Solved

Fortigate IPSec VPN interface

Posted on 2011-10-14
6
1,601 Views
Last Modified: 2012-06-21
I upgraded to FortiOSv4.0,build0458,110627 (MR3 Patch 1) on our central Fortigate router.
An Auto Key (IKE) IPSec VPN is configured over the WAN.01 link.

I recently phisically reconnected the WAN.01 link from port11 to port15 on the central FGT to increase performance, since only ports[12..15] use FortiASIC HW acceleration.
This involved replicating FW rules, routing and other settings from port11 to port15.

As a result, I cannot change the "Local Interface" under phase1 settings.
When I try to switch from port11 to port15 I get the message:
"Invalid IP range."

I set the administrative and link status of port 11 to "down".

This is the private range I use for the remote Fortigate units:

config router static
    edit 5
        set device "to Spokes"
        set dst 192.168.0.0 255.255.0.0
    next
end

Open in new window


The local subnet for the central Fortigate is set to 192.168.1.0/24.

Another consequence of switching ports is that now the majority of outgoing network traffic from local LAN is flowing through the WAN.02 link which is located on port12, even though port11 is selected in phase1 configuration. FW policy statistics show around 500000 packets for port15 and 60 million packets on port12.

The destination address in phase2 quick mode selector on the remote fortigate units is set to:
192.168.0.0/17.

I unset all load balancing related weight settings on all interfaces.

What is eluding me here?
Any help is greatly appreciated.

0
Comment
Question by:proteus-IV
  • 3
6 Comments
 
LVL 16

Expert Comment

by:SteveJ
ID: 36982085
Can you just delete the old config and upload a new config that looks like you want it to look?

Good luck,
Steve
0
 

Accepted Solution

by:
proteus-IV earned 0 total points
ID: 37006061
I upgraded the firmware on the router to the freshly released v4.0,build0482,110920 (MR3 Patch 2)
and now I am able to change the aforementioned setting.

0
 

Author Closing Comment

by:proteus-IV
ID: 37035252
Everything is working fine now.
0
 
LVL 4

Expert Comment

by:xanandu
ID: 37031580
NOTE: this issue was not limited to only you, there were a TON of bugs in 4.0MR3 and 4.0MR3P1, they have largely been fixed in MR3P2, and MR3P3 since its release.
0
 

Author Comment

by:proteus-IV
ID: 37036928
Yea, you're right.

I found several other bugs in the meantime.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

832 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question