Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
rvanefferen
New Contributor

Multiple IPSec tunnels to the same remote gateway ip

Hi,

 

2 of our customers need an IPsec tunnel to the same remote gateway ip of a 3rd party supplier from our datacenter/vpn firewall (FGT 200E - FortiOS 6.04)

 

But when I try to set this up, I get an error saying: Duplicate remote gateway ip

They cannot share the same IPsec tunnel, because of regulations, laws etc. So I really need to have 2 IPsec tunnels to the same remote gateway ip. 

 

Is there any way of making this possible on our FGT 200E?

 

 

9 REPLIES 9
martin28
New Contributor

Hello, You can do it but both VPNs have to have different interface bindings.

You cannot set 2 VPNs from the same interface to the same remote gateway. Either the remote gateway or the interface binding of the VPN has to be different between both VPNs.

 

Best regards.

rvanefferen

Hi,

 

I was afraid that would be the answer, than we'll have to think of an alternative plan. Probably using the 'old' VPN firewall. Not ideal, but at least it will give us some time to come up with a more permanent solution.

 

Thanks!

ede_pfau
Esteemed Contributor III

This is really the exemplary situation to employ VDOMs. Different customers get each a VDOM of their own (managed by you). Then you can create multiple tunnels to the same remote IP.

 

Of course, if the remote side is a FGT, you might see the same difficulty, as multiple tunnels are coming in from the same remote WAN IP. The easy way out is to use different WAN IP addresses (configured as secondary addresses). There is a setting in phase1 which you may set to a secondary address as the remote IP.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
rvanefferen

Hi Ede,

Thanks for your reply, I understand you completely and that is something what is planned for the future. Each customer gets it's own VDOM and own public ip subnet. But at this moment it's something I cannot implement yet. The remote gateway is an CheckPoint device and not under our control. Also we don't have extra public IP available in that subnet.

ede_pfau
Esteemed Contributor III

With a Forti, there's always a solution...

 

Well, if you need two distinct paths but don't have resources...would your regulations be fulfilled if you put 2 VLANs across the same tunnel? It's almost secure...

What about dial-in VPNs? Once dialled in, it doesn't make any difference to the traffic. You would just need to differentiate the tunnels by multiple peer IDs (strings). Aren't 100 home workers building 100 tunnels to the same public IP?


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
rvanefferen
New Contributor

Well that's the thing with this setup. Would we do that we would not be in compliance with local and european regulations and maybe even more regulations. The traffic has to be strictly seperated from each other, so hence the two seperate IPSec tunnels. How the 3rd party which we are connecting to stays in compliance with regulations is from my (technical) point of view not important. Litte sidenote: it are companies that provide financial services, so very strictly regulated

 

But your first reply about the VDOMS is the best way for our environment and it will be implemented, I already made sure of that. The only question is when... 

dschout
New Contributor

For future reference, with more recent FortiOS versions I believe 6.4, you can now make use of the parameters: 

set network-overlay enable

set network-id 
This will allow multiple tunnel even when source interface/IP and destination gateway IP are the same. 

Mrinmoy
Staff
Staff
Labels
Top Kudoed Authors