FortiGate
alif
Staff
Article Id 196761


Description
This article explains how to use PeerID and LocalID in FortiGate to handle multiple dial-up IPsec VPNs configured on the same WAN interface.
Scope
FortiGate.


Solution
When two or more dial-up IPsec VPN tunnels are configured on the same unit using the same WAN connection, the Peer ID determines which tunnel an incoming connection is matched to. If no Peer ID is defined, all connections go to the first default tunnel. Aggressive mode must also be used in the phase1 settings.

Local ID is an extra piece of data sent during phase 1 negotiation; the remote side can be configured to require a specific ID before permitting the connection.
This article will explore an example use case, featuring:

  • A dial-up IPsec VPN between two FortiGates, where one FortiGate is acting as dial-up server and the other as dial-up client.
  • Several dial-up IPsec VPNs already configured on the same FortiGate.
On the FortiGate acting as IPsec dial-up server:

config vpn ipsec phase1-interface
    edit <phase1_name>
        set type dynamic
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "ftnt-peer"
    end

[Screenshot: remoteid.PNG]


On the FortiGate acting as IPsec dial-up client:

config vpn ipsec phase1-interface
    edit <phase1_name>
        set type static
        set ike-version 1
        set mode aggressive
        set localid-type auto
        set localid "ftnt-peer"
    end

[Screenshot: localid.PNG]


Note that if two dial-up IPsec VPN tunnels are configured and each uses a different WAN connection, it is not necessary to use a Peer ID.
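As an added illustration (not Fortinet code), the following Python models the selection rule described above: a dial-up client's Local ID is compared with each dial-up tunnel's Peer ID, and anything unmatched lands on the first default tunnel. The tunnel names and the values in TUNNELS are constructed; the second helper flags configurations that defeat the matching, such as a peertype one tunnel left in main mode.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Phase1:
    """One 'config vpn ipsec phase1-interface' entry (constructed model)."""
    name: str
    type: str         # "dynamic" = dial-up server, "static" = fixed remote gateway
    mode: str         # "main" or "aggressive"
    peertype: str     # "any" = default tunnel, "one" = accept a single Peer ID
    peerid: str = ""  # Peer ID expected when peertype is "one"

def select_tunnel(tunnels: list, mode: str, local_id: Optional[str]) -> Optional[str]:
    """Name of the phase1 a dial-up client lands on, or None when rejected.
    A peertype "one" tunnel matches only on an equal Local ID; anything else
    falls through to the first dial-up tunnel accepting any peer (the
    article's 'first default tunnel')."""
    dialup = [t for t in tunnels if t.type == "dynamic"]
    # IKEv1 main mode sends the ID encrypted (messages 5/6), so only aggressive mode exposes it up front.
    client_id = local_id if mode == "aggressive" else None
    if client_id is not None:
        for t in dialup:
            if t.peertype == "one" and t.mode == "aggressive" and t.peerid == client_id:
                return t.name
    for t in dialup:
        if t.peertype == "any":
            return t.name
    return None

def config_warnings(tunnels: list) -> list:
    """Flag phase1 settings that defeat Peer ID based tunnel selection."""
    dialup = [t for t in tunnels if t.type == "dynamic"]
    warnings = []
    for t in dialup:
        if t.peertype == "one" and not t.peerid:
            warnings.append(f"{t.name}: peertype one but no peerid set")
        if t.peertype == "one" and t.mode != "aggressive":
            warnings.append(f"{t.name}: peerid matching needs aggressive mode")
    defaults = [t.name for t in dialup if t.peertype == "any"]
    if len(defaults) > 1:
        warnings.append(f"never selected (a default tunnel precedes them): {', '.join(defaults[1:])}")
    return warnings

# Constructed configuration: two dial-up tunnels sharing one WAN interface.
TUNNELS = [
    Phase1("dialup-default", "dynamic", "aggressive", "any"),
    Phase1("dialup-branch", "dynamic", "aggressive", "one", "ftnt-peer"),
    Phase1("site-to-site", "static", "main", "any"),
]
```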

Related articles:
FortiGate as DialUp client.
How to use local-ID type IP address other than the IP addresses configured in the interface for IPSe....
FortiGate sends 'local id' in FQDN type when negotiating an IPSec tunnel with Cisco.