FortiGate
alif
Staff
Article Id 196761


Description

 

This article explains how to use the peer ID and local ID in FortiGate to handle multiple dialup IPsec VPNs configured on the same WAN interface.

 

Scope

 

FortiGate.


Solution

 

When two or more dialup IPsec VPN phase1s are configured on the same FortiGate and bound to the same WAN interface, the peer ID is what the FortiGate uses to decide which phase1 an incoming connection belongs to. If no peer ID is defined, every incoming dialup connection is matched to the first dialup phase1 on that interface, regardless of which remote site it comes from. Aggressive mode must also be set under the phase1 settings on both sides: in IKEv1 main mode the identity payloads are only exchanged after the session is already encrypted, so the responder cannot use the peer's ID to pick the phase1 (and its pre-shared key) when the first packet arrives, whereas aggressive mode carries the ID in the first message. Note the trade-off: aggressive mode sends the initiator identity in clear and the responder's hash in the unencrypted second message, which exposes the pre-shared key to offline dictionary attacks, so use a long random PSK (or certificates); IKEv2 selects a phase1 by peer ID without needing aggressive mode.

 

This article will explore an example use case, featuring:

- A dialup IPsec VPN between two FortiGates, where one FortiGate is acting as dialup server and the other as dialup client.

- Several dialup IPsec VPNs already configured on the same FortiGate.

 

On the FortiGate with a static IP on the WAN interface (the dialup server), the phase1 is a dialup phase1 (type dynamic, since the remote gateway's address is not known in advance) that accepts the connection only from a peer presenting the configured ID:

 

# config vpn ipsec phase1-interface
    edit <phase1_name>
        set type dynamic
        set interface <wan_interface>
        set mode aggressive
        set peertype one
        set peerid "ftnt-peer"
    next
end

 

On the FortiGate with a dynamic IP on the WAN interface (the dialup client), the phase1 points at the server's static address (type static) and sends the matching value as its local ID; both sides must also share the same pre-shared key and phase1 proposals:

 

# config vpn ipsec phase1-interface
    edit <phase1_name>
        set type static
        set interface <wan_interface>
        set remote-gw <server_static_ip>
        set mode aggressive
        set localid-type auto
        set localid "ftnt-peer"
    next
end

 

Note that if two dialup IPsec VPN tunnels are configured on different WAN interfaces, a peer ID is not necessary: the interface the connection arrives on already identifies the phase1.
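The check a practitioner would want before relying on this is to audit the running configuration for dialup phase1s that share an interface without the settings above. The following Python script is an added example (not Fortinet code): it parses the FortiOS block syntax of a `config vpn ipsec phase1-interface` dump and reports dialup phase1s that share an interface but are missing aggressive mode or a unique peer ID. The sample configuration is constructed for the example; it assumes `set type dynamic` marks a dialup-server phase1 and that the FortiOS defaults are `mode main` and `peertype any`.

```python
"""Audit a FortiOS config dump for dialup IPsec phase1s that share a WAN
interface without a distinguishing peer ID (example code, not FortiOS)."""
from collections import defaultdict


def parse_phase1(config_text):
    """Parse 'config vpn ipsec phase1-interface' into {name: {option: value}}.

    Handles the FortiOS block syntax: config / edit / set / next / end.
    A bare 'end' inside an 'edit' (as in KB snippets) closes both levels.
    """
    entries = {}
    in_section = False
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):              # CLI prompt or comment prefix
            line = line.lstrip("#").strip()
        if not line:
            continue
        if line == "config vpn ipsec phase1-interface":
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("edit "):
            name = line[5:].strip().strip('"')
            current = entries.setdefault(name, {})
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip().strip('"')
        elif line == "next":
            current = None
        elif line == "end":
            in_section = False
            current = None
    return entries


def audit_dialup(entries):
    """Return findings for dialup phase1s (type dynamic) grouped per interface."""
    by_iface = defaultdict(list)
    for name, opts in entries.items():
        if opts.get("type") == "dynamic":
            by_iface[opts.get("interface", "<unset>")].append((name, opts))

    findings = []
    for iface, tunnels in sorted(by_iface.items()):
        if len(tunnels) < 2:
            continue                          # a lone dialup phase1 needs no peer ID
        seen = {}                             # peerid -> phase1 name
        for name, opts in tunnels:
            # Assumed FortiOS defaults: mode main, peertype any
            if opts.get("mode", "main") != "aggressive":
                findings.append(f"{name}: shares {iface} with other dialup "
                                f"tunnels but is not 'set mode aggressive'")
            if opts.get("peertype", "any") != "one" or not opts.get("peerid"):
                findings.append(f"{name}: no 'set peertype one' + 'set peerid' on "
                                f"shared interface {iface}; dialup peers will match "
                                f"the first dialup phase1")
                continue
            peerid = opts["peerid"]
            if peerid in seen:
                findings.append(f"{name}: peerid '{peerid}' duplicates "
                                f"{seen[peerid]} on {iface}")
            seen[peerid] = name
    return findings


def audit_config(config_text):
    """Convenience wrapper: parse a config dump and audit it in one call."""
    return audit_dialup(parse_phase1(config_text))


# Constructed sample: two dialup phase1s on wan1, one correctly keyed by peer ID,
# one without; a lone dialup phase1 on wan2; and a client-side static phase1.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "dialup-branchA"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype one
        set peerid "ftnt-peer"
        set psksecret ENC redacted
    next
    edit "dialup-branchB"
        set type dynamic
        set interface "wan1"
        set psksecret ENC redacted
    next
    edit "dialup-guest"
        set type dynamic
        set interface "wan2"
    next
    edit "to-hq"
        set type static
        set interface "wan1"
        set remote-gw 203.0.113.10
        set localid "ftnt-peer"
    next
end
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run against a `show vpn ipsec phase1-interface` dump, the script reports `dialup-branchB` twice (main mode, and no peer ID), says nothing about the lone dialup phase1 on wan2, and ignores the static client phase1. Duplicate peer IDs on one interface are flagged as well, since two dialup phase1s with the same ID are indistinguishable for the same reason as two with none.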

Related documents:
Fortigate as DialUp client 
How to use local-ID type IP address other than the IP addresses configured in the interface for IPSe...
FortiGate sends 'local id' in FQDN type when negotiating an IPSec tunnel with Cisco