Thursday, September 11, 2008

VPN GUI Bug in MR5 and MR6

A GUI bug exists in MR5 and MR6 when configuring IPSEC VPNs. This has been confirmed in MR5 Patch 4 and MR6 Patch 2 and may exist in other versions.

The following will cause you to lose any Phase 2 Security Associations configured under the corresponding Phase 1:

- Phase 1 configured using routed (interface) mode
- Any number of phase 2 SAs
- The VPN is assigned to a zone under System -> Network -> Zone

When you attempt to rename the phase 1 object you receive the error message "Object in Use". This message indicates that the VPN is in use by a zone, which is expected. However, when you return to the VPN configuration screen at VPN -> IPSEC -> Auto Key (IKE), all of your phase 2 SAs are gone. They are also erased from the system configuration and cannot be recovered without a backup of the configuration.

** Update **

This was bug 68864 and has been resolved in FortiOS 3.0 MR7 Build 726.
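Because the lost phase 2 entries survive only in a backup, a quick check after touching a zoned phase 1 is to diff the backup against the running config and list every phase 1 whose phase 2 SAs have vanished. This is an added example, not code from the post; it assumes the FortiOS text config format in which `config vpn ipsec phase2-interface` entries carry `set phase1name`, and both sample configs are constructed.

```python
# Added helper (not from the post): find phase 1 interfaces whose phase 2 SAs
# vanished between a config backup and the running config. Keys are assumed
# to follow the FortiOS 'config vpn ipsec phase1-interface/phase2-interface' format.

# Constructed sample: backup taken before the rename attempt.
BEFORE = """\
config vpn ipsec phase1-interface
    edit "to-branch"
    next
end
config vpn ipsec phase2-interface
    edit "to-branch-p2a"
        set phase1name "to-branch"
    next
    edit "to-branch-p2b"
        set phase1name "to-branch"
    next
end
"""
# Constructed sample: running config after the "Object in Use" error.
AFTER = """\
config vpn ipsec phase1-interface
    edit "to-branch"
    next
end
config vpn ipsec phase2-interface
end
"""

def phase2_by_phase1(config_text):
    """Map each phase 1 name to the set of phase 2 names that reference it."""
    result, stack, current = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[7:])   # track nesting; only top-level tables matter
        elif line == "end" and stack:
            stack.pop()
        elif len(stack) == 1 and line.startswith("edit "):
            current = line[5:].strip('"')
        elif stack == ["vpn ipsec phase2-interface"] and line.startswith("set phase1name "):
            result.setdefault(line[15:].strip('"'), set()).add(current)
    return result

def lost_phase2(before_text, after_text):
    """Return {phase1: sorted phase 2 names} present in the backup but missing now."""
    before, after = phase2_by_phase1(before_text), phase2_by_phase1(after_text)
    return {p1: sorted(n - after.get(p1, set()))
            for p1, n in before.items() if n - after.get(p1, set())}
```

Run `lost_phase2(backup_text, running_text)` on a `show full-configuration` dump taken before and after the change; a non-empty result means it is time to restore the backup rather than rebuild the SAs by hand.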

1 comment:

Adrian said...

Try deleting a VPN interface from the zone and watch all the existing tunnels fail. Not replicated it in the lab yet, but one client has about 40 tunnels in a zone and you just can't add or delete from the zone without losing every other tunnel. Config isn't lost, but you need to kill the IKE daemon from the CLI or reboot to get the tunnels back again.

I think that QA need to do a bit more testing of VPN interfaces in zones!