Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
lucas_p
New Contributor

Created on ‎09-04-2025 07:34 AM

IPsec - 52 / 5 000 adding a new VPN causes the previous one to not work

Hello 

 

 
I'm having trouble configuring an IPsec VPN. I configure one IPSec VPN and everything works fine. Clients connect and everything works fine. When I add another VPN, the previous one stops working. Below is the configuration of the first working VPN:
 

image.png

 

image.png

 

 

 

 

 

 

 

 

 

 

 

 

 

image.png

 
 

image.png

 
I'm adding a second VPN

 

 

image.png

image.png

 

 

image.png

After adding a second VPN, "VPN_Gamma," the first one stopped working. Only after disabling the vpn_VPN_Gamma_remote policy did the first VPN start working again. What could be causing this?

Labels:
89
0 Kudos
2 Solutions
pminarik
Staff
Staff

Created on ‎09-09-2025 02:55 AM

Incoming connection attempts are matched to local tunnel phase1 configurations based on:

  • destination IP (IP of the interface the tunnel is bound to, or the manually set IP)
  • remote peer's IP (site-to-site tunnels only)
  • IKE version + mode (main/aggressive, IKEv1 only)
  • crypto settings (encryption~AES/etc, hash~SHA256/etc, DH group)
  • authentication (PSK, certificate, EAP)
  • certificate details (if certs are used)
  • peer ID (for v1 aggressive mode, or v2)

If the configurations overlap and an incoming connection can match multiple phase1 definitions, the first one sorted alphabetically always wins.

Given that the tunnel named "VPN_Sigma_BR" stops working when you create a tunnel named "Anko", I would say that this is a very strong indicator that their configs overlap, and thus the alphabetically first tunnel wins.

 

We don't see the full configuration to judge this with 100% certainty, but given the observed behaviour + the fact that both were initially created using the same wizard, this is almost certainly the case.

 

You will need to review the phase1 settings and decide on what you can and want to change to distinguish the tunnels. You have various options such as using different local IPs for each tunnel (if you have multiple IPs available), or using different interfaces, or using different and non-overlapping crypto settings (e.g. AES256-SHA256 for one tunnel and AES256-SHA384 for the other), using different peer IDs for each tunnel, etc.

[ corrections always welcome ]

View solution in original post

34
lucas_p
New Contributor
In response to pminarik

Created on ‎09-09-2025 03:13 AM

 
Thanks for the reply. I was wondering what the overlap was. I thought that different Pre-shared Keys
 
image.png
and Client Address Ranges
image.png
were enough to distinguish VPN connections. I generated the configuration for these VPNs differently using PerrID, and that helped.
 
image.png

View solution in original post

27
2 REPLIES 2
pminarik
Staff
Staff

Created on ‎09-09-2025 02:55 AM

Incoming connection attempts are matched to local tunnel phase1 configurations based on:

  • destination IP (IP of the interface the tunnel is bound to, or the manually set IP)
  • remote peer's IP (site-to-site tunnels only)
  • IKE version + mode (main/aggressive, IKEv1 only)
  • crypto settings (encryption~AES/etc, hash~SHA256/etc, DH group)
  • authentication (PSK, certificate, EAP)
  • certificate details (if certs are used)
  • peer ID (for v1 aggressive mode, or v2)

If the configurations overlap and an incoming connection can match multiple phase1 definitions, the first one sorted alphabetically always wins.

Given that the tunnel named "VPN_Sigma_BR" stops working when you create a tunnel named "Anko", I would say that this is a very strong indicator that their configs overlap, and thus the alphabetically first tunnel wins.

 

We don't see the full configuration to judge this with 100% certainty, but given the observed behaviour + the fact that both were initially created using the same wizard, this is almost certainly the case.

 

You will need to review the phase1 settings and decide on what you can and want to change to distinguish the tunnels. You have various options such as using different local IPs for each tunnel (if you have multiple IPs available), or using different interfaces, or using different and non-overlapping crypto settings (e.g. AES256-SHA256 for one tunnel and AES256-SHA384 for the other), using different peer IDs for each tunnel, etc.

[ corrections always welcome ]
35
lucas_p
New Contributor
In response to pminarik

Created on ‎09-09-2025 03:13 AM

 
Thanks for the reply. I was wondering what the overlap was. I thought that different Pre-shared Keys
 
image.png
and Client Address Ranges
image.png
were enough to distinguish VPN connections. I generated the configuration for these VPNs differently using PerrID, and that helped.
 
image.png
28
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.