Article Id 250588
Description This article explains how FortiOS manages route overlap (when two or more dialup clients advertise the same protected network/subnet to the HUB).
Scope FortiGate v7.0.2 and above.

FortiOS uses add-route to announce to the HUB the network that is encrypted by a spoke or dialup client, and this route is eventually added to the FortiGate FIB. This takes place during the dynamic tunnel negotiation.


In a dial-up VPN environment, a network design where the same subnet can be reached through two different phase1s (for example, dual links or ECMP to the same network) can be an issue unless route-overlap is set correctly in the VPN phase2 configuration.


Without that setting, only one of these two links (phase1s) will be installed at a time.


The required configuration is:

# config vpn ipsec phase2-interface
    edit <name>
        set route-overlap allow    <----- The default is "use-new"
    next
  end



With the above config, the same subnet can be learned and installed in FIB by IKE through different phase1s.


Here is the output:

    via phase1_a
    via phase1_b


It is also possible to check with:


#  diag vpn ike route list
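
The following is a simplified model of the route-overlap behaviour described above, added here as an illustration; it is not FortiOS code or output. The subnet 10.10.10.0/24 is a constructed sample, the function names are hypothetical, and the behaviour shown for "use-old" (the third value the option accepts, not covered in this article) is an assumption that the first route is kept.

```python
from ipaddress import ip_network

# Values of "set route-overlap"; the article covers "allow" and the default "use-new".
POLICIES = ("use-old", "use-new", "allow")


def install_route(fib, subnet, phase1, policy="use-new"):
    """Apply one add-route announcement to the hub's FIB model.

    fib maps a network to the ordered list of phase1 names it is reachable through.
    Only exact-subnet overlap is modelled, matching the case in the article.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown route-overlap policy: {policy}")
    net = ip_network(subnet, strict=False)
    owners = fib.setdefault(net, [])
    if phase1 in owners:
        return fib                      # same tunnel renegotiating, nothing changes
    if not owners or policy == "allow":
        owners.append(phase1)           # first route, or overlap permitted
    elif policy == "use-new":
        owners[:] = [phase1]            # newest announcement replaces the old route
    # "use-old" (assumed): keep the existing route, ignore the new one
    return fib


def negotiate(announcements, policy):
    """Replay (subnet, phase1) announcements in order and return the resulting FIB."""
    fib = {}
    for subnet, phase1 in announcements:
        install_route(fib, subnet, phase1, policy)
    return {str(net): owners for net, owners in fib.items()}


# Constructed sample: two dialup tunnels announce the same protected subnet.
SAMPLE = [("10.10.10.0/24", "phase1_a"), ("10.10.10.0/24", "phase1_b")]

if __name__ == "__main__":
    for policy in POLICIES:
        print(f"{policy:8} -> {negotiate(SAMPLE, policy)}")
```

With the default policy only the most recently negotiated tunnel carries the subnet, which is why the second link never appears in the FIB until the option is changed to allow.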