| Description |
This article describes how to configure multiple site-to-site IPsec VPN tunnels between the same VPN gateways, i.e., the same local and remote IP addresses.
FortiGate supports this requirement through the use of a Fortinet proprietary IKEv2 attribute called network-id, which allows multiple concurrent IPsec tunnels to coexist between identical peer IP addresses without conflict. |
| Scope | FortiGate v6.4, v7.2, v7.4, v7.6. |
| Solution |
In some deployment scenarios, administrators may need to establish multiple IPsec tunnels between the same pair of FortiGates using the same remote gateway IP addresses. This configuration can be useful for simplifying firewall policy design, traffic separation, or applying different security profiles per tunnel.
Sample topology:
Sample phase 1 configuration:
This example uses hostnames for the tunnel configuration; however, IP addresses may also be used.
FortiGate-A:
config vpn ipsec phase1-interface
    edit "A-B_10"
        set type ddns
        set interface "wan1"
        set ike-version 2
        set network-overlay enable
        set network-id 10
        set remotegw-ddns "vpn2.example.com"
    next
    edit "A-B_20"
        set type ddns
        set interface "wan1"
        set ike-version 2
        set network-overlay enable
        set network-id 20
        set remotegw-ddns "vpn2.example.com"
    next
end
FortiGate-B:
config vpn ipsec phase1-interface
    edit "B-A_10"
        set type ddns
        set interface "wan1"
        set ike-version 2
        set network-overlay enable
        set network-id 10
        set remotegw-ddns "vpn1.example.com"
    next
    edit "B-A_20"
        set type ddns
        set interface "wan1"
        set ike-version 2
        set network-overlay enable
        set network-id 20
        set remotegw-ddns "vpn1.example.com"
    next
end
Duplicate IKEv1 site-to-site tunnels are not supported.
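A pre-deployment check for the configuration above, as an added example that is not Fortinet code: it parses a phase1-interface block and flags tunnels that share an interface and remote gateway but lack IKEv2, network-overlay, or a unique network-id, mirroring the sample configuration. The function names, the finding messages and the extra "A-B_30" tunnel are constructed for illustration, and treating an absent ike-version as not IKEv2 is an assumption of this script.

```python
import shlex

# Constructed input modelled on the FortiGate-A sample. "A-B_30" is a deliberate
# mistake added for this demo: it reuses network-id 20 and sets IKEv1.
TUNNEL = ('edit "{0}"\n set type ddns\n set interface "wan1"\n set ike-version {1}\n'
          ' set network-overlay enable\n set network-id {2}\n'
          ' set remotegw-ddns "vpn2.example.com"\nnext\n')
ROWS = [("A-B_10", 2, 10), ("A-B_20", 2, 20), ("A-B_30", 1, 20)]
SAMPLE_A = ("config vpn ipsec phase1-interface\n"
            + "".join(TUNNEL.format(*r) for r in ROWS) + "end\n")

def parse_phase1(text):
    """Return {tunnel: {setting: value}} from multi-line or flattened CLI text."""
    tok, tunnels, cur, i = shlex.split(text), {}, None, 0
    while i < len(tok):
        if tok[i] == "edit" and i + 1 < len(tok):
            cur = tunnels.setdefault(tok[i + 1], {})
            i += 2
        elif tok[i] == "set" and cur is not None and i + 1 < len(tok):
            j = i + 2  # the value runs until the next CLI keyword
            while j < len(tok) and tok[j] not in ("config", "edit", "set", "next", "end"):
                j += 1
            cur[tok[i + 1]] = " ".join(tok[i + 2:j])
            i = j
        else:
            cur = None if tok[i] == "next" else cur
            i += 1
    return tunnels

def audit(tunnels):
    """Check tunnels that share an interface and remote gateway."""
    groups, findings = {}, []
    for name, cfg in tunnels.items():
        peer = cfg.get("remotegw-ddns") or cfg.get("remote-gw")
        groups.setdefault((cfg.get("interface"), peer), []).append(name)
    for (_, peer), names in groups.items():
        seen = {}  # network-id -> first tunnel that claimed it
        for name in (names if len(names) > 1 else []):
            cfg = tunnels[name]
            for key, want in (("ike-version", "2"), ("network-overlay", "enable")):
                if cfg.get(key) != want:
                    findings.append(f"{name}: parallel tunnel to {peer} needs {key} {want}")
            nid = cfg.get("network-id")
            if nid is None or nid in seen:
                findings.append(f"{name}: network-id {nid} unset or used by {seen.get(nid)}")
            seen.setdefault(nid, name)
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_phase1(SAMPLE_A))) or "no findings")
```

Run against an exported configuration from each peer before pushing changes; a single tunnel to a given gateway is not flagged, since the requirements checked here only apply to parallel tunnels.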
Related articles:
Technical Tip: Use case of Network-IDs with ADVPN shortcut tunnels
Technical Tip: FortiGate Hub with multiple IPSec Dial-up phase1 using IKEv2 and PSK authentication |