Technical Tip : How to configure multiple VPN tunnels from the same ISP to the same remote peer ISP.

lestopace · ‎04-12-2022

Description

This article describes how to configure multiple VPN tunnels from the same ISP to the same remote peer ISP.

Scope

FortiGate.

Solution

Problem :

BR-1 has HUB1-VPN1 and HUB1-VPN3 VPN tunnels that are pointing to the same ISP at the Hub. The same goes for Hub's VPN1 and VPN3 tunnels. Due to this, VPN3 at the Hub and HUB1-VPN3 at BR-1 are not coming up.

Solution :

Configure network-overlay on the VPN tunnels.

Hub:

config vpn ipsec phase1-interface
       edit "VPN1"
         set network-overlay enable
         set network-id 1
       next
       edit "VPN3"
          set network-overlay enable
          set network-id 3
       next
   end

BR-1:

config vpn ipsec phase1-interface
       edit "HUB1-VPN1"
         set network-overlay enable
         set network-id 1
       next
       edit "HUB1-VPN3"
         set network-overlay enable
         set network-id 3
       next
   end

Results :

Note:

While specifying peer and local IDs can be used to achieve the same results, Network Overlay and ID are required when configuring ADVPN with Multiple Hubs because a Hub fail-over may trigger the same shortcut between two Spokes.