| Description |
This article describes how to configure more than one IPSec site-2-site VPN tunnel with the same set of IP pairs (same local-gw & remote-gw). |
| Scope | FortiGate v6.4, v7.2. |
| Solution |
Topology: 
Every IPSec site-2-site tunnel required a source and destination IP, this marks the beginning and the ending of the tunneling (packet protection: encryption/decryption and authentication), before and after the tunneling the packets are just plane or clear text packets.
This pair of IPs serves as the tunnel identification and therefore not possible, by default, to have more than one IPsec tunnel associated with a pair of IPs (one as the source and the other as the destination of the tunnel, depending on traffic direction). However, it is now possible to achieve multiple IPSec tunnels on FortiGate with the help of IKEv2 and additional capabilities introduced to FortiOS (network-overlay & network-id).
Configuration: The two tunnels used in this demonstration have the same remote-gw and local-gw (primary IP of port1 in this case), what FortiOS use to differentiate these two site-2-site VPN tunnels is the network-id (vpn Site100 = network-id 100 and vpn Site200 = network-id 200), remote IP or remote-gw is same.
# config vpn ipsec phase1-interface edit "Site100" set interface "port1" set ike-version 2 set peertype any set net-device disable set proposal des-sha1 set network-overlay enable <----- set network-id 100 <----- set remote-gw 200.200.200.200 << same remote gateway as Site200 set psksecret xxxxxxx next edit "Site200" set interface "port1" set ike-version 2 set peertype any set net-device disable set proposal des-sha1 set network-overlay enable<----- set network-id 200 <----- set remote-gw 200.200.200.200 <----- Same remote gateway as Site100. set psksecret xxxxxxx next end
Verification:
# diagnose vpn tunnel list and PING to IP addresses behind Site200 (2.2.2.2 & 2.2.2.22) showed this is working fine.
 |
Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Spring Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiSRA
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiScan
- FortiSandbox
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiWAN
- FortiToken
- FortiVoice
- FortiWeb
- FortiAppSec Cloud
- RMA Information and Announcements
- Lacework
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
- Fortinet Community
- Knowledge Base
- FortiGate
- Technical Tip: How to establish more than one IPse...
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.