FortiOS uses an add-route to announce the network has been encrypted by a spoke or dialup client to the HUB and eventually adds this route to the FortiGate FIB, this takes place during the dynamic tunnel negotiation.
If there is a network setup or design where the same subnet can be reached through two different phase1s, like the dual link or ECMP to the same network, this can be an issue in a dial-up VPN environment unless there is the right setting under VPN.
If not, only one of these two links (phase1s) will be installed at a time.
The configuring required is:
# config vpn ipsec phase2-interface
set route-overlap allow <----- The default is "use-new"
With the above config, the same subnet can be learned and installed in FIB by IKE through different phase1s.
Here is the output:
10.10.10.0/24 via phase1_a
It is also possible to check with:
# diag vpn ike route list