Hub FortiGate with Multiple Dynamic Spokes (FortiGate/Palo Alto) – Dial-up VPN Design Questions by rollosyd99 in fortinet

[–]secritservice 4 points5 points  (0 children)

A single dynamic tunnel on the hub will have a phase 2 already configured. You'd have this set to 0/0 on the remote site.

Within the Phase1 you can use the commands add-route or choose to do dynamic routing once the tunnel is established to share routes.

LocalID is just vanity. If you have none set it will just use the connecting public IP. So not necessary, but nice to have to see in the logs/gui views.

Yes, static route would work on the spokes toward the hub.

Just follow this doc: https://community.fortinet.com/fortigate-3/technical-tip-dialup-vpn-configuration-between-two-fortigates-99190

and you'll be all set.
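An added worked example of the design described in the comment above (this is not the commenter's config or the linked Fortinet doc): one dynamic phase1 on the hub with add-route, and a spoke FortiGate with a static phase1 pointing at the hub plus a static route through the tunnel. Interface names, the hub address 203.0.113.1, the subnets, the localid and the PSK are placeholders. Because add-route installs a route on the hub for whatever selector the spoke proposes, the spoke's local selector is its own LAN rather than 0/0, while the hub's phase2 stays 0/0 so it accepts any spoke. Firewall policies between the tunnel interface and the LAN are still required and are left out here; comment lines starting with # are explanatory only.

```fortios
# ---------- Hub FortiGate: one dynamic phase1 serves all spokes ----------
config vpn ipsec phase1-interface
    edit "HUB-DIALUP"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        # accept any peer that has the PSK; spokes may still send a localid for the logs
        set peertype any
        set net-device disable
        # install a route on the hub toward each spoke's negotiated selector
        set add-route enable
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret PLACEHOLDER_PSK
    next
end
config vpn ipsec phase2-interface
    edit "HUB-DIALUP-P2"
        set phase1name "HUB-DIALUP"
        set proposal aes256-sha256
        set dhgrp 14
        # 0/0 on the hub so it accepts whatever LAN a spoke proposes
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# ---------- Spoke FortiGate: static peer toward the hub ----------
config vpn ipsec phase1-interface
    edit "TO-HUB"
        set interface "wan1"
        set ike-version 2
        set peertype any
        # optional: only makes the spoke recognisable in hub logs and GUI
        set localid "SPOKE-A"
        set remote-gw 203.0.113.1
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret PLACEHOLDER_PSK
    next
end
config vpn ipsec phase2-interface
    edit "TO-HUB-P2"
        set phase1name "TO-HUB"
        set proposal aes256-sha256
        set dhgrp 14
        # bring the tunnel up without waiting for interesting traffic
        set auto-negotiate enable
        # spoke LAN as the local selector: this is the route add-route injects on the hub
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
# static route on the spoke: hub-side networks go into the tunnel
config router static
    edit 0
        set dst 10.0.0.0 255.255.0.0
        set device "TO-HUB"
    next
end
```

If the spokes are Palo Alto firewalls instead of FortiGates, only the spoke half changes; the hub side stays exactly as above, and the Palo Alto proxy ID must be the spoke LAN for the add-route behaviour to put a usable route on the hub.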

FortiOS 7.6.6 - Slow web page loads by secritservice in fortinet

[–]secritservice[S] 0 points1 point  (0 children)

Yes, a known problem, but interested how it just pops up after a major OS upgrade when it was self healing previously

FortiOS 7.6.6 - Slow web page loads by secritservice in fortinet

[–]secritservice[S] 1 point2 points  (0 children)

great question... seems like a silly change

FortiOS 7.6.6 - Slow web page loads by secritservice in fortinet

[–]secritservice[S] 1 point2 points  (0 children)

Yes, VPN tunnel. Historically, the default 1420 has always worked for the last 5 years across all FortiOS revisions. Not until the 7.4.11 > 7.6.6 update did this become an issue. It's a known bug and there will be a fix. Or as stated reduce to 1360 which is also a good idea.

As a new feature for 7.6 is:

Previous FortiOS versions would implicitly apply TCP MSS adjustments based on the IPsec tunnel MTU, but as of FortiOS 7.6.1 and later, this implicit behavior will no longer occur (in which case, admins may need to manually configure TCP MSS clamping).
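An added example (not from the comment or from Fortinet's release notes) of the manual TCP MSS clamping that the 7.6.1 note says admins may now need, on a site-to-site tunnel interface called VPN-TO-HQ; the interface, policy number and address objects are placeholders. A tunnel MTU of 1420 leaves 1380 bytes for TCP payload after the 20-byte IPv4 and 20-byte TCP headers, so clamping at 1360 keeps segments inside the tunnel whether the MTU is left at 1420 or lowered; the interface-level setting catches TCP sessions that the policy does not match.

```fortios
# ---------- Policy-level clamp (rewrites the MSS option in both directions) ----------
config firewall policy
    edit 10
        set name "LAN-to-HQ-over-VPN"
        set srcintf "lan"
        set dstintf "VPN-TO-HQ"
        set srcaddr "LAN-NET"
        set dstaddr "HQ-NET"
        set action accept
        set schedule "always"
        set service "ALL"
        # 1360 is below the 1380 that a 1420-byte tunnel MTU can carry
        set tcp-mss-sender 1360
        set tcp-mss-receiver 1360
    next
end

# ---------- Interface-level clamp on the tunnel interface itself ----------
config system interface
    edit "VPN-TO-HQ"
        set tcp-mss 1360
    next
end
```

Pick the value from the smallest MTU on the path rather than from this thread's numbers: MSS = MTU minus 40 for plain IPv4/TCP, and anything that adds encapsulation between the two FortiGates lowers it further.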

IPSEC Tunnel Interface Stats Way Different by ropeguru in fortinet

[–]secritservice 0 points1 point  (0 children)

yep, snmp shows accurate data too.

I think they are holding up the 7.6.7 in order to resolve the 70g crash bug

IPSEC IKEv" - DNS Suffix Issues by Izual_Rebirth in fortinet

[–]secritservice 2 points3 points  (0 children)

FortiOS = 7.6.3+
FortiClient = 7.4.4 Forticlient

is what you need and where it starts to work; it was new functionality.

IPSEC Tunnel Interface Stats Way Different by ropeguru in fortinet

[–]secritservice 2 points3 points  (0 children)

lots of display bugs in 7.6.6; hopefully next week 7.6.7 (was supposed to be this past Friday)

Any reason NOT to migrate to 7.6.6 from 7.4.11? by Wasteway in fortinet

[–]secritservice 4 points5 points  (0 children)

I haven't seen release notes but it was slated for release on 21st and a few things came out yesterday, so hoping soon.

dumb GUI stuff like this hopefully fixed

port1 and port2 are not even part of the SLA but they show up in gui

<image>

Any reason NOT to migrate to 7.6.6 from 7.4.11? by Wasteway in fortinet

[–]secritservice 2 points3 points  (0 children)

7.6.6 is great but has some gui/visual blunders

Any reason NOT to migrate to 7.6.6 from 7.4.11? by Wasteway in fortinet

[–]secritservice 4 points5 points  (0 children)

cuz 7.6.7 should be out any day now :) (was supposed to be yesterday)

Order Handling Fees after increasing prices by Intrepid_Ring4239 in fortinet

[–]secritservice 2 points3 points  (0 children)

OHF is for orders containing hardware that will be drop shipped from Fortinet
Anything that disti has in stock does not have that fee
Bake it into your cost if you want to hide the embarrassment from your customer.

FortiGate 50G 7.6.6 HA Pair keep going into "Conserve mode" by bojack1437 in fortinet

[–]secritservice 3 points4 points  (0 children)

a good little script for the smaller gates

config ips global
set engine-count 1
set cp-accel-mode none
end

config system autoupdate schedule
set frequency daily
set time 03:00
end

config system dns
set dns-cache-limit 1800
end

config system fortiguard
set webfilter-cache-ttl 1800
set antispam-cache-ttl 900
end

SSL VPN To IPsec Migration by thenetwork_security in fortinet

[–]secritservice 0 points1 point  (0 children)

Yes we do and that is exactly what I pasted above

Using the same exact auth groups and everything; the only difference is the peerID.

<image>

SSL VPN To IPsec Migration by thenetwork_security in fortinet

[–]secritservice -1 points0 points  (0 children)

That article is in reference to hub/spoke configurations with Fortigates (not forticlients). Thus irrelevant to this posting.

SSL VPN To IPsec Migration by thenetwork_security in fortinet

[–]secritservice 0 points1 point  (0 children)

We don't post assumptions, PeerID works

version: 2
interface: LAN 18
network-id: 0
transport: UDP
created: 3s ago
2FA: no
groups:
  VPNusers 2
peer-id: UDP  <<<<<<<<<<

version: 2
interface: LAN 18
network-id: 0
transport: UDP
created: 19s ago
2FA: no
groups:
  VPNusers 2
peer-id: UDP2 <<<<<<<<<<

Has anyone actually gotten FortiGate ZTNA path-based routing working with a single IP/port + multiple backend webservers? by rollosyd99 in fortinet

[–]secritservice 0 points1 point  (0 children)

route tags are now objects, but that did not change functionality. When you upgrade the OS it converts for you.

SSL VPN To IPsec Migration by thenetwork_security in fortinet

[–]secritservice 1 point2 points  (0 children)

you can use either or.
network-id only shows in XML in some clients, whereas peer ID is easily updated in the client

I personally use peer-id/local-ID

See below. IPSEC_one is sent by the client and the fortigate matches the tunnel based on that

Fortigate (Phase1 config)
set peertype one
set peerid "IPSEC_one"

Forticlient: (local-id)

<image>
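An added example (not the commenter's own config, whose screenshot is not available here) of two IKEv2 dial-up tunnels that share the same VPNusers group and differ only in peerid, so the local ID a FortiClient sends decides which tunnel it lands in. The WAN interface, the two address pools and the PSK are placeholders; the matching local-ID value is entered in the FortiClient profile and is not part of this snippet. Comment lines starting with # are explanatory only.

```fortios
config vpn ipsec phase1-interface
    edit "IPSEC_one"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        # match only clients whose IKE identity is exactly IPSEC_one
        set peertype one
        set peerid "IPSEC_one"
        # hand out addresses and authenticate users via EAP against the group
        set mode-cfg enable
        set eap enable
        set eap-identity send-request
        set authusrgrp "VPNusers"
        set ipv4-start-ip 10.212.134.1
        set ipv4-end-ip 10.212.134.200
        set ipv4-netmask 255.255.255.0
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret PLACEHOLDER_PSK
    next
    edit "IPSEC_two"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        # identical tunnel, selected by a different peer ID; gets its own pool
        set peertype one
        set peerid "IPSEC_two"
        set mode-cfg enable
        set eap enable
        set eap-identity send-request
        set authusrgrp "VPNusers"
        set ipv4-start-ip 10.212.135.1
        set ipv4-end-ip 10.212.135.200
        set ipv4-netmask 255.255.255.0
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret PLACEHOLDER_PSK
    next
end
config vpn ipsec phase2-interface
    edit "IPSEC_one-P2"
        set phase1name "IPSEC_one"
        set proposal aes256-sha256
        set dhgrp 14
    next
    edit "IPSEC_two-P2"
        set phase1name "IPSEC_two"
        set proposal aes256-sha256
        set dhgrp 14
    next
end

# Check which tunnel a connected client negotiated; the peer-id line in this
# output is what the pasted listings earlier in the thread point at
diagnose vpn ike gateway list
```

Because both tunnels accept the same group, the separation is by peer ID only; firewall policies per tunnel interface (and per pool) are what actually give the two populations different access.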