Hi

We are running a FortiGate 60E using a single WAN connection (set of public IPs) and a straight C-class private LAN. We have some services in our LAN that my colleagues and I are using every day. Basically everything works just nicely.

I have set up a dialup VPN tunnel (IPsec) to provide access from remote networks. This VPN tunnel is set to have "Enable IPv4 Split Tunnel" checked, as normally we would like to have internet traffic not take the VPN route, but go there directly. This tunnel works great and we are happy with bandwidth and performance.

Now in addition to that, we need to have a VPN tunnel with "IPv4 Split Tunnel" disabled. In some cases we need to have all traffic go through that tunnel, and for internet traffic we'd like to have a different public IP address used than the one generally defined for WAN1. So apart from the "Split Tunnel" feature and a different client address range, there should not be a difference. But the thing is, this second dialup VPN tunnel doesn't work.

In https://forum.fortinet.com/tm.aspx?m=174231 ede_pfau recommends using VDOMs for this kind of setup. But this seems way too complicated to me, especially as there is no need to securely separate the traffic between the two or to have two different LANs reached by the VPN tunnels. So the typical use case for VDOMs is not given.

Does anybody know how to tackle this in the sense of "best practice"? Any help and support is appreciated.

itemanuel
Hi
To use more than one IPsec tunnel on the same interface you must specify a unique Peer ID in each VPN tunnel (Authentication section) and the same value as the Local ID (Phase 1 section).
In FortiClient VPN, set the Local ID under Advanced Settings > Phase 1.
That's what I did too. I've got a unique peer ID for each tunnel setting.
If I put the same pre-shared key of tunnel 1 into tunnel 2, the connection works. But then tunnel 1 is used; however, the peer ID of tunnel 2 shows up in the IPsec Monitor.
So I'm still stuck with that. Sorry Toshi, I wanted to post that right after sw_2090's message, but I was stopped by some other stuff.
That's it, Pedro. You are absolutely right! Now both tunnels are accessible.
The only thing is that for some reason we can't reach anything, neither in our LAN nor on the Internet. The IPv4 policy is still the one that was created by the wizard, and I don't see what could or should be different from the one for the split tunnel. But thanks anyway!
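As an added illustration (not configuration posted in this thread), here is what the two dialup phase1s distinguished by peer ID look like in the FortiOS CLI, together with the policy the full-tunnel clients need to reach the Internet through a second public IP. Tunnel names, peer IDs, client ranges, the pool address and the address objects "LAN_subnet" and "dialup-full_range" are placeholders; phase2 and the LAN-facing policy are omitted.

```text
# Constructed example: two dialup IPsec phase1s on wan1, selected by peer ID.
# All names, IDs, ranges and the 203.0.113.10 pool address are placeholders.
config vpn ipsec phase1-interface
    edit "dialup-split"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype one
        set peerid "split-users"            # FortiClient Local ID for tunnel 1
        set mode-cfg enable
        set ipv4-start-ip 10.212.134.1
        set ipv4-end-ip 10.212.134.50
        set ipv4-split-include "LAN_subnet" # split tunnel: only LAN via VPN
        set psksecret <PSK-1>
    next
    edit "dialup-full"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype one
        set peerid "full-users"             # distinct ID selects tunnel 2
        set mode-cfg enable
        set ipv4-start-ip 10.212.135.1
        set ipv4-end-ip 10.212.135.50
        set psksecret <PSK-2>               # no ipv4-split-include: full tunnel
    next
end
config firewall ippool                      # the second public IP for NAT
    edit "vpn-full-public"
        set type overload
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
end
config firewall policy
    edit 0
        set name "vpn-full-to-internet"
        set srcintf "dialup-full"           # without this policy, full-tunnel
        set dstintf "wan1"                  # clients have no Internet access
        set srcaddr "dialup-full_range"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "vpn-full-public"      # NAT to 203.0.113.10, not wan1's IP
    next
end
```

The LAN-facing policy for "dialup-full" mirrors the wizard's split-tunnel one (source interface "dialup-full", destination the LAN interface, no NAT); the Internet policy above is the piece the split-tunnel wizard never creates, because split-tunnel clients never send Internet traffic into the VPN.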