Description
This article explains how to use PeerID and LocalID in FortiGate to handle multiple dial-up IPsec VPNs configured on the same WAN interface.
Scope
FortiGate.
Solution
When two or more dial-up IPsec VPN tunnels are configured on the same unit and bound to the same WAN interface, the peer ID is what decides which tunnel an incoming connection lands on. If no peer ID is defined, all connections go to the first (default) dial-up tunnel. Aggressive mode must also be selected in the phase1 settings, because in IKEv1 aggressive mode the ID is carried in the first message, which lets the responder pick the matching phase1 before authentication.
Local ID is an extra piece of data delivered during phase 1 negotiation; the remote side can be configured to accept the connection only when a specific ID is presented.
This article walks through an example use case with the following configuration:
On the FortiGate acting as an IPsec dial-up server:
config vpn ipsec phase1-interface
    edit <phase1_name>
        set type dynamic
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "ftnt-peer"
    next
end
On the FortiGate acting as an IPsec dial-up Client:
config vpn ipsec phase1-interface
    edit <phase1_name>
        set type static
        set ike-version 1
        set mode aggressive
        set localid-type auto
        set localid "ftnt-peer"
    next
end
Note that if two dial-up IPsec VPN tunnels are configured on different WAN interfaces, a peer ID is not required, since the incoming interface already distinguishes them.
To check the peer ID on the dial-up server from the FortiGate Dashboard, follow the procedure below:
Navigate to Network -> IPsec widget.
When FortiClient is the dial-up client, enter the server's peer ID as the Local ID in the Phase 1 settings of the FortiClient tunnel.
To set it, open FortiClient -> edit the IPsec VPN tunnel (or create a new one) -> select Advanced Settings -> select Phase 1 under VPN Settings -> enter the Local ID.
Additionally, the peer ID can be checked by running the IKE debug with the following commands:
diagnose debug application ike -1
diagnose debug enable
ike 0:a33fff6f57e6a96d/0000000000000000:18: responder: aggressive mode get 1st message...
ike 0:a33fff6f57e6a96d/0000000000000000:18: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:a33fff6f57e6a96d/0000000000000000:18: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:a33fff6f57e6a96d/0000000000000000:18: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
ike 0:a33fff6f57e6a96d/0000000000000000:18: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:a33fff6f57e6a96d/0000000000000000:18: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
ike 0:a33fff6f57e6a96d/0000000000000000:18: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:a33fff6f57e6a96d/0000000000000000:18: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:a33fff6f57e6a96d/0000000000000000:18: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:a33fff6f57e6a96d/0000000000000000:18: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:a33fff6f57e6a96d/0000000000000000:18: VID FORTIGATE 8299031757A36082C6A621DE00000000
ike 0::18: received peer identifier FQDN 'ftnt-peer'
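As an added example (not part of this article and not Fortinet code), the Python script below pulls the received peer identifier out of IKE debug output like that shown above and maps it onto a list of dial-up phase1 entries using a simplified model of the selection rule the article describes (peer ID match first, otherwise the first tunnel that accepts any peer). The phase1 names, the 'unknown-site' line and the selection model itself are constructed assumptions.

```python
import re

# Constructed sample: three dynamic (dial-up) phase1 entries on one WAN interface,
# in CLI order. The first has no peerid and so acts as the default landing tunnel.
PHASE1_SERVER = [
    {"name": "dialup-default", "type": "dynamic", "peertype": "any", "peerid": None},
    {"name": "dialup-ftnt", "type": "dynamic", "peertype": "one", "peerid": "ftnt-peer"},
    {"name": "dialup-branch", "type": "dynamic", "peertype": "one", "peerid": "branch-peer"},
]

# Constructed lines modelled on 'diagnose debug application ike -1' output.
IKE_DEBUG = """\
ike 0:a33fff6f57e6a96d/0000000000000000:18: responder: aggressive mode get 1st message...
ike 0:a33fff6f57e6a96d/0000000000000000:18: VID FORTIGATE 8299031757A36082C6A621DE00000000
ike 0::18: received peer identifier FQDN 'ftnt-peer'
ike 0::19: received peer identifier FQDN 'unknown-site'
"""

PEER_ID_RE = re.compile(r"received peer identifier (\w+) '([^']*)'")


def parse_peer_ids(debug_text):
    """Return [(id_type, id_value)] for every 'received peer identifier' line."""
    ids = []
    for line in debug_text.splitlines():
        m = PEER_ID_RE.search(line)
        if m:
            ids.append((m.group(1), m.group(2)))
    return ids


def select_phase1(peer_id, phase1_list):
    """Simplified model (assumption) of how a dial-up responder picks a phase1:
    a dynamic phase1 with peertype 'one' and a matching peerid wins; otherwise
    the first dynamic phase1 with peertype 'any' is the default tunnel; if
    neither exists the ID is unmatched and the negotiation has nowhere to land."""
    for p in phase1_list:
        if p["type"] == "dynamic" and p["peertype"] == "one" and p["peerid"] == peer_id:
            return p["name"]
    for p in phase1_list:
        if p["type"] == "dynamic" and p["peertype"] == "any":
            return p["name"]
    return None


def map_connections(debug_text, phase1_list):
    """Map each peer ID seen in the debug output to the phase1 it would select."""
    return {value: select_phase1(value, phase1_list) for _, value in parse_peer_ids(debug_text)}
```

Running map_connections(IKE_DEBUG, PHASE1_SERVER) shows 'ftnt-peer' landing on dialup-ftnt and the unknown ID falling through to dialup-default, which is exactly the silent misrouting a missing peer ID causes.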
Related articles:
How to use local-ID type IP address other than the IP addresses configured in the interface for IPSe....
FortiGate sends 'local id' in FQDN type when negotiating an IPSec tunnel with Cisco
FortiGate Hub with multiple IPSec Dial-up phase1 using IKEv2 and PSK authentication
Copyright 2024 Fortinet, Inc. All Rights Reserved.