akileshc
Staff
June 3, 2026

Technical Tip: Configuring Remote ID (Peer ID) for an IPsec VPN Tunnel between FortiGate and a Third-Party Firewall


Description

This article describes how to configure a Remote ID (Peer ID) for an IPsec VPN tunnel between a FortiGate firewall and a third-party VPN peer.

Scope

FortiGate.

Solution

During the IKE Phase 1 negotiation, VPN peers exchange identity information to verify that they are communicating with the expected remote device. This identity is commonly referred to as the Peer ID, Remote ID, or IKE Identity.


The Peer ID is particularly important in scenarios where:

  • The remote peer is identified by a hostname or Fully Qualified Domain Name (FQDN) rather than its IP address.

  • The remote device is behind NAT, and its public IP address may change.

  • Multiple VPN tunnels terminate on the same VPN gateway.

  • The VPN peer requires identity-based authentication as part of the IKE negotiation process.


If the received identity does not match the expected Peer ID configured on the FortiGate, Phase 1 negotiation may fail, resulting in tunnel establishment issues.


Configuring a Peer ID on FortiGate

To configure a specific Peer ID, the Phase 1 interface must use Aggressive Mode, which allows peertype one to be used together with a defined peerid value.


Configure the Phase 1 settings as follows:

config vpn ipsec phase1-interface
    edit "VPN_TUNNEL_NAME"
        set mode aggressive
        set peertype one
        set peerid "REMOTE-ID"
    next
end


Where:

  • mode aggressive enables identity exchange during the initial IKE negotiation.

  • peertype one instructs FortiGate to verify a specific peer identity.

  • peerid defines the expected identity value that the remote peer must present.


Example debug output

The following debug output shows FortiGate receiving and validating the Peer ID branch-office1 from the remote peer during IKE Phase 1 negotiation for tunnel VPN_TUNNEL:

2026-06-03 10:15:42 ike 0:VPN_TUNNEL: received Aggressive Mode packet
2026-06-03 10:15:42 ike 0:VPN_TUNNEL: processing ID payload
2026-06-03 10:15:42 ike 0:VPN_TUNNEL: peer identifier received: branch-office1
2026-06-03 10:15:42 ike 0:VPN_TUNNEL: configured peerid: branch-office1
2026-06-03 10:15:42 ike 0:VPN_TUNNEL: peer ID matched
2026-06-03 10:15:42 ike 0:VPN_TUNNEL: authentication successful
2026-06-03 10:15:42 ike 0:VPN_TUNNEL: IKE SA established


Note: The configured Peer ID must exactly match the identity configured and transmitted by the remote VPN device during IKE negotiation. When the remote device initiates the tunnel, FortiGate verifies that the received identity matches the configured Peer ID before completing Phase 1 establishment. This helps ensure that the VPN tunnel is established only with the intended peer.
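As an added troubleshooting aid (not part of the original article), the following Python script parses IKE debug lines in the format shown above and reports, per tunnel, whether the received identity matched the configured peerid. The second tunnel VPN_BRANCH2 and its log lines are constructed, and the line format is assumed to be the one in the sample above.

```python
import re

# Constructed sample in the style of the FortiGate IKE debug output shown above.
# VPN_TUNNEL is the page's own example; VPN_BRANCH2 is a hypothetical tunnel whose
# peer presents an identity that differs from the configured peerid only in case.
SAMPLE_DEBUG = """\
2026-06-03 10:15:42 ike 0:VPN_TUNNEL: received Aggressive Mode packet
2026-06-03 10:15:42 ike 0:VPN_TUNNEL: processing ID payload
2026-06-03 10:15:42 ike 0:VPN_TUNNEL: peer identifier received: branch-office1
2026-06-03 10:15:42 ike 0:VPN_TUNNEL: configured peerid: branch-office1
2026-06-03 10:15:42 ike 0:VPN_TUNNEL: peer ID matched
2026-06-03 10:15:42 ike 0:VPN_TUNNEL: IKE SA established
2026-06-03 10:16:07 ike 0:VPN_BRANCH2: received Aggressive Mode packet
2026-06-03 10:16:07 ike 0:VPN_BRANCH2: processing ID payload
2026-06-03 10:16:07 ike 0:VPN_BRANCH2: peer identifier received: branch-office2
2026-06-03 10:16:07 ike 0:VPN_BRANCH2: configured peerid: Branch-Office2
"""

LINE_RE = re.compile(r"^\S+ \S+ ike \d+:(?P<tunnel>[^:]+): (?P<msg>.+)$")  # "<date> <time> ike <vdom>:<tunnel>: <msg>"
RECEIVED_RE = re.compile(r"^peer identifier received: (?P<id>\S+)$")
CONFIGURED_RE = re.compile(r"^configured peerid: (?P<id>\S+)$")


def _verdict(entry: dict) -> str:
    """Explain why a tunnel did or did not pass the peer ID check."""
    if entry["matched"]:
        return "ok"
    if entry["received"] is None or entry["configured"] is None:
        return "incomplete: ID payload not seen for this tunnel"
    if entry["received"].lower() == entry["configured"].lower():
        return "mismatch: IDs differ only in letter case; the match must be exact"
    return f"mismatch: received {entry['received']!r}, configured {entry['configured']!r}"


def check_peer_ids(debug_text: str) -> dict[str, dict]:
    """Per tunnel: received ID, configured peerid, whether a match was logged, and a verdict."""
    tunnels: dict[str, dict] = {}
    for line in debug_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an IKE debug line
        entry = tunnels.setdefault(m["tunnel"], {"received": None, "configured": None, "matched": False})
        if r := RECEIVED_RE.match(m["msg"]):
            entry["received"] = r["id"]
        elif c := CONFIGURED_RE.match(m["msg"]):
            entry["configured"] = c["id"]
        elif m["msg"] == "peer ID matched":
            entry["matched"] = True
    for entry in tunnels.values():
        entry["verdict"] = _verdict(entry)
    return tunnels
```

Run `check_peer_ids` over the output of the IKE debug on the FortiGate to see at a glance which tunnel presented an identity that does not exactly match its configured peerid.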