Hello,
We currently use a single VPN to get into our office; this VPN uses a software switch as its interface.
However, I need to create another VPN for a separate purpose (because I need to provide another subnet range to these special VPN clients). I have tried creating another VPN and added the same software switch as the interface, but I am unable to connect to it.
This software interface has one main gateway IP and four secondary external IP addresses.
How can I implement this second VPN?
Thanks
Never mind, I found the solution here: https://kb.fortinet.com/kb/documentLink.do?externalID=FD38084
Cheers!
You need to make your tunnels identifiable. If they are not, the FGT uses the first tunnel that matches the proposals, and that may be the wrong one. If they have the same remote gateway on one side, you need to set peer IDs to make them unique.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
sw2090 wrote: Hey, you need to make your tunnels identifiable. If they are not, the FGT uses the first tunnel that matches the proposals, and that may be the wrong one. If they have the same remote gateway on one side, you need to set peer IDs to make them unique.
Thanks for the response. I got this working when using FortiClient, but I need to connect using strongSwan. How do I specify this Local ID in my /etc/ipsec.conf?
Cheers
Ah, got it:
leftid = %<MY_ID>
FWIW, the strongSwan website has working examples that you can mimic.
https://wiki.strongswan.org/projects/strongswan/wiki/ConfigurationExamples
But yes, leftid would be your local ID.
Ken Felix
PCNSE
NSE
StrongSwan
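As an added example, not code from this thread, from Fortinet or from strongSwan, the following Python script puts sw2090's point (tunnels on one interface must be distinguishable by peer ID) and the leftid answer into a checkable form. It embeds constructed samples: a FortiGate phase1-interface table in the weak form the original poster described (two dial-up tunnels on one software switch, both with set peertype any), the corrected form where each tunnel gets set peertype one and a distinct set peerid, and a strongSwan ipsec.conf conn whose leftid carries that peer ID (the @ prefix makes it a literal FQDN-type identity rather than a name to resolve). The tunnel names, the interface name office-sw, the peer IDs and the gateway address 203.0.113.10 are made up. It assumes the FortiGate selects among dial-up tunnels on the same interface by the peer ID the client presents, so tunnels with the same acceptance rule are ambiguous, and the parsers handle only the subset of syntax shown. Note that with IKEv1 and a pre-shared key the peer ID is only usable in aggressive mode (hence aggressive=yes in the conn, which must be matched by set mode aggressive on the FortiGate side).

```python
from collections import defaultdict

# Added example for this thread, not Fortinet's or strongSwan's code. Assumes the
# FortiGate 'vpn ipsec phase1-interface' syntax below, where 'set peertype any'
# accepts any peer ID and 'set peertype one' + 'set peerid X' accepts only X.

# Constructed sample, weak form: both dial-up tunnels on "office-sw" accept any
# peer ID, so the FortiGate cannot tell their clients apart.
FGT_WEAK = """\
config vpn ipsec phase1-interface
    edit "office-vpn"
        set type dynamic
        set interface "office-sw"
        set peertype any
    next
    edit "special-vpn"
        set type dynamic
        set interface "office-sw"
        set peertype any
    next
end
"""

# Constructed sample, corrected form: each tunnel accepts one distinct peer ID.
FGT_FIXED = """\
config vpn ipsec phase1-interface
    edit "office-vpn"
        set type dynamic
        set interface "office-sw"
        set peertype one
        set peerid "office-users"
    next
    edit "special-vpn"
        set type dynamic
        set interface "office-sw"
        set peertype one
        set peerid "special-clients"
    next
end
"""

# Constructed strongSwan ipsec.conf for a client of "special-vpn"; '@' marks a
# literal FQDN-type identity that strongSwan does not try to resolve.
IPSEC_CONF = """\
conn fortigate-special
    keyexchange=ikev1
    aggressive=yes
    authby=secret
    left=%defaultroute
    leftid=@special-clients
    right=203.0.113.10
    auto=add
"""


def parse_phase1(config_text):
    """Return {tunnel_name: {setting: value}} from a phase1-interface table."""
    tunnels, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line[5:].strip().strip('"')
            tunnels[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            tunnels[current][key] = value.strip().strip('"')
        elif line == "next":
            current = None
    return tunnels


def find_ambiguous_dialup_tunnels(tunnels):
    """Groups of dial-up tunnels that share an interface and a peer-ID rule
    (several 'any' wildcards, or the same peerid twice): first match wins there."""
    groups = defaultdict(list)
    for name, s in tunnels.items():
        if s.get("type") == "dynamic":
            ident = s.get("peerid") if s.get("peertype") == "one" else "<any>"
            groups[(s.get("interface"), ident)].append(name)
    return [names for names in groups.values() if len(names) > 1]


def parse_leftids(conf_text):
    """Return {conn_name: leftid} from ipsec.conf, with the '@' prefix removed."""
    conns, current = {}, None
    for line in (l.strip() for l in conf_text.splitlines()):
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
        elif current and line.startswith("leftid"):
            conns[current] = line.partition("=")[2].strip().lstrip("@")
    return conns


def tunnels_accepting(tunnels, interface, peer_id):
    """Dial-up tunnels on `interface` whose peer-ID rule admits `peer_id`;
    exactly one name means the client is steered unambiguously."""
    return [name for name, s in tunnels.items()
            if s.get("type") == "dynamic" and s.get("interface") == interface
            and (s.get("peertype") == "any"
                 or (s.get("peertype") == "one" and s.get("peerid") == peer_id))]
```

On the weak table, find_ambiguous_dialup_tunnels(parse_phase1(FGT_WEAK)) returns [["office-vpn", "special-vpn"]] and a client presenting special-clients is admitted by both tunnels; on the corrected table the ambiguity list is empty and tunnels_accepting(parse_phase1(FGT_FIXED), "office-sw", "special-clients") returns ["special-vpn"] only, which is the state the thread's fix aims for.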
I found a post from 2020, where your comment was
"you need to make your tunnels identifiable. If they are not, the FGT uses the first tunnel that matches the proposals, and that may be the wrong one."
I understand this post is 4 years old and you have probably slept since then :) but I am trying to understand this statement about making your tunnels "identifiable". The reason for my inquiry is that I had a user with two active tunnel connections, and I wanted to identify the who, what and why of this. I did not see this option on our Fortinet firewall dashboard. Thank you for your response.
I think it refers to the Local ID / Peer ID on the client side, in the IPsec tunnel configuration -> "Phase 1 Proposal".
Copyright 2025 Fortinet, Inc. All Rights Reserved.