Article Id 196761



This article explains how to use PeerID and LocalID on a FortiGate to separate multiple dial-up IPsec VPNs that are configured on the same WAN interface.

When two or more dial-up IPsec VPN tunnels are configured on the same unit over the same WAN connection, the peer ID decides which tunnel an incoming connection is matched to. If no peer ID is defined, every incoming connection is matched to the first (default) dial-up tunnel. Aggressive mode must also be selected in the phase 1 settings, because the ID is exchanged during aggressive-mode phase 1.

The local ID is an extra piece of data the client sends during phase 1 negotiation; the remote side can be configured to require a particular ID before it permits the connection.


This article will explore an example use case, featuring:

  • A dial-up IPsec VPN between two FortiGates, where one FortiGate acts as the dial-up server and the other as the dial-up client.
  • Several dial-up IPsec VPNs already configured on the same FortiGate.


On the FortiGate acting as IPsec dial-up server:

config vpn ipsec phase1-interface
    edit <phase1_name>
        set type dynamic
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "ftnt-peer"
    next
end


On the FortiGate acting as IPsec dial-up client:

config vpn ipsec phase1-interface
    edit <phase1_name>
        set type static
        set ike-version 1
        set mode aggressive
        set localid-type auto
        set localid "ftnt-peer"
    next
end

Note that if two dial-up IPsec VPN tunnels are configured but terminate on different WAN connections, a peer ID is not required: the incoming interface already distinguishes them.
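The following is an added worked example, not configuration taken from the original article: it extends the single-tunnel snippets above to two dial-up tunnels terminating on the same WAN interface, each accepting only its own peer ID, plus the matching client for one of them. The interface name wan1, the tunnel names, the site-a/site-b IDs, the proposal, the DH group and the pre-shared-key placeholders are all assumptions; phase 2 selectors, firewall policies and routes are omitted.

```fortios
# Dial-up server: two dynamic phase1 definitions on the same WAN interface,
# told apart only by the peer ID each one accepts (peertype one + peerid).
# Interface, tunnel, proposal and key values are assumed placeholders.
config vpn ipsec phase1-interface
    edit "dialup-site-a"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "site-a"
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "<site-a-psk>"
    next
    edit "dialup-site-b"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "site-b"
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "<site-b-psk>"
    next
end

# Dial-up client at site B: its localid must equal the peerid of the
# server-side tunnel it is meant to land on ("site-b" here).
config vpn ipsec phase1-interface
    edit "to-hq"
        set type static
        set interface "wan1"
        set remote-gw <server_public_ip>
        set ike-version 1
        set mode aggressive
        set localid-type auto
        set localid "site-b"
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "<site-b-psk>"
    next
end
```

With this layout a client presenting the ID "site-a" is matched to dialup-site-a and one presenting "site-b" to dialup-site-b; a client that presents neither ID does not match either tunnel, because both use peertype one. If one tunnel were left with no peer ID, it would become the catch-all that every unmatched client lands on, which is the behaviour described above for tunnels without a peer ID. To confirm which tunnel a client was matched to, check the IKE gateway listing on the server (diagnose vpn ike gateway list), which reports the negotiated peer ID alongside the phase 1 name.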

Related articles:
  • FortiGate as dial-up client.
  • How to use local-ID type IP address other than the IP addresses configured in the interface for IPSe....
  • FortiGate sends 'local id' in FQDN type when negotiating an IPSec tunnel with Cisco.