jomfra
New Contributor

Where to input the remote identifier in FortiGate

Hello Expert,

 

I have configured a "vpn" tunnel between a FortiGate 80F and a Palo Alto device.

The WAN interface of the Palo Alto device is using a private IP address because another device on the network is used for full internet access.

The public IP address is 81.135.253.181

        private IP address 192.168.190.2           (remote identifier)

I do not know where in FortiGate I must input this IP address.

 

1 Solution
pminarik
Staff

Assuming you're setting it up as a site-to-site tunnel (type=static; not a dialup/dynamic hub), and are using PSK authentication (based on the screenshots you posted).

 

1, If you want to set which ID the FortiGate should accept:

This is not configurable. With PSK authentication and site-to-site tunnel, the FortiGate does not check the other side's ID. Anything is accepted. You merely need to ensure that the remote-gw IP is the actual public IP from which the other side's packets will come.

 

2, If you want to set which ID the FortiGate should send to the other side:

config vpn ipsec phase1-interface
    edit "<your-tunnel-name>"
        set localid-type address    # IP address format; or any other as desired
        set localid <IP address>
end

 

 

[ corrections always welcome ]
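
An added example, not part of the post above and not Fortinet code: a short Python audit of `show vpn ipsec phase1-interface` output that lists, per tunnel, the ID the FortiGate sends and whether the answer's "anything is accepted" case (static tunnel with PSK) applies. The sample config is constructed, and treating an absent `type`, `authmethod` or `localid-type` line as static, psk and auto is an assumption about FortiOS defaults.

```python
import re

TABLE = "config vpn ipsec phase1-interface"
# Constructed sample; tunnel names, local ID and secrets are made up.
# The remote-gw is the public IP quoted in the question.
SAMPLE_CONFIG = '''
config vpn ipsec phase1-interface
    edit "to-paloalto"
        set ike-version 2
        set remote-gw 81.135.253.181
        set localid-type address
        set localid 203.0.113.10
        set psksecret ENC constructed
    next
    edit "branch-dialup"
        set type dynamic
        set psksecret ENC constructed
    next
end
'''

def parse_phase1(text):
    """Return {tunnel name: {option: value}} for the phase1-interface table."""
    tunnels, current, depth = {}, None, 0
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            # Enter the table we want, or count a nested config block inside it.
            depth = depth + 1 if depth else int(line == TABLE)
        elif depth and line == "end":
            depth -= 1
        elif depth == 1 and (m := re.match(r'edit "?([^"]+)"?$', line)):
            current = tunnels.setdefault(m.group(1), {})
        elif depth == 1 and current is not None and (m := re.match(r"set (\S+) (.+)$", line)):
            current[m.group(1)] = m.group(2).strip('"')
    return tunnels

def audit(tunnels):
    """peer_id_checked: False = any ID accepted (per the answer), None = not covered."""
    report = {}
    for name, opts in tunnels.items():
        # Assumption: an absent line means the default (type static, authmethod psk).
        static_psk = (opts.get("type", "static") == "static"
                      and opts.get("authmethod", "psk") == "psk")
        report[name] = {
            "remote_gw": opts.get("remote-gw"),
            "sent_id": (opts.get("localid-type", "auto"), opts.get("localid")),
            "peer_id_checked": False if static_psk else None,
        }
    return report
```

For tunnels reported with `peer_id_checked` False, the PSK and the `remote_gw` address are the only things tying the tunnel to the intended peer, so both are worth reviewing.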

FortiMax_it
Contributor

Hi, here:

FortiMax_it_0-1666336786857.png


For more details edit the VPN via CLI: config vpn ipsec phase1-interface

jomfra

Hello Expert,

 

Sorry for the tardy response, but I am on vacation, hence will test your proposal when I return.

Will revert with an update later.

 

Regards

jomfra

Hello FortiMax_it

 

Sorry for the late response, I was on vacation. I am using the following version:

jomfra_0-1667748682786.png

 

jomfra_1-1667749524444.png

I am only getting the peer ID option if I am using IKE v1, but IKE v2 is required for the VPN connection to Palo Alto.

 

jomfra_3-1667749738110.png

Unsure how to get the peer ID option when using IKE v2.

 

Regards

 

 

FortiMax_it

Hi, no problem. I have firmware 6.2.12 but nothing should change. If you select Dialup User as the Remote gateway, the peer-id always remains visible.

FortiMax_it_0-1667750956204.png

FortiMax_it_1-1667750974924.png

 

jomfra

Hello FortiMax,

I am unsure why we have to select Dialup User as the Remote gateway; I have created an IPsec VPN from FortiGate to Palo Alto.

I would like to send the FortiGate configs to you, but I am not seeing any option on the portal to allow upload of a file.

Could you assist in this regard?

 

Thank you

jomfra

Hello Pminarik,

 

Thanks for the clarification.

 

Regards
