Ultimate FortiGate Multi Dial-Up VPN Hub (IKEv2 + PSK) – Fast & Secure Setup

Description

Configure a FortiGate hub that accepts multiple dial-up IPsec VPN clients using IKEv2 and PSK authentication. Includes GUI and CLI setup, advanced configuration, and troubleshooting for production use.

Scope

This article covers:

  • Hub-and-spoke VPN architecture
  • Multiple dial-up clients connecting to one FortiGate hub
  • IKEv2 + PSK authentication
  • Full CLI configuration (no missing lines)
  • Firewall policies, routing, and tunnel behavior
  • Advanced troubleshooting using diagnostic commands

This is ideal for enterprise networks and scalable VPN deployments.

Solution

Topology Overview

  • Hub (HQ FortiGate) → Static public IP
  • Spokes (Branch FortiGates) → Dynamic IP (dial-up)
  • Multiple clients connect to one Phase1 interface

STEP 1: Configure HUB (Dial-Up Server)

Phase1 Interface (IKEv2 + PSK + Multiple Clients)

config vpn ipsec phase1-interface
edit "Dialup_Hub"
set type dynamic
set interface "wan1"
set ike-version 2
set peertype any
set net-device enable
set mode-cfg enable
set proposal aes256-sha256 aes128-sha256
set dpd on-idle
set nattraversal enable
set psksecret sample
set add-route disable
next
end

Phase2 Interface

config vpn ipsec phase2-interface
edit "Dialup_Hub_p2"
set phase1name "Dialup_Hub"
set proposal aes256-sha256 aes128-sha256 aes256gcm
set auto-negotiate enable
next
end

Address Objects

config firewall address
edit "HQ_LAN"
set subnet 10.1.100.0 255.255.255.0
next
edit "ALL"
set subnet 0.0.0.0 0.0.0.0
next
end

Firewall Policy (Allow Multiple Clients)

config firewall policy
edit 1
set name "Dialup-Inbound"
set srcintf "Dialup_Hub"
set dstintf "internal"
set srcaddr "ALL"
set dstaddr "HQ_LAN"
set action accept
set schedule "always"
set service "ALL"
next
end

STEP 2: Configure SPOKE (Dial-Up Client)

Phase1 Interface (IKEv2 Client)

config vpn ipsec phase1-interface
edit "to_Hub"
set interface "wan1"
set ike-version 2
set peertype any
set net-device enable
set proposal aes256-sha256 aes128-sha256
set remote-gw <HUB_PUBLIC_IP>
set psksecret sample
set dpd on-idle
set nattraversal enable
next
end

Phase2 Interface

config vpn ipsec phase2-interface
edit "to_Hub_p2"
set phase1name "to_Hub"
set proposal aes256-sha256 aes128-sha256 aes256gcm
set auto-negotiate enable
next
end

Static Route (IMPORTANT)

The first route sends HQ LAN traffic into the tunnel. The second route is a blackhole with distance 254, so it only takes effect while the tunnel route is down; traffic for the HQ LAN is then dropped instead of leaking out the default route in cleartext.

config router static
edit 1
set dst 10.1.100.0 255.255.255.0
set device "to_Hub"
next
edit 2
set dst 10.1.100.0 255.255.255.0
set blackhole enable
set distance 254
next
end

Firewall Policy (Outbound)

config firewall policy
edit 1
set name "Spoke-to-Hub"
set srcintf "internal"
set dstintf "to_Hub"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end

Troubleshooting (VERY IMPORTANT)

Enable Debug

diagnose debug reset
diagnose debug application ike -1
diagnose debug enable

❌ Common Error (PSK Mismatch)

probable pre-shared secret mismatch

Fix: Ensure the PSK is identical on the hub and on every spoke.

❌ IKEv2 Failure

no proposal chosen

Fix:

  • Match the Phase1 and Phase2 encryption proposals on both sides
  • Ensure ike-version 2 is set on both sides

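The two errors above come from settings that are easy to compare before the tunnel is ever brought up. The checker below is an added example, not code from the article or from Fortinet: it parses FortiOS CLI blocks in the config/edit/set/next/end form used on this page and reports hub/spoke mismatches (ike-version, PSK, Phase1 and Phase2 proposals). The sample hub text follows the article; the spoke text is a constructed copy with IKEv1 and a mistyped PSK.

```python
# Added example (not from the article): flag hub/spoke mismatches behind the errors above.
def parse_fortios(text):
    """Parse config/edit/set/next/end lines into {section: {entry: {key: [values]}}}.
    Assumption: values contain no quoted spaces (true for the blocks on this page)."""
    sections, stack, entry = {}, [], None
    for tok in (line.split() for line in text.splitlines()):
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "config":
            stack.append(sections.setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "edit":
            entry = stack[-1].setdefault(tok[1].strip('"'), {})
        elif tok[0] == "set":
            entry[tok[1]] = [v.strip('"') for v in tok[2:]]
        elif tok[0] == "end":
            stack.pop()
    return sections

def check_hub_spoke(hub_text, hub_p1, spoke_text, spoke_p1):
    """Return findings for one hub/spoke pair; an empty list means they should negotiate."""
    hub, spoke = parse_fortios(hub_text), parse_fortios(spoke_text)
    h = hub["vpn ipsec phase1-interface"][hub_p1]
    s = spoke["vpn ipsec phase1-interface"][spoke_p1]
    def p2(cfg, name):  # union of phase2 proposals bound to the named phase1
        return {p for e in cfg.get("vpn ipsec phase2-interface", {}).values()
                if e.get("phase1name") == [name] for p in e.get("proposal", [])}
    out = []
    if h.get("ike-version", ["1"]) != s.get("ike-version", ["1"]):  # FortiOS default is 1
        out.append("ike-version differs: both sides need 'set ike-version 2'")
    if not set(h.get("proposal", [])) & set(s.get("proposal", [])):
        out.append("no common phase1 proposal: expect 'no proposal chosen'")
    if h.get("psksecret") != s.get("psksecret"):
        out.append("psksecret differs: expect 'probable pre-shared secret mismatch'")
    if not p2(hub, hub_p1) & p2(spoke, spoke_p1):
        out.append("no common phase2 proposal: IKE SA up but no IPsec SA")
    return out

# Constructed sample: hub as in the article; spoke left on IKEv1 with a mistyped PSK.
HUB = """config vpn ipsec phase1-interface
edit "Dialup_Hub"
set ike-version 2
set proposal aes256-sha256 aes128-sha256
set psksecret sample
next
end
config vpn ipsec phase2-interface
edit "Dialup_Hub_p2"
set phase1name "Dialup_Hub"
set proposal aes256-sha256 aes128-sha256 aes256gcm
next
end"""
SPOKE = HUB.replace("Dialup_Hub", "to_Hub").replace("ike-version 2", "ike-version 1").replace("psksecret sample", "psksecret sampl3")
```

Run it on the cleartext CLI scripts you paste into each unit, not on `show` output, where psksecret appears in encrypted form and would always compare unequal.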
Check Tunnel Status (HUB)

diagnose vpn ike gateway list

Expected:

IKE SA: established
IPsec SA: established

Check Tunnel Details

diagnose vpn tunnel list

Look for:

  • name=Dialup_Hub
  • mode=dialup
  • enc/dec packets increasing

Check Traffic Flow

  • txp / rxp counters should increase
  • If they stay at 0, the tunnel is up but no traffic is entering it: check the firewall policies and routing on both sides

Important Notes

  • Hub supports multiple clients using one Phase1
  • Always use:
    • set ike-version 2
    • set nattraversal enable
  • Use a blackhole route to avoid traffic leaks
  • Ensure matching proposals
  • Use strong encryption (AES256) in production

FAQ

Yes, this is the main purpose of dial-up VPN.

IKEv2 is:

  • Faster
  • More secure
  • Better for NAT environments

Check:

  • Firewall policies
  • Static routes
  • Phase2 selectors

No, one dynamic Phase1 handles all clients.

  • PSK mismatch
  • Missing route
  • Wrong interface selection