Support Forum
jm-barreto
New Contributor III

Site to Site Ipsec vpn peer id

Greetings

I am new to Fortigate and have a lab to connect two sites using IPsec VPN. I have used Sonicwall before and am trying to learn what this type of setup would look like in Fortigate.

So far, I have been able to configure it using the guides and the cookbook with no problems. But with Sonicwall, I could do the VPN tunnel using the Firewall identifier (user-defined name) instead of the wan IP. I saw that FortiGate uses the peer id, but I have to specify the remote wan IP.

This feature in Sonicwall solved the problem of knowing the IP of the remote site since I transported my clients from their remote site to their main site. Still, the internet service belongs to the client, and I often do not have access to know their wan IP to be able to establish the VPN tunnel.

And I'd like to see if there is something similar in Fortigate to perform that type of configuration.

JBC
1 Solution
gfleming
Staff

Peer ID is useful in situations where you have multiple VPN tunnels coming from the same source IP and you want to differentiate them.

In your situation—if I understand you correctly—you probably just need to enable dynamic peering on the hub/central FortiGate. And now the remote firewalls can have dynamic/changing IP addresses and will still connect.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-a-FortiGate-as-IPsec-VPN-...

Cheers,
Graham

jm-barreto
New Contributor III

Thanks

This seems like a very close approach to what we have now. I'm going to test this.

Another question: how many VPN connections of this type of configuration will a FortiGate 601E support? The spec sheet says 2000 gateway-to-gateway. Is that correct?

JBC
gfleming

That would be correct. Note this is a maximum value. If you are running other services on the FortiGate you'll have to assume this value is much lower.

Cheers,
Graham
jm-barreto
New Contributor III

@gfleming Thank you very much for this information. I was able to get a tunnel between the main site and 1 remote site using this configuration. Now I will start to add other remote sites to see if this is a solution for us.

Also, can I use OSPF on this type of configuration? I have another lab where I do OSPF on an IPsec tunnel, but since this is a hub/spoke scenario I was wondering if I can do OSPF now. I assume it will be like an OSPF broadcast?

JBC
gfleming

Yes, absolutely possible. You will need to assign an IP address on the tunnel interfaces so they can communicate with each other. And it'll be a point-to-point network, no broadcast.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-OSPF-with-IPSec-VPN-for-network-redundancy...

Cheers,
Graham
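Putting the two answers above (dynamic peering identified by peer ID, and OSPF point-to-point over addressed tunnel interfaces) into one concrete FortiOS CLI configuration, as an added example that is not from this thread or from Fortinet's KB articles. Every interface name, address, peer ID and the PSK placeholder is a constructed assumption; the `#` remarks are editorial and not part of the CLI.

```fortios
config vpn ipsec phase1-interface   # HUB side; all names, addresses and IDs constructed
    edit "hub-dialup"
        set type dynamic            # dynamic peering: accept the spoke from any source IP
        set interface "wan1"
        set ike-version 2           # IKEv2 carries the peer ID safely with a PSK
        set peertype one            # identify this spoke by its ID, not its WAN address
        set peerid "spoke1"
        set add-route disable       # let OSPF, not the phase2 selectors, install routes
        set psksecret <PRE-SHARED-KEY-PLACEHOLDER>
    next
end
config vpn ipsec phase2-interface
    edit "hub-dialup-p2"
        set phase1name "hub-dialup"
        set auto-negotiate enable   # keep the SA up so OSPF hellos always have a path
    next
end
config system interface             # the tunnel needs addresses before OSPF can neighbour
    edit "hub-dialup"
        set ip 10.255.0.1 255.255.255.255
        set remote-ip 10.255.0.2 255.255.255.0
    next
end
config router ospf
    set router-id 10.255.0.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "ospf-hub-dialup"
            set interface "hub-dialup"
            set network-type point-to-point   # no broadcast across the tunnel
        next
    end
    config network
        edit 1
            set prefix 10.255.0.0 255.255.255.0   # activates OSPF on the tunnel address
        next
    end
end
config vpn ipsec phase1-interface   # SPOKE side; mirrors the hub's interface/OSPF config with addresses swapped
    edit "to-hub"
        set interface "wan1"
        set remote-gw 203.0.113.10  # hub's static WAN IP (constructed); spoke's own IP may change
        set ike-version 2
        set localid "spoke1"        # must equal the hub's peerid
        set psksecret <PRE-SHARED-KEY-PLACEHOLDER>
    next
end
```

With a second spoke, add another `type dynamic` phase1 on the hub with its own `peerid`, which is the "differentiate tunnels from the same source" use of peer ID described in the accepted answer.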
jm-barreto
New Contributor III

Hi, I don't know if you remember this case we talked about a while ago. I'm having trouble establishing OSPF over the VPN tunnel interface, using the IPsec dialup guide and the OSPF over IPsec guide that you provided me.

The VPN is up and I can ping between the tunnel interfaces, but OSPF doesn't come up. Timers and area are the same.

I would appreciate any help you can provide.

Thanks

JBC
gfleming

Could be a number of things. Did you configure it exactly like the guide?

What are your Phase2 selectors? Are you using auto-negotiate?

Can you show output of `show router ospf` and `show vpn ipsec phase2-interface`?

Cheers,
Graham