Thanks again, Toshi

I did exactly what you proposed. I'm perfectly able to connect using my first tunnel. In the IPsec Monitor the PeerID shows up nicely. But the connection to my second tunnel still doesn't work. I'm getting "The preshared key is not correct". What happens is that not the second tunnel is tried to connect to, but the first. And as have chosen a different preshared key to tell them appart, the key obviously doesn't match. The cause is kind of a strict relation between the WAN1 interface and the first IPsec Tunnel, thus leading to the fact that no other IPsec Tunnel can claim to use WAN1. That's why using separate VDOMs would solve this. But I'm not giving up on finding the right solution without the work of setting up another VDOM.

So I'm wondering how Jan_1966 has found a way to have it work. Does he have two WAN connections, one for each tunnel?

you have to limit the 2nd tunnel to a specific peer id too. This is what Jan_1966 did.

Correct.

So I created 2 Remote Access VPN tunnels with the Wizard (different IP range), then in the Authentication section of each you define the PeerID that is accepted on this Tunnel. 

On the Client you define the local ID for the tunnel it needs to connect to. 

This way I segregated Corporate laptops from BYOD devices so they could use different Security policies and BYOD is using split tunneling, while the corporate all traffic is directed over the VPN tunnel.

In the Monitor I see generally about 8 Users on one tunnel and about 30 on the other.

Hope this helps.

Jan

Thanks Jan

I think I did the same. I started off with the wizard. Then added the localid using command line as Toshi had proposed. I paste my config here. Would you mind to compare this to yours or to post it here? I suppose you know how to use CLI to get the list.

gate (phase1-interface) # show config vpn ipsec phase1-interface     edit "access_dw"         set type dynamic         set interface "wan1"         set mode aggressive         set peertype any         set net-device disable         set mode-cfg enable         set ipv4-dns-server1 192.168.10.8         set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1         set localid "withdw"         set dpd on-idle         set comments "VPN: access_dw (Created by VPN wizard)"         set wizard-type dialup-forticlient         set xauthtype auto         set authusrgrp "dwi-VPN-access"         set ipv4-start-ip 172.16.10.20         set ipv4-end-ip 172.16.10.39         set ipv4-split-include "access_dw_split"         set save-password enable         set psksecret ENC [[my-secret-hash-1]]         set dpd-retryinterval 60     next     edit "through_dw"         set type dynamic         set interface "wan1"         set mode aggressive         set peertype any         set net-device disable         set mode-cfg enable         set ipv4-dns-server1 192.168.10.8         set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1         set localid "throughdw"         set dpd on-idle         set comments "VPN: through_dw (Created by VPN wizard)"         set wizard-type dialup-forticlient         set xauthtype auto         set authusrgrp "dwi-VPN-access"         set ipv4-start-ip 10.0.10.20         set ipv4-end-ip 10.0.10.39         set save-password enable         set psksecret ENC [[my-secret-hash-2]]         set dpd-retryinterval 60     next end

Hi,

I am not going to paste the whole configuration, but your configuration states PeerID Any. On the Fortigate side it's not the localID, but the Peer ID you need to change:

set peertype one

set peerid "Noncorporate"

It's in the Authentication section of the VPN tunnel

Accept type: Specific Peer ID

PeerID: "whatever the name is you accept on this tunnel"

Thanks Jan

With Pedros input I realised I had to change exaktly this using CLI. So

set peertype one set peerid "id-tunnel-1"

set localid "my-local-id" and

set peertype one set peerid "id-tunnel-2"

set localid "my-local-id"

for the other tunnel.

In FortiClient there's one confusing thing though. We had to insert the Peer ID of the selected tunnel in the field "Local ID" in order to have it work correctly.

Now everything's solved! Apart from an issue concerning macOS Catalina users (https://forum.fortinet.com/tm.aspx?m=179386), which I hope will be solved soon. For them we configured an SSL-VPN tunnel. Works for them as well as for iOS clients.

So thanks everybody contributing!

Have a good time and stay healthy

Itemanuel

As far as I am aware the Local ID you specify on the forticlient should be the Peer ID you specified on the fortigate, or at least that's how it works on the ones I have setup.

Run your "diag debug flow" and inspect the action after during the user(s) testing.

Ken Felix