DescriptionIn certain dynamic IPsec VPN configurations where an incoming connection matches the configurations of two or more IPsec tunnel configurations, the Responder IPsec VPN gateway selects the tunnel based on the following criteriaSolutionWhen the first phase-1 IPsec packet arrives, the FortiGate acting as the responder uses the first phase 1 configuration (in alphabetical order) that matches the following:
- Local gateway.- Mode (aggressive or main).- Peer ID (if aggressive).- Authentication method (pre-shared key or certificate).- Certificate information (if certificate).- Proposal.- DH group.Important: Pre-shared key itself is not a part of the matching criteria.However, in some circumstances, FortiOS can switch to a different phase 1, if it finds that it initially selected the wrong phase 1.
This is called gateway re-validation and only applies to the following:
- IKEv1 with certificate authentication.- IKEv2 with pre-shared key authentication.- IKEv2 with certificate authentication.Example.
- Multiple dialup VPNs with pre-shared keys, the same local gateway, and the same SA settings, should use aggressive mode and different peer IDs.
Using this method, the FortiGate identifies the right VPN configuration for each incoming IPsec proposal.
Technical Tip: How to use Peer IDs to select an IPSec dialup tunnel on a FortiGate configured with m...