Created on 10-18-2004 12:00 AM
Edited on 01-23-2026 12:40 AM
By Jean-Philippe_P
| Description | This article describes using Peer ID to select between multiple IPsec dial-up tunnels. While this approach is valid for IKEv1 (especially Aggressive Mode), it is not the primary or recommended tunnel-selection mechanism for IKEv2. |
| Scope | FortiGate. |
Solution:
Dial-up VPN tunnels are used when the IP address of the remote VPN gateway or remote VPN client is dynamic and therefore unknown in advance. Many users use a single dial-up tunnel (Phase 1 and Phase 2) for all remote dial-up VPN gateways and clients. When multiple IKEv1 dial-up IPsec connections are configured on one WAN interface, the FortiGate checks only the first dial-up connection. Peer IDs are used in this kind of scenario: the FortiGate uses the peer ID to determine which Phase 1 the FortiClient needs to match.
Note: When the IPsec tunnel is created by the wizard, there is no GUI option to add a peer ID until converting the IPsec Tunnel to a custom tunnel.
The Peer ID also works with Main Mode, but in Main Mode both peers authenticate each other based on their IP addresses by default, so the peer ID is not required in that case. The peer ID is only required if the remote peer has a dynamic IP or uses a non-IP-based method such as DDNS.
For IKEv2, FortiGate does not primarily use Peer ID to select between multiple dialup Phase1 configurations. Instead, FortiGate uses the Network ID attribute to distinguish and select the appropriate IKEv2 dial-up tunnel.
Edit the second dial-up tunnel and select the next Peer ID (different from any other Peer ID configured):
Note:
There is no limit on the number of custom tunnels that can be created using different Peer IDs. The actual number of configurable tunnels depends on the FortiGate model (see the maximum value table for IPsec tunnels, vpn.ipsec.phase1) and the available bandwidth.
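The equivalent CLI configuration for two IKEv1 dial-up Phase 1 tunnels on the same WAN interface, distinguished by Peer ID, plus the IKEv2 variant that uses Network ID instead, as an added example that is not part of the original article. The interface name "wan1", the proposal and the pre-shared keys are assumed placeholders; "dialup1" and "dialup2" are the Peer IDs used in the article.

```text
# Added example (not from the article). Two IKEv1 Aggressive Mode dial-up
# Phase 1 entries on the same interface. Without distinct Peer IDs the
# FortiGate would only ever evaluate the first entry.
config vpn ipsec phase1-interface
    edit "dialup1"
        set type dynamic              # dial-up: remote IP is unknown
        set interface "wan1"          # assumed interface name
        set ike-version 1
        set mode aggressive           # Peer ID is sent in Aggressive Mode
        set peertype one              # accept exactly one Peer ID
        set peerid "dialup1"          # must match the FortiClient local ID
        set proposal aes256-sha256    # assumed proposal
        set psksecret <PSK-FOR-DIALUP1>   # placeholder, use a strong unique PSK
    next
    edit "dialup2"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "dialup2"          # different Peer ID selects this Phase 1
        set proposal aes256-sha256
        set psksecret <PSK-FOR-DIALUP2>   # placeholder
    next
    # IKEv2 does not select on Peer ID; use a Network ID instead. The
    # dial-up client must be configured with the same network-id value.
    edit "dialup-ikev2"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set network-overlay enable
        set network-id 1
        set proposal aes256-sha256
        set psksecret <PSK-FOR-IKEV2>     # placeholder
    next
end
config vpn ipsec phase2-interface
    edit "dialup1-p2"
        set phase1name "dialup1"
        set proposal aes256-sha256
    next
    edit "dialup2-p2"
        set phase1name "dialup2"
        set proposal aes256-sha256
    next
end
```

On the FortiClient side, the Local ID field of each connection must carry the matching Peer ID string ("dialup1" or "dialup2"); the `received peer identifier FQDN` line in the IKE debug output confirms which one arrived.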
FortiClient Configuration:
Debug verification for each tunnel:
The following commands enable IKE debug logs:
diagnose debug reset
diagnose debug application ike -1
diagnose debug enable

Output for the first peer ID (dialup1):
tau-kvm68 # ike 0: comes 10.5.22.160:1011->10.5.22.168:500,ifindex=3....
ike 0: IKEv1 exchange=Aggressive id=df23d7be2de17010/0000000000000000 len=511
ike 0:df23d7be2de17010/0000000000000000:0: responder: aggressive mode get 1st message...
......
ike 0::0: received peer identifier FQDN 'dialup1'

To disable debug:
diagnose debug disable
diagnose debug reset
From the FortiGate IPSec Monitor tab:
For the second peer ID (dialup2):
tau-kvm68 # ike 0: comes 10.5.22.160:1011->10.5.22.168:500,ifindex=3....
ike 0: IKEv1 exchange=Aggressive id=d74d09b92f8f1cbd/0000000000000000 len=511
......
ike 0::1: received peer identifier FQDN 'dialup2'

From v7.6.0, IPsec has the option to match the ZTNA tag for dial-up IPsec connections. Refer to the following document for more information: Security posture tag match enforced before dial-up IPsec VPN connection.
Note:
An IPv4 address is not supported as a Peer ID for IPsec VPN tunnels. Refer to the following document for more information: Troubleshooting Tip: The IPv4 address is not supported for Peer ID for IPsec vpn tunnels.

Related articles:
Technical Tip: How to configure a FortiGate as IPsec VPN Dial-Up client when FortiGate is not behind...
Technical Tip: IPSec dial-up full tunnel with FortiClient
Technical Tip: FortiGate Hub with multiple IPSec Dial-up phase1 using IKEv2 and PSK authentication
Copyright 2026 Fortinet, Inc. All Rights Reserved.