Solved

Fortigate IPSec VPN interface

Posted on 2011-10-14
6
1,607 Views
Last Modified: 2012-06-21
I upgraded to FortiOSv4.0,build0458,110627 (MR3 Patch 1) on our central Fortigate router.
An Auto Key (IKE) IPSec VPN is configured over the WAN.01 link.

I recently phisically reconnected the WAN.01 link from port11 to port15 on the central FGT to increase performance, since only ports[12..15] use FortiASIC HW acceleration.
This involved replicating FW rules, routing and other settings from port11 to port15.

As a result, I cannot change the "Local Interface" under phase1 settings.
When I try to switch from port11 to port15 I get the message:
"Invalid IP range."

I set the administrative and link status of port 11 to "down".

This is the private range I use for the remote Fortigate units:

config router static
    edit 5
        set device "to Spokes"
        set dst 192.168.0.0 255.255.0.0
    next
end

Open in new window


The local subnet for the central Fortigate is set to 192.168.1.0/24.

Another consequence of switching ports is that now the majority of outgoing network traffic from local LAN is flowing through the WAN.02 link which is located on port12, even though port11 is selected in phase1 configuration. FW policy statistics show around 500000 packets for port15 and 60 million packets on port12.

The destination address in phase2 quick mode selector on the remote fortigate units is set to:
192.168.0.0/17.

I unset all load balancing related weight settings on all interfaces.

What is eluding me here?
Any help is greatly appreciated.

0
Comment
Question by:proteus-IV
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
6 Comments
 
LVL 16

Expert Comment

by:SteveJ
ID: 36982085
Can you just delete the old config and upload a new config that looks like you want it to look?

Good luck,
Steve
0
 

Accepted Solution

by:
proteus-IV earned 0 total points
ID: 37006061
I upgraded the firmware on the router to the freshly released v4.0,build0482,110920 (MR3 Patch 2)
and now I am able to change the aforementioned setting.

0
 

Author Closing Comment

by:proteus-IV
ID: 37035252
Everything is working fine now.
0
 
LVL 4

Expert Comment

by:xanandu
ID: 37031580
NOTE: this issue was not limited to only you, there were a TON of bugs in 4.0MR3 and 4.0MR3P1, they have largely been fixed in MR3P2, and MR3P3 since its release.
0
 

Author Comment

by:proteus-IV
ID: 37036928
Yea, you're right.

I found several other bugs in the meantime.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
The ideal material to secure cables 7 44
VPN connection 7 41
Upgrading from Sonicwall Tz210 6 37
Fortigate SSL-VPN Split Tunneling question 4 19
Microservice architecture adoption brings many advantages, but can add intricacy. Selecting the right orchestration tool is most important for business specific needs.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question