Solved

Fortigate IPSec VPN interface

Posted on 2011-10-14
6
1,596 Views
Last Modified: 2012-06-21
I upgraded to FortiOSv4.0,build0458,110627 (MR3 Patch 1) on our central Fortigate router.
An Auto Key (IKE) IPSec VPN is configured over the WAN.01 link.

I recently phisically reconnected the WAN.01 link from port11 to port15 on the central FGT to increase performance, since only ports[12..15] use FortiASIC HW acceleration.
This involved replicating FW rules, routing and other settings from port11 to port15.

As a result, I cannot change the "Local Interface" under phase1 settings.
When I try to switch from port11 to port15 I get the message:
"Invalid IP range."

I set the administrative and link status of port 11 to "down".

This is the private range I use for the remote Fortigate units:

config router static
    edit 5
        set device "to Spokes"
        set dst 192.168.0.0 255.255.0.0
    next
end

Open in new window


The local subnet for the central Fortigate is set to 192.168.1.0/24.

Another consequence of switching ports is that now the majority of outgoing network traffic from local LAN is flowing through the WAN.02 link which is located on port12, even though port11 is selected in phase1 configuration. FW policy statistics show around 500000 packets for port15 and 60 million packets on port12.

The destination address in phase2 quick mode selector on the remote fortigate units is set to:
192.168.0.0/17.

I unset all load balancing related weight settings on all interfaces.

What is eluding me here?
Any help is greatly appreciated.

0
Comment
Question by:proteus-IV
  • 3
6 Comments
 
LVL 16

Expert Comment

by:SteveJ
ID: 36982085
Can you just delete the old config and upload a new config that looks like you want it to look?

Good luck,
Steve
0
 

Accepted Solution

by:
proteus-IV earned 0 total points
ID: 37006061
I upgraded the firmware on the router to the freshly released v4.0,build0482,110920 (MR3 Patch 2)
and now I am able to change the aforementioned setting.

0
 

Author Closing Comment

by:proteus-IV
ID: 37035252
Everything is working fine now.
0
 
LVL 4

Expert Comment

by:xanandu
ID: 37031580
NOTE: this issue was not limited to only you, there were a TON of bugs in 4.0MR3 and 4.0MR3P1, they have largely been fixed in MR3P2, and MR3P3 since its release.
0
 

Author Comment

by:proteus-IV
ID: 37036928
Yea, you're right.

I found several other bugs in the meantime.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
Microservice architecture adoption brings many advantages, but can add intricacy. Selecting the right orchestration tool is most important for business specific needs.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now