
SOLVED: ipsec tunnel - dynamic ip - connection issues after ip-change

Hi,

At my branch office I run a FortiGate firewall. HQ runs Sophos UTM 9.6.
Branch office: dynamic IP, changes every 24 hours
HQ: static IP

The IPsec VPN is up and working fine until there is an IP change at the branch office, which occurs every 24 hours.

Then the tunnel is still up, but no traffic flows in any direction.
My understanding is that the tunnel should go down immediately when the IP change happens, and be re-established immediately.

But obviously this is not the case.
After two hours the traffic is flowing again.

If I manually bring the tunnel down/up at the branch office, then traffic flows again immediately.

So how can I troubleshoot this?



  • Hi

    Have you tried making the FortiGate the tunnel initiator? Keep the IPsec connection on UTM 9 as "Respond only", and also try to enable DPD on the UTM; that should help to terminate the IPsec tunnel with the old IP address.

    Regards

    Jaydeep
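As an added illustration of the arrangement suggested above (this is not configuration from the original thread, from Sophos, or from Fortinet documentation), here is what the branch FortiGate side looks like when it is the IKE initiator with DPD enabled, plus the CLI commands used to check the SAs and to clear the one that was built with the old address. Everything specific is an assumption chosen for the example: the interface name wan1, the phase1/phase2 names, the HQ address 203.0.113.10, the local ID, the subnets, the proposals, the DPD timers, and the choice of IKEv1 aggressive mode (a PSK peer whose source address changes has to identify itself by an ID rather than by its IP, and the ID and IKE settings must match what the UTM remote gateway is configured to accept).

```fortios
# Added example, not from the original thread. All names, addresses,
# subnets, proposals and timers below are assumptions for illustration.
#
# Branch FortiGate (dynamic WAN IP) acting as IKE initiator towards the
# HQ UTM, which is left as "Respond only" with DPD enabled.
config vpn ipsec phase1-interface
    edit "to-hq"
        set interface "wan1"
        set ike-version 1
        # Aggressive mode with a local ID: the changing WAN address is not
        # usable as the peer identity for a PSK tunnel.
        set mode aggressive
        set localid "branch1"
        # Static HQ address; only this side initiates.
        set remote-gw 203.0.113.10
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set nattraversal enable
        # DPD on-idle probes even when no traffic flows, so an SA that is
        # bound to a stale source address is detected instead of lingering.
        # Detection time is roughly dpd-retryinterval x dpd-retrycount.
        set dpd on-idle
        set dpd-retryinterval 10
        set dpd-retrycount 3
        set psksecret "<pre-shared-key>"
    next
end

config vpn ipsec phase2-interface
    edit "to-hq-p2"
        set phase1name "to-hq"
        set proposal aes256-sha256
        set dhgrp 14
        # auto-negotiate: the FortiGate brings the tunnel up itself rather
        # than waiting for interesting traffic to trigger it.
        set auto-negotiate enable
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.0.0.0 255.255.0.0
    next
end

# Checking the tunnel after an address change, and forcing a fresh
# negotiation without waiting for DPD:
#   diagnose vpn ike gateway list          (IKE SAs: peer addresses, creation time)
#   diagnose vpn tunnel list               (IPsec SAs and per-phase2 traffic counters)
#   diagnose vpn ike gateway clear name to-hq   (drop the SA built with the old address)
#   diagnose debug application ike -1      (then "diagnose debug enable" to watch the new negotiation)
```

The firewall policies and the static route over the to-hq interface that the tunnel also needs are not shown. The "gateway list" output is the quickest way to confirm that the IKE SA now shows the current WAN address as its local endpoint; if it still shows the old one, the SA has not been torn down and "gateway clear" reproduces what the manual down/up in the original post does.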

  • Hi

    This was my idea too, but I was not sure what it meant when the UTM said "The preshared key object requires text data for the preshared key attribute." I didn't understand this message.
    Ok, now I just reinserted my PSK and changed the VPN to "respond only" in the UTM. DPD was already active.

    The tunnel came up within a few minutes then after the IP change.

    Do you know how fast DPD is supposed to find the dead peer? Shouldn't the tunnel be re-established within a fraction of a second?

    I am not sure how to verify what mode the FortiGate device currently operates in. I am discussing this with FortiGate support as well.

    Thanks for your help as always. Very much appreciated!

  • Hi

    DPD timeout is 120 seconds. So this tunnel should come up within 120 seconds after the IP change.

    Regards

    Jaydeep

  • Thank you for the clarification.

    It seems to work now this way. Thanks for helping.
