Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
itemanuel
New Contributor

Two dialup VPN tunnels to use the same interfaces

Hi We are running a FortiGate 60E using a single WAN-Connection (set of public IPs) and a straight C-Class private LAN. We have some services in our LAN that my colleagues and me are using every day. Basically everything works just nicely. I have set up a dialup VPN Tunnel (IPsec) to provide access from remote networks. This VPN Tunnel is set to have "Enable IPv4 Split Tunnel" checked as normally we would like have internet traffic not to take the VPN route, but to go there directly. This tunnel works great and we are happy with bandwith and performance. Now in addition to that, we need to have a VPN-Tunnel with "IPv4 Split Tunnel" disabled. In some cases we need to have all traffic go through that tunnel and for internet traffic we'd like to have a different public IP address being used than the one generally defined for WAN1. So appart from the "Split Tunnel" feature and a different Client Address Range, there should not be a difference. But the thing is, this second dialup VPN tunnel doesn't work. In [link]https://forum.fortinet.com/tm.aspx?m=174231[/link] ede_pfau recommends using VDOMs for this kind of setup. But this seems way too complicated to me. Especially as there is no need the securely separate the traffic between the two or to have two different LANs to be reached by the VPN Tunnels. So the typical use case for VDOMs is not given. Does anybody know how to tackle this in the sense of "best practice"? Any help and support is appreciated. itemanuel    

1 Solution
OrtegaPedro
New Contributor

Hi

 

To use more than 1 IPSec Tunnel in the same interface you must specify unique Peer ID in each VPN tunnel (Authentication section) and the same in Local ID (Phase1 Section).

In Forticlient VPN set the Local ID under Advanced Settings > Phase1

View solution in original post

22 REPLIES 22
Toshi_Esumi

So if above is the fact and can't change, only options for you would be:

1) have two different interfaces for two different dialup IPsec termination points (or separate vdoms, which would do similar)

or,

2) go to SSL VPN instead and separate user groups then set separate policies, or simply use "realm" to separate "portal" for each user group.

itemanuel

Thanks again, Toshi

I did exactly what you proposed. I'm perfectly able to connect using my first tunnel. In the IPsec Monitor the PeerID shows up nicely. But the connection to my second tunnel still doesn't work. I'm getting "The preshared key is not correct". What happens is that not the second tunnel is tried to connect to, but the first. And as have chosen a different preshared key to tell them appart, the key obviously doesn't match. The cause is kind of a strict relation between the WAN1 interface and the first IPsec Tunnel, thus leading to the fact that no other IPsec Tunnel can claim to use WAN1. That's why using separate VDOMs would solve this. But I'm not giving up on finding the right solution without the work of setting up another VDOM.

 

So I'm wondering how Jan_1966 has found a way to have it work. Does he have two WAN connections, one for each tunnel?

sw2090

you have to limit the 2nd tunnel to a specific peer id too. This is what Jan_1966 did.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Jan_1966

Correct.

 

So I created 2 Remote Access VPN tunnels with the Wizard (different IP range), then in the Authentication section of each you define the PeerID that is accepted on this Tunnel. 

On the Client you define the local ID for the tunnel it needs to connect to. 

This way I segregated Corporate laptops from BYOD devices so they could use different Security policies and BYOD is using split tunneling, while the corporate all traffic is directed over the VPN tunnel.

 

In the Monitor I see generally about 8 Users on one tunnel and about 30 on the other.

 

Hope this helps.

 

Jan

itemanuel

Thanks Jan

I think I did the same. I started off with the wizard. Then added the localid using command line as Toshi had proposed. I paste my config here. Would you mind to compare this to yours or to post it here? I suppose you know how to use CLI to get the list.

 

gate (phase1-interface) # show config vpn ipsec phase1-interface     edit "access_dw"         set type dynamic         set interface "wan1"         set mode aggressive         set peertype any         set net-device disable         set mode-cfg enable         set ipv4-dns-server1 192.168.10.8         set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1         set localid "withdw"         set dpd on-idle         set comments "VPN: access_dw (Created by VPN wizard)"         set wizard-type dialup-forticlient         set xauthtype auto         set authusrgrp "dwi-VPN-access"         set ipv4-start-ip 172.16.10.20         set ipv4-end-ip 172.16.10.39         set ipv4-split-include "access_dw_split"         set save-password enable         set psksecret ENC [[my-secret-hash-1]]         set dpd-retryinterval 60     next     edit "through_dw"         set type dynamic         set interface "wan1"         set mode aggressive         set peertype any         set net-device disable         set mode-cfg enable         set ipv4-dns-server1 192.168.10.8         set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1         set localid "throughdw"         set dpd on-idle         set comments "VPN: through_dw (Created by VPN wizard)"         set wizard-type dialup-forticlient         set xauthtype auto         set authusrgrp "dwi-VPN-access"         set ipv4-start-ip 10.0.10.20         set ipv4-end-ip 10.0.10.39         set save-password enable         set psksecret ENC [[my-secret-hash-2]]         set dpd-retryinterval 60     next end

Jan_1966

Hi,

 

I am not going to paste the whole configuration, but your configuration states PeerID Any. On the Fortigate side it's not the localID, but the Peer ID you need to change:

 

set peertype one

set peerid "Noncorporate"

 

It's in the Authentication section of the VPN tunnel

Accept type: Specific Peer ID

PeerID: "whatever the name is you accept on this tunnel"

 

itemanuel

Thanks Jan

With Pedros input I realised I had to change exaktly this using CLI. So

set peertype one set peerid "id-tunnel-1"

set localid "my-local-id" and

set peertype one set peerid "id-tunnel-2"

set localid "my-local-id"

for the other tunnel.

In FortiClient there's one confusing thing though. We had to insert the Peer ID of the selected tunnel in the field "Local ID" in order to have it work correctly.

Now everything's solved! Apart from an issue concerning macOS Catalina users (https://forum.fortinet.com/tm.aspx?m=179386), which I hope will be solved soon. For them we configured an SSL-VPN tunnel. Works for them as well as for iOS clients.

 

So thanks everybody contributing!

Have a good time and stay healthy

 

Itemanuel

ShawnZA

As far as I am aware the Local ID you specify on the forticlient should be the Peer ID you specified on the fortigate, or at least that's how it works on the ones I have setup.

emnoc
Esteemed Contributor III

Run your "diag debug flow" and inspect the action after during the user(s) testing.

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Toshi_Esumi
SuperUser
SuperUser

Ok, thanks. I didn't know the same "local ID" for a group of clients would connect to a single of dialup at the FGT with the same "peer ID". Then, you just need to have two setups in the same way w/ different local/peer IDs for two groups of clients.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors