- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Two Dialup VPN actives
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Two Dialup VPN actives
Hello,
On my Branch office I need stablish two active Dialup VPN with my HQ.
On my HQ I have two ISPs Internet links and at the my BR only one.
At the Fortigate on BR I have set Two Dialup client to ISP1 and ISP2 for HQ.
My problem is never two tunnels is UP at the same time, when one come up other to Down.
I wonder if is possible to keep active the two tunnels Dialup at the same time on client side.
follow the configuration on two box, version is 6.0.9. please disregard psk and peerid
#HQ VPN Dialup server Config config vpn ipsec phase1-interface edit "Dialup-MGT" set type dynamic set interface "INTERNET-MGT" set mode aggressive set peertype one set mode-cfg enable set proposal 3des-md5 aes128-md5 set dpd disable set nattraversal disable set peerid "c.c.c.c" set assign-ip disable set psksecret fffff next edit "Dialup-EQX" set type dynamic set interface "INTERNET-EQX" set local-gw t.t.t.t set mode aggressive set peertype one set mode-cfg enable set proposal 3des-md5 aes128-md5 set dpd disable set nattraversal disable set peerid "ffff" set assign-ip disable set psksecret next end
#HQ VPN Dialup server Config phase 2
config vpn ipsec phase2-interface edit "Dialup-ph2" set phase1name "Dialup-MGT" set proposal 3des-md5 aes128-md5 set src-addr-type name set dst-addr-type name set src-name "all" set dst-name "all" next edit "Dialup-ph2-eqx" set phase1name "Dialup-EQX" set proposal 3des-md5 aes128-md5 set src-addr-type name set dst-addr-type name set src-name "all" set dst-name "all" next end
#BR VPN Config phase 1
config vpn ipsec phase1-interface edit "Dialup-ctl" set interface "INTERNET" set local-gw x.x.x.x set mode aggressive set peertype any set mode-cfg enable set proposal 3des-md5 aes128-md5 set localid "h.h.h.h" set dpd disable set nattraversal disable set remote-gw y.y.y.y set assign-ip disable set psksecret hhhhh next edit "Dialup-eqx" set interface "INTERNET" set mode aggressive set peertype any set mode-cfg enable set proposal 3des-md5 aes128-md5 set localid "g.g.g.g" set dpd disable set nattraversal disable set remote-gw t.t.t.t (DIFFERENT FROM Dialup-ctl ) set assign-ip disable set psksecret bbbbb next end
#BR VPN CONFIG PHASE2
config vpn ipsec phase2-interface edit "dialup-ph2-ctl" set phase1name "Dialup-ctl" set proposal 3des-md5 aes128-md5 next edit "dialup-ph2-eqx" set phase1name "Dialup-eqx" set proposal 3des-md5 aes128-md5 next end
Solved! Go to Solution.
Labels:
- Labels:
-
6.0
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is your goal with those two parallel VPNs? Failover or load-balance?
The direct problem is you're trying to bring up two [network selectors: 0/0<->0/0] IPsec vpns. It's not allowed (or possible) without "set add-route disable" in phase1 config. That's it would be dropped when the second tunnel comes up.
Depending on the goal and the version of FortiOS, how to accomplish routing through two (or one at a time) would be different in addition to "net-device enable/disable" setting with phase1-int config.
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is your goal with those two parallel VPNs? Failover or load-balance?
The direct problem is you're trying to bring up two [network selectors: 0/0<->0/0] IPsec vpns. It's not allowed (or possible) without "set add-route disable" in phase1 config. That's it would be dropped when the second tunnel comes up.
Depending on the goal and the version of FortiOS, how to accomplish routing through two (or one at a time) would be different in addition to "net-device enable/disable" setting with phase1-int config.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, my goal is load balance with SD-WAN, after that two VPNs Dialup come up at the same time they go are under SD-WAN Interface so Fortigate will do load balance Traffic regard SLA.
maybe you wonder yourself why I don´t use Site-to-Site IPsec, it´s the issue, I can´t because I have 140 Branch with 3 Links each so I overcome interfaces member under SD-WAN ( 256 is the limit ) and my target is load balance with SD-WAN.
I will do more some test and report here.
Thanks, with you have any other idea or doc about SD-WAN with Dialup VPN please post here.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SD-WAN shouldn't care the type of circuits in the members (at least its design). If you are running 6.2.x, "IPsec aggregate" is the easiest load-balancing method between two tunnels. Still need to bring up two tunnels though.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I did some test trying come up two Dialup tunnel as explained before.
After some changes on my configurations now it´s possible to connect two Dialup at the same time.
But when one come down my BGP routing stop and the failover doesen´t work.
My target is overcome the sd-wan limit from 256 interfaces, so I´m trying figure out with Dialup VPNs.
On my real environment I Have 140 Spoke each one with 4 tunnels VPNs to hub so I need overcome this limit interface under sd-wan on hub, this my issue, I should like use sd-wan on all spoke as well as on my Hub. I´m think use Dialup to overcome this limit but with you have other idea please post here.
in attached there is a image from my environment test and follow the main configurations on hub and spoke.
Please ,again, with you have other idea to overcome of the limit members interface under sd-wan post here.
#VPN DIALUP CONFIGURATION HUB SIDE
config vpn ipsec phase1-interface edit "DialEQX" set type dynamic set interface "INTERNET-EQX" set peertype any set net-device disable set exchange-interface-ip enable set proposal 3des-md5 aes128-md5 set add-route disable set dpd on-idle set tunnel-search nexthop set psksecret ccccccc set dpd-retrycount 2 set dpd-retryinterval 2 next edit "DialMGT" set type dynamic set interface "INTERNET-MGT" set peertype any set net-device disable set exchange-interface-ip enable set proposal 3des-md5 aes128-md5 set add-route disable set dpd on-idle set tunnel-search nexthop set psksecret ddddddd set dpd-retrycount 2 set dpd-retryinterval 2 next end
#PHASE2 INTERFACE ON HUB
config vpn ipsec phase2-interface edit "Dialph2Eqx" set phase1name "DialEQX" set proposal 3des-md5 aes128-md5 next edit "Dialph2Mgt" set phase1name "DialMGT" set proposal 3des-md5 aes128-md5 next end
#STATIC ROUTER ON HUB FOR ACHIEVE SPOKE SIDE BY DIALUP INTERFACES edit 12 set dst 10.231.0.1 255.255.255.255 set device "DialEQX" next edit 13 set dst 10.231.2.1 255.255.255.255 set device "DialMGT" next
# INTERFACE DIAL UP ON HUB SIDE, SET IP ADDRESS
edit "DialEQX" set vdom "root" set ip 10.231.0.254 255.255.255.255 set allowaccess ping set type tunnel set remote-ip 10.231.0.1 255.255.254.0 set snmp-index 38 set interface "INTERNET-EQX" next edit "DialMGT" set vdom "root" set ip 10.231.2.254 255.255.255.255 set allowaccess ping set type tunnel set remote-ip 10.231.2.1 255.255.254.0 set snmp-index 39 set interface "INTERNET-MGT" next
# BGP ON HUB SIDE
config router bgp set as 64500 set router-id 10.100.100.1 set keepalive-timer 5 set holdtime-timer 15 set ibgp-multipath enable set graceful-restart enable config neighbor-group edit "VPN-PEERS" set soft-reconfiguration enable set remote-as 64500 set route-map-in "Set-Ingress-Route-Tag" set route-map-out "Set-Main-Site-Community" set keep-alive-timer 5 set holdtime-timer 15 set route-reflector-client enable next end config neighbor-range edit 1 set prefix 10.231.0.0 255.255.0.0 set neighbor-group "VPN-PEERS" next end config network edit 1 set prefix 10.255.1.0 255.255.255.240 next edit 2 set prefix 10.2.0.0 255.255.0.0 next edit 3 set prefix 10.4.0.0 255.255.0.0 next edit 4 set prefix 192.168.99.0 255.255.255.0 next end config redistribute "connected" end config redistribute "rip" end config redistribute "ospf" end config redistribute "static" end config redistribute "isis" end config redistribute6 "connected" end config redistribute6 "rip" end config redistribute6 "ospf" end config redistribute6 "static" end config redistribute6 "isis" end end
#VPN PHASE1 FROM SPOKE SIDE
config vpn ipsec phase1-interface edit "Dialeqx" set interface "INTERNET" set local-gw Spoke-isp1_ip_x set peertype any set exchange-interface-ip enable set proposal 3des-md5 aes128-md5 set dpd on-idle set nattraversal disable set remote-gw INTERNET-EQX set psksecret XXXXXX set dpd-retrycount 2 next edit "Dialmgt" set interface "INTERNET" set peertype any set exchange-interface-ip enable set proposal 3des-md5 aes128-md5 set dpd on-idle set nattraversal disable set remote-gw INTERNET-MGT set psksecret xxxxxxxx next end
# PHASE2 SPOKE SIDE
config vpn ipsec phase2-interface edit "Dialph2eqx" set phase1name "Dialeqx" set proposal 3des-md5 aes128-md5 set auto-negotiate enable next edit "Dialph2mgt" set phase1name "Dialmgt" set proposal 3des-md5 aes128-md5 set auto-negotiate enable next end
##INTERFACES DIALUP ON SPOKE SIDE, SET IP
edit "Dialeqx" set vdom "root" set ip 10.231.0.1 255.255.255.255 set allowaccess ping set type tunnel set remote-ip 10.231.0.254 255.255.254.0 set role wan set snmp-index 34 set interface "INTERNET" next edit "Dialmgt" set vdom "root" set ip 10.231.2.1 255.255.255.255 set allowaccess ping set type tunnel set remote-ip 10.231.2.254 255.255.254.0 set role wan set snmp-index 35 set interface "INTERNET" next end
#STATIC ROUTER ON SPOKE FOR ACHIEVE HUB SIDE BY DIALUP INTERFACES edit 153 set dst 10.231.0.254 255.255.255.255 set device "Dialeqx" next edit 155 set dst 10.231.2.254 255.255.255.255 set device "Dialmgt"
# BGP ON SPOKE SIDE
config router bgp set as 64500 set router-id 10.1.1.1 set keepalive-timer 5 set holdtime-timer 15 set ibgp-multipath enable set graceful-restart enable config neighbor edit "10.231.0.254" set soft-reconfiguration enable set remote-as 64500 set route-map-in "Set-Ingress-Route-Tag" set route-map-out "Bad-Connection" next edit "10.231.2.254" set soft-reconfiguration enable set remote-as 64500 set route-map-in "Set-Ingress-Route-Tag" set route-map-out "Bad-Connection" next end config network edit 1 set prefix 10.11.0.0 255.255.254.0 next end config redistribute "connected" end config redistribute "rip" end config redistribute "ospf" end config redistribute "static" end config redistribute "isis" end config redistribute6 "connected" end config redistribute6 "rip" end config redistribute6 "ospf" end config redistribute6 "static" end config redistribute6 "isis" end end
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
6.2.x improved SD-WAN as well as bug fixes. But still some issues reported on the forum. So I know you want to stay with 6.0.9. I wasn't aware that the "max members" in SD-WAN were 256.
I would wait until 6.2.4 comes out then at that time consider upgrading all of them after a small scale test. Then use IPsec aggregate to bind multiple IPsecs per remote location. That would eliminate the necessity you have now for both SD-WAN and BGP per location for this particular purpose.
For the current BGP set up, you seem to be using iBGP for all remote (ASN=64500). If you do that, remote A's routes are not advertised into remote B via HUB. But again, all this complex wouldn't be necessary with IPsec aggregate. BGP would be useful in case you have multiple HUBs or additional remote-to-remote VPNs to get to HUB and fail it over. By nature BGP doesn't have "tie", and always pick the best route. I'm not sure if it applies to Fortinet's BGP implementation. But to load balance, OSFP or something else would be necessary.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, member aggregation it´s not supported with Dialup VPN
I think ospf it´s supported for sd-wan on 6.2 version.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't understand the reasoning "...tend to have different locations and hence different routing." Are you kidding? If they're terminated by the same FGT on both ends, it shouldn't be a problem. You might want to open a case with TAC to clarify why it's not allowed with dialup/dynamic vpns.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you Toshi for yours repley.
yes I have only a FGT100F on my DC ( which is the Hub ) and many ( 140 FGT 60D/E ) spread on my country which are the spokes.
Currently I´m doing test with sd-wan on test environment so after I will apply on production environment.
Related Posts
- Issues with activating proxy mode in... 75 Views
- How to activate port 80 in... 316 Views
- HOB/SPOKES : VPN Dial-UP issue when... 288 Views
- IPSec Dialup after update Win11 not... 267 Views
- HA led active on standalone... 150 Views
Labels
-
FortiGate
6,528 -
FortiClient
1,303 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
59 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.