FortiGate
markdr_FTNT
Staff
Article Id 192292

Description


This article describes how to use Peer IDs to select an IPsec dial-up tunnel on a FortiGate configured with multiple dial-up tunnels.

 

Scope

 

FortiGate.

 

Solution

Dialup VPN tunnels are used when the remote VPN gateway or remote VPN client IP address is dynamic and therefore unknown.


Many deployments use a single dialup tunnel (one Phase 1 and its Phase 2) for all remote dialup VPN gateways and clients.

Note: Multiple Peer IDs are needed when several dialup IPsec tunnels terminate on the same WAN interface (same local IP and UDP port). Because every incoming IKE negotiation arrives at the same address, the Peer ID is the only information the FortiGate has to decide which dialup tunnel the connection belongs to.


In some cases, multiple dial-up tunnels are required.

For example:
To grant different remote VPN client users access to different networks and services.
To grant remote VPN gateways access to different networks and services.

A FortiGate uses the Peer ID as the unique identifier to select a dialup tunnel. When multiple dialup tunnels are added, give each tunnel a different Peer ID.
Configure the corresponding Peer ID on each remote VPN gateway and remote VPN client (it must match exactly, as the comparison is a string match).


To add a Peer ID to an IPsec tunnel created by the wizard, there are two options:

 

  1. Using the CLI.


 

  2. Using the GUI: convert the tunnel to a custom tunnel, then set Aggressive mode and the Peer ID on the first dialup tunnel.

Note:

When the IPsec tunnel is created by the wizard, there is no GUI option to add a peer ID until converting the IPsec Tunnel to a custom tunnel.

 


 

 
The Peer ID also works with main mode, but in main mode both peers authenticate each other based on their IP addresses by default, so the Peer ID is not required in that case. Only when the remote peer has a dynamic IP address, or uses a non-IP-based identity such as DDNS, is the Peer ID required. Note that aggressive mode sends the peer identity unencrypted in the first IKE message; this is what lets the responder pick the right dialup tunnel before any keys are agreed, but it also means the ID is visible on the wire and the PSK-based authentication hash can be captured for offline guessing, so use a long, random, per-tunnel PSK (or certificates), and prefer IKEv2 where the clients support it.
IKEv2 also supports the Peer ID, but it additionally requires setting a local ID, which by default is automatically set to the FortiGate's own identity, whereas IKEv1 does not use a local ID for identity declaration.

Edit the second dialup tunnel and select the next Peer ID (different from every other Peer ID already configured):
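The following is an added FortiOS CLI example (not taken from the original article) of the end result: two IKEv1 aggressive-mode dialup tunnels on the same WAN interface, distinguished only by their Peer IDs. The interface name "wan1", the tunnel names, the mode-cfg address pools, the proposal and the PSK placeholders are assumptions for illustration; adjust them to the environment.

```text
# Added example, not part of the original article. Assumed values: wan1, dialup1/dialup2,
# the 10.10.x.0 pools and the PSK placeholders. Two dialup phase1s on one interface:
# "set peertype one" + "set peerid" is what lets the FortiGate choose the tunnel.
config vpn ipsec phase1-interface
    edit "dialup1"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "dialup1"
        set mode-cfg enable
        set ipv4-start-ip 10.10.1.1
        set ipv4-end-ip 10.10.1.100
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <long-random-psk-for-dialup1>
    next
    edit "dialup2"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "dialup2"
        set mode-cfg enable
        set ipv4-start-ip 10.10.2.1
        set ipv4-end-ip 10.10.2.100
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <long-random-psk-for-dialup2>
    next
end
# One phase2 per tunnel; with mode-cfg the selectors can stay at the 0.0.0.0/0 defaults.
config vpn ipsec phase2-interface
    edit "dialup1-p2"
        set phase1name "dialup1"
        set proposal aes256-sha256
    next
    edit "dialup2-p2"
        set phase1name "dialup2"
        set proposal aes256-sha256
    next
end
```

Each tunnel gets its own PSK as well as its own Peer ID, so a client that presents the wrong ID never reaches the other tunnel's secret. Firewall policies are then written per tunnel interface (dialup1, dialup2), which is what delivers the different network access the article describes. For IKEv2 the same structure applies with `set ike-version 2`, and the FortiGate's own identity can be pinned with `set localid` on each phase1. After clients connect, `diagnose vpn ike gateway list` and `get vpn ipsec tunnel summary` show which phase1 each peer landed on.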

 
FortiClient configuration: on the client, the value that must match the tunnel's Peer ID is entered in the Local ID field of the IPsec VPN connection's advanced (Phase 1) settings.
 
 
Debug verification for each tunnel:

The following commands enable IKE debug logging:

diagnose debug reset

diagnose debug application ike -1
diagnose debug enable
tau-kvm68 # ike 0: comes 10.5.22.160:1011->10.5.22.168:500,ifindex=3....
ike 0: IKEv1 exchange=Aggressive id=df23d7be2de17010/0000000000000000 len=511
ike 0:df23d7be2de17010/0000000000000000:0: responder: aggressive mode get 1st message...
......
ike 0::0: received peer identifier FQDN 'dialup1'
 
To disable debug:
 
diagnose debug disable
diagnose debug reset
 
The same can be verified from the FortiGate IPsec Monitor, where each dialup tunnel lists only the remote peers whose Peer ID matched it.
 

 

For the second Peer ID (dialup2):
 
tau-kvm68 # ike 0: comes 10.5.22.160:1011->10.5.22.168:500,ifindex=3....
ike 0: IKEv1 exchange=Aggressive id=d74d09b92f8f1cbd/0000000000000000 len=511
......
ike 0::1: received peer identifier FQDN 'dialup2'