FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
carabhavi
Staff
Staff
Article Id 198550

Description


This article describes how to configure FortiGate to allow multiple IPSec dial-up VPN connections from the same source IP address.

By default, FortiGate will delete the new routes after detecting twin connections. To work around this, FortiGate can delete the existing route or can allow the new route.

 

Scope

 

Any supported version of FortiGate.


Solution


Refer to the following IKE logs:

 

ike 0:VPN_2: twin connections detected
ike 0:VPN_3: deleting
ike 0:VPN_3: flushing
ike 0:VPN_3: deleting IPsec SA with SPI fa0c6a20
ike 0:VPN_3:VPN: deleted IPsec SA with SPI fa0c6a20, SA count: 0
ike 0:VPN_3: sending SNMP tunnel DOWN trap for VPN
ike 0:VPN_3:273041: disable proxy ARP for 10.10.1.232 on 22
ike 0:VPN_3:273041: del route 10.10.1.232/255.255.255.255 oif VPN_3(43) metric 15 priority 0
ike 0:VPN_3:VPN: delete

 

In the above example, note that FortiGate is receiving multiple connection requests from the same IP.

There are 3 options to work around this behaviour. Choose from one of the following actions for overlapping routes:
- use-old: Use the old route and do not add the new route.
- use-new: Delete the old route and add the new route.
- allow: Allow overlapping routes.

Configure the chosen action in the CLI:

Phase 1 settings:

 

#config vpn ipsec phase1-interface
    edit <name>
        set net-device enable   <-----
    end

 

Phase 2 settings:

 

# config vpn ipsec phase2-interface
    edit <name>
        set route-overlap allow <-----
    end

 

Multiple connections from the same remote IP are also possible with route-overlap use-new if clients use different ports to initiate connection as FortiGate will not consider these as twin connections.

 

This happens if customers use a private IP and the ISP is using NAT or any NAT device between port changes.

 

Example Ike debug:

 

ike 0: IKEv1 Aggressive, comes 213.157.28.115:57236->10.191.20.103 33
ike 0:Test FC VPN: created connection: 0x14eb4030 33 10.191.20.103->213.157.28.115:57236.
ike 0:Test FC VPN:5854107: remote port change 57236 -> 57250
ike 0:Test FC VPN: adding new dynamic tunnel for 213.157.28.115:57250
ike 0:Test FC VPN_1: added new dynamic tunnel for 213.157.28.115:57250
ike 0:Test FC VPN_0:5854107: received XAUTH_USER_NAME 'test1' length 8
ike 0:Test FC VPN_0:5854107: received XAUTH_USER_PASSWORD length 12
ike 0:Test FC VPN_0: XAUTH user "test1"
ike 0:Test FC VPN: auth group Test Remote
ike 0:Test FC VPN_0: XAUTH 1717211445 pending
ike 0:Test FC VPN_0:5854107: XAUTH 1717211445 result 0
ike 0:Test FC VPN_0: XAUTH succeeded for user "test1" group "Test Remote"

ike 0: IKEv1 Aggressive, comes 213.157.28.115:57266->10.191.20.103 33
ike 0:Test FC VPN: created connection: 0x14eb2c80 33 10.191.20.103->213.157.28.115:57266.
ike 0:Test FC VPN:5854126: remote port change 57266 -> 57315
ike 0:Test FC VPN: adding new dynamic tunnel for 213.157.28.115:57315
ike 0:Test FC VPN_1: added new dynamic tunnel for 213.157.28.115:57315
ike 0:Test FC VPN_1:5854126: received XAUTH_USER_NAME 'test2' length 8
ike 0:Test FC VPN_1:5854126: received XAUTH_USER_PASSWORD length 20
ike 0:Test FC VPN_1: XAUTH user "test2"
ike 0:Test FC VPN: auth group Test Remote
ike 0:Test FC VPN_1: XAUTH 1717211450 pending
ike 0:Test FC VPN_1:5854126: XAUTH 1717211450 result 0
ike 0:Test FC VPN_1: XAUTH succeeded for user "test2" group "Test Remote"