Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
righter
New Contributor

Site2Site IPSec no remote ID Option

Hi

 

Why does fortigate doesn't have a Peer-ID option in the IPSec Site2Site Phase 1 Configuration? This is a normal option which doesn't have to be same value as the Remote IP.

Every other firewall which I used before was able to configure this value

- Cisco

- Sophos SG/XG - Sonicwall

- pfSense

- vmware Edge

- Zyxel

 

We need this option because on the other site we have to connect multiple fortigates to the same firewall (not a fortigate). Which normally could be identified seperately with the remote-id option. If this option is not available we have to use the wildcard * in that field.

 

 

 

6 REPLIES 6
brycemd
Contributor II

To my knowledge it will effectively rely on IPs as it's ID in ike2/ike1 main mode, local-ID is configurable while remote is not in ike2/ike1 main. Which I've never seen be a problem personally unless we are getting into double NAT scenarios. 

 

Personally, I don't really see the problem as I never use ID's for site to site unless it's a weird NATing scenario, but if you absolutely need to identify remote peer ID's you could make it an ike1 aggressive tunnel.

 

Though, from your description it sounds like you more want to specify the remote-id on the other end, which you can do and enter the local-id on the fortigate side(though again, I don't really see a need for)

righter

@brycemd

 

Yes but why is every vendor handling this different and fortigate has not the option for that?

you're right normally you use the IP as ID but we had some special HA VPN Configuration which we had to use a string as a ID. IKEv1 is not an option because it's not state of the art anymore.

 

Our Problem:

 

Forti Site 1: IP 2.2.2.2, Local subnet 10.2.0.0/24 Forti Site 2: IP 3.3.3.3, Local subnet 10.3.0.0/24

 

The other sites which connects both Sites on a NSX Edge needs the remote ID.

Config 1: Remote ID *, Remote IP 2.2.2.2, Remote net 10.2.0.0/24

Config 1: Remote ID *, Remote IP 3.3.3.3, Remote net 10.3.0.0/24

 

But you cannot use * as a remote id twice because it has to be unique. So I cannot setup two tunnels to 2 Fortigates because they don't support the remote ID.

 

 

 

 

Toshi_Esumi
SuperUser
SuperUser

I think, since I didn't have to do this before, in case the FGT is a remote side while the other side (another vendor's equipment) is HUB side, you can use "Custom" instead of site-to-site, or use CLI, to set aggressive mode so that you can specify peerid. I might have done this long time ago (more than 10yrs) but it was not interface mode at that time and command line must be quite different now.

I would open a ticket at TAC to get help. Bottom line is it's doable, I think.

brycemd

But isn't that remote-id from the other end's perspective? Specify the local-id on the fortigate to match? remote-id does not match with remote-id

 

 

Fortigate                                                   |     NSX

Local ID - Match with other side remote       |      Remote ID - match with other side local

Remote ID - accepts any                            |    Local ID - whatever you want

marchand
New Contributor III

You can specify peer-id for ipsec ikev2 in Fortigate if you set-up your "Remote gateway" as Dialup User

emnoc
Esteemed Contributor III

if the device is dynamic peer-id can be used. To the original-poster if you use rsa signature you can defined peer-id by CN . That could be an alternative and a viable solution for you. Yes I agree , you should be-able to use local/remote IDs regardless and like almost every other vendor, forcepoint,junos,strongswan,palo,etc.......

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors