Solved

Fortigate IPSec VPN interface

Posted on 2011-10-14
6
1,586 Views
Last Modified: 2012-06-21
I upgraded to FortiOSv4.0,build0458,110627 (MR3 Patch 1) on our central Fortigate router.
An Auto Key (IKE) IPSec VPN is configured over the WAN.01 link.

I recently phisically reconnected the WAN.01 link from port11 to port15 on the central FGT to increase performance, since only ports[12..15] use FortiASIC HW acceleration.
This involved replicating FW rules, routing and other settings from port11 to port15.

As a result, I cannot change the "Local Interface" under phase1 settings.
When I try to switch from port11 to port15 I get the message:
"Invalid IP range."

I set the administrative and link status of port 11 to "down".

This is the private range I use for the remote Fortigate units:

config router static
    edit 5
        set device "to Spokes"
        set dst 192.168.0.0 255.255.0.0
    next
end

Open in new window


The local subnet for the central Fortigate is set to 192.168.1.0/24.

Another consequence of switching ports is that now the majority of outgoing network traffic from local LAN is flowing through the WAN.02 link which is located on port12, even though port11 is selected in phase1 configuration. FW policy statistics show around 500000 packets for port15 and 60 million packets on port12.

The destination address in phase2 quick mode selector on the remote fortigate units is set to:
192.168.0.0/17.

I unset all load balancing related weight settings on all interfaces.

What is eluding me here?
Any help is greatly appreciated.

0
Comment
Question by:proteus-IV
  • 3
6 Comments
 
LVL 16

Expert Comment

by:SteveJ
Comment Utility
Can you just delete the old config and upload a new config that looks like you want it to look?

Good luck,
Steve
0
 

Accepted Solution

by:
proteus-IV earned 0 total points
Comment Utility
I upgraded the firmware on the router to the freshly released v4.0,build0482,110920 (MR3 Patch 2)
and now I am able to change the aforementioned setting.

0
 

Author Closing Comment

by:proteus-IV
Comment Utility
Everything is working fine now.
0
 
LVL 4

Expert Comment

by:xanandu
Comment Utility
NOTE: this issue was not limited to only you, there were a TON of bugs in 4.0MR3 and 4.0MR3P1, they have largely been fixed in MR3P2, and MR3P3 since its release.
0
 

Author Comment

by:proteus-IV
Comment Utility
Yea, you're right.

I found several other bugs in the meantime.
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Suggested Solutions

Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now