FortiGate
mribbans_FTNT
Article Id 192292

Description
This article describes how to use Peer IDs to select an IPSec dialup tunnel on a FortiGate configured with multiple dialup tunnels.

Dialup VPN tunnels are used when the remote VPN gateway or remote VPN client IP address is dynamic and therefore unknown.

Many customers use a single dialup tunnel (Phase 1 and Phase 2) for all remote dialup VPN gateways and clients.


In some cases, multiple dialup tunnels are required.

For example:
To grant different remote VPN client users access to different networks and services.
To grant different remote VPN gateways access to different networks and services.

FortiGates use Peer IDs as the unique identifier to select a dialup tunnel. When multiple dialup tunnels are added, give each tunnel a different Peer ID.
Assign corresponding Peer IDs to remote VPN gateways and remote VPN clients.

 

When an IPsec tunnel is created by the wizard, there is no GUI option to add a Peer ID. To add a Peer ID to an IPsec tunnel created by the wizard, there are two options:

1) Using the CLI


2) Convert the IPsec Tunnel to a custom tunnel

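As an added example (not taken from the original article), the CLI option applied to two dialup tunnels: both phase1-interface definitions are dynamic, aggressive-mode IKEv1 tunnels that differ in their Peer ID, matching the 'dialup1' and 'dialup2' identifiers seen in the debug output later in this article. The interface name, proposal, DH group and the pre-shared-key placeholders are assumptions.

```text
config vpn ipsec phase1-interface
    edit "dialup1"
        set type dynamic
        set interface "port1"
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "dialup1"
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <PSK-FOR-DIALUP1>
    next
    edit "dialup2"
        set type dynamic
        set interface "port1"
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "dialup2"
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <PSK-FOR-DIALUP2>
    next
end
```

Each tunnel still needs its own phase2-interface and firewall policies, and each gets its own pre-shared key. On the remote gateway or FortiClient the matching value is configured as the local ID, which is what the FortiGate reports as "received peer identifier" in the IKE debug output.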

Aggressive mode configuration:


Second dialup tunnel:


FortiClient Configuration:

Debug verification for each tunnel:

The following commands enable IKE debug logging:

# diag debug reset
# diag debug application ike -1
# diag debug enable
tau-kvm68 # ike 0: comes 10.5.22.160:1011->10.5.22.168:500,ifindex=3....
ike 0: IKEv1 exchange=Aggressive id=df23d7be2de17010/0000000000000000 len=511
ike 0:df23d7be2de17010/0000000000000000:0: responder: aggressive mode get 1st message...
......
ike 0::0: received peer identifier FQDN 'dialup1'

From the FortiGate IPsec Monitor tab:

For the second Peer ID (dialup2):

tau-kvm68 # ike 0: comes 10.5.22.160:1011->10.5.22.168:500,ifindex=3....
ike 0: IKEv1 exchange=Aggressive id=d74d09b92f8f1cbd/0000000000000000 len=511
......
ike 0::1: received peer identifier FQDN 'dialup2'