Interface Validation failure on zone used for IPSec VPN -- cannot update policy
I have a new FortiManager (5.4.4) and FortiGate (81E, 5.4.5) deployment. The 81E was configured before it was added to FortiManager, and it has an IPSec VPN tunnel to a Juniper SSG firewall at a remote site. The 81E added to FortiManager without error.
On the 81E, the tunnel interface ("vpn_to_aa") is mapped to a dedicated VPN zone ("vpn-s2s"), and is the only interface in that zone.
When I attempt to apply an updated policy from FortiManager, I receive an error that vpn-s2s is unmapped and that I need to select a device interface. Re-selecting the VPN tunnel interface causes the error to loop.
Specifically, when I apply the policy using the Install Wizard, I receive the error, "The following ADOM interfaces have no mapping. All ADOM interfaces should be mapped before continue with installation," and I am presented with a line listing the Device Name, the Unmapped Interface, and a drop-down list box to select the Device Interface. (See https://ibb.co/d7xOMG)
Alternately, when I apply the policy using the "Re-install Policy" option, I receive a slightly different window / response. The first window states "Zone Validation Failed" and offers a button for "Details." Clicking the Details button presents a window titled Validation Details, with a line "Device Name / Unmapped Interface / Device Interface" identical to the Install Wizard method. (See https://ibb.co/dHb6ab)
This process eventually fails with Status "install and save finished status=FAILED," and the Install History reports "get-post-checksum fail." (See https://ibb.co/eCh7gG)
In fact, it removed the vpn-s2s policies from the firewall and may have changed some phase-two settings for the IPSec tunnel.
We're migrating from Juniper SSG firewalls, and our standard configuration with SSG is to bind the VPN tunnel interfaces to a single zone, which allows us to maintain multiple VPN tunnels with a single set of policies referencing the zone. I would like to use a similar configuration with FortiGate.
I would really like to manage everything through VPN Manager, but I'm having difficulty making that work-- I'll address it in a separate post. In the meantime, we have many Juniper SSG firewalls deployed that we need to work with, as we replace them.
Any tips or suggestions about how to get FortiManager to play nice with custom IPSec tunnels-- assuming that's possible?