Technical Tip: Do not use the same subnet when using multiple IPsec Dial-Up VPNs
Description
This article describes intermittent connectivity that can occur when using two IPsec dial-up VPNs over two ISPs.

Scope
FortiOS.

Solution
When configuring the Client Address Range of an IPsec VPN, if there are two IPsec dial-up VPNs, one for ISP1 and the other for ISP2, and both VPNs use the same address range, some users may experience intermittent connectivity. This happens because the FortiGate assigns the first free IP of the range independently for each VPN: if VPN 1 already has a user connected with IP 192.168.1.1 and a new user connects to VPN 2, the FortiGate assigns that new user the same IP. The other user is then disconnected, or one of the two users receives no traffic, because the FortiGate routes the reply traffic to only one of them.

IKE debug output shows the following sequence: the FortiGate adds the new user and assigns an IP to that user, then deletes the tunnel of the user on the other VPN, and finally adds the new IP and the route for the new user.

Solution: use a different subnet for the secondary VPN.
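As an added example (not taken from the original article), the FortiOS CLI snippet below shows the two dial-up phase1-interface entries with the overlapping Client Address Range that triggers the problem, followed by the corrected entry for the secondary VPN on its own subnet. The interface names, the proposal, the tunnel names and the PSK placeholder are assumptions; phase2-interface and firewall policy configuration are omitted.

```fortios
# Added example, not from the original article. Two IPsec dial-up VPNs,
# one bound to each ISP WAN port. Interface names, proposal, tunnel names
# and the PSK placeholder are assumptions.

# --- Problematic: both dial-up VPNs hand out the same Client Address Range ---
config vpn ipsec phase1-interface
    edit "DialUp_ISP1"
        set type dynamic
        set interface "wan1"
        set mode-cfg enable
        set peertype any
        set proposal aes256-sha256
        set ipv4-start-ip 192.168.1.1
        set ipv4-end-ip 192.168.1.254
        set ipv4-netmask 255.255.255.0
        set psksecret <PSK_PLACEHOLDER>
    next
    edit "DialUp_ISP2"
        set type dynamic
        set interface "wan2"
        set mode-cfg enable
        set peertype any
        set proposal aes256-sha256
        # Same range as DialUp_ISP1: the first client on each VPN gets
        # 192.168.1.1, so reply traffic is routed to only one of them.
        set ipv4-start-ip 192.168.1.1
        set ipv4-end-ip 192.168.1.254
        set ipv4-netmask 255.255.255.0
        set psksecret <PSK_PLACEHOLDER>
    next
end

# --- Corrected: give the secondary VPN its own, non-overlapping subnet ---
config vpn ipsec phase1-interface
    edit "DialUp_ISP2"
        set ipv4-start-ip 192.168.2.1
        set ipv4-end-ip 192.168.2.254
        set ipv4-netmask 255.255.255.0
    next
end
```

After the change, `diagnose vpn ike gateway list` should show each connected client with an assigned address from the range of the VPN it dialed into, with no address appearing under both tunnels.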
