Created on 04-19-2016 03:36 AM
Edited on 09-20-2023 11:26 AM
By Kush_Patel
Description
This article explains how to use PeerID and LocalID in FortiGate to handle multiple dial-up IPsec VPNs configured on the same WAN interface.
Scope
FortiGate.
Solution
When two or more dial-up IPsec VPN tunnels are configured on the same unit and terminate on the same WAN connection, the peer ID is what the FortiGate uses to decide which phase1 an incoming connection belongs to. If no peer ID is defined, every incoming connection is matched to the first (default) dial-up tunnel. Aggressive mode must also be set under the phase1 settings: in aggressive mode the initiator sends its ID in the first exchange, so the responder can select the tunnel before the pre-shared key is needed.
The local ID is an extra piece of data sent during phase 1 negotiation; the remote side can be configured to require a specific ID before it permits the connection.
This article walks through an example use case with the following configuration:
On the FortiGate acting as IPsec dial-up server:
config vpn ipsec phase1-interface
    edit <phase1_name>
        set type dynamic
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "ftnt-peer"
end
On the FortiGate acting as IPsec dial-up client:
config vpn ipsec phase1-interface
    edit <phase1_name>
        set type static
        set ike-version 1
        set mode aggressive
        set localid-type auto
        set localid "ftnt-peer"
end
Note that if two dial-up IPsec VPN tunnels are configured on different WAN connections, the peer ID is not needed: the interface each tunnel is bound to already tells them apart.
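The following is an added, expanded example (not part of the original article) that carries the same idea through to the multi-tunnel case the article is about: two dial-up phase1s on the hub, both bound to wan1, each accepting only its own peer ID, and the matching phase1 on each spoke. Tunnel names, the interface name wan1, the peer IDs, the proposal/DH group and the PSK and gateway placeholders are all assumptions; phase2 selectors, firewall policies and routing are assumed to be configured separately.

```fortios
# Hub (dial-up server): two dynamic phase1s on the same WAN interface.
# Each one is pinned to a single peer ID with "set peertype one", so an
# aggressive-mode initiator is matched by the ID it sends, not by the
# order the tunnels were created in. Without peerid, both initiators
# would land on the first tunnel ("dialup-siteA").
config vpn ipsec phase1-interface
    edit "dialup-siteA"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "ftnt-peer-siteA"
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <PSK_SITE_A_PLACEHOLDER>
    next
    edit "dialup-siteB"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "ftnt-peer-siteB"
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <PSK_SITE_B_PLACEHOLDER>
    next
end

# Spoke A (dial-up client): the localid must equal the hub's peerid for
# this site, and the proposal/DH group/PSK must match the hub's phase1.
config vpn ipsec phase1-interface
    edit "to-hub"
        set type static
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set remote-gw <HUB_PUBLIC_IP_PLACEHOLDER>
        set localid-type auto
        set localid "ftnt-peer-siteA"
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <PSK_SITE_A_PLACEHOLDER>
    next
end

# Spoke B is identical except for the localid and its own PSK:
#     set localid "ftnt-peer-siteB"
#     set psksecret <PSK_SITE_B_PLACEHOLDER>
```

Using a distinct PSK per tunnel, as above, is what the per-peer-ID split buys you in practice: because the hub picks the phase1 from the ID before the pre-shared key is used, each spoke can be given its own secret instead of all dial-up peers sharing one. A quick check after bringing a spoke up is `diagnose vpn ike gateway list` on the hub, where the gateway entry should show the spoke under the intended tunnel name rather than under the first dial-up phase1.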
Related articles:
Fortigate as DialUp client.
How to use local-ID type IP address other than the IP addresses configured in the interface for IPSe....
FortiGate sends 'local id' in FQDN type when negotiating an IPSec tunnel with Cisco.
Copyright 2023 Fortinet, Inc. All Rights Reserved.