itemanuel
New Member
March 31, 2020
Solved

Two dialup VPN tunnels to use the same interfaces

  • March 31, 2020
  • 5 replies
  • 64315 views

Hi,

We are running a FortiGate 60E using a single WAN connection (set of public IPs) and a straight C-class private LAN. We have some services in our LAN that my colleagues and I are using every day. Basically everything works just nicely.

I have set up a dialup VPN tunnel (IPsec) to provide access from remote networks. This VPN tunnel is set to have "Enable IPv4 Split Tunnel" checked, as normally we would like to have internet traffic not take the VPN route, but go there directly. This tunnel works great and we are happy with bandwidth and performance.

Now in addition to that, we need to have a VPN tunnel with "IPv4 Split Tunnel" disabled. In some cases we need to have all traffic go through that tunnel, and for internet traffic we'd like to have a different public IP address being used than the one generally defined for WAN1. So apart from the "Split Tunnel" feature and a different client address range, there should not be a difference. But the thing is, this second dialup VPN tunnel doesn't work.

In https://forum.fortinet.com/tm.aspx?m=174231 ede_pfau recommends using VDOMs for this kind of setup. But this seems way too complicated to me, especially as there is no need to securely separate the traffic between the two or to have two different LANs to be reached by the VPN tunnels. So the typical use case for VDOMs is not given.

Does anybody know how to tackle this in the sense of "best practice"? Any help and support is appreciated.

itemanuel

Best answer by OrtegaPedro (see the April 3, 2020 reply below)

5 replies

Toshi_Esumi
SuperUser
March 31, 2020

Try this one:

https://kb.fortinet.com/kb/documentLink.do?externalID=10114

I think the KB is a little old, so the GUI menu might not match yours. I almost never use the GUI to create IPsec so I don't know for sure, but I think it now shows it as "Local ID" instead of "Peer ID" when you choose "Custom" in the wizard.

Then the client can choose which dialup Phase1-interface to connect to.

itemanuel (Author)
New Member
April 1, 2020

Thanks!

Sounds like a good idea. The thing is that I can't find a way to have my FortiGate 60E (FortiOS 6.2.3) show the IKE and Peer Options part in the section "Authentication". I tried to enable the feature in System > Feature Visibility by checking "Policy-based IPsec VPN". Do you have a hint on how I can manage to edit my VPN tunnels to use Peer IDs in the GUI of my FortiGate?

Toshi_Esumi
SuperUser
April 1, 2020

This is a part of the regular interface-based IPsec features. You don't have to enable policy-based IPsec in GUI feature visibility.

Once you choose "Custom" IPsec, then choose "Aggressive" mode, the Peer Options config part should show up on your screen.

itemanuel (Author)
New Member
April 1, 2020

Ok, I see. So I converted the two tunnels to "custom" ones. I still have to sort out something, as connections are failing in phase 2. Just curious: I guess the actual Peer ID can be anything, right? They just need to be different. I have tried "dialup1" and "dialup2" though...

Toshi_Esumi
SuperUser
April 1, 2020

The IDs themselves should be fine as long as you can configure them on the client side. The original dialup IPsec was working fine with one phase1-interface before, right? I would suggest going back to the original working setup, then taking a config snapshot of the phase1-interface and phase2-interface in the CLI (config vpn ipsec phase1-interface / config vpn ipsec phase2-interface, then just "show"). The only thing that should change is "set localid "dialupX"" in the phase1-interface config.

Jan_1966
New Member
April 1, 2020

Hi,

I think this is the same config that I have. Each VPN tunnel needs a PeerID in the Authentication settings:

Accept types: Specific Peer ID

Peer ID: Whatever_name

 

Then on the Client side in the Phase 1 local ID for each Tunnel you want them to connect to you have to have the matching LocalID.

 

I created this with help from this forum https://forum.fortinet.com/tm.aspx?tree=true&m=184280&mpage=1 and I use it to segregate Corporate and BYOD computers. 

Toshi_Esumi
SuperUser
April 1, 2020

I was thinking the article I referred to provided a config to have a few dialup termination points on the FGT side, with many clients able to dial up to the same termination points. But I was wrong. FortiClient can be configured only with a "local ID", not a "peer/remote ID". So you need to create one phase1-interface config for each client, which is not going to scale.

If it's FGT-to-FGT dialup IPsec, or other vendors' FWs, which can specify a peer ID, you should be able to do what I was thinking originally. I'm not sure why we can't specify the peer ID at the FortiClient.

Toshi_Esumi
SuperUser
April 2, 2020

Ok, thanks. I didn't know the same "local ID" for a group of clients would connect to a single dialup at the FGT with the same "peer ID". Then you just need to have two setups in the same way with different local/peer IDs for two groups of clients.

itemanuel (Author)
New Member
April 2, 2020

That's what I did too. I've got two unique peer IDs, one for each tunnel setting.

If I put the same preshared key of tunnel 1 in tunnel 2, the connection works. But then tunnel 1 is used, although the peer ID of tunnel 2 shows up in the IPsec Monitor.

 

So I'm still stuck with that. Sorry Toshi, I wanted to post that right after sw_2090's message, but I was stopped by some other stuff.

OrtegaPedro
New Member
April 3, 2020

Hi

 

To use more than one IPsec tunnel on the same interface you must specify a unique Peer ID in each VPN tunnel (Authentication section) and the same value in Local ID (Phase 1 section).

In FortiClient VPN, set the Local ID under Advanced Settings > Phase 1.
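For readers who prefer the CLI view of what this thread converges on, here is an added FortiOS configuration example (written for this edit, not taken from the thread or from Fortinet documentation). It defines the two dialup phase1-interfaces on wan1 with distinct peer IDs so that the FortiGate can tell the tunnels apart in aggressive mode and each can carry its own preshared key; "dialup1" keeps split tunnelling, "dialup2" does not. The address object name LAN_subnet, the client ranges 10.10.1.0/24 and 10.10.2.0/24, the IP pool vpn_public_ip and the PSK placeholders are assumptions for illustration; the firewall policies at the end are the editor's reading of what the full-tunnel case additionally needs (a policy towards wan1 with NAT), which the thread itself leaves open. Lines beginning with # are explanatory comments and are not part of the configuration.

```text
# --- Phase 1: two dialup tunnels terminating on the same WAN interface ---
config vpn ipsec phase1-interface
    edit "dialup1"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        # Accept only clients whose Local ID matches "dialup1" (GUI: Accept Types > Specific Peer ID)
        set peertype one
        set peerid "dialup1"
        set mode-cfg enable
        set ipv4-start-ip 10.10.1.1
        set ipv4-end-ip 10.10.1.254
        set ipv4-netmask 255.255.255.0
        # Split tunnel: only the LAN is routed through the tunnel; LAN_subnet is an assumed address object
        set ipv4-split-include "LAN_subnet"
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <PSK-FOR-DIALUP1-PLACEHOLDER>
    next
    edit "dialup2"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        # Different peer ID, so a client sending Local ID "dialup2" is matched to this phase1 and its own PSK
        set peertype one
        set peerid "dialup2"
        set mode-cfg enable
        set ipv4-start-ip 10.10.2.1
        set ipv4-end-ip 10.10.2.254
        set ipv4-netmask 255.255.255.0
        # No ipv4-split-include: the client sends all traffic through the tunnel
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <PSK-FOR-DIALUP2-PLACEHOLDER>
    next
end

# --- Phase 2: one selector per tunnel ---
config vpn ipsec phase2-interface
    edit "dialup1"
        set phase1name "dialup1"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
    next
    edit "dialup2"
        set phase1name "dialup2"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
    next
end

# --- Firewall policies (assumed layout; address objects dialup1_range/dialup2_range map to the client ranges above) ---
config firewall policy
    # Split-tunnel clients only need to reach the LAN
    edit 0
        set name "dialup1-to-LAN"
        set srcintf "dialup1"
        set dstintf "internal"
        set srcaddr "dialup1_range"
        set dstaddr "LAN_subnet"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    # Full-tunnel clients need the LAN ...
    edit 0
        set name "dialup2-to-LAN"
        set srcintf "dialup2"
        set dstintf "internal"
        set srcaddr "dialup2_range"
        set dstaddr "LAN_subnet"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    # ... and a NAT policy towards the Internet; vpn_public_ip is an assumed IP pool holding the
    # alternative public address the original poster wants used for this group's Internet traffic
    edit 0
        set name "dialup2-to-Internet"
        set srcintf "dialup2"
        set dstintf "wan1"
        set srcaddr "dialup2_range"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "vpn_public_ip"
    next
end
```

On the FortiClient side the only per-tunnel difference is the Local ID ("dialup1" or "dialup2") under Advanced Settings > Phase 1, plus the matching PSK. A quick check after connecting is the IPsec Monitor (or `diagnose vpn ike gateway list` on the CLI): the gateway name shown should be the phase1 whose peer ID the client sent; if clients of both groups land on the same phase1, the peer IDs or PSKs are not distinct.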

itemanuel (Author)
New Member
April 3, 2020

That's it, Pedro. You are absolutely right! Now both tunnels are accessible.

The only thing is that for some reason we can't reach anything, neither in our LAN nor on the Internet. The IPv4 policy is still the one that was created by the wizard, and I don't see what could or should be different from the one for the split tunnel. But thanks anyway!