ispcolohost
New Member
April 1, 2020
Question

Any way to have dial-up AND site-to-site VPN between same two locations?

  • April 1, 2020
  • 2 replies
  • 2256 views

Hey all, I've got a location with a FortiGate/IPsec site-to-site VPN, i.e. branch to HQ. There is a user on wifi at the branch, where wifi only has internet access. Internet access from wifi leaves the local FortiGate via the same interface the site-to-site VPN traffic uses, and that user would like to VPN to HQ.


Is there some combination of IPsec settings that will allow the site-to-site VPN and "dial-up" users to connect to the same target FortiGate from the same source WAN IP? I've attempted aggressive mode IKEv1 with a variety of combinations of peertype any vs one, unspecified, and then either phase 1 local ID set or not set, etc., but have not arrived at a combo that allows both to exist in harmony.

2 replies

sw2090
SuperUser
April 2, 2020

You need to limit the dial-up tunnel to a specific peer ID. Otherwise the FGT cannot determine the correct tunnel and gets messed up ;)

Works fine here this way.

Secretcodrin
Explorer II
March 12, 2026

That also doesn't work as expected.


I tried the following setup:
IPsec site-to-site with peerID1
IPsec dial-up with peerID2

The dial-up connection arrived at the FortiGate, tried to match on the site-to-site phase1 and got rejected due to the wrong peer ID (expected).

However, instead of trying the next set of configuration, it just tried again and again to match the site-to-site config and failed.

You do have the option of IKEv2 with a network ID; however, this was hard to implement in FortiClient VPN (and I failed every time).

One other option I found was IPsec over TCP encapsulation. I tried to implement it and it ends up in a timeout on the client side whatever I tried. In this case I keep receiving a FIN from the FortiGate when I send the IPsec info.

I am out of options as of now.
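For readers trying to reproduce the two configurations the replies above discuss, here is an added FortiOS CLI sketch on the HQ FortiGate. It is not configuration posted by anyone in this thread; interface name, addresses, peer IDs, user group and pre-shared keys are placeholders. It shows a static site-to-site phase1 matched by the branch WAN address, a dial-up phase1 restricted to one peer ID as sw2090 suggests (IKEv1 peer-ID matching requires aggressive mode), and the IKEv2 network-ID variant Secretcodrin mentions.

```fortios
# Added example, not from the thread. Placeholder values throughout.

# 1) Site-to-site tunnel to the branch FortiGate (static remote gateway, main mode).
#    Selected by the peer's source address, i.e. the branch WAN IP.
config vpn ipsec phase1-interface
    edit "branch-s2s"
        set type static
        set interface "wan1"                 # HQ outside interface (placeholder)
        set ike-version 1
        set mode main
        set remote-gw 203.0.113.10           # branch WAN IP (placeholder, TEST-NET-3)
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "PLACEHOLDER-PSK-S2S"
    next
end

# 2) Dial-up tunnel for FortiClient users, limited to a specific peer ID.
#    "peertype one" + "peerid" accepts only clients whose local ID is peerID2;
#    with IKEv1 this only works in aggressive mode, because the ID payload
#    must arrive before the PSK is selected.
config vpn ipsec phase1-interface
    edit "dialup-users"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "peerID2"                 # must equal the client's Local ID
        set proposal aes256-sha256
        set dhgrp 14
        set xauthtype auto
        set authusrgrp "vpn-users"           # placeholder user group
        set psksecret "PLACEHOLDER-PSK-DIALUP"
    next
end

# 3) Alternative: IKEv2 dial-up keyed by network ID instead of IKEv1 peer ID.
#    The client must send the same network-id value (0-255).
config vpn ipsec phase1-interface
    edit "dialup-users-ikev2"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set network-overlay enable
        set network-id 10                    # placeholder value
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "PLACEHOLDER-PSK-IKEV2"
    next
end
```

Note that this sketch does not change what the thread reports: when the dial-up client sits behind the branch WAN IP, its IKEv1 proposal arrives from the same source address that the static tunnel in stanza 1 is keyed on, which is the matching problem Secretcodrin observed. To see which phase1 an incoming negotiation is being matched against, filter the IKE debug on the branch WAN address (`diagnose vpn ike log filter rem-addr4 203.0.113.10`, then `diagnose debug application ike -1` and `diagnose debug enable`) and compare with `diagnose vpn ike gateway list`.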