Multiple IPSec tunnels on single interface
Hello,
We currently use a single VPN to get into our office; this VPN uses a software switch as its interface.
However, I need to create another VPN for a separate purpose (because I need to provide a different subnet range to these special VPN clients). I have tried creating another VPN and adding the same software switch as the interface, but I am unable to connect to this VPN.
This software interface has 1 main gateway IP and 4 secondary external IP addresses.
How can I implement this second VPN?
Thanks
Labels: IPsec
You need to make your tunnels identifiable. If they are not, the FGT uses the first tunnel that matches the proposals, and that may be the wrong one. If they have the same remote GW on one side, you need to set peer IDs to make them unique.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
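A simplified model of the selection problem sw2090 describes, added here as an illustration and not code from this thread or from FortiOS: two dial-up phase 1 definitions on the same interface with the same proposals, a client meant for the second one, and a configuration check that flags pairs where the first tunnel will always win. Tunnel names, the interface name, the proposal string and the peer IDs are all constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass
class Phase1:
    """One dial-up phase 1 definition (constructed model, not FortiOS syntax)."""
    name: str
    interface: str
    proposals: Set[str]
    peerid: Optional[str] = None   # None models "accept any peer ID"

@dataclass
class IkeRequest:
    interface: str                 # interface the request arrives on
    proposals: Set[str]            # proposals the client offers
    idi: Optional[str] = None      # identity the client sends (strongSwan leftid)

def select_phase1(tunnels: List[Phase1], req: IkeRequest) -> Optional[str]:
    """First tunnel in configuration order that accepts the request, or None."""
    for t in tunnels:
        if t.interface != req.interface or not (t.proposals & req.proposals):
            continue
        if t.peerid is not None and t.peerid != req.idi:
            continue
        return t.name              # earlier tunnels shadow later ones
    return None

def ambiguous_pairs(tunnels: List[Phase1]) -> List[Tuple[str, str]]:
    """Pairs sharing interface and proposals without two distinct peer IDs;
    the later tunnel of such a pair can never be selected."""
    found = []
    for i, a in enumerate(tunnels):
        for b in tunnels[i + 1:]:
            same_path = a.interface == b.interface and bool(a.proposals & b.proposals)
            distinct = None not in (a.peerid, b.peerid) and a.peerid != b.peerid
            if same_path and not distinct:
                found.append((a.name, b.name))
    return found

# Constructed example: the thread's two dial-up tunnels on one software switch.
IFACE, PROPOSAL = "sw-lan", {"aes256-sha256"}
BEFORE = [Phase1("office", IFACE, PROPOSAL), Phase1("special", IFACE, PROPOSAL)]
AFTER = [Phase1("office", IFACE, PROPOSAL, "office-users"),
         Phase1("special", IFACE, PROPOSAL, "special-users")]

def demo() -> tuple:
    # Where a client for the "special" tunnel lands before and after peer IDs are set.
    client = IkeRequest(IFACE, PROPOSAL, idi="special-users")
    return (select_phase1(BEFORE, client), select_phase1(AFTER, client),
            ambiguous_pairs(BEFORE), ambiguous_pairs(AFTER))
```

Once peer IDs are set, a client that sends no identity matches neither tunnel, which is the check that makes the two dial-up definitions distinguishable.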
FWIW the strongswan org website has working examples that you can mimic.
https://wiki.strongswan.org/projects/strongswan/wiki/ConfigurationExamples
But yes, leftid would be your local-id.
Ken Felix
PCNSE
NSE
StrongSwan
Nevermind - I found the solution here: https://kb.fortinet.com/kb/documentLink.do?externalID=FD38084
Cheers!
sw2090 wrote: "Hey, you need to make your tunnels identifiable. If they are not, the FGT uses the first tunnel that matches the proposals, and that may be the wrong one. If they have the same remote GW on one side, you need to set peer IDs to make them unique."
Thanks for the response. I got this working when using FortiClient, but I need to connect using strongSwan. How do I specify this Local ID in my /etc/ipsec.conf?
Cheers
ahh got it:
leftid = %<MY_ID>
I found a post from 2020, where your comment was:
"You need to make your tunnels identifiable. If they are not, the FGT uses the first tunnel that matches the proposals, and that may be the wrong one."
I understand this post is 4 years old and you have probably slept since then :) but I am trying to understand this statement about making your tunnel "identifiable". The reason for this inquiry on my part is that I had a user with two active tunnel connections and I wanted to identify the who, what and why of this. I did not see this option on our Fortinet firewall dashboard. Thank you for your response.
I think it refers to the Local ID / Peer ID on the client side, in the IPsec tunnel configuration -> "Phase 1 Proposal".
