Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Two dialup VPN tunnels to use the same interfaces
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Two dialup VPN tunnels to use the same interfaces
Hi We are running a FortiGate 60E using a single WAN-Connection (set of public IPs) and a straight C-Class private LAN. We have some services in our LAN that my colleagues and me are using every day. Basically everything works just nicely. I have set up a dialup VPN Tunnel (IPsec) to provide access from remote networks. This VPN Tunnel is set to have "Enable IPv4 Split Tunnel" checked as normally we would like have internet traffic not to take the VPN route, but to go there directly. This tunnel works great and we are happy with bandwith and performance. Now in addition to that, we need to have a VPN-Tunnel with "IPv4 Split Tunnel" disabled. In some cases we need to have all traffic go through that tunnel and for internet traffic we'd like to have a different public IP address being used than the one generally defined for WAN1. So appart from the "Split Tunnel" feature and a different Client Address Range, there should not be a difference. But the thing is, this second dialup VPN tunnel doesn't work. In [link]https://forum.fortinet.com/tm.aspx?m=174231[/link] ede_pfau recommends using VDOMs for this kind of setup. But this seems way too complicated to me. Especially as there is no need the securely separate the traffic between the two or to have two different LANs to be reached by the VPN Tunnels. So the typical use case for VDOMs is not given. Does anybody know how to tackle this in the sense of "best practice"? Any help and support is appreciated. itemanuel
Solved! Go to Solution.
Labels:
- Labels:
-
6.2
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
To use more than 1 IPSec Tunnel in the same interface you must specify unique Peer ID in each VPN tunnel (Authentication section) and the same in Local ID (Phase1 Section).
In Forticlient VPN set the Local ID under Advanced Settings > Phase1
22 REPLIES 22
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So if above is the fact and can't change, only options for you would be:
1) have two different interfaces for two different dialup IPsec termination points (or separate vdoms, which would do similar)
or,
2) go to SSL VPN instead and separate user groups then set separate policies, or simply use "realm" to separate "portal" for each user group.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks again, Toshi
I did exactly what you proposed. I'm perfectly able to connect using my first tunnel. In the IPsec Monitor the PeerID shows up nicely. But the connection to my second tunnel still doesn't work. I'm getting "The preshared key is not correct". What happens is that not the second tunnel is tried to connect to, but the first. And as have chosen a different preshared key to tell them appart, the key obviously doesn't match. The cause is kind of a strict relation between the WAN1 interface and the first IPsec Tunnel, thus leading to the fact that no other IPsec Tunnel can claim to use WAN1. That's why using separate VDOMs would solve this. But I'm not giving up on finding the right solution without the work of setting up another VDOM.
So I'm wondering how Jan_1966 has found a way to have it work. Does he have two WAN connections, one for each tunnel?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you have to limit the 2nd tunnel to a specific peer id too. This is what Jan_1966 did.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Correct.
So I created 2 Remote Access VPN tunnels with the Wizard (different IP range), then in the Authentication section of each you define the PeerID that is accepted on this Tunnel.
On the Client you define the local ID for the tunnel it needs to connect to.
This way I segregated Corporate laptops from BYOD devices so they could use different Security policies and BYOD is using split tunneling, while the corporate all traffic is directed over the VPN tunnel.
In the Monitor I see generally about 8 Users on one tunnel and about 30 on the other.
Hope this helps.
Jan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Jan
I think I did the same. I started off with the wizard. Then added the localid using command line as Toshi had proposed. I paste my config here. Would you mind to compare this to yours or to post it here? I suppose you know how to use CLI to get the list.
gate (phase1-interface) # show config vpn ipsec phase1-interface edit "access_dw" set type dynamic set interface "wan1" set mode aggressive set peertype any set net-device disable set mode-cfg enable set ipv4-dns-server1 192.168.10.8 set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set localid "withdw" set dpd on-idle set comments "VPN: access_dw (Created by VPN wizard)" set wizard-type dialup-forticlient set xauthtype auto set authusrgrp "dwi-VPN-access" set ipv4-start-ip 172.16.10.20 set ipv4-end-ip 172.16.10.39 set ipv4-split-include "access_dw_split" set save-password enable set psksecret ENC [[my-secret-hash-1]] set dpd-retryinterval 60 next edit "through_dw" set type dynamic set interface "wan1" set mode aggressive set peertype any set net-device disable set mode-cfg enable set ipv4-dns-server1 192.168.10.8 set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set localid "throughdw" set dpd on-idle set comments "VPN: through_dw (Created by VPN wizard)" set wizard-type dialup-forticlient set xauthtype auto set authusrgrp "dwi-VPN-access" set ipv4-start-ip 10.0.10.20 set ipv4-end-ip 10.0.10.39 set save-password enable set psksecret ENC [[my-secret-hash-2]] set dpd-retryinterval 60 next end
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am not going to paste the whole configuration, but your configuration states PeerID Any. On the Fortigate side it's not the localID, but the Peer ID you need to change:
set peertype one
set peerid "Noncorporate"
It's in the Authentication section of the VPN tunnel
Accept type: Specific Peer ID
PeerID: "whatever the name is you accept on this tunnel"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Jan
With Pedros input I realised I had to change exaktly this using CLI. So
set peertype one set peerid "id-tunnel-1"
set localid "my-local-id" and
set peertype one set peerid "id-tunnel-2"
set localid "my-local-id"
for the other tunnel.
In FortiClient there's one confusing thing though. We had to insert the Peer ID of the selected tunnel in the field "Local ID" in order to have it work correctly.
Now everything's solved! Apart from an issue concerning macOS Catalina users (https://forum.fortinet.com/tm.aspx?m=179386), which I hope will be solved soon. For them we configured an SSL-VPN tunnel. Works for them as well as for iOS clients.
So thanks everybody contributing!
Have a good time and stay healthy
Itemanuel
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As far as I am aware the Local ID you specify on the forticlient should be the Peer ID you specified on the fortigate, or at least that's how it works on the ones I have setup.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Run your "diag debug flow" and inspect the action after during the user(s) testing.
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, thanks. I didn't know the same "local ID" for a group of clients would connect to a single of dialup at the FGT with the same "peer ID". Then, you just need to have two setups in the same way w/ different local/peer IDs for two groups of clients.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,698 -
FortiClient
1,763 -
5.2
801 -
FortiManager
729 -
5.4
639 -
FortiAnalyzer
558 -
FortiSwitch
475 -
FortiAP
471 -
FortiClient EMS
432 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
245 -
FortiAuthenticator v5.5
234 -
IPsec
210 -
FortiWeb
205 -
5.0
196 -
FortiNAC
189 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
103 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
92 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
FortiGate-VM
13 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1713 | |
| 1093 | |
| 752 | |
| 447 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.