carabhavi
Staff
Description
This article describes how to make FortiGate allow multiple IPSec dial-up VPN connections coming from the same source IP address.

By default, when FortiGate detects twin connections (a second dial-up tunnel from the same source IP), it does not add the new route.
FortiGate can instead be configured to delete the existing route, or to allow the new route alongside it; in the latter case FortiGate disconnects the existing connection and honors the new one.


Solution
Refer to the IKE debug logs below:
ike 0:VPN_2: twin connections detected
ike 0:VPN_3: deleting
ike 0:VPN_3: flushing
ike 0:VPN_3: deleting IPsec SA with SPI fa0c6a20
ike 0:VPN_3:VPN: deleted IPsec SA with SPI fa0c6a20, SA count: 0
ike 0:VPN_3: sending SNMP tunnel DOWN trap for VPN
ike 0:VPN_3:273041: disable proxy ARP for 10.10.1.232 on 22
ike 0:VPN_3:273041: del route 10.10.1.232/255.255.255.255 oif VPN_3(43) metric 15 priority 0
ike 0:VPN_3:VPN: delete
In the example above, FortiGate receives multiple connection requests from the same IP, detects the twin connection on VPN_2, and tears down the existing tunnel VPN_3 together with its IPsec SA and route.
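As an added example (not part of the original article), the small Python helper below scans IKE debug output for the twin-connection pattern shown above and reports which tunnel's SA and route were removed, which is a useful check before changing route-overlap. The sample log embeds the article's lines plus one constructed trailing line; the regexes assume the "ike <id>:<tunnel>:" prefix format seen in that output.

```python
import re
from collections import defaultdict

# Sample input: the article's IKE debug lines (as captured with
# "diagnose debug application ike -1") plus one constructed unrelated line.
SAMPLE_IKE_LOG = """\
ike 0:VPN_2: twin connections detected
ike 0:VPN_3: deleting
ike 0:VPN_3: flushing
ike 0:VPN_3: deleting IPsec SA with SPI fa0c6a20
ike 0:VPN_3:VPN: deleted IPsec SA with SPI fa0c6a20, SA count: 0
ike 0:VPN_3: sending SNMP tunnel DOWN trap for VPN
ike 0:VPN_3:273041: disable proxy ARP for 10.10.1.232 on 22
ike 0:VPN_3:273041: del route 10.10.1.232/255.255.255.255 oif VPN_3(43) metric 15 priority 0
ike 0:VPN_3:VPN: delete
ike 0:VPN_5: negotiation result
"""

# Twin-connection detection on a tunnel.
TWIN_RE = re.compile(r"^ike \d+:(?P<tunnel>[^:]+): twin connections detected")
# Route removal: "ike 0:<tunnel>:<seq>: del route <dst> oif <iface>(<idx>) ..."
DEL_ROUTE_RE = re.compile(
    r"^ike \d+:(?P<tunnel>[^:]+):\d+: del route (?P<dst>\S+) oif (?P<oif>\S+)\(\d+\)")
# SA teardown: "ike 0:<tunnel>: deleting IPsec SA with SPI <hex>"
DEL_SA_RE = re.compile(
    r"^ike \d+:(?P<tunnel>[^:]+): deleting IPsec SA with SPI (?P<spi>[0-9a-f]+)")


def summarize_twin_events(log_text):
    """Return which tunnels hit twin detection and which lost SAs/routes."""
    twin = []
    routes = defaultdict(list)
    sas = defaultdict(list)
    for line in log_text.splitlines():
        if m := TWIN_RE.match(line):
            twin.append(m["tunnel"])
        elif m := DEL_ROUTE_RE.match(line):
            routes[m["tunnel"]].append((m["dst"], m["oif"]))
        elif m := DEL_SA_RE.match(line):
            sas[m["tunnel"]].append(m["spi"])
    return {"twin_detected": twin,
            "routes_deleted": dict(routes),
            "sas_deleted": dict(sas)}


if __name__ == "__main__":
    for key, value in summarize_twin_events(SAMPLE_IKE_LOG).items():
        print(f"{key}: {value}")
```

A non-empty twin_detected list alongside deleted routes confirms the default behaviour described above is what is dropping the tunnel.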

There are three options for the route-overlap setting (action for overlapping routes):
- use-old: Use the old route and do not add the new route.
- use-new: Delete the old route and add the new route.
- allow: Allow overlapping routes.

This is a CLI-only configuration:

Phase 1 settings:
# config vpn ipsec phase1-interface
    edit <name>
        set net-device enable   <-----
    end
Then in Phase 2 settings:
# config vpn ipsec phase2-interface
    edit <name>
        set route-overlap allow <-----
    end
