I just found out this issue:
I set up a dial-up IPsec. It is configured to do IKEv2 and only accept one specific peer id.
I then downloaded and installed latest FortiClient VPN 7 (as I just need VPN for testing this).
I configured that IPSec in my FortiClient and tried to connect. This failed.
Looking in the IKE debug log on my FGT I saw that on my connection attempt there was no peer id sent at all.
that the peer id is submitted by the FortiClient but the timing is wrong. According to the log the peer id was submitted way after it had already negotiated proposals and matched a (wrong) gateway.
In consequence the request matched a wrong gateway, and because of that the PSK auth failed.
If I reconfigure that IPsec to do IKEv1 instead, with the rest set all the same as before, and then again try to connect my FortiClient, then it connects successfully. The IKE debug log on the FGT then shows that in the connection attempt the correct peer id had been submitted and it matched the correct gateway.
So I guess that is a nasty bug in FortiClient. You can configure it to a specific peer id even in IKEv2, but it seems to never send that to the remote gateway. This is very very bad behaviour if you need to use more than one dial-up IPsec....
I also opened a ticket with TAC on this... we'll see what they say.
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
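The timing difference the post describes is built into the two protocols: IKEv1 aggressive mode carries the initiator ID in its very first message (RFC 2409), while IKEv2 only carries IDi in IKE_AUTH, after IKE_SA_INIT has already negotiated proposals (RFC 7296). The toy responder below is an added illustration of that ordering and of why it matters when several dial-up gateways share the same proposals; it is not code from the post, from FortiGate or from FortiClient. The gateway names, PSKs, proposal string and the `reselect_on_idi` switch are all constructed assumptions, and `client_id=None` stands in for a client that never sends its configured peer ID and falls back to a default identity.

```python
"""Toy model of how a dial-up IPsec responder picks among several gateways in
IKEv1 aggressive mode versus IKEv2. Illustration only; not FortiGate or
FortiClient code. Gateway definitions, PSKs and proposal names are constructed.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Gateway:
    name: str
    peer_id: Optional[str]      # None = accept any peer ID
    psk: str
    proposals: FrozenSet[str]


# Constructed sample config: a catch-all dial-up gateway and one that only
# accepts a specific peer ID. Both offer the same proposal, as is common.
GATEWAYS = [
    Gateway("dialup-any", None, "psk-A", frozenset({"aes256-sha256"})),
    Gateway("dialup-branch", "branch-office", "psk-B", frozenset({"aes256-sha256"})),
]


@dataclass
class Exchange:
    messages: List[str] = field(default_factory=list)
    gateway: Optional[str] = None
    auth_ok: bool = False


def select_by_proposal(gateways, proposals):
    """All a responder knows at IKE_SA_INIT: first gateway whose proposal set
    overlaps the initiator's (a real device may also use the source address)."""
    for gw in gateways:
        if gw.proposals & proposals:
            return gw
    return None


def select_by_peer_id(gateways, peer_id):
    """Prefer an exact peer-ID match, else a gateway that accepts any ID."""
    for gw in gateways:
        if gw.peer_id is not None and gw.peer_id == peer_id:
            return gw
    for gw in gateways:
        if gw.peer_id is None:
            return gw
    return None


def psk_auth(gw, peer_id, client_psk):
    """Toy stand-in for PSK-based AUTH: the ID must be acceptable to the
    gateway and both sides must hold the same key."""
    id_ok = gw.peer_id is None or gw.peer_id == peer_id
    return id_ok and gw.psk == client_psk


def ikev1_aggressive(gateways, client_id, client_psk, proposals):
    ex = Exchange()
    # Aggressive mode message 1 carries SA, KE, nonce and IDii together, so the
    # responder can choose the gateway by peer ID before it even replies.
    ex.messages.append(f"I->R: SA{sorted(proposals)} KE Ni IDii={client_id}")
    gw = select_by_peer_id(gateways, client_id)
    if gw is None:
        ex.messages.append("R->I: no matching gateway")
        return ex
    ex.gateway = gw.name
    ex.messages.append(f"R->I: SA KE Nr IDir HASH_R  (gateway {gw.name})")
    ex.auth_ok = psk_auth(gw, client_id, client_psk)
    ex.messages.append("I->R: HASH_I " + ("ok" if ex.auth_ok else "FAILED"))
    return ex


def ikev2(gateways, client_id, client_psk, proposals, reselect_on_idi=True):
    ex = Exchange()
    # IKE_SA_INIT carries SAi1, KEi and Ni but no identity, so the responder can
    # only match on proposals here; the gateway choice is tentative.
    ex.messages.append(f"I->R: IKE_SA_INIT SAi1{sorted(proposals)} KEi Ni")
    gw = select_by_proposal(gateways, proposals)
    if gw is None:
        ex.messages.append("R->I: NO_PROPOSAL_CHOSEN")
        return ex
    ex.messages.append(f"R->I: IKE_SA_INIT SAr1 KEr Nr  (tentative gateway {gw.name})")
    # IKE_AUTH is the first message carrying IDi. IDi is mandatory, so a client
    # that never sends its configured peer ID still sends some default identity,
    # modelled here as client_id=None, which no specific-peer gateway matches.
    ex.messages.append(f"I->R: IKE_AUTH IDi={client_id} AUTH SAi2 TSi TSr")
    if reselect_on_idi:               # assumption: responder re-selects on IDi
        better = select_by_peer_id(gateways, client_id)
        if better is not None:
            gw = better
    ex.gateway = gw.name
    ex.auth_ok = psk_auth(gw, client_id, client_psk)
    reply = "IDr AUTH SAr2 TSi TSr" if ex.auth_ok else "AUTHENTICATION_FAILED"
    ex.messages.append(f"R->I: IKE_AUTH {reply}  (gateway {gw.name})")
    return ex


if __name__ == "__main__":
    prop = {"aes256-sha256"}
    for label, ex in [
        ("IKEv1 aggressive, peer id sent", ikev1_aggressive(GATEWAYS, "branch-office", "psk-B", prop)),
        ("IKEv2, peer id sent in IKE_AUTH", ikev2(GATEWAYS, "branch-office", "psk-B", prop)),
        ("IKEv2, peer id never sent", ikev2(GATEWAYS, None, "psk-B", prop)),
    ]:
        print(label, "->", ex.gateway, "auth_ok =", ex.auth_ok)
        for m in ex.messages:
            print("   ", m)
```

Running the block shows the three cases side by side: aggressive mode lands on `dialup-branch` straight away; IKEv2 also lands there, but only because the responder re-selects once IDi arrives in IKE_AUTH; and an IKEv2 client that never sends its configured peer ID can only ever match the catch-all gateway, whose PSK differs, so authentication fails, which is the symptom the post describes.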