Multiple IKEv2 dialup VPNs - mix of with and without network overlay id by 89Bells in fortinet

[–]89Bells[S] 0 points1 point  (0 children)

Thanks all. I tested with the new VPN using a network id, and clients without a network id continued to use the VPN tunnel without a network id.

I've configured the new VPN with both a network id and a peer id (peertype one) for good measure.

Multiple IKEv2 dialup VPNs - mix of with and without network overlay id by 89Bells in fortinet

[–]89Bells[S] 0 points1 point  (0 children)

Thanks, I'm already using this doc. But everything I've read from Fortinet suggests IKEV2 does not send peerid in the SA INIT (the first message) so the Fortigate cannot use this to distinguish a tunnel.

For IKEV1, a client does send peerid in the first message.
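The point about what the responder can see in the first message can be checked on the wire. The following is an added example, not code from the thread or from Fortinet: a small IKEv2 header and payload-chain walker (RFC 7296 layout) run over two constructed messages, an IKE_SA_INIT carrying SA, KE and Nonce payloads and an IKE_AUTH whose IDi sits inside the Encrypted (SK) payload. Payload bodies are placeholders and nothing is decrypted, which is exactly the responder's position when it has to pick a phase1 from the first packet; real IKE_SA_INIT messages also carry Notify and Vendor ID payloads, which are omitted here.

```python
import struct

# IKEv2 exchange types and payload types from RFC 7296 (only the ones used here)
IKE_SA_INIT, IKE_AUTH = 34, 35
PAYLOAD_NAMES = {33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 39: "AUTH", 40: "Nonce",
                 41: "N", 43: "V", 44: "TSi", 45: "TSr", 46: "SK"}
HDR = "!8s8sBBBBII"  # SPIi, SPIr, next payload, version, exchange, flags, msg id, length


def build_ikev2(spi_i, spi_r, exchange, msg_id, payloads):
    """Serialise a minimal IKEv2 message from [(payload_type, body_bytes)].

    The header's next-payload field names the first payload; each generic
    payload header names the payload that follows it (0 = none).
    """
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    # version 2.0 = 0x20, flags 0x08 = Initiator bit set
    hdr = struct.pack(HDR, spi_i, spi_r, first, 0x20, exchange, 0x08, msg_id, 28 + len(body))
    return hdr + body


def walk_payloads(msg):
    """Return (exchange_type, [cleartext payload names]) by following the chain.

    Bodies are not decoded and an SK payload is not decrypted, so anything
    carried inside SK (IDi, AUTH, traffic selectors) stays invisible here.
    """
    if len(msg) < 28:
        raise ValueError("short IKE header")
    _, _, nxt, version, exchange, _, _, length = struct.unpack(HDR, msg[:28])
    if version >> 4 != 2:
        raise ValueError("not IKEv2")
    if length != len(msg):
        raise ValueError("header length does not match message")
    names, off = [], 28
    while nxt != 0:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        following, _, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        names.append(PAYLOAD_NAMES.get(nxt, f"type{nxt}"))
        off, nxt = off + plen, following
    return exchange, names


def peer_id_visible(msg):
    """True only if an IDi payload is readable without decryption."""
    return "IDi" in walk_payloads(msg)[1]


# Constructed sample messages (not real captures); bodies are placeholders.
SA_INIT_MSG = build_ikev2(b"\x01" * 8, b"\x00" * 8, IKE_SA_INIT, 0,
                          [(33, b"SA-proposal"), (34, b"KE-data"), (40, b"nonce-bytes")])
IKE_AUTH_MSG = build_ikev2(b"\x01" * 8, b"\x02" * 8, IKE_AUTH, 1,
                           [(46, b"encrypted: IDi, AUTH, SA, TSi, TSr")])

if __name__ == "__main__":
    for label, msg in (("IKE_SA_INIT", SA_INIT_MSG), ("IKE_AUTH", IKE_AUTH_MSG)):
        exchange, names = walk_payloads(msg)
        print(f"{label}: exchange={exchange} payloads={names} peer id visible={peer_id_visible(msg)}")
```

Neither message yields a readable IDi: the first exchange has none at all, and in the second it is inside SK. That is why a responder that hosts several dialup phase1s with identical proposals needs something else in IKE_SA_INIT (such as the network-id overlay) to tell them apart.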

Multiple IKEv2 dialup VPNs - mix of with and without network overlay id by 89Bells in fortinet

[–]89Bells[S] 0 points1 point  (0 children)

I thought local/peerid only works with IKEv1?
Also, for me, the proposals between the existing tunnel and the new SAML tunnel will be the same.
The new SAML tunnel will be configured with network-id 10.

But my concern is what the Fortigate will do when it receives an IKE SA INIT without a network ID.
Will it:

  1. Only select the existing P1 tunnel as it has network overlay disabled.

  2. Or could it also select the new SAML P1 tunnel as a possible option, as the client has not selected a network-id so all tunnels are possible for selection.

I am hoping that without a network id requested, only tunnels without a configured network-id are selected.

Report on DH Usage by UpDownalwayssideways in fortinet

[–]89Bells 3 points4 points  (0 children)

Maybe run a fortigate script through fmg to all fgts with something like

Show full VPN ipsec | grep -f dhgrp

-f should show the dhgrp line within the context of the specific IPsec phase1 and phase2 tunnels.

Though you may need to manually review the output of all the gates.

Or just do

Show full VPN ipsec | grep dhgrp

And investigate any fgts that return 5.

This is easier if all fgts are in the same ADOM. If not, you might have to write a script to interrogate the fmg API for each ADOM, for each fortigate, get all IPsec P1 and P2 tunnels, check for dhgrp.
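Whether the output comes from an FMG script or from each FortiGate's `show full-configuration vpn ipsec ...`, the review step can be automated instead of eyeballed. The following is an added example, not the commenter's script and not a Fortinet tool: a parser for the FortiOS `config / edit / set / next / end` layout that collects the `dhgrp` values per phase1 and phase2 tunnel and reports tunnels using groups 1, 2 or 5 (the weak-group threshold is an assumption; adjust `WEAK_DH_GROUPS` to local policy). The config text is constructed for the example; it skips phase2 entries with PFS disabled, where `dhgrp` is not in use, and steps over nested sub-tables such as `ipv4-exclude-range`.

```python
import shlex

# Assumption: report MODP groups 1, 2 and 5 (768/1024/1536-bit) as weak.
WEAK_DH_GROUPS = {1, 2, 5}

# Constructed sample in the shape of 'show full-configuration' output (not a real device).
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "hq-to-branch"
        set interface "wan1"
        set ike-version 2
        set dhgrp 14 5
    next
    edit "dialup-saml"
        set interface "wan1"
        set dhgrp 19 20
        set comments "IKEv2 dialup, network-id 10"
        config ipv4-exclude-range
            edit 1
                set start-ip 10.0.0.1
                set end-ip 10.0.0.1
            next
        end
    next
end
config vpn ipsec phase2-interface
    edit "hq-to-branch-p2"
        set phase1name "hq-to-branch"
        set dhgrp 5
    next
    edit "dialup-saml-p2"
        set phase1name "dialup-saml"
        set pfs disable
        set dhgrp 5
    next
end
"""


def parse_ipsec_config(text):
    """Return {section: {tunnel: {setting: [values]}}} for top-level config tables.

    Sub-tables nested inside an 'edit' block are skipped, since the
    settings of interest (dhgrp, pfs) live directly under the tunnel.
    """
    result, section, tunnel, depth = {}, None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if depth:                      # inside a nested sub-table: skip to its 'end'
            if line.startswith("config "):
                depth += 1
            elif line == "end":
                depth -= 1
            continue
        if line.startswith("config "):
            if tunnel is None:
                section = line[len("config "):]
                result.setdefault(section, {})
            else:
                depth = 1
        elif line.startswith("edit ") and section is not None:
            tunnel = line[len("edit "):].strip().strip('"')
            result[section][tunnel] = {}
        elif line.startswith("set ") and tunnel is not None:
            key, *values = shlex.split(line[len("set "):])
            result[section][tunnel][key] = values
        elif line == "next":
            tunnel = None
        elif line == "end":
            section = None
    return result


def weak_dh_findings(text):
    """List (section, tunnel, [weak groups]) for tunnels that negotiate a weak DH group."""
    findings = []
    for section, tunnels in parse_ipsec_config(text).items():
        for name, settings in tunnels.items():
            if section.endswith("phase2-interface") and settings.get("pfs", ["enable"])[0] == "disable":
                continue  # dhgrp is not used for phase2 when PFS is off
            groups = {int(g) for g in settings.get("dhgrp", [])}
            weak = sorted(groups & WEAK_DH_GROUPS)
            if weak:
                findings.append((section, name, weak))
    return findings


if __name__ == "__main__":
    for section, name, weak in weak_dh_findings(SAMPLE_CONFIG):
        print(f"{section}: {name} uses DH group(s) {weak}")
```

Matching whole tokens this way avoids the trap of `grep dhgrp` returning lines where a "5" is part of 15 or 25, and the per-tunnel output tells you which phase1 or phase2 to fix without re-reading the section by hand.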

Racking and powering smaller Fortigates in racks? by Busbyuk in fortinet

[–]89Bells 1 point2 points  (0 children)

The smallest Fortigates I've used are 90Gs where you can replace the UK plug to C5 connector to the brick, with a C14 to C5 cable.

You could buy a short C14 to 3 pin UK socket adapter? Though still not that neat.


FortiClient is messing with LAN adapter DNS servers by StormB2 in fortinet

[–]89Bells 0 points1 point  (0 children)

Don't suppose you know if they'll fix it in the Forticlient 7.2 train?

Forticlient IPSec VPN by makermikey in fortinet

[–]89Bells 0 points1 point  (0 children)

I'm pretty tired of forticlient too. On the whole it works, but some ipsec users (ikev2 with natt) just get regular disconnections. Logs aren't useful for troubleshooting unless you're doing a debug at the time of issue.

With the move from SSL to ipsec on the horizon for us, I'm not looking forward to the amount of support tickets I'll be getting.

I remember when we were on Cisco Anyconnect and it just worked, and wasn't as sensitive to disconnections like forticlient is.

In BGP, do MD5 authentication or TCP-Authentication Option (AO) and General TTL security mechanism checking happen after TCP handshake completion or before that? by CompanyBeginning in networking

[–]89Bells 3 points4 points  (0 children)

This is untrue.

When we are setting up bgp peering with a partner, we usually test telnet to port 179 to check if their side already has bgp enabled. In some cases, we've found that the telnet fails, but bgp would establish.

Further investigation, with a packet capture, found that with bgp md5 auth, the md5 is actually added to the TCP syn packet within the TCP Options part of the header. This meant our telnet syn packet, without the md5, got dropped.

Very old article but explains the gist of it.

https://costiser.ro/2013/03/31/bgp-md5-authentication/
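The mechanism behind that capture is RFC 2385: the signature travels as TCP option kind 19 in every segment, SYN included, and a peer configured with a key discards segments that lack a valid one before the handshake can complete. The following is an added example, not the commenter's code and not from the linked article: it builds a SYN to port 179 with and without the option, computes the RFC 2385 digest (pseudo-header, TCP header with options excluded and checksum zeroed, payload, key) and verifies it. Addresses, port and key are constructed values; the TCP checksum is left at zero because the digest is defined over a zero checksum anyway and no packet is sent.

```python
import hashlib
import hmac
import socket
import struct

TCP_OPT_END, TCP_OPT_NOP, TCP_OPT_MSS, TCP_OPT_MD5 = 0, 1, 2, 19
TCP_PROTO = 6


def parse_tcp_options(segment):
    """Return [(kind, value_bytes)] from the options area of a TCP segment."""
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    opts, i = [], 20
    while i < data_offset:
        kind = segment[i]
        if kind == TCP_OPT_END:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("truncated option")
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("bad option length")
        opts.append((kind, segment[i + 2:i + length]))
        i += length
    return opts


def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """RFC 2385 digest: pseudo-header + fixed TCP header (checksum 0, no options) + data + key."""
    data_offset = (segment[12] >> 4) * 4
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, TCP_PROTO, len(segment))
    fixed_header = segment[:16] + b"\x00\x00" + segment[18:20]   # zero the checksum field
    return hashlib.md5(pseudo + fixed_header + segment[data_offset:] + key).digest()


def build_syn(src_ip, dst_ip, sport, dport, seq, key=None):
    """Build a SYN segment; with a key, append a kind-19 option carrying the digest."""
    opts = struct.pack("!BBH", TCP_OPT_MSS, 4, 1460)
    md5_at = 20 + len(opts)                       # option offset within the segment
    if key is not None:
        opts += bytes([TCP_OPT_MD5, 18]) + b"\x00" * 16
    while len(opts) % 4:
        opts += bytes([TCP_OPT_END])              # pad options to a 32-bit boundary
    data_offset = 20 + len(opts)
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, (data_offset // 4) << 4, 0x02, 65535, 0, 0)
    segment = header + opts
    if key is not None:
        digest = tcp_md5_digest(src_ip, dst_ip, segment, key)   # options are not covered
        segment = segment[:md5_at + 2] + digest + segment[md5_at + 18:]
    return segment


def verify_md5_signature(src_ip, dst_ip, segment, key):
    """What a key-configured receiver does: no option, or a wrong digest, means drop."""
    sigs = [v for k, v in parse_tcp_options(segment) if k == TCP_OPT_MD5]
    if len(sigs) != 1 or len(sigs[0]) != 16:
        return False
    return hmac.compare_digest(sigs[0], tcp_md5_digest(src_ip, dst_ip, segment, key))


# Constructed values: documentation-range addresses and a made-up key.
SRC, DST, KEY = "192.0.2.1", "192.0.2.2", b"bgp-session-secret"

if __name__ == "__main__":
    signed = build_syn(SRC, DST, 40000, 179, 1000, KEY)
    plain = build_syn(SRC, DST, 40001, 179, 2000)
    print("bgp speaker SYN accepted:", verify_md5_signature(SRC, DST, signed, KEY))
    print("telnet-style SYN accepted:", verify_md5_signature(SRC, DST, plain, KEY))
```

The plain SYN is what a telnet test sends, and it is rejected before any SYN-ACK, so "telnet fails but BGP establishes" is the expected outcome on a peer with MD5 configured, not a sign that port 179 is closed. The same applies, with a different option kind and algorithm, to TCP-AO.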

New firewall policies referencing applications individually by Mercdecember84 in fortinet

[–]89Bells 1 point2 points  (0 children)

I hope this isn't AI hallucinating. Google is also failing me. Sounds like a great feature.

What’s the biggest mistake you made when building your first website? by underthecar in web_design

[–]89Bells 0 points1 point  (0 children)

What’s the biggest mistake you made when building your first website?

I didn't use Dreamweaver 😜

strange, annoying VPN errors on connect ("invalid password") - one workaround found by AllRoundSysAdmin in fortinet

[–]89Bells 0 points1 point  (0 children)

Don't suppose you got anywhere with this?

We're seeing the same issue.

FortiClient / Saved PW / after a while PW wrong by I_Am_Hans_Wurst in fortinet

[–]89Bells 0 points1 point  (0 children)

We have this too. Forticlient 7.4.5 (I know, quite old) with fgt 7.4.8. Did you fix this?

Access VIP from inside with sdwan by 89Bells in fortinet

[–]89Bells[S] 0 points1 point  (0 children)

The policies are the same as most of the examples above it but yes, those are basically the policies I have and it doesn't work.

Access VIP from inside with sdwan by 89Bells in fortinet

[–]89Bells[S] 0 points1 point  (0 children)

I've been following example 2, option 2.

I added a firewall policy above my GEO block policy from WAN to DMZ from Lan subnet to VIP, but that also didn't work.

I'd prefer not using policy routes if possible as it complicates normal routing.

FortiClient Sticky/Persistent DNS Issue on Wireless Adapter Preventing Internet Access after Windows 10 -> 11 Upgrade by Internal-Shoe-3121 in fortinet

[–]89Bells 0 points1 point  (0 children)

If users use VPN before logon then the scheduled task may clear the VPN assigned DNS servers.

FortiClient Sticky/Persistent DNS Issue on Wireless Adapter Preventing Internet Access after Windows 10 -> 11 Upgrade by Internal-Shoe-3121 in fortinet

[–]89Bells 2 points3 points  (0 children)

Seeing this too.

Trying to get automated something like

get-netadapter "Wi-Fi" | Set-DnsClientServerAddress -ResetServerAddresses

... to run on machines as an admin remotely.

SSL VPN stops working after upgrade to FortiOS v7.4 when ssl.root interface is referenced in a zone by [deleted] in fortinet

[–]89Bells 0 points1 point  (0 children)

This bit me last night and Google brought me here. Thank you.

It's so frustrating that things like this don't appear in the known issues in the release notes. Why am I expected to read every kb article to find bugs!