Issue with VPN IPsec remote access
I can't run more than one VPN IPsec remote access.
As I have made two VPNs (admin, sales),
I can't access the sales tunnel from the FortiClient.
And when reviewing the log I see that any VPN matches the admin tunnel, so it can't come up as it doesn't have the same pre-shared key.
If I want to join with sales I have to disable the VPN tunnel (admin).
Does anyone know how to solve this?
Hello khld_saad,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hi,
In order to run multiple IPsec dialup tunnels for dept/people/purposes, you would need to configure them as per https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-Peer-IDs-to-select-an-IPsec-dia...
To expand on the reply & documentation link by @funkylicious :
With dialup tunnels it's often easy to create "overlap". An incoming connection is evaluated for a matching dialup/dynamic tunnel against the list of your existing phase1 configurations in their alphabetical order.
Assuming you use one WAN with one IP and use the same crypto settings (e.g. using a wizard), you are almost assured to have essentially identical tunnel settings, in which case the alphabetically ordered first tunnel will "win" the match.
There are many ways to disambiguate the two (or more) dialup tunnels:
- use different peer-ID (as the linked document says), available only with IKEv1 aggressive mode!
- serve each tunnel from a different IP
- use different network ID in phase1 (IKEv2; not for FortiClients, AFAIK)
- use different, non-overlapping, crypto settings for each tunnel (e.g. AES-CBC-128 for one, AES-GCM-128 for the second one, ...)
- use different IKE versions or modes for each (IKEv1 main, IKEv1 aggressive, IKEv2; that being said v2 has additional configurational consequences, so that may be too dramatic of a change for you if not ready to deal with it).
Or simply use a single VPN tunnel/phase1, and differentiate access levels by user/group authorization in firewall policies.
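As an added illustration of the peer-ID approach from the first bullet (this is not configuration from the thread or from Fortinet's documentation), here are two dialup phase1-interface definitions that share one WAN interface and identical crypto settings but are told apart by peer ID in IKEv1 aggressive mode. The tunnel names, user group names, interface name, peer IDs and the pre-shared key placeholders are assumed.

```text
config vpn ipsec phase1-interface
    edit "admin"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "admin-vpn"
        set proposal aes128-sha256
        set dhgrp 14
        set xauthtype auto
        set authusrgrp "admin_grp"
        set psksecret <PSK-ADMIN-PLACEHOLDER>
    next
    edit "sales"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "sales-vpn"
        set proposal aes128-sha256
        set dhgrp 14
        set xauthtype auto
        set authusrgrp "sales_grp"
        set psksecret <PSK-SALES-PLACEHOLDER>
    next
end
```

Each FortiClient profile then has to send the matching Local ID ("admin-vpn" or "sales-vpn") so that IKE selects the intended phase1 instead of the alphabetically first one; a client that presents no matching ID is not accepted by either tunnel, which is the behaviour to look for in the IKE log when verifying the change.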
