- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Site2Site IPSec no remote ID Option
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Site2Site IPSec no remote ID Option
Hi
Why does fortigate doesn't have a Peer-ID option in the IPSec Site2Site Phase 1 Configuration? This is a normal option which doesn't have to be same value as the Remote IP.
Every other firewall which I used before was able to configure this value
- Cisco
- Sophos SG/XG - Sonicwall
- pfSense
- vmware Edge
- Zyxel
We need this option because on the other site we have to connect multiple fortigates to the same firewall (not a fortigate). Which normally could be identified seperately with the remote-id option. If this option is not available we have to use the wildcard * in that field.
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To my knowledge it will effectively rely on IPs as it's ID in ike2/ike1 main mode, local-ID is configurable while remote is not in ike2/ike1 main. Which I've never seen be a problem personally unless we are getting into double NAT scenarios.
Personally, I don't really see the problem as I never use ID's for site to site unless it's a weird NATing scenario, but if you absolutely need to identify remote peer ID's you could make it an ike1 aggressive tunnel.
Though, from your description it sounds like you more want to specify the remote-id on the other end, which you can do and enter the local-id on the fortigate side(though again, I don't really see a need for)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@brycemd
Yes but why is every vendor handling this different and fortigate has not the option for that?
you're right normally you use the IP as ID but we had some special HA VPN Configuration which we had to use a string as a ID. IKEv1 is not an option because it's not state of the art anymore.
Our Problem:
Forti Site 1: IP 2.2.2.2, Local subnet 10.2.0.0/24 Forti Site 2: IP 3.3.3.3, Local subnet 10.3.0.0/24
The other sites which connects both Sites on a NSX Edge needs the remote ID.
Config 1: Remote ID *, Remote IP 2.2.2.2, Remote net 10.2.0.0/24
Config 1: Remote ID *, Remote IP 3.3.3.3, Remote net 10.3.0.0/24
But you cannot use * as a remote id twice because it has to be unique. So I cannot setup two tunnels to 2 Fortigates because they don't support the remote ID.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think, since I didn't have to do this before, in case the FGT is a remote side while the other side (another vendor's equipment) is HUB side, you can use "Custom" instead of site-to-site, or use CLI, to set aggressive mode so that you can specify peerid. I might have done this long time ago (more than 10yrs) but it was not interface mode at that time and command line must be quite different now.
I would open a ticket at TAC to get help. Bottom line is it's doable, I think.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But isn't that remote-id from the other end's perspective? Specify the local-id on the fortigate to match? remote-id does not match with remote-id
Fortigate | NSX
Local ID - Match with other side remote | Remote ID - match with other side local
Remote ID - accepts any | Local ID - whatever you want
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can specify peer-id for ipsec ikev2 in Fortigate if you set-up your "Remote gateway" as Dialup User
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
if the device is dynamic peer-id can be used. To the original-poster if you use rsa signature you can defined peer-id by CN . That could be an alternative and a viable solution for you. Yes I agree , you should be-able to use local/remote IDs regardless and like almost every other vendor, forcepoint,junos,strongswan,palo,etc.......
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Related Posts
- Fortclient VPN Client Linux - IPSEC... 267 Views
- Fortigate with Mikrotik Site to site... 362 Views
- SSLVPN SSO - access denied and... 506 Views
- Branch site internet over ipsec vpn... 205 Views
- Configure fortilink for fortiswitch over wifi... 577 Views
Labels
-
FortiGate
6,423 -
FortiClient
1,280 -
5.2
801 -
5.4
639 -
FortiManager
558 -
6.0
416 -
FortiAnalyzer
408 -
5.6
362 -
FortiSwitch
330 -
FortiAP
322 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
102 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
81 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
IPsec
62 -
Wireless Controller
56 -
SSL-VPN
52 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
17 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
Interface
10 -
VDOM
10 -
FortiWeb v5.0
9 -
BGP
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
Traffic shaping
8 -
Virtual IP
8 -
RADIUS
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
NAT
6 -
IP address management - IPAM
6 -
SSID
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiAuthenticator
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
Security profile
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
Web application firewall profile
3 -
FortiToken Cloud
3 -
Automation
3 -
DoS policy
3 -
FortiTester
3 -
OSPF
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
Intrusion prevention
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.