Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
adbgz
New Contributor II

Created on ‎03-28-2024 02:18 AM

HOB/SPOKES : VPN Dial-UP issue when spoke chang IP public

Hi,
I had configured two VPNs/Site betwen HQ and sites (Hub/spoke) for resilience. One of two VPN is a Dialup over 4G and the other is an IPSEC site-to-site over Radio links (Fluidmesh). no loadbalanacing or SDWAN in this architecture.

 

So my problem is when the Spoke chang the IP Publics (VPN dialup over 4G), is creating a new phase 1/phase2 on Hub but the old phase1/phase2 still stuck on Hub so i get 2 connections dialup over the same vpn and is causing disconnecting on communication between 2 sites.dial-up.png

 

Labels:
287
0 Kudos
5 REPLIES 5
vermat51
New Contributor

Created on ‎03-28-2024 02:28 AM Edited on ‎03-31-2024 04:04 PM

If I am not mistaken once the dialed up VPN dials up it should show as a Connected route and that is why since it is dynamic. I could be wrong. I would need to lab that out. I see this is your just putting the dial up VPN on the FGT vs individual machines https://omegle.onl/ .

280
ozkanaltas
Contributor III

Created on ‎03-28-2024 02:32 AM

Hello @adbgz ,

 

Did you configure dpd (dead peer detection) on your ipsec configuration? DPD will detect peer status and change tunnel status to down for the old tunnel. 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
276
adbgz
New Contributor II

Created on ‎03-28-2024 06:11 AM

hi ozkanaltas,

I disabled it, because I need the tunnel stay up even if there is no traffic, because the equipment on the remote site only responds to commands launched from the HQ, so in most time there is no traffic in tunnel and i think if i applied dpd it will put the tunnel (the good one) down. 

244
0 Kudos
ozkanaltas
Contributor III

Created on ‎03-28-2024 06:28 AM

Hi @adbgz ,

 

I think you can use dpd with on-demand mode. This mode is triggered if one peer sends a packet and the remote side does not respond to this package, dpd removes the tunnel. 

 

You can read this article about dpd on dial-up tunnels.

 

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Explanation-of-the-DPD-effect-on-a-dialup-...

 

 

 

 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
239
adbgz
New Contributor II
In response to ozkanaltas

Created on ‎03-28-2024 07:59 AM Edited on ‎03-28-2024 08:08 AM

I think I'm going too fast, both tunnels are falling down when i applied dpd. That's what I was afraid of.

230
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.