Created on 03-20-2025 11:01 PM
Edited on 09-16-2025 04:10 AM
By Debbie_FTNT
Description: This article explains that an IPv4 address is not supported as the Peer ID for IPsec VPN tunnels, and how to work around it.
Scope: FortiGate v7.2, v7.4, v7.6.
Solution:
In the following example, a site-to-site dialup tunnel is configured with a Peer ID because there are multiple dialup tunnels on the same FortiGate. The tunnel does not come up: the IPv4 address configured as the Peer ID causes the IKE negotiation to fail.
All other settings are correct and in place. Remote tunnel settings:
config vpn ipsec phase1-interface
    edit "bgpfun"
        set interface "port3"
        set mode aggressive
        set peertype any
        set net-device disable
        set proposal aes128-sha1 aes256-sha1
        set localid "192.168.194.99"
        set localid-type address
        set remote-gw 192.168.194.99
        set psksecret xxxxx
    next
end
Local tunnel settings:
config vpn ipsec phase1-interface
IKE debug output (snippet):
2025-03-05 16:34:46.059299 ike 0:bgpfun:2783: peer is FortiGate/FortiOS (v0 b0)
2025-03-05 16:34:46.059703 ike 0:bgpfun:2783: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
2025-03-05 16:34:46.060180 ike 0:bgpfun:2783: VID FRAGMENTATION 0
2025-03-05 16:34:46.060704 ike 0:bgpfun:2783: peer identifier IPV4_ADDR 192.168.194.99
2025-03-05 16:34:46.061145 ike 0:bgpfun:2783: error, received 'c' expected '192.168.194.99'
0::2784: peer identifier IPV4_ADDR 12.168.194.99
2025-03-05 16:34:49.009670 ike 0:bgpfun: ignoring IKE request, incorrect ID.
2025-03-05 16:34:46.010366 ike 0::2782: peer identifier IPV4_ADDR 192.168.194.99
The debug shows the IKE request being rejected with 'ignoring IKE request, incorrect ID': the peer presents an IPV4_ADDR identifier, but the FortiGate cannot match it against the configured Peer ID, because an IPv4 address is not supported as the Peer ID (known issue 1109028).
The fix is to use a text string, rather than an IPv4 address, as the Peer ID on the local FortiGate and as the Local ID on the remote peer. Remote tunnel settings:
config vpn ipsec phase1-interface
    edit "bgpfun"
        set interface "port3"
        set mode aggressive
        set peertype any
        set net-device disable
        set proposal aes128-sha1 aes256-sha1
        set localid "bgpfun"
        set remote-gw 192.168.194.99
        set psksecret xxxxx
    next
end
The local tunnel settings:
config vpn ipsec phase1-interface
    edit "bgpfun"
        set interface "port3"
        set mode aggressive
        set peertype one
        set net-device disable
        set proposal aes128-sha1 aes256-sha1
        set remote-gw 192.168.194.50
        set peerid "bgpfun"
        set psksecret xxxxx
    next
end
With the Local ID and Peer ID set to the same text string, the tunnel comes up.
Support for an IPv4 address as the Peer ID was added in v7.6.3 and will not be back-ported to earlier versions. If upgrading to v7.6.3 is not possible, configure the remote peer to send an FQDN or KEYID ID type (or a text string, as shown above) instead of an IPv4 address.
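The same check as a script, added here as an example (this is not Fortinet code): it parses phase1-interface stanzas in the text form shown above, flags an IPv4 literal used as peerid or localid (or `set localid-type address`) when the FortiOS version is below 7.6.3, and reports a mismatch between the server's peerid and the client's localid. The server-side stanza with an IPv4 peerid is constructed for the example, since the article does not show it; the 7.6.3 threshold and the known-issue number are taken from the article.

```python
"""Lint FortiOS phase1-interface stanzas for unsupported IPv4-literal Peer IDs.

Added example, not Fortinet code. The sample stanzas below are constructed
for this example; the v7.6.3 threshold comes from the article.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

IPV4_PEERID_MIN_VERSION = (7, 6, 3)  # first release supporting IPv4 Peer ID (per article)


def parse_phase1(text: str) -> Dict[str, Dict[str, str]]:
    """Return {tunnel_name: {setting: value}} for each `edit ... next` stanza."""
    tunnels: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            tunnels[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r"^set\s+(\S+)\s+(.+)$", line)
        if m and current is not None:
            # Strip straight or curly quotes (curly ones appear in pasted configs).
            tunnels[current][m.group(1)] = m.group(2).strip().strip('"\u201c\u201d')
    return tunnels


def is_ipv4_literal(value: str) -> bool:
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def parse_version(v: str) -> Tuple[int, ...]:
    """'v7.4.5' -> (7, 4, 5); 'v7.6' -> (7, 6), which sorts below (7, 6, 3)."""
    return tuple(int(p) for p in v.lstrip("v").split("."))


def lint(server_cfg: str, client_cfg: str, fortios_version: str) -> List[str]:
    """Findings for a dialup server (peerid) / client (localid) pair; [] means OK."""
    findings: List[str] = []
    old = parse_version(fortios_version) < IPV4_PEERID_MIN_VERSION
    server, client = parse_phase1(server_cfg), parse_phase1(client_cfg)
    for name, s in server.items():
        peerid = s.get("peerid")
        if s.get("peertype") == "one" and not peerid:
            findings.append(f"{name}: peertype one but no peerid configured")
        if peerid and old and is_ipv4_literal(peerid):
            findings.append(f"{name}: peerid {peerid!r} is an IPv4 address; "
                            "unsupported before v7.6.3 (known issue 1109028)")
        c = client.get(name)
        if c is None or not peerid:
            continue
        localid = c.get("localid")
        if old and (c.get("localid-type") == "address" or (localid and is_ipv4_literal(localid))):
            findings.append(f"{name}: client sends an IPv4-address ID; use a text string, FQDN or KEYID")
        if localid != peerid:
            findings.append(f"{name}: ID mismatch, server expects {peerid!r} but client sends {localid!r}")
    return findings


# Constructed sample stanzas (the article's layout; the IPv4 server stanza is assumed).
SERVER_IPV4 = """config vpn ipsec phase1-interface
    edit "bgpfun"
        set peertype one
        set remote-gw 192.168.194.50
        set peerid "192.168.194.99"
    next
end"""
CLIENT_IPV4 = """config vpn ipsec phase1-interface
    edit "bgpfun"
        set peertype any
        set localid "192.168.194.99"
        set localid-type address
        set remote-gw 192.168.194.99
    next
end"""
SERVER_STRING = SERVER_IPV4.replace('set peerid "192.168.194.99"', 'set peerid "bgpfun"')
CLIENT_STRING = CLIENT_IPV4.replace('set localid "192.168.194.99"', 'set localid "bgpfun"') \
                           .replace("        set localid-type address\n", "")

if __name__ == "__main__":
    for label, args in [("ipv4 on v7.4.5", (SERVER_IPV4, CLIENT_IPV4, "v7.4.5")),
                        ("string on v7.4.5", (SERVER_STRING, CLIENT_STRING, "v7.4.5")),
                        ("ipv4 on v7.6.3", (SERVER_IPV4, CLIENT_IPV4, "v7.6.3"))]:
        print(label, "->", lint(*args) or "OK")
```

Run it before pushing a dialup configuration: any finding mentioning known issue 1109028 means the tunnel will fail with 'ignoring IKE request, incorrect ID' on releases before v7.6.3, and an ID-mismatch finding means the two sides will never agree on the identifier regardless of version.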
Copyright 2025 Fortinet, Inc. All Rights Reserved.