Why doesn't FortiGate have a Peer-ID option in the IPsec Site2Site Phase 1 configuration?
This is a normal option which doesn't have to be the same value as the Remote IP.
Every other firewall I used before was able to configure this value:
- Sophos SG/XG
- VMware Edge
We need this option because on the other site we have to connect multiple FortiGates to the same firewall (not a FortiGate),
which normally could be identified separately with the remote-id option. If this option is not available we have to use the wildcard * in that field.
To my knowledge it effectively relies on IPs as its ID in IKEv2/IKEv1 main mode; local-ID is configurable while remote is not in IKEv2/IKEv1 main. I've never seen that be a problem personally unless we are getting into double NAT scenarios.
Personally, I don't really see the problem, as I never use IDs for site-to-site unless it's a weird NATing scenario, but if you absolutely need to identify remote peer IDs you could make it an IKEv1 aggressive tunnel.
Though, from your description it sounds like you want to specify the remote-id on the other end, which you can do, and enter the local-id on the FortiGate side (though again, I don't really see a need for it).
I think, since I didn't have to do this before, in case the FGT is the remote side while the other side (another vendor's equipment) is the HUB side, you can use "Custom" instead of site-to-site, or use the CLI, to set aggressive mode so that you can specify the peer ID. I might have done this a long time ago (more than 10 years) but it was not interface mode at that time and the command line must be quite different now.
I would open a ticket with TAC to get help. Bottom line is it's doable, I think.
If the device is dynamic, peer-id can be used. To the original poster: if you use RSA signature you can define peer-id by CN. That could be an alternative and a viable solution for you. Yes, I agree, you should be able to use local/remote IDs regardless, like almost every other vendor: Forcepoint, Junos, strongSwan, Palo, etc.
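An added example (not posted by anyone in this thread, not Fortinet's own documentation) showing the two routes the replies suggest as FortiOS CLI: IKEv1 aggressive mode with an explicit peer ID, and certificate authentication with the hub identified by its certificate CN. The interface name, the hub address 203.0.113.10, the ID strings, the certificate and CA names are placeholders, and the PSK must be filled in.

```text
# Option A: IKEv1 aggressive mode, which is what lets "peertype one" + "peerid"
# be set with a pre-shared key on this side.
config vpn ipsec phase1-interface
    edit "to-hub-aggr"
        # placeholder WAN interface and hub address
        set interface "wan1"
        set remote-gw 203.0.113.10
        set ike-version 1
        set mode aggressive
        # ID the hub uses to tell this FortiGate apart from the others
        set localid "branch-a"
        # only accept a hub that presents this ID
        set peertype one
        set peerid "hub-fw"
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <PLACEHOLDER_PSK>
    next
end

# Option B: certificate (RSA signature) authentication; the hub is matched by
# the CN in its certificate instead of an IKE ID string.
config user peer
    edit "hub-peer"
        # placeholder: CA that signed the hub's certificate, and the CN it must carry
        set ca "CA_Cert_1"
        set cn "hub-fw.example.com"
        set cn-type string
    next
end
config vpn ipsec phase1-interface
    edit "to-hub-cert"
        set interface "wan1"
        set remote-gw 203.0.113.10
        set ike-version 2
        set authmethod signature
        # placeholder: this FortiGate's own certificate (its identity is taken from it)
        set certificate "branch-a-cert"
        # ties phase 1 to the CN check defined above
        set peertype peer
        set peer "hub-peer"
        set proposal aes256-sha256
        set dhgrp 14
    next
end
```

IKEv1 aggressive mode sends the identities unencrypted and exposes the PSK-based authentication to offline guessing, so the certificate-based variant is the one to prefer where the hub supports it.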