FortiGate
lestopace (Staff)
Article Id 208986
Description: This article describes how to configure multiple VPN tunnels from the same ISP to the same remote peer ISP.
Scope: FortiGate.
Solution

Problem:

BR-1 has two VPN tunnels, HUB1-VPN1 and HUB1-VPN3, that both point to the same ISP address at the Hub; the Hub's VPN1 and VPN3 tunnels likewise terminate on the same ISP address. Because the two tunnels between the same pair of addresses cannot be told apart, VPN3 at the Hub and HUB1-VPN3 at BR-1 do not come up.

[Figure: lestopace_0-1649588990628.png]

[Figure: lestopace_1-1649589142155.png]

Solution:

Configure network-overlay on the VPN tunnels, giving each tunnel between the same pair of addresses a distinct network-id. The network-id must match on both ends of each tunnel.

Hub:

config vpn ipsec phase1-interface
    edit "VPN1"
        set network-overlay enable
        set network-id 1
    next
    edit "VPN3"
        set network-overlay enable
        set network-id 3
    next
end

BR-1:

config vpn ipsec phase1-interface
    edit "HUB1-VPN1"
        set network-overlay enable
        set network-id 1
    next
    edit "HUB1-VPN3"
        set network-overlay enable
        set network-id 3
    next
end
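The following is an added example, not Fortinet code or part of this article: a small Python checker that parses a FortiGate "config vpn ipsec phase1-interface" block and flags tunnels that share the same remote gateway without being separated by network-overlay and distinct network-id values, which is the misconfiguration described above. The sample configs are constructed; "remote-gw" and "interface" are standard phase1-interface settings, but the 203.0.113.10 address and "wan1" interface are placeholders, not values from the article.

```python
"""Check FortiGate phase1-interface configs for tunnels that share a remote
gateway but are not separated by network-overlay / network-id.
Added example; not Fortinet code. The sample configs below are constructed."""
import re
from collections import defaultdict

# Constructed sample: the BR-1 spoke before the fix, with a placeholder
# remote gateway (203.0.113.10 is documentation address space).
SPOKE_CONFIG_BROKEN = """
config vpn ipsec phase1-interface
    edit "HUB1-VPN1"
        set interface "wan1"
        set remote-gw 203.0.113.10
    next
    edit "HUB1-VPN3"
        set interface "wan1"
        set remote-gw 203.0.113.10
    next
end
"""

# Constructed sample: the same spoke after adding network-overlay / network-id.
SPOKE_CONFIG_FIXED = """
config vpn ipsec phase1-interface
    edit "HUB1-VPN1"
        set interface "wan1"
        set remote-gw 203.0.113.10
        set network-overlay enable
        set network-id 1
    next
    edit "HUB1-VPN3"
        set interface "wan1"
        set remote-gw 203.0.113.10
        set network-overlay enable
        set network-id 3
    next
end
"""


def parse_phase1(text):
    """Parse the 'config vpn ipsec phase1-interface' block into
    {tunnel_name: {setting: value}}. Only the edit/set/next/end grammar
    is handled, which is all this check needs."""
    tunnels = {}
    current = None
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config vpn ipsec phase1-interface":
            in_block = True
        elif not in_block:
            continue
        elif line == "end":
            in_block = False
        elif m := re.match(r'edit\s+"([^"]+)"', line):
            current = m.group(1)
            tunnels[current] = {}
        elif line == "next":
            current = None
        elif current is not None and (m := re.match(r"set\s+(\S+)\s+(.*)", line)):
            tunnels[current][m.group(1)] = m.group(2).strip('"')
    return tunnels


def find_conflicts(tunnels):
    """Return [(remote-gw, [tunnel names])] for every gateway used by two or
    more tunnels where any of them lacks network-overlay or where the
    network-id values are missing or duplicated."""
    by_gw = defaultdict(list)
    for name, settings in tunnels.items():
        gw = settings.get("remote-gw")
        if gw:
            by_gw[gw].append(name)
    conflicts = []
    for gw, names in by_gw.items():
        if len(names) < 2:
            continue
        seen_ids = set()
        ok = True
        for name in names:
            settings = tunnels[name]
            nid = settings.get("network-id")
            if settings.get("network-overlay") != "enable" or nid is None or nid in seen_ids:
                ok = False
            seen_ids.add(nid)
        if not ok:
            conflicts.append((gw, sorted(names)))
    return conflicts


if __name__ == "__main__":
    for label, cfg in (("broken", SPOKE_CONFIG_BROKEN), ("fixed", SPOKE_CONFIG_FIXED)):
        print(label, find_conflicts(parse_phase1(cfg)))
```

Run the same check against a "show vpn ipsec phase1-interface" dump from each side; the hub and spoke must agree on the network-id per tunnel, so feeding both outputs through parse_phase1 and comparing the ids for matching tunnels is the natural follow-up.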

Results:

[Figure: lestopace_2-1649589440619.png]

[Figure: lestopace_0-1649858362849.png]

Note:

While specifying peer and local IDs can achieve the same result, network-overlay and network-id are required when configuring ADVPN with multiple hubs, because a hub failover may trigger the same shortcut between two spokes.