ephemeric
New Contributor II

Cannot Add Subnet to Address Group

Hi,

I have configured a partially redundant IPsec VPN with two local links going to a single link, static IP server.

The two links are seen as dial-up on the remote FG.

I used the wizard to do all configs.

SDWAN is used to team the two WAN links.

I added via the CLI an interface monitor for the primary VPN tunnel so failover can happen.

 

Everything works as expected except for... on the dial-up side the wizard creates a remote address group for VPN subnets.

Try as I might, I cannot add another subnet as an address object into said group. The newly created address object is not shown in available addresses.

On the remote end I can add a subnet into the local address group for the VPN. Why does it work on this side? Is it because it's the server and not dial-up, or could the interface monitor have something to do with it?

 

The only way for this to work on the dial-up side was to delete the config and use the wizard again and add all required subnets at config time so the group is created accordingly.

This doesn't help as I need to add and remove subnets as required.

The workaround in the meantime was to create another phase 2 SA with the required subnets which I don't want to do each time.

I'm stumped; I lost an entire day trying to work this out.

Please can someone help me out of this mess?

I'm not sure what configs and how much to post, but I'll be happy to do so when instructed.

Thank you.

1 Solution
DangerZone

Man - this drove me insane too but I found a solution.

 

Under Policies & Objects -> Addresses

Clone one of the addresses created by the Wizard.

Rename and change the IPv4 address.

The new address will now be available within the group -> add address menu.

 

One thing I noticed that's different about the auto generated addresses is that "static route configuration" is enabled.

 

Enjoy :)


7 Replies
hampy
New Contributor

Same issue here.

smcguire

Thanks! Saved me a lot of time with this answer.

 

-Stephen

makco10

Hello,

 

Also, you can enable static route configuration via the GUI.

 

Regards.

Defend Your Enterprise Network With Fortigate Next Generation Firewall
rc179
New Contributor

If an address object has an interface specified you won't be able to use it anywhere that the interface is different, or you have other objects in the group with a different interface, or no interface, defined. It's easier to just not define an interface on the address objects. I haven't found anywhere that this has a functional effect, so all it's doing is making the setup more difficult to do.
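The interface restriction rc179 describes, together with the "clone the wizard's object" workaround from the accepted answer, expressed as FortiOS CLI. This is an added example, not configuration posted in the thread: the object names, the tunnel interface name `vpn-to-hq` and the subnets are constructed, and which attributes the wizard sets on its objects is assumed from the replies rather than verified here. `associated-interface` is the CLI name of the GUI "Interface" field and `allow-routing` is the CLI name of the GUI "Static route configuration" toggle.

```fortios
# Constructed example of what a wizard-built remote address is assumed to
# look like: bound to the tunnel interface and with static-route use enabled.
config firewall address
    edit "vpn-to-hq_remote_subnet_1"
        set subnet 10.10.0.0 255.255.255.0
        set allow-routing enable
        set associated-interface "vpn-to-hq"
    next
end

# An address created by hand with no interface bound to it. Per rc179, an
# object whose interface binding differs from the group's existing members
# (here: none versus "vpn-to-hq") is not offered as a candidate member,
# which is the "not shown in available addresses" symptom from the question.
config firewall address
    edit "branch_lan_2"
        set subnet 10.20.0.0 255.255.255.0
    next
end

# Matching the existing member's settings, which is what cloning the wizard
# object achieves, makes the new object eligible for the same group.
config firewall address
    edit "vpn-to-hq_remote_subnet_2"
        set subnet 10.20.0.0 255.255.255.0
        set allow-routing enable
        set associated-interface "vpn-to-hq"
    next
end

config firewall addrgrp
    edit "vpn-to-hq_remote"
        set member "vpn-to-hq_remote_subnet_1" "vpn-to-hq_remote_subnet_2"
    next
end

# Check: compare the interface binding of an existing member with the object
# you are trying to add. A mismatch here is the usual cause.
show firewall address vpn-to-hq_remote_subnet_1
show firewall address branch_lan_2
```

rc179's alternative is the mirror image of this: leave `associated-interface` unset on every member instead of setting it on all of them. Either way, the rule to remember when the GUI hides an object from the group picker is that the candidate's interface binding must match what the group's other members already have.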

maisiba

Thanks! You saved me a lot of time.

romohite8

Thanks, but this doesn't seem to work in FortiManager. If I want to edit a local address group in VPN, I am not able to find that address group in FortiManager.
