Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
eng
New Contributor II

Multiple IPSec tunnels on single interface

Hello,

We currently use a single VPN to get into our office. This VPN is using a software switch as the interface.

However, I need to create another VPN for a separate purpose (because I need to provide another subnet range to these special VPN clients). I have tried creating another VPN and I have added the same software switch as the interface, but I am unable to connect to this VPN.

This software interface has 1 main gateway IP and 4 secondary external IP addresses.

How can I implement this second VPN?

Thanks

7 Replies
eng
New Contributor II

Never mind - I found the solution here: https://kb.fortinet.com/kb/documentLink.do?externalID=FD38084

Cheers!

sw2090
Honored Contributor

You need to make your tunnels identifiable. If they are not, the FGT uses the first tunnel that matches proposals, and that may be the wrong one. If they have the same remote gw on one side you need to set peer-ids to make them unique.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
eng
New Contributor II

sw2090 wrote:

You need to make your tunnels identifiable. If they are not, the FGT uses the first tunnel that matches proposals, and that may be the wrong one. If they have the same remote gw on one side you need to set peer-ids to make them unique.

Hey,

Thanks for the response. I got this working when using FortiClient, but I need to connect using strongSwan - how do I specify this Local ID in my /etc/ipsec.conf?

Cheers

eng
New Contributor II

Ahh, got it:

leftid = %<MY_ID>

emnoc
Esteemed Contributor III

FWIW the strongSwan org website has working examples that you can mimic.

https://wiki.strongswan.org/projects/strongswan/wiki/ConfigurationExamples

But yes, leftid would be your local-id.

Ken Felix

PCNSE

NSE

StrongSwan
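To show both halves of what this thread settles on (sw2090's advice to give each dialup tunnel its own peer ID on the FortiGate, and emnoc's and eng's point that leftid carries that ID on the strongSwan side), here is an added example of my own; it is not taken from the thread, the Fortinet KB article or the strongSwan wiki. The tunnel names, the interface name internal-sw, the identity special-clients, the gateway address 203.0.113.10, the address pools and the PSK strings are placeholders, and the FQDN form of leftid is an assumption: the value must equal the FortiGate's peerid in whichever ID type the FortiGate is set to accept.

```text
# FortiGate CLI: two dialup tunnels terminating on the same software switch.
config vpn ipsec phase1-interface
    edit "office-dialup"
        set type dynamic
        set interface "internal-sw"     # placeholder software switch
        set ike-version 1
        set mode aggressive             # IKEv1 ID is visible early enough to pick a tunnel
        set peertype any                # catch-all: no peer ID required
        set proposal aes256-sha256
        set dhgrp 14
        set mode-cfg enable
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.100
        set ipv4-netmask 255.255.255.0
        set psksecret "OFFICE_PSK_PLACEHOLDER"
    next
    edit "special-dialup"
        set type dynamic
        set interface "internal-sw"     # same interface as above
        set ike-version 1
        set mode aggressive
        set peertype one                # accept only the peer ID below
        set peerid "special-clients"    # clients must present this ID
        set proposal aes256-sha256
        set dhgrp 14
        set mode-cfg enable
        set ipv4-start-ip 10.20.20.1    # the separate range for these clients
        set ipv4-end-ip 10.20.20.100
        set ipv4-netmask 255.255.255.0
        set psksecret "SPECIAL_PSK_PLACEHOLDER"
    next
end

# strongSwan client, /etc/ipsec.conf: the identity selects the second tunnel.
conn fgt-special
    keyexchange=ikev1
    aggressive=yes
    left=%defaultroute
    leftid=@special-clients        # must equal "set peerid" on the FortiGate
    leftsourceip=%config           # take an address from the mode-cfg pool
    right=203.0.113.10             # placeholder FortiGate gateway IP
    rightid=%any
    rightsubnet=10.20.0.0/16       # placeholder subnet behind the FortiGate
    authby=psk
    ike=aes256-sha256-modp2048!    # matches proposal + dhgrp 14 above
    esp=aes256-sha256!
    auto=add

# /etc/ipsec.secrets: PSK keyed by the same identity
@special-clients 203.0.113.10 : PSK "SPECIAL_PSK_PLACEHOLDER"
```

Each phase1 still needs its own phase2-interface entry and firewall policy, which are omitted here. If both tunnels were left at peertype any, the FortiGate would take the first one whose proposals match, which is the failure the question describes.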
genetics

I found a post from 2020, where your comment was:

"You need to make your tunnels identifiable. If they are not, the FGT uses the first tunnel that matches proposals, and that may be the wrong one."

I understand this post is from 4 years ago and you have probably slept since then :) but I am trying to understand this statement about making your tunnel "identifiable". The reason for this inquisition on my part is that I had a user with two active tunnel connections and I wanted to identify the who, what and why of this. I did not see this option on our Fortinet Firewall dashboard. Thank you for your response.

Max_H
New Contributor

I think it refers to the LocalID / PeerID on the client side, in the IPsec tunnel configuration -> "Phase1 Proposal".
