itemanuel
New Contributor

Two dialup VPN tunnels to use the same interfaces

Hi,

We are running a FortiGate 60E using a single WAN connection (set of public IPs) and a straight C-class private LAN. We have some services in our LAN that my colleagues and I are using every day. Basically everything works just nicely.

I have set up a dialup VPN tunnel (IPsec) to provide access from remote networks. This VPN tunnel is set to have "Enable IPv4 Split Tunnel" checked, as normally we would like internet traffic not to take the VPN route, but to go there directly. This tunnel works great and we are happy with bandwidth and performance.

Now in addition to that, we need to have a VPN tunnel with "IPv4 Split Tunnel" disabled. In some cases we need to have all traffic go through that tunnel, and for internet traffic we'd like to have a different public IP address being used than the one generally defined for WAN1. So apart from the "Split Tunnel" feature and a different client address range, there should not be a difference. But the thing is, this second dialup VPN tunnel doesn't work.

In https://forum.fortinet.com/tm.aspx?m=174231 ede_pfau recommends using VDOMs for this kind of setup. But this seems way too complicated to me. Especially as there is no need to securely separate the traffic between the two or to have two different LANs to be reached by the VPN tunnels. So the typical use case for VDOMs is not given.

Does anybody know how to tackle this in the sense of "best practice"? Any help and support is appreciated.

itemanuel

1 Solution
OrtegaPedro
New Contributor

Hi


To use more than 1 IPsec tunnel on the same interface you must specify a unique Peer ID in each VPN tunnel (Authentication section) and the same in Local ID (Phase 1 section).

In FortiClient VPN set the Local ID under Advanced Settings > Phase 1.

Toshi_Esumi
Esteemed Contributor III

Try this one:

https://kb.fortinet.com/kb/documentLink.do?externalID=10114

I think the KB is a little old, so the GUI menu might not match yours. I almost never use the GUI to create IPsec so I don't know for sure, but I think it now shows it as "Local ID" instead of "Peer ID" when you choose "Custom" in the wizard.

Then the client can choose which dialup Phase1-interface to connect to.

itemanuel

Thanks!

Sounds like a good idea. Thing is, I can't find a way to have my FortiGate 60E (FortiOS 6.2.3) show the IKE and Peer Options part in the section "Authentication". I tried to enable the feature in System > Feature Visibility by checking "Policy-based IPsec VPN". Do you have a hint how I can manage to edit my VPN tunnels to use Peer IDs in the GUI of my FortiGate?

Toshi_Esumi
Esteemed Contributor III

This is a part of the regular interface-based IPsec features. You don't have to enable policy-based IPsec in GUI feature visibility.

Once you choose "Custom" IPsec, then choose "Aggressive" mode, the Peer Options config part should show up on your screen.

itemanuel

Ok, I see. So I converted the two tunnels to "custom" ones. I still have to sort out something, as connections are failing in phase 2. Just curious: I guess the actual Peer ID can be anything, right? They just need to be different. I have tried "dialup1" and "dialup2" though...

Toshi_Esumi
Esteemed Contributor III

The IDs themselves should be fine as long as you can configure them on the client side. The original dialup IPsec was working fine with one phase1-interface before, right? I would suggest going back to the original working setup, then take a config snapshot of phase1-interface and phase2-interface in the CLI (config vpn ipsec phase1-interface / config vpn ipsec phase2-interface, then just "show"). The only thing that should change is "set localid "dialupX"" in the phase1-interface config.

Jan_1966

Hi,

I think this is the same config that I have. Each VPN tunnel needs a PeerID in the Authentication settings:

Accept types: Specific Peer ID

Peer ID: Whatever_name


Then on the client side, in the Phase 1 Local ID for each tunnel you want them to connect to, you have to have the matching Local ID.

I created this with help from this forum thread https://forum.fortinet.com/tm.aspx?tree=true&m=184280&mpage=1 and I use it to segregate corporate and BYOD computers.
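The setup OrtegaPedro's accepted answer and Jan_1966's post describe, written out as FortiOS CLI so the two phase1-interfaces can be compared side by side. This is an added example, not configuration posted by anyone in the thread: the interface name wan1, the address object LAN_subnet, the client pools 10.10.1.0/24 and 10.10.2.0/24, the tunnel and pool names, and the public IP 203.0.113.10 are all constructed placeholders to be replaced with your own values. Both tunnels terminate on the same WAN interface in aggressive mode; the FortiGate tells them apart by the Peer ID each client sends as its Local ID. The second tunnel omits the split-include so all client traffic enters the tunnel, and a dedicated IP pool gives that traffic its own source IP on the internet, which covers the original question without VDOMs.

```text
# Tunnel 1: split tunnel enabled, only LAN_subnet is routed through the VPN
config vpn ipsec phase1-interface
    edit "dialup1"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype one
        set peerid "dialup1"        # clients must send Local ID "dialup1"
        set proposal aes256-sha256
        set dhgrp 14
        set mode-cfg enable
        set ipv4-start-ip 10.10.1.1
        set ipv4-end-ip 10.10.1.254
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "LAN_subnet"   # address object for the LAN
        set psksecret <PSK-for-dialup1>
    next
end

# Tunnel 2: no split tunnel, so the client routes everything into the VPN
config vpn ipsec phase1-interface
    edit "dialup2"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype one
        set peerid "dialup2"        # clients must send Local ID "dialup2"
        set proposal aes256-sha256
        set dhgrp 14
        set mode-cfg enable
        set ipv4-start-ip 10.10.2.1
        set ipv4-end-ip 10.10.2.254
        set ipv4-netmask 255.255.255.0
        set psksecret <PSK-for-dialup2>
    next
end

# Phase 2 for both tunnels (selectors 0.0.0.0/0 on a dialup tunnel)
config vpn ipsec phase2-interface
    edit "dialup1-p2"
        set phase1name "dialup1"
        set proposal aes256-sha256
    next
    edit "dialup2-p2"
        set phase1name "dialup2"
        set proposal aes256-sha256
    next
end

# Separate public source IP for internet traffic leaving tunnel 2
config firewall ippool
    edit "dialup2-snat"
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
end

config firewall policy
    edit 0
        set name "dialup2-to-internet"
        set srcintf "dialup2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "dialup2-snat"
    next
end
```

Each tunnel still needs its own policy from the tunnel interface to the LAN, as the existing working tunnel already has. On the FortiClient side the only difference between the two profiles is the Local ID under Advanced Settings > Phase 1 ("dialup1" or "dialup2") plus the matching pre-shared key; a client that sends no Local ID, or one that matches neither tunnel, is rejected at phase 1, which is what `set peertype one` enforces. A quick check after a client connects is `diagnose vpn ike gateway list`, which shows which phase1-interface each peer landed on.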

Toshi_Esumi
Esteemed Contributor III

I was thinking the article I referred to provided a config to have a few dialup termination points on the FGT side so that many clients can dial up to the same termination points. But I was wrong. FortiClient can be configured only with a "local ID", not a "peer/remote ID". So you need to create one phase1-interface config for each client, which is not going to scale.

If it's FGT-to-FGT dialup IPsec you should be able to do what I was thinking originally, or with other vendors' firewalls, which can specify a peer ID. I'm not sure why we can't specify a peer ID at the FortiClient.

Jan_1966

As said, I have two VPN tunnel interfaces, each with multiple concurrent users.

Just different Peer IDs.

Works perfectly. I have at least 40 users over the 2 tunnels.

Toshi_Esumi
Esteemed Contributor III

Wait, what was the problem then?
