276f6/9cee3364ca8a139b
    direction: responder
    status: established 89-89s ago = 160ms
    proposal: aes256-sha256
    key: f578e233ebc7962c-3c699852caa27f7c-f1b8727f2d4a82dd-afb4b8b672b968e8
    lifetime/rekey: 86400/86040
    DPD sent/recv: 00000000/00000011
    peer-id: 10.109.21.93