Description | This article explains how FortiOS handles route overlap, that is, when two or more dialup clients (spokes) advertise the same protected network/subnet to the HUB. |
Scope | FortiGate v7.0.2 and above. |
Solution |
FortiOS uses the add-route feature to announce to the HUB the network that a spoke or dialup client protects with the tunnel, and then installs a route to that network, pointing at the tunnel interface, in the FortiGate FIB. This happens during the dynamic tunnel negotiation, based on the subnet the client proposes in phase 2.
In a design where the same subnet is reachable through two different phase1s, for example a dual link or ECMP towards the same network, this becomes a problem in a dialup VPN environment unless the correct setting is applied under the VPN configuration.
Without it, only one of the two links (phase1s) has its route installed at a time: with the default setting (use-new), the route learned through the most recently negotiated tunnel replaces the earlier one.
The configuration required is:
# config vpn ipsec phase2-interface
    edit <name>
        set route-overlap allow    <----- The default is "use-new"
    next
end
With the above configuration, the same subnet can be learned by IKE through different phase1s and installed in the FIB once for each of them.
Here is the resulting output, with both phase1s installed for the same subnet:
10.10.10.0/24
    via phase1_a
    via phase1_b
The routes installed by IKE can also be checked with:
# diag vpn ike route list
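To find phase2s that still run with the default before a second dialup client brings the problem to light, it helps to audit a saved configuration. The script below is an added example, not part of the original article and not Fortinet code: it walks the "config vpn ipsec phase2-interface" section of a FortiOS configuration backup, records the route-overlap mode set on each phase2 entry, applies the FortiOS default "use-new" to entries that do not set the option, and lists the entries that are not set to "allow". The sample configuration embedded in it is constructed for the example (the names phase1_a and phase1_b are taken from the output above).

```python
"""Audit a FortiOS configuration backup for phase2-interface route-overlap settings.

Added example (not from the original article or from Fortinet). It reads the
"config vpn ipsec phase2-interface" section of a saved configuration and reports
the effective route-overlap mode per phase2. Entries without an explicit
"set route-overlap" run with the FortiOS default "use-new", so only one of two
overlapping add-routes stays in the FIB.
"""
import re
from typing import Dict, List

# FortiOS default when "set route-overlap" is absent from a phase2 entry.
DEFAULT_ROUTE_OVERLAP = "use-new"

# Constructed sample configuration: two dialup phase2s, only one of which
# has route-overlap set to allow.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "phase1_a"
        set type dynamic
        set add-route enable
    next
end
config vpn ipsec phase2-interface
    edit "phase1_a"
        set phase1name "phase1_a"
        set route-overlap allow
    next
    edit "phase1_b"
        set phase1name "phase1_b"
    next
end
"""

_EDIT_RE = re.compile(r'^edit\s+"?(.+?)"?$')
_ROUTE_OVERLAP_RE = re.compile(r"^set\s+route-overlap\s+(\S+)$")


def parse_phase2_route_overlap(config_text: str) -> Dict[str, str]:
    """Return {phase2 name: effective route-overlap mode} for every phase2 entry.

    Only the "config vpn ipsec phase2-interface" section is inspected. Nested
    "config ... end" blocks inside an entry are tracked by depth so that an
    inner "end" does not terminate the scan early.
    """
    result: Dict[str, str] = {}
    in_section = False
    depth = 0
    current = None

    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_section:
            if line == "config vpn ipsec phase2-interface":
                in_section = True
                depth = 1
            continue

        if line.startswith("config "):
            depth += 1
            continue
        if line == "end":
            depth -= 1
            if depth == 0:
                break  # end of the phase2-interface section
            continue
        if depth != 1:
            continue  # ignore the contents of nested sub-blocks

        m = _EDIT_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = DEFAULT_ROUTE_OVERLAP  # assume default until set
            continue
        if line == "next":
            current = None
            continue
        m = _ROUTE_OVERLAP_RE.match(line)
        if m and current is not None:
            result[current] = m.group(1)

    return result


def phase2_without_allow(config_text: str) -> List[str]:
    """Names of phase2 entries whose effective route-overlap mode is not 'allow'."""
    modes = parse_phase2_route_overlap(config_text)
    return sorted(name for name, mode in modes.items() if mode != "allow")


if __name__ == "__main__":
    for name, mode in parse_phase2_route_overlap(SAMPLE_CONFIG).items():
        print(f"{name}: route-overlap {mode}")
    print("not set to allow:", phase2_without_allow(SAMPLE_CONFIG))
```

Run it against a configuration exported from the FortiGate (System > Configuration backup, or "show full-configuration" captured from the CLI) instead of SAMPLE_CONFIG; every name it prints under "not set to allow" is a phase2 where a second dialup client announcing the same subnet would displace the first route.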
Copyright 2024 Fortinet, Inc. All Rights Reserved.