Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Antoine
New Contributor II

Sharing site-2-site with dialup server on same interface?

I am very short on public IPs, and I would like to have my Fortigate to service IPsec clients (using a variety of clients) while at the same time using the same public IPv4 to keep running the site-2-site tunnel with a remote branch office (with a 2nd Fortigate there).

Is it even possible, or am I asking too much? 

4 REPLIES 4
emnoc
Esteemed Contributor III

No that is doable. You can bound multuiple ipsec tunnels to the same wan interface and address. You might have to use peerid to distinguish peers for s2s tunnels.

 

e.g

fqdn

string

email

certificate DN

 

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Antoine
New Contributor II

Thanks for your answer.

I understand the idea of using peerid to multiplex an IPsec service; although I am under the impression it restricts to IKE v1 and aggressive mode (please, please correct me where I am wrong).

 

However, I would like to confirm you can mix on the same interface, s2s tunnels (using "set type static" in phase1-interface) with dialup answering services ("set type dynamic"); your post seems to mean the former can be multiplexed, but I am interested to use the latter as well.

sw2090

I have dial up ipsec tunnels (mostly ike1, aggressive mode, split tunneling) and also s2s tunnels on the same interface without any problems.

Like emnoc wrote you might have to use peerids or unique pairs of proposals to have the FGT assign the correct tunnels. It won't mix up dial up and s2s anyways because s2s does not support dial up so you cannot want to dial into a s2s ;)

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
emnoc
Esteemed Contributor III

No Aggression mode does not need peerid (aka  groups ) but yes you can mix and match static and dialup to the same interface. So you do not have any worries in that area. You can also run IKEv1 v2 versions on the same interfaces.

 

Your only limit on how many tunnels on one interface is outline in the fortios max values . Outside of that, your good to go.

 

You can reference max value via your fortios version

 

https://docs.fortinet.com/document/fortigate/6.2.0/fortios-maximum-values-table

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors