FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Description

This article describes how to make FortiGate allow multiple IPsec dial-up VPN connections coming from the same source IP address.

By default, when FortiGate detects twin connections (a second dial-up tunnel negotiated from a source IP that already has one), it does not keep both: the existing tunnel is torn down, its route is deleted, and the new connection is honored. This behavior is controlled per phase 2 by the route-overlap setting, which lets FortiGate keep the old route and reject the new one, replace the old route with the new one, or allow both routes to coexist so that both tunnels stay up.
Solution

Refer to the IKE debug logs below (diagnose debug application ike -1):

ike 0:VPN_2: twin connections detected
ike 0:VPN_3: deleting
ike 0:VPN_3: flushing
ike 0:VPN_3: deleting IPsec SA with SPI fa0c6a20
ike 0:VPN_3:VPN: deleted IPsec SA with SPI fa0c6a20, SA count: 0
ike 0:VPN_3: sending SNMP tunnel DOWN trap for VPN
ike 0:VPN_3:273041: disable proxy ARP for 10.10.1.232 on 22
ike 0:VPN_3:273041: del route 10.10.1.232/255.255.255.255 oif VPN_3(43) metric 15 priority 0
ike 0:VPN_3:VPN: delete

In the example above, FortiGate has received a second connection request from the same source IP. The new tunnel instance (VPN_2) detects the twin connection, and the existing instance (VPN_3) is flushed: its IPsec SA with SPI fa0c6a20 is deleted, proxy ARP for the assigned client address 10.10.1.232 is disabled, and the /32 host route to that address through VPN_3 is removed before the instance itself is deleted.
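When troubleshooting dropped dial-up tunnels it helps to confirm that twin-connection handling, rather than a peer-side problem, removed the route. The following Python parser is an added example, not part of this article or of any Fortinet tooling: it runs over IKE debug lines modelled on the output above (the sample is constructed and extended with a second event; it is not a real capture) and, for each "twin connections detected" message, reports which tunnel instance was torn down, which IPsec SPI was deleted and which host route went with it.

```python
import re

# Constructed sample modelled on the IKE debug output in the article; not a real capture.
# A second twin event (VPN_5 replacing VPN_4) is added to show the grouping.
SAMPLE_IKE_LOG = """\
ike 0:VPN_2: twin connections detected
ike 0:VPN_3: deleting
ike 0:VPN_3: flushing
ike 0:VPN_3: deleting IPsec SA with SPI fa0c6a20
ike 0:VPN_3:VPN: deleted IPsec SA with SPI fa0c6a20, SA count: 0
ike 0:VPN_3: sending SNMP tunnel DOWN trap for VPN
ike 0:VPN_3:273041: disable proxy ARP for 10.10.1.232 on 22
ike 0:VPN_3:273041: del route 10.10.1.232/255.255.255.255 oif VPN_3(43) metric 15 priority 0
ike 0:VPN_3:VPN: delete
ike 0:VPN_5: twin connections detected
ike 0:VPN_4: deleting
ike 0:VPN_4:273042: del route 10.10.1.233/255.255.255.255 oif VPN_4(44) metric 15 priority 0
ike 0:VPN_4:VPN: delete
"""

SPI_RE = re.compile(r"deleting IPsec SA with SPI (?P<spi>[0-9a-fA-F]+)")
ROUTE_RE = re.compile(r"del route (?P<route>\S+) oif (?P<oif>\S+)")


def parse_ike_line(line):
    """Split an IKE debug line into (tunnel_instance, message).

    The prefix looks like 'ike 0:VPN_3' or 'ike 0:VPN_3:273041' and ends at the
    first ': '. Returns None for lines that are not ike debug output.
    """
    prefix, sep, msg = line.strip().partition(": ")
    if not sep or not prefix.startswith("ike "):
        return None
    parts = prefix.split(":")
    if len(parts) < 2:
        return None
    return parts[1], msg


def find_twin_connection_events(log_text):
    """Group the lines that follow each 'twin connections detected' message.

    Returns a list of dicts with the new tunnel instance that detected the twin,
    the old instance that was deleted, the SPIs of deleted IPsec SAs and the
    routes removed with it.
    """
    events = []
    pending = None  # event opened by a twin detection, waiting for the deleted instance
    for raw in log_text.splitlines():
        parsed = parse_ike_line(raw)
        if parsed is None:
            continue
        tunnel, msg = parsed
        if msg == "twin connections detected":
            pending = {"new_tunnel": tunnel, "old_tunnel": None, "spis": [], "routes": []}
            events.append(pending)
            continue
        if pending is None:
            continue
        if pending["old_tunnel"] is None:
            # The first 'deleting' on another instance names the tunnel being torn down.
            if msg == "deleting" and tunnel != pending["new_tunnel"]:
                pending["old_tunnel"] = tunnel
            continue
        if tunnel != pending["old_tunnel"]:
            continue
        spi = SPI_RE.search(msg)
        if spi:
            pending["spis"].append(spi.group("spi").lower())
        route = ROUTE_RE.search(msg)
        if route:
            pending["routes"].append(route.group("route"))
        if msg == "delete":
            pending = None  # 'ike 0:<old>:VPN: delete' closes the teardown
    return events


def summarize(events):
    """One human-readable line per twin-connection event."""
    return [
        f"{e['new_tunnel']} replaced {e['old_tunnel']}: "
        f"SPIs={e['spis'] or '-'} routes={e['routes'] or '-'}"
        for e in events
    ]


if __name__ == "__main__":
    for line in summarize(find_twin_connection_events(SAMPLE_IKE_LOG)):
        print(line)
```

Feed it the output of diagnose debug application ike -1 captured while the affected client reconnects; an event whose deleted route is the client's assigned address confirms that the existing tunnel was removed by twin-connection handling, which is exactly what the route-overlap setting below changes.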
The route-overlap setting (action for overlapping routes) has three options:

- use-old: Use the old route and do not add the new route (the existing tunnel stays up; the new connection does not get a route).
- use-new: Delete the old route and add the new route (the existing tunnel is torn down, as in the log above).
- allow: Allow overlapping routes, so both tunnels from the same source IP stay up.

Choose allow only when the clients behind the shared source IP receive distinct addresses (as with the /32 host routes in the log above); if two tunnels install an identical route, traffic to that destination can be sent over either tunnel.
This is a CLI-only configuration.

Phase 1 settings (the dial-up phase 1 must use a per-client tunnel interface):

# config vpn ipsec phase1-interface
    edit <name>
        set net-device enable    <-----
    next
end

Then, in the Phase 2 settings of the same tunnel:

# config vpn ipsec phase2-interface
    edit <name>
        set route-overlap allow    <-----
    next
end