HS08
Visitor III
March 5, 2026
Solved

VPN IPsec


If I have an IPsec tunnel for a site-to-site connection listening on port1, and then on the same port I configure an IPsec tunnel for remote access, is there any misconnection?
I mean, is there any wrong connection where a Remote Access VPN wanting to connect would instead pass through the site-to-site tunnel, and vice versa?

Best answer by GeorgeZhong (Staff & Editor, March 6, 2026)

Hi @HS08 ,

We can have more than one IPsec tunnel configured on the same physical interface. But to avoid the incoming IKE request hitting the wrong IPsec tunnel, it is necessary to use local-id and peer-id to distinguish them:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Site-to-Site-IPsec-VPN-phase-1-not-forming/ta-p/383477

Regards,

George

3 replies

AEK
SuperUser
March 5, 2026

You can configure as many s2s & dialup tunnels on the same interface without any issue.

AEK
HS08
Visitor III
March 6, 2026

Yes, implementing local-id looks good.

Toshi_Esumi
SuperUser
March 6, 2026

By the way, if the site-to-site IPsec is "static" and has the remote-gw or FQDN configured, it would NEVER terminate those remote access/dialup IPsec VPNs because the identity of the remote side doesn't match.
Only a "dynamic" site-to-site IPsec VPN might try terminating those remote access VPNs and would drop them.

Toshi
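To make George's local-id/peer-id advice and Toshi's static-versus-dynamic distinction concrete, here is an added FortiOS CLI sketch; it is not configuration from this thread or from Fortinet, and it assumes port1 as the outside interface (from the question), IKEv2 on both tunnels, and placeholder addresses, IDs and pre-shared keys that you would replace with your own. The static tunnel is pinned to one remote-gw, so an IKE request from any other source address can never match it; the dialup tunnel accepts any source address but is restricted with peertype one plus a peerid, which is what keeps it distinct from any other dynamic phase1 on the same interface.

```fortios
# Added example: two phase1-interface entries on the same outside interface.
# Interface name port1 comes from the question; every address, ID and
# secret below is a constructed placeholder.

config vpn ipsec phase1-interface
    # Static site-to-site tunnel. remote-gw binds it to exactly one peer
    # address, so remote-access clients never land on this entry.
    edit "s2s-branch"
        set interface "port1"
        set ike-version 2
        # placeholder peer address
        set remote-gw 203.0.113.10
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "PLACEHOLDER-S2S-PSK"
    next
    # Dialup (remote-access) tunnel. No remote-gw, so it answers IKE from any
    # source address; peertype one + peerid accepts only clients that present
    # this IKE identity. localid is the identity this gateway presents back,
    # useful when the client side also checks the gateway ID.
    edit "ra-dialup"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype one
        # placeholder; FortiClient must be set to send this as its local ID
        set peerid "ra-clients"
        # placeholder gateway identity
        set localid "fgt-ra-gw"
        set mode-cfg enable
        set ipv4-start-ip 10.200.0.1
        set ipv4-end-ip 10.200.0.254
        set ipv4-netmask 255.255.255.0
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "PLACEHOLDER-RA-PSK"
    next
end
```

Two points to check when using this pattern. First, if you run IKEv1 instead of IKEv2, matching a dialup client on peerid with a pre-shared key requires aggressive mode on that phase1, because main mode only reveals the identity after the PSK has already been selected; with IKEv2 the identities arrive in the encrypted IKE_AUTH exchange, so no mode change is needed. Second, after a client connects, `diagnose vpn ike gateway list` shows which phase1 each IKE SA was matched to, which is the quickest way to confirm that remote-access clients are landing on "ra-dialup" and not on a catch-all dynamic tunnel.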

New Member
April 30, 2026

If you are using the paid version of FortiClient you can enable network-id using overlay on the VPN, but that isn’t available on free client.