FortiGate
ezhupa
Staff
Article Id 283504
Description: This article describes issues with multiple dial-up IPsec VPNs on the hub after upgrading to 7.0.13 or 7.2.6.
Scope: FortiGate.
Solution: When a FortiGate acts as a hub/dial-up server for multiple spokes/dial-up clients whose phase2 selectors overlap (for example, all of them using 0.0.0.0/0), the tunnels can flap.

Currently, the available solutions are:
  1. Configure specific phase2 selectors so that subnets do not overlap (avoid using 0.0.0.0/0 on all spokes/dial-up clients).

  2. If routing (static or dynamic) is already in place, disable 'add-route' in the phase1 configuration on the spoke FortiGate; it is enabled by default.

    config vpn ipsec phase1-interface
        edit <name of phase1>
            set add-route disable
        next
    end

  3. Allow route overlap in the phase2 configuration on the hub/dial-up server.

    config vpn ipsec phase2-interface
        edit <name of phase2>
            set route-overlap allow
        next
    end
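As an added example (not part of this article or of FortiOS), the following Python audits exported spoke configurations for the three conditions above: a 0.0.0.0/0 phase2 selector, add-route left enabled on the spoke's phase1, and two or more such spokes overlapping on the hub. The spoke names, the object name to-hub, and treating a missing dst-subnet as the FortiOS default 0.0.0.0 0.0.0.0 are assumptions.

```python
# Added audit helper, not from the article: flags spoke configs meeting the hub flapping
# preconditions. Assumed: placeholder names; a phase2 entry with no 'set dst-subnet'
# uses the FortiOS default 0.0.0.0 0.0.0.0 (i.e. 0.0.0.0/0).
def parse_fortios(text):
    # Minimal parser for FortiOS 'config / edit / set / next / end' CLI output
    cfg, section, entry = {}, None, None
    for raw in text.splitlines():
        kw, _, arg = raw.strip().partition(" ")
        if kw == "config":
            section, entry = cfg.setdefault(arg, {}), None
        elif kw == "edit" and section is not None:
            entry = section.setdefault(arg.strip('"'), {})
        elif kw == "set" and entry is not None:
            key, _, val = arg.partition(" ")
            entry[key] = val.replace('"', "")
        elif kw in ("next", "end"):
            entry = None
    return cfg
def audit(spokes):
    # Return (where, object, finding) tuples, one per remedy from the article
    findings, wildcard = [], []
    for spoke, text in spokes.items():
        cfg = parse_fortios(text)
        phase1 = cfg.get("vpn ipsec phase1-interface", {})
        for p2, attrs in cfg.get("vpn ipsec phase2-interface", {}).items():
            if attrs.get("dst-subnet", "0.0.0.0 0.0.0.0") == "0.0.0.0 0.0.0.0":
                wildcard.append(spoke)  # remedy 1 not applied: selector is 0.0.0.0/0
                p1 = phase1.get(attrs.get("phase1name", p2), {})
                if p1.get("add-route", "enable") != "disable":  # on by default (remedy 2)
                    findings.append((spoke, p2, "0.0.0.0/0 selector with add-route enabled"))
    if len(wildcard) > 1:  # overlap needs two or more such spokes on the hub (remedy 3)
        findings.append(("hub", ",".join(wildcard), "overlapping selectors: set route-overlap allow"))
    return findings
# Constructed sample: spoke-a is all defaults (at risk); spoke-b disabled add-route.
SPOKES = {
    "spoke-a": """config vpn ipsec phase2-interface
    edit "to-hub"
    next
end""",
    "spoke-b": """config vpn ipsec phase1-interface
    edit "to-hub"
        set add-route disable
    next
end
config vpn ipsec phase2-interface
    edit "to-hub"
        set phase1name "to-hub"
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end""",
}
```

Running audit(SPOKES) reports spoke-a for remedy 2 and the hub for remedy 3, while spoke-b is clean because add-route is already disabled.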

After making these changes, the issue should be resolved.

The change in default behavior is described in the v7.2.6 and v7.0.13 release notes.

Related documents:

7.0.13 Release notes

7.2.6 Release notes