Created on 10-18-2004 12:00 AM Edited on 01-12-2025 11:04 PM By Anthony_E
Description
This article describes how to use Peer IDs to select an IPsec dial-up tunnel on a FortiGate configured with multiple dial-up tunnels.
Scope
FortiGate.
Solution
Dialup VPN tunnels are used when the remote VPN gateway or remote VPN client IP address is dynamic and therefore unknown.
Many customers use a single dialup tunnel (Phase 1 and Phase 2) for all remote dialup VPN gateways and clients.
Note: Multiple Peer IDs are used when only one WAN interface is used for multiple IPsec connections.
In some cases, multiple dial-up tunnels are required.
For example:
To grant different remote VPN client users access to different networks and services.
To grant remote VPN gateways access to different networks and services.
FortiGate uses Peer IDs as the unique identifier to select a dialup tunnel. When multiple dialup tunnels are added, give each tunnel a different Peer ID.
Assign corresponding Peer IDs to remote VPN gateways and remote VPN clients.
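The following FortiOS CLI sketch is an added example, not taken from the original article, showing two dial-up tunnels on one WAN interface distinguished by Peer ID, and the matching local ID on a remote FortiGate. The tunnel names, the "wan1" interface, the Peer ID strings, the angle-bracket placeholders and the choice of IKEv1 aggressive mode with pre-shared keys are all assumptions made for illustration.

```fortios
# Annotation lines starting with '#' are explanatory, not part of the config.
# --- Hub FortiGate: two dial-up tunnels bound to the same WAN interface ---
config vpn ipsec phase1-interface
    edit "dial-staff"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        # Aggressive mode sends the peer's ID in clear in the first message,
        # so the hub can match it before choosing the pre-shared key.
        set mode aggressive
        # Accept only the peer that presents this exact ID.
        set peertype one
        set peerid "staff"
        set psksecret <psk-staff>
    next
    edit "dial-branch"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "branch"
        set psksecret <psk-branch>
    next
end

# --- Remote FortiGate (dial-up client) that must land on "dial-branch" ---
config vpn ipsec phase1-interface
    edit "to-hub"
        set interface "wan1"
        set remote-gw <hub-public-ip>
        set ike-version 1
        set mode aggressive
        # Must equal the peerid configured on the intended hub tunnel.
        set localid "branch"
        set psksecret <psk-branch>
    next
end
```

A dial-up tunnel left at `set peertype any` accepts any identifier, so every dial-up tunnel sharing the interface should carry its own Peer ID and its own pre-shared key. Firewall policies are then written per tunnel interface, which is what keeps each group limited to its own networks and services.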
There are 2 options to add a Peer ID on an IPsec tunnel created by the wizard:
Note:
When the IPsec tunnel is created by the wizard, there is no GUI option to add a Peer ID until the IPsec tunnel is converted to a custom tunnel.
Technical Tip: How to configure a FortiGate as IPsec VPN Dial-Up client when FortiGate is not behind...
Technical Tip: IPSec dial-up full tunnel with FortiClient
Technical Tip: FortiGate Hub with multiple IPSec Dial-up phase1 using IKEv2 and PSK authentication