Dear Users, I can establish a tunnel to a FortiGate device correctly,
but FortiGate's behavior on IKEv1 rekey events is strange. To summarize:
a NAT'ed initiator establishes the tunnel to FortiGate, then after a
configured period the initiator starts...

Hello everyone, When DPD is enabled on my FortiGate 100D device and the
remote peer has not responded within the DPD timeout interval (governed
by dpd-retrycount and dpd-retryinterval settings), the FortiGate device
seems to try to actively re-establ...

With regards to traffic selectors, these are clearly defined for IKEv2:
the initiator has a local subnet and requests that the traffic flow
between this local subnet and a remote subnet behind the peer. This is
what it proposes and the responder is f...

Thanks for the detailed explanation. Since route-overlap governs
behavior both for phase 1 and 2, it's risky to enable it since I'd
prefer to have dynamic routing for both phases while changing the
behavior for just phase 1, which I think is impossib...

Thanks for your reply. IKEv2 isn't an option at this point,
unfortunately. IKEv2 would mandate public keys/certificates (at least
with Libreswan), which, in turn, requires a PKI. And my other
stakeholders aren't ready to embrace PKI yet (sigh...). I'...

Thanks for further guidelines. I did turn attention to the port
Libreswan uses on rekeys. The first two Libreswan rekey-triggered Main
Mode exchanges use port 500, the switch to 4500 is made during the 3rd
Main Mode exchange. So the port usage is the...

Thank you for your interest and support. As for your questions: The
Fortigate model is (VM) AWS on-demand. OS version 6.4.8 (I don't control
that system so my info might be inaccurate/incomplete at the moment, but
I can learn all the necessary detail...