Multiple Dial-Up VPN issue (EVE)

Author
Isaacf
New Member
2019/08/24 09:35:34 (permalink)

Multiple Dial-Up VPN issue (EVE)

Hello Guys
 
I'm studying the SD-WAN feature with ADVPN, so I decided to create a lab environment (my two VPNs are inside my SD-WAN interface). My topology is very simple; I've attached it. The problem is that my two dial-up VPNs cannot be up at the same time: when VPN one is up, VPN two is down, and vice versa. I don't understand what is going on. Could you help, please?
 
BRANCH CONFIG
config vpn ipsec phase1-interface
edit "VPN_ALGAR"
set interface "WAN"
set ike-version 2
set peertype any
set proposal des-md5
set dpd on-idle
set remote-gw 200.0.0.6
set psksecret ENC pZ+gI7kUhapa3POJ59q6nAaNwn4smG1ycmlJfwkqb3lQ6YG6LvPRp5CbtznYsjFHYb6U2aQqIOtH1dL59OltvcMFoF4BVNZ+v9nywzsZu9ild4EooWV5CtK96X/asmgq2u0bmfijbWGa3sBsJKivhQA3vYDOVfBDlxcCWXei/qEC3A8cNwKnfb7eHEQajMbeXXMHpw==
next
edit "VPN_EBT"
set interface "WAN"
set ike-version 2
set peertype any
set proposal des-md5
set dpd on-idle
set remote-gw 200.0.0.14
set psksecret ENC 1mMxhtSfhKSJX3UBKTf+tIlXcpR5YSP+HhaEOJlInAZhk0l/sA7GCLMtSA6Evw6SQ7B0Q9lOV1PdqEjSdgW+J1ype+dcRcKtC9+Z2E+RgYIyGyqH9IK8F2PcVk8C8ziKPreHZC8DkOjlp1EZEUK/uGM7LMopuDqXPciMPmG6a+9JUbODYI2GBGt7qIZGmZc+f/zdsg==
next
end
##############################################################################
config vpn ipsec phase2-interface
edit "VPN_ALGAR"
set phase1name "VPN_ALGAR"
set proposal des-md5 des-sha1
set pfs disable
set replay disable
set src-addr-type name
set dst-addr-type name
set src-name "LANALGAR"
set dst-name "REMOTE_NETWORK_ALGAR"
next
edit "VPN_EBT"
set phase1name "VPN_EBT"
set proposal des-md5 des-sha1
set pfs disable
set replay disable
set src-addr-type name
set dst-addr-type name
set src-name "LANEBT"
set dst-name "REMOTE_NETWORK_EBT"
next
##############################################################################
config firewall address
edit "none"
set uuid ff30dbf6-b980-51e9-dafb-6667cea66a3a
set subnet 0.0.0.0 255.255.255.255
next
edit "all"
set uuid fff3af28-b980-51e9-1ca4-d28501acc916
next
edit "FIREWALL_AUTH_PORTAL_ADDRESS"
set uuid fff56908-b980-51e9-9abb-21043e651abc
set visibility disable
next
edit "SSLVPN_TUNNEL_ADDR1"
set uuid 00005246-b981-51e9-e6ba-c6b358a99ce5
set type iprange
set associated-interface "ssl.root"
set start-ip 10.212.134.200
set end-ip 10.212.134.210
next
edit "PC_ISAAC"
set uuid f6963762-b989-51e9-b9ec-a09e82ddd04e
set allow-routing enable
set subnet 192.168.100.100 255.255.255.255
next
edit "WAN_SOURCE"
set uuid e7b16dec-b9f8-51e9-d0fc-f40e3e4a331e
set associated-interface "port1"
set allow-routing enable
set subnet 192.168.0.20 255.255.255.255
next
edit "CLASSE_A"
set uuid b1ceebf0-c600-51e9-6c59-1d1936f394ff
set subnet 10.0.0.0 255.0.0.0
next
edit "CLASSE_B"
set uuid c6a89daa-c600-51e9-ebcf-cc36d5282730
set subnet 172.16.0.0 255.255.240.0
next
edit "CLASSE_C"
set uuid ce9025c4-c600-51e9-0048-198bb91fa788
set subnet 192.168.0.0 255.255.0.0
next
edit "IBM_LAN"
set uuid e06d8674-c600-51e9-56be-0dcb06199601
set subnet 192.168.50.0 255.255.255.0
next
edit "TUNNELALGARSOURCE"
set uuid 32f0ae8a-c610-51e9-2088-b68be9662779
set subnet 172.30.251.100 255.255.255.255
next
edit "TUNNELEBTSOURCE"
set uuid 6c9144e8-c61e-51e9-b512-115608a23bbc
set subnet 172.30.250.100 255.255.255.255
next
edit "TUNNELALGARDESTINATION"
set uuid 6a40c518-c620-51e9-5685-ba8654637036
set subnet 172.30.251.1 255.255.255.255
next
edit "TUNNELTEBTDESTINATION"
set uuid 7bd30a48-c620-51e9-0ca3-866f3721e53e
set subnet 172.30.250.1 255.255.255.255
next
end
#############################################################################
 
DC
 
config vpn ipsec phase1-interface
edit "DIAL-WAN1-ALG"
set type dynamic
set interface "WAN1-ALGAR"
set ike-version 2
set peertype any
set proposal des-md5
set dpd on-idle
set net-device enable
set psksecret ENC /oRA7THgwjcuy2vwUynxnm3d4qahRjcF4WOJwFzBYD96cus2DWaAufMkFLGc1ibiqiU+yksDg2PwG3rYoIc5q3L1X3/trXv/JdQBBUHD9QFc3OOnlR+R2mE5R2KpgYj/N0zbuvzXsWHE7psGQIjI1NJwVxF4wQlF6lN55aIWkUT3yKdvRQ9jT0mVRe9xkqCWz2lomA==
set dpd-retryinterval 60
next
edit "DIAL-WAN2-EBT"
set type dynamic
set interface "WAN2-EBT"
set ike-version 2
set peertype any
set proposal des-md5
set dpd on-idle
set net-device enable
set psksecret ENC Uqpu0giK0gzeqq/BawChsc75QxurKTTy1OTaVsEbDYz3OfAXmSMAlGSKJJg8yUB3q/SGpDb6ywrvx6gXxiFBXY7ANc70UNBMN/A/yHnAYQyfvi46PkjRLfeiqPs3puOQOULP6cSYokS34o7hGwT4KfWCwi2aty7BadzA0fNEpkgJdwEzbQrpyG+98rTbQ7u3dFQx/A==
set dpd-retryinterval 60
next
end
#############################################################################
config vpn ipsec phase2-interface
edit "WAN1-ALGAR"
set phase1name "DIAL-WAN1-ALG"
set proposal des-md5
set pfs disable
set replay disable
next
edit "DIAL-WAN2-EBT"
set phase1name "DIAL-WAN2-EBT"
set proposal des-md5
set pfs disable
set replay disable
next
end
###########################################################################
 
Thank you so much, feel free to ask any logs.
post edited by Admin_FTNT - 2019/09/10 23:33:12


    ede_pfau
    Expert Member
    Re: Multiple Dial-Up VPN issue (EVE) 2019/08/25 03:56:41 (permalink)
    Dial-in VPNs coming from the same remote (WAN) address or subnet need an additional tag or token so that the receiving end can tell them apart.
    This is called 'peer ID' in FortiOS.
    In the simplest case this can be a string in phase1, such as 'siteA' or 'siteB'. On the receiving side, do not 'allow any peer ID'; instead, build one phase1 per peer ID ('accept one peer ID').
    This stuff is laid out in the Handbook.
    post edited by Admin_FTNT - 2019/09/10 23:33:26

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    Isaacf
    New Member
    Re: Multiple Dial-Up VPN issue (EVE) 2019/09/05 10:53:06 (permalink)
    Hello ede, thanks for your advice, but what I actually had to configure was "set device-enable" and "set allow-routing overlap"; I haven't had any problems since then.
    post edited by Admin_FTNT - 2019/09/10 23:33:40