I have a question about IPSec VPNs. I have one IPSec VPN currently up and running on my WAN interface. This VPN is Site-to-Site with a remote location.
I want to add an L2TP IPSec VPN for my teleworkers, so this would be a Dialup VPN. This also needs to be configured on the WAN Interface.
Will this conflict with the existing S2S VPN? I have read a lot of the manuals but am not finding a definite answer. I know that the FortiGate 60D can house a lot of VPN entries, but I just need confirmation that I won't kill the current S2S VPN by creating a new one.
As long as your site to site tunnel is of type "static", meaning that you have defined a remote IP for the other end of the tunnel, then there wouldn't be any conflict, as IKE would only select your site to site phase1 definition if the remote IP matches.
Your L2TP definition would be of type "dialup", in which case there is no remote IP defined in the phase1 - we don't know from what address users will connect _and_ there will be many connecting users. Dialup phase1 type acts as a "template" interface, allowing multiple connections as you would expect for dialup users. This is also used for connecting site to site with other devices, a topic you can find out more about in the VPN section of http://cookbook.fortinet.com.
Thus, in summary, you are OK to proceed in this case. A situation where you would have contentious selection of the proper tunnel definition is if you had multiple "dialup" type tunnel definitions. Without going into too much detail on match criteria for these situations, you would use IKEv1 aggressive mode to route incoming connections in this case. That's not always possible, but it's one technique that works.
Hope this helps!
Principal Presales Security Expert
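As an added illustration of the answer above (this is not configuration from the original thread or from Fortinet), here is what the two phase1 definitions look like side by side in the FortiOS CLI: a static site-to-site tunnel that IKE matches on the peer's address, and a dialup (`type dynamic`) L2TP tunnel on the same WAN interface with no remote gateway. The interface name `wan1`, the address 203.0.113.10, the user group `L2TP-Users`, the address pool 10.10.10.0/24 and the tunnel names are all assumptions; proposals and pre-shared keys are placeholders to be replaced with your own. Exact keywords can vary slightly between FortiOS releases, so check against the CLI reference for the firmware on the 60D.

```fortios
# Assumed names/addresses; not from the original post.
config vpn ipsec phase1-interface
    # Static site-to-site: the remote gateway address is fixed, so IKE only
    # selects this phase1 when the initiator's source IP is 203.0.113.10.
    edit "S2S-Remote"
        set interface "wan1"
        set type static
        set remote-gw 203.0.113.10
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <REPLACE-WITH-S2S-PSK>
    next
    # Dialup (template) phase1 for L2TP clients: no remote-gw, because the
    # teleworkers' addresses are unknown and there will be many of them.
    # This does not collide with "S2S-Remote" as long as that tunnel stays static.
    edit "L2TP-Dialup"
        set interface "wan1"
        set type dynamic
        set peertype any
        set proposal aes256-sha256 aes256-sha1
        set dhgrp 14 2
        set psksecret <REPLACE-WITH-L2TP-PSK>
    next
end

config vpn ipsec phase2-interface
    # L2TP over IPsec uses transport mode; the l2tp flag marks this
    # phase2 as the carrier for the L2TP session.
    edit "L2TP-Dialup-p2"
        set phase1name "L2TP-Dialup"
        set proposal aes256-sha1
        set encapsulation transport-mode
        set l2tp enable
    next
end

config vpn l2tp
    # Address pool handed to dialup users (assumed range) and the user group
    # that is allowed to authenticate.
    set status enable
    set sip 10.10.10.10
    set eip 10.10.10.200
    set usrgrp "L2TP-Users"
end
```

The answer's closing caveat about having two dialup definitions on one interface applies here only if you later add a second `type dynamic` phase1 on `wan1`; in that case one common way to keep them apart is to give the second tunnel `set mode aggressive`, `set peertype one` and a `set peerid` value that its clients present, so IKE can choose the definition by peer ID rather than by remote address. Verify that the L2TP client in use actually supports sending a peer ID before relying on it.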
I'm going to set up the additional Dialup VPN alongside the S2S VPN. Thanks for your input!!