Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AEK
SuperUser
SuperUser

Created on ‎05-10-2024 06:13 AM

Redundant dial-up VPN FG to FG

Hi FortiGate admins

In my case I need a redundant dial-up VPN from branch office FG to HQ FG, where HQ FG has 2 WAN in a SD-WAN zone.

dual-dial-up-vpn.png

A "classic" setup didn't work, I see the tunnels flapping from the first to the second and vice versa.

When configuring one tunnel (A or B) it works well, but enabling the two seems problematic.

Didn't troubleshoot deeper so far, so I don't know the root cause yet.

Any advice would be appreciated?

AEK
AEK
Labels:
333
0 Kudos
2 Solutions
ezhupa
Staff
Staff
In response to ezhupa

Created on ‎05-10-2024 08:51 AM

Most likely you are having the same issue described in the below KB if I understood the setup correctly:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Dialup-IPSEC-issues-after-upgrading-7-2-6-...

View solution in original post

284
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to ezhupa

Created on ‎05-10-2024 11:16 AM

also you probably need to disable static route injection (set add-route disable) then set up two static routes with different metric. We regularly use BGP for this kind of set up since it's more automatic.

Toshi

View solution in original post

243
6 REPLIES 6
Toshi_Esumi
SuperUser
SuperUser

Created on ‎05-10-2024 07:07 AM

What is your classic setup? Did you create two phase1-interfaces on the HQ side and set different server IDs then used them as peer IDs on the remote office side?

Toshi

310
0 Kudos
AEK
SuperUser
SuperUser
In response to Toshi_Esumi

Created on ‎05-10-2024 08:44 AM

I tried that as well.

It seems when tunnel 1 is up, tunnel 2 is deleted, and vice versa after few seconds.

ike 0:tun1_0:69142:tun12:470108: added dynamic IPsec SA proxyids, new serial 1
ike 0:tun2_0:470105: moving route 10.10.0.0/255.255.0.0 oif tun2_0(5090) metric 1 priority 1 to 0:tun1_0:470108
ike 0:tun2_0:470105: del route 10.10.0.0/255.255.0.0 tunnel 1.2.3.4 oif tun2_0(5090) metric 1 priority 1
ike 0:tun2_0: deleting
ike 0:tun2_0: flushing
ike 0:tun2_0: deleting IPsec SA with SPI 1f517e2a
ike 0:tun2_0:tun22: deleted IPsec SA with SPI 1f517e2a, SA count: 0
 
AEK
AEK
288
0 Kudos
ezhupa
Staff
Staff
In response to AEK

Created on ‎05-10-2024 08:49 AM Edited on ‎05-10-2024 08:50 AM

Hello AEK,

Can you try allowing phase2 overlap on the phase2 config?
config vpn ipsec phase2-interface
    edit <name of phase2>
        set route-overlap allow
end

286
0 Kudos
ezhupa
Staff
Staff
In response to ezhupa

Created on ‎05-10-2024 08:51 AM

Most likely you are having the same issue described in the below KB if I understood the setup correctly:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Dialup-IPSEC-issues-after-upgrading-7-2-6-...

285
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to ezhupa

Created on ‎05-10-2024 11:16 AM

also you probably need to disable static route injection (set add-route disable) then set up two static routes with different metric. We regularly use BGP for this kind of set up since it's more automatic.

Toshi

244
AEK
SuperUser
SuperUser

Created on ‎05-10-2024 02:42 PM

Thanks to both, Toshi & Zhupa

Did what you said and it worked perfectly.

AEK
AEK
212
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.