Site to Site IPSec VPN - pfSense and Fortinet
-
Hi
I'm having a heck of a time getting a site to site working between pfSense and a Fortinet host.
This had been working with an Edgerouter X (before it died), and as far as I can tell, the only side of the configuration that's changed is my own side.
The issue is that the Fortinet has 3 SAs in phase 2, which I understand is a bit weird and sub-optimal for IKEv2 (at least according to a Ubiquiti post I found).
I will sometimes get one, or two, or two tunnels for one remote subnet established. This usually holds for the 'Life Time' value of the tunnel, then stops working after the Life Time has expired. I'll need to restart the IPSec service repeatedly to get the service to establish the remote SAs.
I have enabled 'Split connections', based on notes in the documentation that this is sometimes required with some devices, Fortinet included. I was not successful at all without this option enabled.
I have tried changing the behaviour of the Child SA Close Action to no effect.
As far as I can tell, the various DH groups, algorithms and key lengths are all the same between the two endpoints.
Any direction, help, references or suggestions are appreciated.
Thanks!
-
@timatlee Try turning the PFS key group on P2 to off and see what happens. I have a couple of IPSec connections with Fortigates, 1 with 4 SAs but that one has PFS key group set to off. Unless I am mistaken, by default, the DH for P2 inherits the DH from P1 unless specified differently.
I also set my time lifetime 10% higher than the FortiGate, which seemed to help a lot.
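As an added example (not code from either poster), a small Python pre-flight check that compares the Phase 2 settings on both ends against the points raised in this thread: PFS group on/off, number of child SAs versus the pfSense 'Split connections' option, the lifetime tip from the reply, and mirrored selectors. Subnets, group numbers and timers are constructed sample values.

```python
"""Pre-flight comparison of the Phase 2 settings on both ends of a
pfSense <-> FortiGate IKEv2 tunnel, modelled on the troubleshooting
points raised in this thread. All values below are constructed samples,
not a real configuration."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

Selector = Tuple[str, str]  # (local subnet, remote subnet) of one child SA


@dataclass
class Phase2Side:
    name: str
    selectors: List[Selector]        # child SAs offered towards the peer
    lifetime_s: int                  # Phase 2 lifetime in seconds
    pfs_group: Optional[int]         # DH group for PFS, None = PFS off
    split_connections: bool = False  # pfSense 'Split connections' option


def check_phase2(local: Phase2Side, remote: Phase2Side) -> List[str]:
    """Return a list of findings; an empty list means nothing obvious is off."""
    findings = []
    # Both ends must agree on whether PFS is used and on which group
    # (the reply suggests turning PFS off on P2 when talking to a FortiGate).
    if local.pfs_group != remote.pfs_group:
        findings.append(f"PFS mismatch: {local.name}={local.pfs_group} "
                        f"vs {remote.name}={remote.pfs_group}")
    # Several child SAs towards one peer: the original poster only got
    # anywhere with 'Split connections' enabled on the pfSense side.
    if len(local.selectors) > 1 and not local.split_connections:
        findings.append(f"{local.name} offers {len(local.selectors)} child SAs "
                        "but 'Split connections' is off")
    # The reply reports that a pfSense lifetime about 10% above the
    # FortiGate's lifetime helped a lot.
    if local.lifetime_s <= remote.lifetime_s:
        findings.append(f"{local.name} lifetime {local.lifetime_s}s is not above "
                        f"{remote.name} {remote.lifetime_s}s "
                        f"(suggest ~{int(remote.lifetime_s * 1.1)}s)")
    # Each selector must have a mirror image (remote, local) on the peer.
    mirrored = {(r, l) for l, r in remote.selectors}
    missing = set(local.selectors) - mirrored
    if missing:
        findings.append(f"selectors with no counterpart on {remote.name}: {sorted(missing)}")
    return findings


# Constructed sample: three child SAs, PFS on only at the pfSense end, equal lifetimes.
PFSENSE = Phase2Side("pfSense", [("10.0.0.0/24", "192.168.10.0/24"),
                                 ("10.0.0.0/24", "192.168.20.0/24"),
                                 ("10.0.0.0/24", "192.168.30.0/24")], 3600, 14)
FORTIGATE = Phase2Side("FortiGate", [("192.168.10.0/24", "10.0.0.0/24"),
                                     ("192.168.20.0/24", "10.0.0.0/24"),
                                     ("192.168.30.0/24", "10.0.0.0/24")], 3600, None)
```

Running `check_phase2(PFSENSE, FORTIGATE)` on the sample reports the three findings this thread discusses; turning PFS off, enabling 'Split connections' and raising the pfSense lifetime to about 3960 s clears them.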