Fortigate Site2Site with MAX BR1 - IPSEC working only on WAN and not on 3G


#1

Hello,

I have a weird problem.

I’ve configured our HQ Fortigate 600C v5.2.2 to do IPSEC tunneling with a PEPWAVE MAX BR1 located in one of our office branches.
My goal is to have IPSEC redundancy over 3G when the DSL is out.

When the 3G is connected, the IPSEC status on both ends indicates ESTABLISHED but no packets are passing (none showing in the Fortigate logs).
I was sure I was having configuration issues with the Fortigate until I connected an Ethernet cable to the WAN port of the BR1; suddenly all is well, packets are passing between the two networks.

I unplugged the Ethernet; the IPSEC status remains ESTABLISHED but no packets are traveling over the tunnel anymore. Connecting the Ethernet, traffic resumes.

There is internet connectivity both when the 3G and when the Ethernet is connected; both work fine, only the IPSEC is giving me problems.

BR1 Firmware: 6.1.2

Any suggestions?

Thx,
Nitzan.


#2

Hello,

Is this being run in Aggressive Mode or Main Mode?

Does either WAN (Ethernet or Cellular) have a static IP?


#3

Hi Jarid,

It’s being run in Aggressive mode.

Both internet connections (DSL and 3G) have dynamic IPs.

The only static IP in this scenario is the Fortigate at the HQ.


#4

Hi,

What is the WAN Connection Priority (Network > IPsec VPN > Select IPsec VPN Profiles > WAN Connection Priority) settings on BR1?

How many IPsec profiles have you configured on the Fortigate?


#5

Hi,

When the route 1st priority is set to WAN, the tunnel is UP and connected - working good.
When I set the 3G to be 1st priority, the tunnel is up but packets do not flow.

Regarding the Fortigate IPsec profiles, I don't understand the question.


#6

Hi Nitzan,

Based on the explanation, you are currently integrating the advanced IPSEC VPN settings (Failover/Redundancy) between the Max Br1 & FortiGate.

There are 2 issues that need to be considered here:

  1. The reported issue may be related to an integration issue whereby the fail-over feature of the MAX Br1 may not be supported by FortiGate. I have searched around to verify what settings the FortiGate requires in order to achieve the fail-over, but none of the VPN redundancy methods for FortiGate really discuss this.

http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=fortigate-ipsec-40-mr3pdf&sliceId=&docTypeID=DT_PRODUCTDOCUMENTATION_1_1&dialogID=2868720&stateId=0%200%2067508350 (Page 151)

  2. VPN traffic pass-through issue for the subscribed 3G connections.
  • May I know, without the VPN redundancy settings, will the IPSEC traffic work fine?

In order to look further at the issue, please open a support ticket here.


#7

Hi,

Thanks for the response.

The solution eventually was asking the 3G provider to cancel the NAT on the 3G APN.
When he did, the IPSec started to work as it should.

Thanks for the help.

Nitzan.
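The "ESTABLISHED but no packets" symptom from this thread, turned into a monitoring check that tells a silently blackholed tunnel apart from an idle or a down one. This is an added example, not code from any of the posters, Peplink or Fortinet; the status-line format, the tunnel names (BR1-WAN, BR1-3G, BR1-IDLE) and the byte counters are constructed.

```python
"""Flag IPsec tunnels that report 'up' but carry no return traffic.
Added example (not from this thread, Peplink or Fortinet) modelling the
symptom above: IKE up, tunnel ESTABLISHED, yet no packets cross it.
Status-line format, tunnel names and counters are constructed."""
import re

# Constructed, simplified status line, one tunnel per line.
STATUS_RE = re.compile(
    r"name=(?P<name>\S+)\s+status=(?P<status>\S+)\s+"
    r"in_bytes=(?P<inb>\d+)\s+out_bytes=(?P<outb>\d+)")


def parse_status(text):
    """Parse status lines into {name: (up, in_bytes, out_bytes)}."""
    snaps = {}
    for line in text.splitlines():
        m = STATUS_RE.search(line)
        if m:
            snaps[m["name"]] = (m["status"] == "up",
                                int(m["inb"]), int(m["outb"]))
    return snaps


def classify(before, after):
    """Compare two snapshots taken some seconds apart and return, per
    tunnel that is up in both: "ok" (bytes moved both ways), "idle"
    (nothing moved, no conclusion yet) or "blackhole" (we keep sending
    but nothing comes back: the ESTABLISHED-but-no-traffic pattern that
    a NAT dropping ESP in transit produces). Down tunnels are skipped."""
    verdicts = {}
    for name, (b_up, b_in, b_out) in before.items():
        a_up, a_in, a_out = after.get(name, (False, 0, 0))
        if not (a_up and b_up):
            continue
        sent, received = a_out > b_out, a_in > b_in
        verdicts[name] = ("ok" if sent and received
                          else "blackhole" if sent else "idle")
    return verdicts


# Constructed sample: over WAN the BR1 tunnel works, over 3G it only sends.
BEFORE = parse_status("""\
name=BR1-WAN status=up in_bytes=1000 out_bytes=1000
name=BR1-3G status=up in_bytes=0 out_bytes=500
name=BR1-IDLE status=up in_bytes=0 out_bytes=0
""")
AFTER = parse_status("""\
name=BR1-WAN status=up in_bytes=2400 out_bytes=1900
name=BR1-3G status=up in_bytes=0 out_bytes=900
name=BR1-IDLE status=up in_bytes=0 out_bytes=0
""")
```

Run `classify(BEFORE, AFTER)` after each polling interval; a tunnel that stays in "blackhole" across several intervals is the case to alarm on, since the IKE status alone would keep reporting it as healthy.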