The VPN tunnel between the FortiSASE spoke and the FortiGate hub is not establishing due to the configuration of mode config, which is not supported by FortiSASE spoke devices. Mode config is used to assign IP addresses to VPN clients dynamically, but this feature is not applicable to FortiSASE spokes.
Mode Config in IPsec:
The configuration snippet shows that mode config is enabled in the IPsec phase 1 settings.
Mode config is typically used for VPN clients to dynamically receive an IP address from the VPN server, but it is not suitable for site-to-site VPN configurations involving FortiSASE spokes.
Configuration Adjustment:
To establish the VPN tunnel, you need to disable mode config in the IPsec phase 1 settings.
This adjustment will allow the FortiSASE spoke to properly establish the VPN tunnel with the FortiGate hub.
Steps to Disable Mode Config:
1. Access the VPN configuration on the FortiSASE spoke.
2. Edit the IPsec phase 1 settings to disable mode config.
3. Ensure other settings such as pre-shared key, remote gateway, and BGP configurations are correct and consistent with the FortiGate hub.
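As an added example (not part of the original explanation or Fortinet's own tooling), the check below scans IPsec phase 1 settings written in FortiOS CLI syntax and lists the tunnels where mode config is still enabled. The sample configuration, tunnel names, and addresses are constructed, and a tunnel with no `set mode-cfg` line is assumed to have it disabled.

```python
import re

# Constructed sample in FortiOS CLI syntax; tunnel names and addresses are
# placeholders, not values from the original page.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "sase-spoke-1"
        set interface "port1"
        set ike-version 2
        set mode-cfg enable
    next
    edit "branch-static"
        set interface "port1"
        set remote-gw 203.0.113.10
    next
end
config vpn ipsec phase2-interface
    edit "sase-spoke-1"
        set phase1name "sase-spoke-1"
    next
end
"""

def phase1_mode_cfg(config_text):
    """Map each phase 1 tunnel name to True if mode-cfg is enabled on it."""
    result, current, depth = {}, None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth == 0:
            # Ignore everything outside the phase1-interface block.
            if line == "config vpn ipsec phase1-interface":
                depth = 1
            continue
        if line.startswith("config "):
            depth += 1          # nested sub-table inside a tunnel entry
        elif line == "end":
            depth -= 1          # reaching 0 leaves the phase 1 block
        elif depth == 1:
            m = re.match(r'edit\s+"?([^"]+)"?$', line)
            if m:
                current = m.group(1)
                result[current] = False  # assumption: absent means disabled
            elif current and line == "set mode-cfg enable":
                result[current] = True
    return result

def tunnels_to_fix(config_text):
    """Return the phase 1 tunnels that still need 'set mode-cfg disable'."""
    return sorted(n for n, on in phase1_mode_cfg(config_text).items() if on)
```

Running `tunnels_to_fix` against a configuration backup before and after the change confirms that no phase 1 entry facing the spoke still has mode config enabled.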