Hi
Why does fortigate doesn't have a Peer-ID option in the IPSec Site2Site Phase 1 Configuration? This is a normal option which doesn't have to be same value as the Remote IP.
Every other firewall which I used before was able to configure this value
- Cisco
- Sophos SG/XG - Sonicwall
- pfSense
- vmware Edge
- Zyxel
We need this option because on the other site we have to connect multiple fortigates to the same firewall (not a fortigate). Which normally could be identified seperately with the remote-id option. If this option is not available we have to use the wildcard * in that field.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
To my knowledge it will effectively rely on IPs as it's ID in ike2/ike1 main mode, local-ID is configurable while remote is not in ike2/ike1 main. Which I've never seen be a problem personally unless we are getting into double NAT scenarios.
Personally, I don't really see the problem as I never use ID's for site to site unless it's a weird NATing scenario, but if you absolutely need to identify remote peer ID's you could make it an ike1 aggressive tunnel.
Though, from your description it sounds like you more want to specify the remote-id on the other end, which you can do and enter the local-id on the fortigate side(though again, I don't really see a need for)
@brycemd
Yes but why is every vendor handling this different and fortigate has not the option for that?
you're right normally you use the IP as ID but we had some special HA VPN Configuration which we had to use a string as a ID. IKEv1 is not an option because it's not state of the art anymore.
Our Problem:
Forti Site 1: IP 2.2.2.2, Local subnet 10.2.0.0/24 Forti Site 2: IP 3.3.3.3, Local subnet 10.3.0.0/24
The other sites which connects both Sites on a NSX Edge needs the remote ID.
Config 1: Remote ID *, Remote IP 2.2.2.2, Remote net 10.2.0.0/24
Config 1: Remote ID *, Remote IP 3.3.3.3, Remote net 10.3.0.0/24
But you cannot use * as a remote id twice because it has to be unique. So I cannot setup two tunnels to 2 Fortigates because they don't support the remote ID.
I think, since I didn't have to do this before, in case the FGT is a remote side while the other side (another vendor's equipment) is HUB side, you can use "Custom" instead of site-to-site, or use CLI, to set aggressive mode so that you can specify peerid. I might have done this long time ago (more than 10yrs) but it was not interface mode at that time and command line must be quite different now.
I would open a ticket at TAC to get help. Bottom line is it's doable, I think.
But isn't that remote-id from the other end's perspective? Specify the local-id on the fortigate to match? remote-id does not match with remote-id
Fortigate | NSX
Local ID - Match with other side remote | Remote ID - match with other side local
Remote ID - accepts any | Local ID - whatever you want
You can specify peer-id for ipsec ikev2 in Fortigate if you set-up your "Remote gateway" as Dialup User
if the device is dynamic peer-id can be used. To the original-poster if you use rsa signature you can defined peer-id by CN . That could be an alternative and a viable solution for you. Yes I agree , you should be-able to use local/remote IDs regardless and like almost every other vendor, forcepoint,junos,strongswan,palo,etc.......
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1702 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.