fwilliams
Staff
Article Id 240955
Description

This article describes how to configure more than one IPsec site-2-site VPN tunnel with the same set of IP pairs (same local-gw and remote-gw).

Scope

FortiGate v6.4, v7.2.
Solution

Topology:

[Image: topology diagram]

 

Every IPsec site-2-site tunnel requires a source and a destination IP; these mark the beginning and the end of the tunnel (packet protection: encryption/decryption and authentication). Before and after the tunnel, the packets are plain (clear-text) packets.

 

This pair of IPs serves as the tunnel identifier; therefore, by default, it is not possible to have more than one IPsec tunnel associated with a single pair of IPs (one as the source and the other as the destination of the tunnel, depending on the traffic direction).

However, it is now possible to run multiple IPsec tunnels between the same pair of IPs on FortiGate with IKEv2 and the additional capabilities introduced in FortiOS (network-overlay and network-id).

 

Configuration:

The two tunnels used in this demonstration have the same remote-gw and the same local-gw (the primary IP of port1 in this case). What FortiOS uses to differentiate the two site-2-site VPN tunnels is the network-id (VPN Site100 = network-id 100, VPN Site200 = network-id 200); the remote IP (remote-gw) is the same for both.

 

# config vpn ipsec phase1-interface
    edit "Site100"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal des-sha1
        set network-overlay enable    <-----
        set network-id 100            <-----
        set remote-gw 200.200.200.200 <----- Same remote gateway as Site200.
        set psksecret xxxxxxx
    next
    edit "Site200"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal des-sha1
        set network-overlay enable    <-----
        set network-id 200            <-----
        set remote-gw 200.200.200.200 <----- Same remote gateway as Site100.
        set psksecret xxxxxxx
    next
end

 


Verification:

 

# diagnose vpn tunnel list

The output of the command above, together with a PING to the IP addresses behind Site200 (2.2.2.2 & 2.2.2.22), showed that this is working fine.

 

[Images: output of diagnose vpn tunnel list and the ping results]