kkeane
New Contributor

Two different IPSec VPNs to the same gateway?

Hi, I'm trying to set up two separate dial-up VPNs to a Fortigate, and am a little confused about how they are supposed to coexist. Maybe somebody could help me clear up the fuzziness in my mind?

The first VPN is a gateway-to-gateway VPN, the second will be an L2TP VPN to support road warriors. I have been able to set up both VPNs successfully one at a time, but not make them coexist on the same Fortigate.

The gateway-to-gateway VPN is a route-based VPN between two Fortigates, FG-A and FG-B. FG-A is in the central office with a static public IP. FG-B is in the remote office with a dynamic public IP. I am using the Fortigate factory certificates for authentication.

The road-warrior VPN will go to FG-A. Following the IPSec documentation, I set it up as a policy-based VPN. When I try to connect to this VPN, Windows will display an error 789.

Before I go into troubleshooting mode, I would like to understand more about what's supposed to happen. When the dial-up client connects, how does the Fortigate determine which of the two VPNs to use? Thanks!
Dipen
New Contributor III

For the site-to-site VPN, have you considered using DynDNS for FGT-B so that you don't need to configure the site-to-site VPN on FGT-A as a dial-up? For road warriors you can simply configure a FortiClient VPN, which is IPsec as well.

Ahead of the Threat. FCNSA v5 / FCNSP v5

Fortigate 1000C / 1000D / 1500D
Dipen
New Contributor III

Moreover, for road warriors you can consider SSL-VPN [Tunnel Mode] any time.
kkeane
New Contributor

I'm very reluctant to use DynDNS because this VPN is already in production; I don't really want to touch it unless I have to. The VPN really needs to work with the native tools for Windows and iPad (meaning, L2TP). Forticlient - no thanks. I really like the quality of Fortigate in general, but with Forticlient, they did a shoddy job; I wouldn't impose that on my users unless I have to. The problem is that it can kill your user's Windows computer with no easy recourse. The specific problem is that the included antivirus software is oblivious to already-installed AV software. If you have road warriors, you can either enable the Fortigate AV (and kill those who already have another antivirus program), or disable it, and negate the whole point of protecting the endpoint (and you still risk accidentally turning on the AV).
Phill_Proud
New Contributor

I'm not sure really how to respond to you but if you want to PM me I can probably help. I have an L2TP dial-in VPN running side by side with a tunnel mode and an interface mode tunnel in the same VDOM.
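An added illustration of the side-by-side layout Phill_Proud describes, for FG-A only. This is not configuration from the thread or from Fortinet; it is written from memory of the FortiOS 5.x CLI, so every keyword should be checked against the CLI reference for your firmware, and the interface name (`wan1`, `internal`), object names, address ranges, user group and certificate subject are assumed placeholders. Both phase1 definitions are dial-up (`type dynamic`) on the same WAN interface, so FG-A cannot pick a tunnel by peer address. The layout assumes the gateway distinguishes them by what the initiator proposes in IKE phase 1: the site-to-site tunnel is the only one authenticating with a certificate against a specific peer object, and the L2TP tunnel is the only one using a pre-shared key. That separation by authentication method is the assumption the example relies on; if your firmware also requires distinct peer IDs or aggressive mode for multiple dial-up phase1s on one interface, the certificate peer object is where the site-to-site side would be pinned down further.

```text
# --- Site-to-site, route-based (interface mode), certificate auth ---
# FG-B initiates from a dynamic address, so FG-A's phase1 is dial-up.
# Assumed: FG-B's factory certificate subject; "Fortinet_CA" is the
# built-in CA that signs the factory certificates.
config user peer
    edit "FG-B_peer"
        set ca "Fortinet_CA"
        set subject "FG-B-SERIAL-NUMBER"      # placeholder subject
    next
end
config vpn ipsec phase1-interface
    edit "s2s-dialup"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode main
        set authmethod signature              # certificate, not PSK
        set certificate "Fortinet_Factory"
        set peertype peer
        set peer "FG-B_peer"                  # only this cert is accepted
        set proposal aes256-sha256
        set dhgrp 14
    next
end
config vpn ipsec phase2-interface
    edit "s2s-p2"
        set phase1name "s2s-dialup"
        set proposal aes256-sha256
        set src-subnet 10.1.0.0 255.255.0.0   # FG-A side (assumed)
        set dst-subnet 10.2.0.0 255.255.0.0   # FG-B side (assumed)
    next
end
config firewall policy
    edit 0
        set srcintf "s2s-dialup"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# --- Road warriors, L2TP over policy-based IPsec, PSK auth ---
# Native Windows/iOS clients use IKEv1 main mode with transport-mode ESP.
config vpn ipsec phase1
    edit "l2tp-dialup"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode main
        set authmethod psk                    # PSK, not certificate
        set psksecret "ENTER-A-LONG-RANDOM-SECRET"
        set proposal aes256-sha1 3des-sha1    # what stock clients offer
        set dhgrp 14 2
    next
end
config vpn ipsec phase2
    edit "l2tp-p2"
        set phase1name "l2tp-dialup"
        set proposal aes256-sha1 3des-sha1
        set pfs disable                       # stock L2TP clients do no PFS
        set encapsulation transport-mode
        set l2tp enable
    next
end
config vpn l2tp
    set status enable
    set sip 10.254.254.1                      # assumed pool start
    set eip 10.254.254.100                    # assumed pool end
    set usrgrp "l2tp-users"                   # assumed local user group
end
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set vpntunnel "l2tp-dialup"
    next
end
```

Two checks worth making once this is in place: confirm with the IKE debug on FG-A that a road-warrior connection lands on `l2tp-dialup` and FG-B's connection on `s2s-dialup` rather than both hitting the first dial-up phase1, and keep the L2TP proposal list limited to what your clients actually send, since a generic list that also matches FG-B's proposal removes the one difference the gateway has to work with.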
Dipen
New Contributor III

There used to be a piece of software called FortiClient Connect which offered SSL VPN and IPsec VPN only?