Description
This article explains how to use PeerID and LocalID on a FortiGate to handle multiple dialup IPsec VPNs configured on the same WAN interface.
Scope
FortiGate.
Solution
When two or more dialup IPsec VPN tunnels are configured on the same unit and terminate on the same WAN interface, the peer ID is what the FortiGate uses to decide which phase1 an incoming negotiation belongs to. If no peer ID is defined, every incoming dialup connection is matched to the first (default) dialup tunnel, regardless of which client is connecting. Aggressive mode must also be used in the phase1 settings: in IKEv1 aggressive mode the client sends its ID payload in the first message, so the server can select the matching tunnel before the exchange completes (in main mode with a pre-shared key the ID is only sent encrypted, after the key has been derived, which is too late to pick the tunnel).
This article works through an example use case with:
- A dialup IPsec VPN between two FortiGates, where one FortiGate acts as the dialup server and the other as the dialup client.
- Several dialup IPsec VPNs already configured on the same FortiGate (the dialup server).
On the FortiGate that has a static IP on its WAN interface (the dialup server), each dialup phase1 must be configured to accept only the ID of its intended client. The remote gateway type is dynamic here, because it is the remote (client) gateway whose address is not known in advance:
# config vpn ipsec phase1-interface
edit <phase1_name>
set mode aggressive
set type dynamic
set peertype one
set peerid "ftnt-peer"
next
end
On the FortiGate that has a dynamic IP on its WAN interface (the dialup client), the remote gateway type is static and points at the server's address, and the local ID must match the peer ID configured on the server exactly:
# config vpn ipsec phase1-interface
edit <phase1_name>
set type static
set remote-gw <server_WAN_IP>
set mode aggressive
set localid-type auto
set localid "ftnt-peer"
next
end
Note that if two dialup IPsec VPN tunnels terminate on different WAN interfaces, a peer ID is not necessary: the incoming interface alone already identifies the tunnel.
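As an added example (not part of the original article), the following shows the complete phase1 set for the scenario above when two dialup clients terminate on the same WAN interface of the server. The interface name wan1, the tunnel names, the IDs branch-a and branch-b, the server address 203.0.113.10 and the pre-shared secret placeholders are assumptions for illustration.

```text
# Dialup server (static WAN IP, assumed 203.0.113.10).
# Two dialup phase1s on the same interface; each accepts only its own peer ID,
# so each client can also be given its own pre-shared key.
config vpn ipsec phase1-interface
    edit "dialup-branch-a"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "branch-a"
        set proposal aes256-sha256
        set psksecret <secret_a>
    next
    edit "dialup-branch-b"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "branch-b"
        set proposal aes256-sha256
        set psksecret <secret_b>
    next
end

# Dialup client A (dynamic WAN IP). localid must equal the server's peerid.
config vpn ipsec phase1-interface
    edit "to-hq"
        set type static
        set interface "wan1"
        set remote-gw 203.0.113.10
        set ike-version 1
        set mode aggressive
        set localid-type auto
        set localid "branch-a"
        set proposal aes256-sha256
        set psksecret <secret_a>
    next
end

# Dialup client B: identical to client A except for the ID and secret.
config vpn ipsec phase1-interface
    edit "to-hq"
        set type static
        set interface "wan1"
        set remote-gw 203.0.113.10
        set ike-version 1
        set mode aggressive
        set localid-type auto
        set localid "branch-b"
        set proposal aes256-sha256
        set psksecret <secret_b>
    next
end
```

Phase2 selectors, static routes and firewall policies are configured for each tunnel as for any dialup VPN and are omitted here. Each server-side phase1 needs a distinct peerid; if two clients presented the same ID they would both land on the same phase1. Because the server matches on the ID before the key is used, the pre-shared key can differ per tunnel, which limits the impact of one branch's secret being exposed. After both clients connect, `diagnose vpn ike gateway list` on the server shows each established IKE gateway together with the phase1 name it was matched to, which is the quickest way to confirm that the IDs are steering connections to the intended tunnels.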
Related documents:
Fortigate as DialUp client
How to use local-ID type IP address other than the IP addresses configured in the interface for IPSe...
FortiGate sends 'local id' in FQDN type when negotiating an IPSec tunnel with Cisco
Copyright 2023 Fortinet, Inc. All Rights Reserved.