Hello,
I'm currently configuring a second client IPsec VPN. The new one uses IKEv2, on the same WAN interface/IP address. I saw help pages about the PeerID and LocalID, but my attempts haven't worked. I get a phase 1 error. I put a PeerID on the Authentication frame, and I entered it as the LocalID in the FortiClient configuration, as I understand it. Is that okay? What about the LocalID on the FortiGate?
Is this configuration a problem ?
We worked on this problem with a colleague. We had to modify the configuration in the CLI and add two "set eap" lines. At this time we don't use the PeerID/LocalID.
Which phase1 error do you have?
You can use debug command to see more details.
diagnose vpn ike log-filter YOUR-FILTER
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable
If I'm not wrong you don't need to configure Local ID on FGT, since it is not for FortiClient but for FGT to FGT tunnel.
I'm assuming the error you are getting is "gw validation failed" in IKE debugging.
When you use IKEv2 for remote access/dialup, you need to add a few commands in CLI to enable EAP as in the KB.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-fix-gw-validation-failed-error-IPse...
Local ID on the FGT side can be configured under the phase 1 proposal section. However, since the FortiClient (7.4.x) side cannot configure a Peer ID, there is no use for the FGT side's Local ID as long as you use FortiClient.
Also, with FGT/FortiClient, those peer ID/local ID are just a string. It doesn't have to be an IP address.
Toshi
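To make the two pieces of advice in this thread concrete (a distinct "Specific Peer ID" per dialup tunnel, and EAP enabled on the IKEv2 tunnel as the KB describes), here is an added FortiOS CLI example. It is not from any post in this thread and not Fortinet-supplied configuration: the tunnel names, interface, user group, pool and the peer ID string are placeholders, and the exact log-filter syntax varies by FortiOS version, so confirm it with the question mark as suggested below.

```fortios
# Added example, not from the original thread. Two FortiClient dialup tunnels
# on the same WAN interface. Names and values are placeholders.
config vpn ipsec phase1-interface
    edit "FCT-IKEv1"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        # Peer ID for IKEv1 PSK dialup requires aggressive mode.
        set mode aggressive
        # Only accept this exact ID; FortiClient must send it as its Local ID.
        set peertype one
        set peerid "fct-v1"
        set xauthtype auto
        set authusrgrp "vpn-users"
        set proposal aes256-sha256
        set dpd on-idle
        set psksecret "<shared-secret>"
    next
    edit "FCT-IKEv2"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        # The two lines that fix "gw validation failed" for IKEv2 remote access:
        set eap enable
        set eap-identity send-request
        set authusrgrp "vpn-users"
        set proposal aes256-sha256
        set dpd on-idle
        set psksecret "<shared-secret>"
    next
end

# Debug sequence from the thread. The filter keyword differs by release:
#   FortiOS 6.x/7.0/7.2:  diagnose vpn ike log-filter dst-addr4 <client-ip>
#   FortiOS 7.4+:         diagnose vpn ike log filter rem-addr4 <client-ip>
# Type "diagnose vpn ike log?" on your unit to see which form it accepts.
diagnose vpn ike log-filter dst-addr4 203.0.113.10
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable
# ... reproduce the connection attempt, then stop:
diagnose debug disable
diagnose debug reset
```

The IKEv1 tunnel is pinned to one peer ID so that a client presenting a different (or no) Local ID is rejected by that tunnel rather than silently matched, which is the point made later in the thread about running several dialup tunnels on one interface. The client address in the filter is a constructed example.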
Hi @EricS ,
I assume that the first screenshot is for FCT and the second one is for FortiGate IPSec VPN.
The FCT is using IKE v2 and FGT is using IKE v1. They do not match.
The following is from my FCT 7.2:
I can confirm that this is the same for FCT 7.4.
If you are using EMS, the following screenshot is from EMS:
@EricS , so I am not sure why there is no Local ID field in either of your screenshots which makes me confused about which one is for FCT.
@Toshi_Esumi @AEK The actual error in client is No response from the peer, phase1 retransmit reaches maximum count. In VPN FG log, the error is "progress IPsec phase 1" during SA_INIT.
@dingjerry_FTNT The screenshots concern two different IPsec VPNs for FortiClient. The second one is for information.
Can you share the full debug log from FG side? With filter please, you can filter by client IP.
diagnose vpn ike log-filter YOUR-FILTER
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable
Hi @EricS ,
Thanks for the information.
Suggestions:
1) Please provide screenshots of your FCT configurations, similar to those I provided. I suspect that your FCT did not configure the correct settings matching the second tunnel.
2) For the second IPSec VPN tunnel, it's better also to enable the "Specific Peer ID" and assign a different Peer ID there.
3) If everything is good, please use the debug commands provided by @AEK to collect some outputs.
NOTE:
The "ike log-filter" command may be different since you did not tell us what your FortiOS version is. You have to use the question mark to find the correct syntax of the command.
Basically, peer IDs are used for identification.
You could (as I see you did in your screenshots) limit one side to accept only a specific ID. Then the other side of the tunnel must have exactly this ID as its local ID. Otherwise the connection will be refused.
This is also very handy if you happen to have multiple IPsecs on one interface.
If you get a "no response from peer", you should check the IKE log on the other end to see what happened.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Copyright 2025 Fortinet, Inc. All Rights Reserved.