FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ezhupa
Staff
Staff
Article Id 283504
Description This article describes issues with multiple dial-up IPsec VPNs on the HUB after upgrading to 7.0.13 or 7.2.6
Scope FortiGate.
Solution When having a FortiGate act as a HUB/Dialup Server with multiple spokes/dial-up clients and the clients have overlapping phase2 selectors, for example 0.0.0.0/0, it is possible to experience flapping issues. 

Currently, the solutions would be:
  1. Configure specific phase2 selectors to avoid subnet overlapping (avoid using 0.0.0.0/0 on all spokes/dial-up clients).

  2. If routing either static or dynamic is already in place, disable 'add-route' under phase1 configuration as by default it is enabled.

    config vpn ipsec phase1-interface
        edit <name of phase1>
            set add-route disable
    end

  3. Allow route-overlap under phase2 configuration on HUB/Dialup Server.

    config vpn ipsec phase2-interface
        edit <name of phase2>
            set route-overlap allow
    end


After performing these changes the issue should be resolved.

The changes in default behavior are outlined in the release notes of v7.2.6 and v7.0.13.

 

Related documents:

7.0.13 Release notes

7.2.6 Release notes