SOLVED: ipsec tunnel - dynamic ip - connection issues after ip-change

Hi,

At my branch office I run a FortiGate firewall. HQ runs Sophos UTM 9.6.
Branch office: dynamic IP, changes every 24 hours
HQ: static IP

The IPsec VPN is up and working fine until there is an IP change at the branch office, which occurs every 24 hours.

Then the tunnel is still up, but no traffic flows in either direction.
My understanding is that the tunnel should go down immediately when the IP changes and be re-established immediately.

But obviously this is not the case.
After two hours the traffic is flowing again.

If I manually bring the tunnel down/up on the branch office, then traffic flows again immediately.

So how can I troubleshoot this?

  • Hi  

    Have you tried making the FortiGate the tunnel initiator? Keep the IPsec connection on UTM 9 as Respond only, and also try to enable DPD on the UTM; that should help terminate the IPsec tunnel with the old IP address.

  • In reply to Jaydeep:

    Hi   

    This was my idea already too, but I was not sure what it meant when the UTM said "The preshared key object requires text data for the preshared key attribute.". I didn't understand this message.
    Ok, now I just reinserted my PSK and changed the VPN to "respond only" in the UTM. DPD was already active.

    The tunnel came up within a few minutes then after the IP change.

    Do you know how fast DPD is supposed to find the dead peer? Shouldn't the tunnel be re-established within a fraction of a second?

    I am not sure how to verify in which mode the FortiGate device currently operates. I am discussing this with Fortinet support as well.

    Thanks for your help as always. Very appreciated!

  • In reply to GKR:

    Hi  

    DPD timeout is 120 seconds. So this tunnel should come up within 120 seconds after the IP change.

  • In reply to Jaydeep:

    Thank you for the clarification.

    It seems to work now this way. Thanks for helping.

  • In reply to Jaydeep:

    Is there any further tweaking regarding DPD that can be done?
    Is there a VPN manual/documentation where I can read about all of this?

    In the FortiGate I can configure all of this:

    config vpn ipsec phase1-interface
        edit <Tunnel Name>
            set dpd [disable | on-idle | on-demand]
            set dpd-retryinterval 15
            set dpd-retrycount 3
        next
    end

    where:

    disable   - Disable Dead Peer Detection.
    on-idle   - Trigger Dead Peer Detection when IPsec is idle.
    on-demand - Trigger Dead Peer Detection when IPsec traffic is sent but no reply is received from the peer.

    I have now set it this way: retryinterval 2, retrycount 5. So after 10 seconds the FGT should detect the dead peer after an IP change.

    UTM should support it too...

  • In reply to GKR:

    Hi  

    Unfortunately, this option is not available in UTM. However, there is a feature request available here. Please vote for it if you would like this feature to be available in UTM.