Lalaram
New Member
May 15, 2026
Question

Dialup VPN hub's phase2 selector only pushing tunnel IP instead of 0.0.0.0/0


I have configured a dialup VPN. In the phase2 selector I configured 0.0.0.0 for both src and dst, but when it is pushed to the spoke it chooses only the spoke's tunnel IP in dst instead of 0.0.0.0, and likewise the spoke takes only the tunnel IP as src and 0.0.0.0 as destination.

What should I do so it takes 0.0.0.0 as src and dst?

10 replies

Toshi_Esumi
SuperUser
May 15, 2026

You’re mixing up two different types of IPsec VPNs.
Which is true: you have Dialup/Remote access IPsec VPN with FortiClient, or you have a HQ - Spoke site-to-site dialup IPsec?
If the former, the client side gets only 1 IP allocated and pushed from the FGT. But if the latter, both HQ side and spoke side have to have matching (mirror image) phase2 network selectors like 0/0<->0/0 configured manually to be used for IKE negotiation. It would never be pushed.

Toshi

Lalaram (Author)
New Member
May 15, 2026

I have a dialup IPsec site-to-site with mode config enabled.
When I turn off mode config the BGP neighbourship breaks.

funkylicious
SuperUser
May 15, 2026

On the IPsec interface configure an IP address on the hub, for example 10.0.0.1/32 with remote 10.0.0.254/24, and on the spoke 10.0.0.2/32 with remote 10.0.0.1/24, and the BGP neighbors should be 10.0.0.1 on the spoke and 10.0.0.2 on the hub. This should work.

"jack of all trades, master of none"
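As an added illustration of the addressing in the reply above (example config, not from the thread; the interface names "Hub-VPN" and "to-Hub" and AS 65000 are assumed), the tunnel-interface and BGP peering on both ends in FortiOS CLI form:

```text
# HUB (assumed names: interface "Hub-VPN", AS 65000)
config system interface
    edit "Hub-VPN"
        set type tunnel
        set ip 10.0.0.1 255.255.255.255
        # /24 remote-ip so every spoke tunnel IP is a connected next hop
        set remote-ip 10.0.0.254 255.255.255.0
        set allowaccess ping
    next
end
config router bgp
    set as 65000
    config neighbor
        edit "10.0.0.2"
            set remote-as 65000
            set update-source "Hub-VPN"
        next
    end
end

# SPOKE (assumed names: interface "to-Hub", AS 65000)
config system interface
    edit "to-Hub"
        set type tunnel
        set ip 10.0.0.2 255.255.255.255
        set remote-ip 10.0.0.1 255.255.255.0
        set allowaccess ping
    next
end
config router bgp
    set as 65000
    config neighbor
        edit "10.0.0.1"
            set remote-as 65000
            set update-source "to-Hub"
        next
    end
end
```

Each side sees the other's tunnel address inside the /24 of its remote-ip, so the peering does not depend on the selectors or routes pushed by mode config. A firewall policy on the tunnel interface must still allow the BGP session (TCP/179) in both directions.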
Lalaram (Author)
New Member
May 15, 2026

Earlier it was 0.0.0.0; after changing it to .254 I manually brought the tunnel down and up, but the issue still persists.

funkylicious
SuperUser
May 15, 2026

Can you share a sanitized config of your phase1 on the hub and/or spoke?

"jack of all trades, master of none"
Lalaram (Author)
New Member
May 15, 2026

First 2 snaps are from the hub and the last 2 from the spoke, for understanding.

funkylicious
SuperUser
May 15, 2026

The output of "show vpn ipsec phase1-interface" would be more helpful, since some settings are visible only on the CLI.

"jack of all trades, master of none"
Lalaram
Lalaram (Author)
May 15, 2026

Hub end

Lalaram (Author)
New Member
May 15, 2026

HUB END


Lalaram (Author)
New Member
May 15, 2026


funkylicious
SuperUser
May 15, 2026

I'm going to leave here a hub-and-spoke IPsec with ADVPN config that I used at my last project a while ago. Note that the hub had dual ISP, so you will see -ISP1 and -ISP2 in some parts of the config. Please adapt it to your needs and see if it resolves your situation.

HUB:

config vpn ipsec phase1-interface
edit "Hub-VPN-ISP1"
set type dynamic
set interface <>
set ike-version 2
set peertype any
set net-device disable
set proposal <>
set add-route disable
set dpd on-idle
set dhgrp 14
set auto-discovery-sender enable
set auto-discovery-forwarder enable
set network-overlay enable
set network-id 1
set psksecret <>
set dpd-retryinterval 20
set dpd-retrycount 3
next
end

config vpn ipsec phase2-interface
edit "Hub-VPN-ISP1-p2"
set phase1name "Hub-VPN-ISP1"
set proposal <>
set dhgrp 14
set replay disable
set keepalive enable
next
end

config system interface
edit "Hub-VPN-ISP1"
set vdom "root"
set ip 100.64.100.253 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 100.64.100.254 255.255.255.0
next
end

SPOKE:

config vpn ipsec phase1-interface
edit "to-Hub-ISP1"
set interface wan1
set ike-version 2
set peertype any
set net-device enable
set proposal <>
set add-route disable
set localid "Branch<>"
set dpd on-idle
set dhgrp 14
set auto-discovery-receiver enable
set auto-discovery-shortcuts dependent
set network-overlay enable
set network-id 1
set remote-gw <>
set dpd-retryinterval 20
set dpd-retrycount 3
set idle-timeout enable
set idle-timeoutinterval 5
set psksecret <>
next
end

config vpn ipsec phase2-interface
edit "to-Hub-ISP1-p2"
set phase1name "to-Hub-ISP1"
set proposal <>
set dhgrp 14
set replay disable
set auto-negotiate enable
next
end

config system interface
edit "to-Hub-ISP1"
set vdom "root"
set ip 100.64.100.<> 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 100.64.100.253 255.255.255.0
next
end


"jack of all trades, master of none"
msanjaypadma
Staff
May 15, 2026

Hi @Lalaram,

Can you try to disable add-route under the phase1 configuration?

config vpn ipsec phase1-interface
edit Dialup-Jio
set add-route disable
next
end

If you have found a solution, please like and mark it as solved to make it easily accessible for everyone.

Thanks,
Mayur Padma
Lalaram
Lalaram (Author)
May 15, 2026

When I disabled add-route the BGP neighbourship went down.

funkylicious
SuperUser
May 15, 2026

The BGP might go down, but do you have ping/reachability from the hub to the spoke via the IPsec interface IP when add-route is disabled? Try to bounce/delete/flush the IPsec tunnel as well.

Also, firewall rules must be in place to permit the traffic; try to capture traffic for TCP/179 where BGP is trying to form.

"jack of all trades, master of none"