Hi We are running a FortiGate 60E using a single WAN-Connection (set of public IPs) and a straight C-Class private LAN. We have some services in our LAN that my colleagues and me are using every day. Basically everything works just nicely. I have set up a dialup VPN Tunnel (IPsec) to provide access from remote networks. This VPN Tunnel is set to have "Enable IPv4 Split Tunnel" checked as normally we would like have internet traffic not to take the VPN route, but to go there directly. This tunnel works great and we are happy with bandwith and performance. Now in addition to that, we need to have a VPN-Tunnel with "IPv4 Split Tunnel" disabled. In some cases we need to have all traffic go through that tunnel and for internet traffic we'd like to have a different public IP address being used than the one generally defined for WAN1. So appart from the "Split Tunnel" feature and a different Client Address Range, there should not be a difference. But the thing is, this second dialup VPN tunnel doesn't work. In [link]https://forum.fortinet.com/tm.aspx?m=174231[/link] ede_pfau recommends using VDOMs for this kind of setup. But this seems way too complicated to me. Especially as there is no need the securely separate the traffic between the two or to have two different LANs to be reached by the VPN Tunnels. So the typical use case for VDOMs is not given. Does anybody know how to tackle this in the sense of "best practice"? Any help and support is appreciated. itemanuel
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi
To use more than 1 IPSec Tunnel in the same interface you must specify unique Peer ID in each VPN tunnel (Authentication section) and the same in Local ID (Phase1 Section).
In Forticlient VPN set the Local ID under Advanced Settings > Phase1
Try this one:
https://kb.fortinet.com/kb/documentLink.do?externalID=10114
I think the KB is a little old. So the GUI menu might not match yours. I almost never use GUI to create IPSec so I don't now for sure, but I think it now show it as "Local ID" instead of "Peer ID" when you choose "Custom" in the wizard.
Then the client can choose which dialup Phase1-interface to connect to.
Thanks!
Sounds like a good idea. Thing is, that I can't find a way to have my FortiGate 60E (FortiOS 6.2.3) show the IKE and Peer Options part in the section "Authentication". Tried to enable the feature in System > Feature visibility by checking "Policy-based IPsec VPN". Do you have a hint how I can manage to use edit my VPN tunnels to use Peer IDs in the GUI of my FortiGate?
This is a part of regular interface-based IPsec's features. You don't have toenable policy-based IPsec in GUI visibility.
Once you choose "Custom" IPsec, then choose "Agressive" mode, the Peer Options config part should show up in your screen.
Ok, I see. So I converted the two tunnels to "custom" ones. Still have to sort out something, as connections are failing in phase 2. Just curious: I guess, the actual Peer ID can be anything, right? The just need to be different. I have tried "dialup1" and "dialup2" though...
The IDs themselves should be fine as long as you can configure them on the client side. The original dialup IPsec was working fine with one phase1-interface before, right? I would suggest going back to the original working set up, then take a config snapshot of phase1-interface and phase2-interface in CLI (config vpn ipsec phase1-interface/config vpn ipsec phase2-interface, then just "show"). Only thing should change is "set localid "dialupX"" in the phase1-interface config.
Hi,
I think this is the same config that I have. Each VPN tunnel needs a PeerID in the Authentication settings:
Accept types: Specific Peer ID
Peer ID: Whatever_name
Then on the Client side in the Phase 1 local ID for each Tunnel you want them to connect to you have to have the matching LocalID.
I created this with help from this forum https://forum.fortinet.com/tm.aspx?tree=true&m=184280&mpage=1 and I use it to segregate Corporate and BYOD computers.
I was thinking the article I referred to providing config to have a few dialup termination points on the FGT side and many clients can dialup to the same termination points. But I was wrong. Forticlient can be configured only with "local ID" not "peer/remote ID". So you need to create one phase1-interface config for each client, which is not going to scale.
If it's FGT to FGT dialup IPsec you should be able to do what I was thinking originally, or other vendor's FWs, which can specify peer ID. I'm not sure why we can't specify peer ID at the FortiClient.
As said, I have to VPN tunnel interfaces. Each with multiple users concurrent.
Just different PeerID.
Works perfectly. I have at least 40 Users over the 2 tunnels.
Wait, what was the problem then?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1536 | |
1029 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.