
nse8_812 Exam - Question 58


Refer to the exhibits.

Topology -

Configuration -

The exhibits show a diagram of a requested topology and the base IPsec configuration.

A customer asks you to configure ADVPN via two internet underlays. The requirement is that you use one interface with a single IP address on DC FortiGate.

In this scenario, which feature should be implemented to achieve this requirement?

Correct Answer: AC

In this scenario, where ADVPN is needed across multiple underlays and a single IP address must be used on the Hub FortiGate, the appropriate feature to implement is the network-overlay ID. This feature ensures that multiple IKEv2 tunnels can be established between the same local and remote IP addresses by differentiating the tunnels using the network-overlay ID. This allows the configuration requirements to be met without changing the version of IKE or relying on local IDs, which are not designed to handle multiple tunnels with the same IP pairs. Thus, the answer is to use network-overlay ID.
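A sketch of the phase 1 settings this explanation describes, added here as an illustration and not taken from the exam exhibits. The interface names (`port1`, `wan1`, `wan2`), tunnel names, the hub address `203.0.113.10` and `<psk>` are assumptions, and only the phase 1 options relevant to tunnel selection are shown.

```fortios
# Constructed example: names, addresses and <psk> are placeholders.
# DC (hub): two dial-up phase 1s bound to the same interface and IP.
config vpn ipsec phase1-interface
    edit "advpn-isp1"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set auto-discovery-sender enable
        set network-overlay enable
        set network-id 1
        set psksecret <psk>
    next
    edit "advpn-isp2"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set auto-discovery-sender enable
        set network-overlay enable
        set network-id 2
        set psksecret <psk>
    next
end

# Spoke: one phase 1 per internet underlay, both pointing at the same hub IP.
config vpn ipsec phase1-interface
    edit "hub-isp1"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.10
        set auto-discovery-receiver enable
        set network-overlay enable
        set network-id 1
        set psksecret <psk>
    next
    edit "hub-isp2"
        set interface "wan2"
        set ike-version 2
        set remote-gw 203.0.113.10
        set auto-discovery-receiver enable
        set network-overlay enable
        set network-id 2
        set psksecret <psk>
    next
end
```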

Discussion

5 comments
pplee_sh Option: A
Aug 24, 2023

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Use-case-of-Network-Ids-with-ADVPN-shortcut/ta-p/241025

Golux Option: A
Jan 5, 2024

The network ID is a Fortinet-proprietary attribute that is used to select the correct phase 1 between IPsec peers, so that multiple IKEv2 tunnels can be established between the same local/remote gateway pairs. In static phase 1 configurations, network-id is used with the pair of gateway IPs to negotiate the correct tunnel with a matching network-id. This allows IPsec peers to use the same pair of underlay IPs to establish multiple IPsec tunnels. Without it, only a single tunnel can be established over the same pair of underlay IPs.

WBP43 Option: C
Sep 21, 2023

Without Local-id, hubs won't be able to connect to hub; they don't know which VPN to connect to. Network-id would be used if hubs would have only one ISP, which is not the case.

ama6 Option: A
Sep 24, 2023

A is correct

re_j0hn Option: A
Feb 17, 2024

It is not possible to establish two IPSEC tunnels between the same two FGT IPs, unless the Network Overlay ID differs between these two tunnels. Thus, the answer is A.