By Manny Fernandez

April 25, 2020

IPSec Remote Access VPN Naming Limitations on FortiGate

There is a 15-character limit on interface names in FortiOS. When using IPSec for remote-access VPNs, it is important to take this into account.

[Screenshot: 2020-04-25_16-17-22]

As you can see in the screenshot above, any name longer than 15 characters errors out.

When you create a remote-access VPN using IPSec, the FortiGate will generate an interface for each remote access VPN based on the name of the VPN.

[Screenshot: 2020-04-25_14-35-50]

As you can see above, there is a name field. This is the base for the interface name. Here is the formula:

    15 (max characters) - X = Y

where X is the number of characters in the name and Y is the number of placeholders you are left with. If I base the number of my IPSec VPNs on my lab FortiGate 300E, which supports 50,000 VPNs, the longer the name I give, the fewer VPNs I can create.

[Screenshot: 2020-04-25_15-27-34]

If I name the VPN, let's say, VPN1, the FortiGate will create a VPN1_1 interface for the first VPN tunnel, then VPN1_2 for the second, and so on. This means the number of VPNs you can create is limited by how many characters can still be appended to the interface name before it hits the 15-character limit.

I will now show longer names and the effect they have on the total number of VPNs.

10 Characters

[Screenshot: 2020-04-25_15-00-01]

With 10 characters you will have:

15 (max char) - 10 (num of char used) = 5 (that leaves you 5 placeholders for the number of VPNs: 10,000)

11 Characters

[Screenshot: 2020-04-25_15-00-16]

With 11 characters you will have the following. Notice that one more character was used in the name, which removes one place value for the number of VPNs.

15 (max char) - 11 (num of char used) = 4 (that leaves you 4 placeholders for the number of VPNs: 1,000)

12 Characters

[Screenshot: 2020-04-25_15-00-29]

With 12 characters you will have the following. Notice that one more character was used in the name, which removes one place value for the number of VPNs.

15 (max char) - 12 (num of char used) = 3 (that leaves you 3 placeholders for the number of VPNs: 100)

13 Characters

[Screenshot: 2020-04-25_15-00-42]

With 13 characters you will have the following. Notice that one more character was used in the name, which removes one place value for the number of VPNs.

15 (max char) - 13 (num of char used) = 2 (that leaves you 2 placeholders for the number of VPNs: 10)

The point is, keep this name as short as possible to get the maximum number of IPSec Remote Access VPNs.
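As an added example (my own script, not code from the original post or from Fortinet), here is a Python pre-check that works out how many tunnel interfaces a proposed VPN name can produce before hitting the 15-character limit. It derives the count from the full generated name in the VPN1_1 pattern shown above, so it also charges the underscore separator against the limit, which makes it one placeholder stricter than the rule of thumb; the base names in the demo are constructed.

```python
# Added example, not code from the original post or from Fortinet.
# Pre-check a proposed IPSec remote-access VPN name against the 15-character
# FortiOS interface-name limit. It assumes the per-tunnel interface naming the
# post shows (VPN1_1, VPN1_2, ...): base name, underscore, decimal tunnel index.

MAX_IFNAME_LEN = 15  # FortiOS interface-name limit stated in the post


def tunnel_ifname(base: str, index: int) -> str:
    """Interface name derived for the index-th tunnel of the VPN named base."""
    return f"{base}_{index}"


def max_tunnels(base: str, limit: int = MAX_IFNAME_LEN) -> int:
    """Largest tunnel index whose interface name still fits within limit.

    The underscore separator also occupies a character, so a base of length
    L leaves (limit - L - 1) digits for the index, i.e. indexes 1..10**d - 1.
    """
    digits = limit - len(base) - 1
    return 10 ** digits - 1 if digits > 0 else 0


def check_plan(base: str, planned: int, limit: int = MAX_IFNAME_LEN) -> dict:
    """Report whether `planned` tunnels fit and name the first one that would not."""
    cap = max_tunnels(base, limit)
    return {
        "base": base,
        "base_len": len(base),
        "max_tunnels": cap,
        "fits": planned <= cap,
        # The first offending interface name, useful for an error message.
        "first_overlong": None if planned <= cap else tunnel_ifname(base, cap + 1),
    }


if __name__ == "__main__":
    # Constructed base names of 10..13 characters, mirroring the post's walkthrough,
    # checked against the 50,000-tunnel capacity the post cites for a 300E.
    for base in ("RemoteAcc1", "RemoteAcc01", "RemoteAcc012", "RemoteAcc0123"):
        r = check_plan(base, planned=50_000)
        print(f"{r['base']:<14} len={r['base_len']:>2} max_tunnels={r['max_tunnels']:>6} "
              f"fits 50,000: {r['fits']}  first overlong: {r['first_overlong']}")
```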

Hope this helps
