FortiGate
fwilliams
Staff & Editor
Article Id 250588
Description This article describes how FortiOS manages route overlap (when two or more dialup clients advertise the same protected network/subnet to the HUB).
Scope FortiGate v7.0.2 and above.
Solution

FortiOS uses an add-route operation, performed during dynamic tunnel negotiation, to announce the network protected by a spoke or dialup client to the hub, and eventually installs this route in the FortiGate FIB.

If the network design lets the same subnet be reached through two different phase1s (for example a dual link or ECMP to the same network), this becomes an issue in a dialup VPN environment unless the right setting is configured under the VPN phase2.

Without it, only one of the two links (phase1s) will have its route installed at a time.

 

The configuration required is:

config vpn ipsec phase2-interface
    edit <phase2-name>
        set route-overlap allow    <----- The default configuration is 'use-new'.
    next
end

The possible values are:

use-old : Use the old route and do not add the new route.
use-new : Delete the old route and add the new route.
allow   : Allow overlapping routes.

With the above config, the same subnet can be learned and installed in the FIB by IKE through different phase1s.
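As an added example (not part of the original article and not FortiOS code), the Python script below parses the text of 'show vpn ipsec phase2-interface' output and reports the effective route-overlap value of every phase2-interface, applying the 'use-new' default stated above to entries that do not set it. The configuration text, the phase2 names phase2_a/phase2_b and the phase1 names are constructed for the example.

```python
import re

# Constructed sample of 'show vpn ipsec phase2-interface' output (not taken from a real device).
# phase2_b relies on the FortiOS default, which the article states is 'use-new'.
SAMPLE_CONFIG = """\
config vpn ipsec phase2-interface
    edit "phase2_a"
        set phase1name "phase1_a"
        set route-overlap allow
    next
    edit "phase2_b"
        set phase1name "phase1_b"
    next
end
"""

DEFAULT_ROUTE_OVERLAP = "use-new"  # default value per the article

EDIT_RE = re.compile(r'^\s*edit\s+"?([^"\s]+)"?\s*$')
SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*?)\s*$')


def parse_phase2_interfaces(config_text):
    """Return {phase2_name: {setting: value}} for every entry under
    'config vpn ipsec phase2-interface'. Other config sections are ignored."""
    entries = {}
    in_section = False
    current = None
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("config vpn ipsec phase2-interface"):
            in_section = True
            continue
        if not in_section:
            continue
        if stripped == "end":          # closes the whole section
            in_section = False
            current = None
            continue
        m = EDIT_RE.match(line)
        if m:                           # 'edit "name"' opens one phase2-interface entry
            current = m.group(1)
            entries[current] = {}
            continue
        if stripped == "next":         # closes the current entry
            current = None
            continue
        m = SET_RE.match(line)
        if m and current is not None:   # 'set key value' inside an entry
            entries[current][m.group(1)] = m.group(2).strip('"')
    return entries


def effective_route_overlap(entries):
    """Map each phase2 name to its effective route-overlap value, applying the default when unset."""
    return {name: settings.get("route-overlap", DEFAULT_ROUTE_OVERLAP)
            for name, settings in entries.items()}


def find_overlap_mismatches(entries):
    """Return the phase2-interfaces whose effective route-overlap is not 'allow'.
    When the same subnet is expected through several phase1s, every one of these
    needs 'set route-overlap allow', otherwise the hub logs 'route configuration mismatch'."""
    return sorted(name for name, value in effective_route_overlap(entries).items()
                  if value != "allow")


if __name__ == "__main__":
    parsed = parse_phase2_interfaces(SAMPLE_CONFIG)
    for name, value in effective_route_overlap(parsed).items():
        print(f"{name}: route-overlap {value}")
    print("needs 'set route-overlap allow':", find_overlap_mismatches(parsed))
```

Run it against the saved output of 'show vpn ipsec phase2-interface' from the hub; every name it prints under "needs 'set route-overlap allow'" is a phase2 that still uses the default and will make the hub replace, rather than keep, the other tunnel's route.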

 

Here is the output:

10.10.10.0/24 via phase1_a
              via phase1_b

 

It is also possible to check with:

diagnose vpn ike route list

When using IKE debug, the following messages can be seen when the setting is 'use-new', because only the most recent VPN tunnel is associated with the IKE route while the old one is deleted:

2025-04-30 19:17:25.719079 ike V=root:0:VPN-IEMX-PP1_1:10270:SPOKE-ZAC:2733: add dynamic IPsec SA selectors 283
2025-04-30 19:17:25.719090 ike V=root:0:VPN-IEMX-PP1_1:10270:SPOKE-ZAC:2733: added dynamic IPsec SA proxyids new 1 283


There is an old VPN tunnel called VPN-IEMX-PP2 associated with the route 10.97.58.0/24.
After the new tunnel VPN-IEMX-PP1 is established, the route on the old tunnel is deleted, the old tunnel is flushed, and the route is associated with the new VPN tunnel.

 

Old VPN tunnel:

2025-04-30 19:17:25.719103 ike V=root:0:VPN-IEMX-PP2:2728: moving route 10.97.58.0/255.255.255.0 oif VPN-IEMX-PP2(49) metric 15 priority 1 to 0:VPN-IEMX-PP1:2733
2025-04-30 19:17:25.719109 ike V=VPN-IEMX-PP2:0:VPN-IEMX-PP2:2728: del route 10.97.58.0/255.255.255.0 tunnel 10.0.1.17 oif VPN-IEMX-PP2(49) metric 15 priority 1
2025-04-30 19:17:25.719237 ike V=root:0:VPN-IEMX-PP2_0: going to be deleted
2025-04-30 19:17:25.719266 ike V=root:0:VPN-IEMX-PP2_0: flushing
2025-04-30 19:17:25.719284 ike V=root:0:VPN-IEMX-PP2_0: deleting IPsec SA with SPI 657c0b84
2025-04-30 19:17:25.719344 ike V=root:0:VPN-IEMX-PP2_0: deleted IPsec SA with SPI 657c0b84, SA count: 0
2025-04-30 19:17:25.719352 ike V=root:0:VPN-IEMX-PP2_0: sending SNMP tunnel DOWN trap for VPN-IEMX-PP2
2025-04-30 19:17:25.719375 ike V=root:0:VPN-IEMX-PP2_0: delete
2025-04-30 19:17:25.719386 ike V=root:0:VPN-IEMX-PP2_0:10269: send IPsec SA delete, spi 58a8b838

 

New VPN tunnel:

Static route for network 10.97.58.0/24 is now installed on the new tunnel 'VPN-IEMX-PP1'.

2025-04-30 19:17:25.719565 ike V=root:0:VPN-IEMX-PP1:2733: add route 10.97.58.0/255.255.255.0 gw 287.201.181.202 oif VPN-IEMX-PP1(48) metric 15 priority 1
2025-04-30 19:17:25.719717 ike V=root:0:VPN-IEMX-PP1_1:10270:SPOKE-ZAC:2733: tunnel 4 of VDOM limit 0/0
2025-04-30 19:17:25.719726 ike V=root:0:VPN-IEMX-PP1_1:10270:SPOKE-ZAC:2733: add IPsec SA: SPIs=58a8b839/657c0b85
2025-04-30 19:17:25.719733 ike 0:VPN-IEMX-PP1_1:10270:SPOKE-ZAC:2733: IPsec SA dec spi 58a8b839 key 24:D5546329BCCF0C00AA0428403F06DFB0CB4BD9BA0C45BE38 auth 32:8B3986D8F62649AD532CE24C9B8251241CFE89B16B9FA9173AD82212D7FE6150
2025-04-30 19:17:25.719738 ike 0:VPN-IEMX-PP1_1:10270:SPOKE-ZAC:2733: IPsec SA enc spi 657c0b85 key 24:9125C710800E50F761A72336B4A994235211523D00930D9F auth 32:907E709157A5C421A0930251DB05D50C04A79601C2B7A686B3C84BEBC7ECA5DC
2025-04-30 19:17:25.719756 ike V=root:0:VPN-IEMX-PP1_1:10270:SPOKE-ZAC:2733: added IPsec SA: SPIs=58a8b839/657c0b85
2025-04-30 19:17:25.719774 ike V=root:0:VPN-IEMX-PP1_1:10270:SPOKE-ZAC:2733: sending SNMP tunnel UP trap
2025-04-30 19:17:25.719783 ike V=root:0:VPN-IEMX-PP1_1: tunnel up event

 

The 'route-overlap allow' setting should be configured on both VPN tunnels. Otherwise, the following error can be shown when FortiOS tries to install the new route:

 

ike V=root:0:VPN-IEMX-PP2_0:10399:3082: added dynamic IPsec SA proxyids new 1 283
ike V=root:0:VPN-IEMX-PP2:3082: route configuration mismatch with VPN-IEMX-PP1 < ----
ike V=root:0:VPN-IEMX-PP2_0:10399:SPOKE-ZAC-2:3082: failed to add dynamc IPsec SA due to route clash < ----
ike V=root:Failed to add selectors

 

If the 'route-overlap allow' setting is configured on both VPN tunnels and the error 'route configuration mismatch with <VPN_name>' is still shown, it may be necessary to restart the VPN tunnels to apply this configuration properly.
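As an added example that is not part of the original article, the Python script below applies the detection logic a hub operator would want over IKE debug output like the excerpts above: it parses the debug line format, tracks which tunnel interface currently holds each route, records 'moving route' events, and raises an alert on the 'route configuration mismatch' and 'route clash' messages. The sample lines are constructed: the tunnel names and the 10.97.58.0/24 prefix follow this article's excerpt, while the gateway addresses and the second (route-overlap allow) scenario with phase1_a/phase1_b are invented for the example.

```python
import ipaddress
import re

# Constructed sample of IKE debug output for the 'use-new' case. Tunnel names and the
# 10.97.58.0/24 prefix follow the article; timestamps, gateways and counters are made up.
SAMPLE_USE_NEW = """\
2025-04-30 19:17:25.719103 ike V=root:0:VPN-IEMX-PP2:2728: moving route 10.97.58.0/255.255.255.0 oif VPN-IEMX-PP2(49) metric 15 priority 1 to 0:VPN-IEMX-PP1:2733
2025-04-30 19:17:25.719109 ike V=VPN-IEMX-PP2:0:VPN-IEMX-PP2:2728: del route 10.97.58.0/255.255.255.0 tunnel 10.0.1.17 oif VPN-IEMX-PP2(49) metric 15 priority 1
2025-04-30 19:17:25.719352 ike V=root:0:VPN-IEMX-PP2_0: sending SNMP tunnel DOWN trap for VPN-IEMX-PP2
2025-04-30 19:17:25.719565 ike V=root:0:VPN-IEMX-PP1:2733: add route 10.97.58.0/255.255.255.0 gw 198.51.100.2 oif VPN-IEMX-PP1(48) metric 15 priority 1
ike V=root:0:VPN-IEMX-PP2:3082: route configuration mismatch with VPN-IEMX-PP1
ike V=root:0:VPN-IEMX-PP2_0:10399:SPOKE-ZAC-2:3082: failed to add dynamic IPsec SA due to route clash
"""

# Constructed sample for a hub with 'set route-overlap allow' on both phase2-interfaces:
# both tunnels install the same route and nothing is moved or deleted.
SAMPLE_ALLOW = """\
2025-04-30 19:20:01.000001 ike V=root:0:phase1_a:3001: add route 10.10.10.0/255.255.255.0 gw 198.51.100.11 oif phase1_a(50) metric 15 priority 1
2025-04-30 19:20:02.000002 ike V=root:0:phase1_b:3002: add route 10.10.10.0/255.255.255.0 gw 198.51.100.12 oif phase1_b(51) metric 15 priority 1
"""

LINE_RE = re.compile(r'^(?:\d{4}-\d\d-\d\d \S+ )?ike (?P<ctx>\S+) (?P<msg>.*)$')
MOVE_RE = re.compile(r'moving route (\S+) oif (\S+)\(\d+\).* to \d+:([^:]+):')
DEL_RE = re.compile(r'del route (\S+) .*oif (\S+)\(\d+\)')
ADD_RE = re.compile(r'add route (\S+) .*oif (\S+)\(\d+\)')
MISMATCH_RE = re.compile(r'route configuration mismatch with (\S+)')


def tunnel_from_context(ctx):
    """Extract the tunnel name from a context such as 'V=root:0:VPN-IEMX-PP2_0:10399:SPOKE-ZAC-2:3082:'."""
    fields = ctx.rstrip(':').split(':')
    if fields and fields[0].startswith('V='):   # the leading VDOM tag is not always present
        fields = fields[1:]
    return fields[1] if len(fields) >= 2 else None


def normalize_prefix(text):
    """Turn '10.97.58.0/255.255.255.0' into '10.97.58.0/24'."""
    return str(ipaddress.ip_network(text, strict=False))


def analyze_ike_debug(lines):
    """Return the routes each tunnel interface holds plus alerts for route-overlap problems."""
    routes = {}   # prefix -> set of tunnel interfaces that currently hold the route
    events = []   # route moves, in order of appearance
    alerts = []   # conditions the article ties to a missing 'route-overlap allow'
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ctx, msg = m.group('ctx'), m.group('msg')
        tunnel = tunnel_from_context(ctx)
        mv = MOVE_RE.search(msg)
        if mv:
            events.append(f"{normalize_prefix(mv.group(1))}: moved from {mv.group(2)} "
                          f"to {mv.group(3)} (use-new behaviour)")
            continue
        d = DEL_RE.search(msg)
        if d:
            routes.setdefault(normalize_prefix(d.group(1)), set()).discard(d.group(2))
            continue
        a = ADD_RE.search(msg)
        if a:
            routes.setdefault(normalize_prefix(a.group(1)), set()).add(a.group(2))
            continue
        mm = MISMATCH_RE.search(msg)
        if mm:
            alerts.append(f"{tunnel}: route configuration mismatch with {mm.group(1)}; "
                          "verify 'set route-overlap allow' on both phase2-interfaces")
            continue
        if 'route clash' in msg:
            alerts.append(f"{tunnel}: dynamic IPsec SA rejected due to route clash")
    return {
        'routes': {net: sorted(ifs) for net, ifs in routes.items()},
        'events': events,
        'alerts': alerts,
    }


if __name__ == '__main__':
    for label, sample in (('use-new', SAMPLE_USE_NEW), ('allow', SAMPLE_ALLOW)):
        report = analyze_ike_debug(sample.splitlines())
        print(f"== {label} ==")
        for net, ifs in report['routes'].items():
            print(f"{net} via {', '.join(ifs) or '(no tunnel)'}")
        for line in report['events'] + report['alerts']:
            print(line)
```

In the 'use-new' sample the route ends up on VPN-IEMX-PP1 only, with one move event and two alerts; in the 'allow' sample the script reports 10.10.10.0/24 via both phase1_a and phase1_b, matching the 'diagnose vpn ike route list' output shown earlier, with no alerts.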


Related articles:

Technical Tip: Allowing multiple IPSec dial-up connection from same source IP
Troubleshooting Tip: Connectivity issue between Dialup hub FortiGate and multiple Dial-in client For...
Troubleshooting Tip: IPsec flapping or packet loss after upgrade FortiGate to v7.0.13, v7.2.6, v7.4....
Technical Tip: Dial-up IPsec flapping issues after upgrading v7.2.6 and v7.0.13
Technical Tip: How to add automatic route towards the remote subnets when there are multiple Dial-Up...