FortiGate
lestopace
Staff
Article Id 208986
Description: This article describes how to configure multiple VPN tunnels from the same ISP to the same remote peer ISP.
Scope: FortiGate.
Solution

Problem:

BR-1 has two VPN tunnels, HUB1-VPN1 and HUB1-VPN3, that point to the same ISP at the Hub. The same applies to the Hub's VPN1 and VPN3 tunnels. As a result, VPN3 at the Hub and HUB1-VPN3 at BR-1 do not come up.

 

[Screenshots: images not available]

 

Solution:

Configure network-overlay on the VPN tunnels.

 

Hub:

 

config vpn ipsec phase1-interface
    edit "VPN1"
        set network-overlay enable
        set network-id 1
    next
    edit "VPN3"
        set network-overlay enable
        set network-id 3
    next
end

 

BR-1:

 

config vpn ipsec phase1-interface
    edit "HUB1-VPN1"
        set network-overlay enable
        set network-id 1
    next
    edit "HUB1-VPN3"
        set network-overlay enable
        set network-id 3
    next
end
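
One way to audit the two configurations before applying them, as an added example that is not part of the original article or any Fortinet tooling. The function names are hypothetical, and the rule it checks (each network-id used once per device and present on both ends) assumes every tunnel in each snippet terminates on the same Hub/BR-1 pair, as in this article.

```python
import re
# HUB and BR1 are the article's configs; BR1_BAD is a constructed misconfiguration.
HUB = '''config vpn ipsec phase1-interface
    edit "VPN1"
        set network-overlay enable
        set network-id 1
    next
    edit "VPN3"
        set network-overlay enable
        set network-id 3
    next
end'''
BR1 = HUB.replace('"VPN', '"HUB1-VPN')
BR1_BAD = BR1.replace("network-id 3", "network-id 1")

def parse_phase1(cfg):
    """Return {tunnel: {setting: value}} from a phase1-interface block."""
    tunnels, current = {}, None
    for line in map(str.strip, cfg.splitlines()):
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m:
            current = tunnels.setdefault(m.group(1), {})
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            _, key, *value = line.split(None, 2)
            current[key] = value[0].strip('"') if value else ""
    return tunnels

def overlay_ids(device, cfg, problems):
    """Map network-id -> tunnel names; record tunnels without overlay/id."""
    ids = {}
    for name, s in parse_phase1(cfg).items():
        if s.get("network-overlay") != "enable" or "network-id" not in s:
            problems.append(f"{device}/{name}: network-overlay or network-id not set")
        else:
            ids.setdefault(s["network-id"], []).append(name)
    for nid, names in ids.items():
        if len(names) > 1:
            problems.append(f"{device}: network-id {nid} reused by {', '.join(names)}")
    return ids

def check_pair(hub_cfg, spoke_cfg):
    """Return a list of overlay mismatches between a hub and one spoke."""
    problems = []
    hub = overlay_ids("hub", hub_cfg, problems)
    spoke = overlay_ids("spoke", spoke_cfg, problems)
    for nid in sorted(set(hub) ^ set(spoke)):
        problems.append(f"network-id {nid} is configured on the {'hub' if nid in hub else 'spoke'} only")
    return problems
```

`check_pair(HUB, BR1)` returns an empty list for the article's configuration; `check_pair(HUB, BR1_BAD)` reports the reused ID on the spoke and the ID left unmatched on the hub.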

 

Results:

 

[Screenshots: images not available]

 

Note

While specifying peer and local IDs can achieve the same result, network-overlay and network-id are required when configuring ADVPN with multiple Hubs, because a Hub failover may trigger the same shortcut between two Spokes.

Related articles:

Troubleshooting Tip: Troubleshooting IPsec Site-to-Site Tunnel Connectivity

Technical Tip: How to configure VPN Site to Site between FortiGates (Using VPN Setup Wizard)

Troubleshooting Tip: IPsec VPNs tunnels

Technical Tip: Setting multiple DNS server for IPSec dial-up VPN

Technical Tip: NAT-traversal comparison between site-to-site and dial-up "dynamic" tunnels

Technical Tip: FortiGate Hub with multiple IPSec Dial-up phase1 using IKEv2 and PSK authentication

Technical Tip: IPSec dial-up full tunnel with FortiClient

Technical Tip: Differences between Aggressive and Main mode in IPSec VPN configurations

Technical Note: Dynamic routing (BGP) over IPsec tunnel

Technical Tip: OSPF with IPSec VPN for network redundancy

Technical Tip: Dynamic dial-up VPN with OSPF

Technical Tip: Fortinet Auto Discovery VPN (ADVPN)

Technical Tip: 'set net-device' new route-based IPsec logic

Technical Tip: Simple OCVPN deployment

Technical Tip: SD-WAN integration with OCVPN

Technical Tip: Configure IPsec VPN with SD-WAN

Technical Tip: SD-WAN with DDNS type IPsec

Technical Tip: SD-WAN primary and backup ipsec tunnel Scenario

Troubleshooting Tip: IPsec VPN Phase 1 Process - Aggressive Mode

Technical Note : Configuring more than one Main-Mode Pre-Shared Key (PSK) *dialup* IPSec phase1 on a...

Technical Tip: How to configure IPsec VPN Tunnel using IKE v2

Technical Tip: Hard timeout for Dialup IPSEC VPN Tunnel
Technical Tip: Use of PeerID and LocalID in IPsec VPN between two FortiGates