Cybersecurity Forum


DarrBeau
New Contributor

Multiple VPN on external link

Hi,

I have a question about IPSec VPNs.
I have one IPSec VPN currently up and running on my WAN interface. This VPN is Site-to-Site with a remote location.

I want to add an L2TP IPSec VPN for my teleworkers, so this would be a Dialup VPN. This also needs to be configured on the WAN Interface.

Will this conflict with the existing S2S VPN? I have read a lot of the manuals but am not finding a definite answer.
I know that the FortiGate 60D can house a lot of VPN entries, but I just need confirmation that I won't kill the current S2S VPN by creating a new one.

Thanks,

Darrell

2 REPLIES
mnantel_FTNT
Staff

Darrell,

As long as your site to site tunnel is of type "static", meaning that you have defined a remote IP for the other end of the tunnel, then there wouldn't be any conflict, as IKE would only select your site to site phase1 definition if the remote IP matches.

Your L2TP definition would be of type "dialup", in which case there is no remote IP defined in the phase1 - we don't know from what address users will connect _and_ there will be many connecting users. Dialup phase1 type acts as a "template" interface, allowing multiple connections as you would expect for dialup users. This is also used for connecting site to site with other devices, a topic you can find out more about in the VPN section of http://cookbook.fortinet.com.

Thus in summary, you are OK to proceed in this case. A situation where you would have contentious selection of the proper tunnel definition is if you had multiple "dialup" type tunnel definitions. Without going into too much detail on match criteria for these situations, you would use IKEv1 aggressive mode to route incoming connections in this case. That's not always possible, but it's one technique that works.

Hope this helps!

Mat

--

Mathieu Nantel

Principal Presales Security Expert

-- Mathieu Nantel Systems Engineer / Conseiller Technique - Fortinet Montreal, QC
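To make the static-versus-dialup distinction from the reply above concrete, here is an added FortiOS CLI sketch (not from the thread or from Fortinet's documentation) of both phase1 definitions bound to the same WAN interface. The interface name, peer address, address pool, user group and pre-shared keys are assumed placeholders; only the `type static` / `type dynamic` split and the transport-mode L2TP phase2 are the point.

```text
# Site-to-site tunnel: type static, so IKE only matches it when the
# peer's source IP equals remote-gw (203.0.113.10 is a placeholder).
config vpn ipsec phase1-interface
    edit "S2S-Branch"
        set interface "wan1"
        set type static
        set remote-gw 203.0.113.10
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "<s2s-psk-placeholder>"
    next
end

# Teleworker tunnel: type dynamic (dialup template), no remote-gw,
# accepts any source IP that does not match a static definition.
config vpn ipsec phase1
    edit "L2TP-Dialup"
        set interface "wan1"
        set type dynamic
        set mode main
        set proposal aes256-sha1 aes128-sha1
        set dhgrp 2
        set psksecret "<dialup-psk-placeholder>"
    next
end

# L2TP rides inside IPsec transport mode, hence the phase2 flags.
config vpn ipsec phase2
    edit "L2TP-Dialup-p2"
        set phase1name "L2TP-Dialup"
        set proposal aes256-sha1 aes128-sha1
        set pfs disable
        set encapsulation transport-mode
        set l2tp enable
    next
end

# Address pool and user group handed to dialup clients (placeholders).
config vpn l2tp
    set status enable
    set sip 192.168.100.100
    set eip 192.168.100.200
    set usrgrp "L2TP_users"
end
```

Keep only one dynamic phase1 per interface unless you can separate them by peer ID in aggressive mode, which is the contention case the reply warns about.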

DarrBeau

Thanks Mathieu,

I'm going to set up the additional Dialup VPN alongside the S2S VPN.
Thanks for your input!!

Best Regards,

Darrell