- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- How to set up FortiClient Peer ID?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to set up FortiClient Peer ID?
Hello! I want to configure FortiClients to connect to a FortiGate 100D using IPSEC VPN, but so that different users authenticate against different AD-servers. Which means I can' t use " Accept any peer ID" in Phase1 configuration, otherwise all dialup clients will fall into the first policy and/or VPN.
If I use Shrewsoft VPN Client, then it has been OK, some clients already authenticate and use the VPN, because in Shrew client there is a special place where to enter that common peer ID.
The manual says (fortigate-ipsec-50.pdf, page 45):
-------
To configure FortiClient - pre-shared key and peer ID
1. Start the FortiClient Endpoint Security application.
2. Go to VPN > Connections, select the existing configuration.
3. Select Advanced > Edit.
Auto Key phase 1 parameters Page 45 IPsec VPN for FortiOS 5.0
4. In the Preshared Key field, type the FortiGate password that belongs to the dialup client (for example, 1234546).
The user account password will be used as the preshared key.
5. Select Advanced.
6. Under Policy, select Config.
7. In the Local ID field, type the FortiGate user name that you assigned previously to the dialup
client (for example, FortiC1ient1).
8. Select OK to close all dialog boxes.
Configure all FortiClient dialup clients this way using unique preshared keys and local IDs.
-------
But there is no " Advanced" , nor " Advanced\Edit" , nor " Advanced\Policy" as suggested by this instruction. I just upgraded to FortiClient 5.2 but that menu didn' t appear (and Register to FortiGate button doesn' t work anymore). I would gladly use these if they were there. FortiClient is currently not registered to a FortiGate so it doesn' t have any policy set. My goal was to use one and the same peer ID for all people belonging to one and the same company and use Xauth+LDAP to authenticate them based on their AD credentials against their own AD-server.
I also thought, maybe I shall use " Accept per ID in dialup group" and select that Xauth group, but that group is not in the list for some unknown reason.
If there is somebody having faced this and solved it, it would be nice to know.
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah just backup up the config, edit the cfg and add the localpeer & restore it.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Echo,
I can' t speak for 5.2, but 4.3 and 5.0, set the peerID in phase1 of the VPN tunnel on the Fortinet, then add that same ID into the config file of the client (look for a <localid /> line, then edit it to read
<localid>MyPeerID</localid>
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much for this information! I had no idea of this configuration file before, but I could export it, change it, import it, and could get the VPN connected. Also, the router' s software was upgraded to 5.2 in the meantime and that also helped because LDAP authentication over another permanent IPSEC tunnel didn' t work before.
Still, it would be easier to get rid of modifying the connection file, but even though I could choose the appropriate group for peer-id in the router, this change was not applied because of a nonsense red error " -1: value out of range" or something like that.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just for information that, as my college found out, FortiClient 5.2 latest version has peer id setting for the new ipsec vpn also in the GUI part. That makes it all easier.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
echo wrote:in MAC version (5.2.2.364) there is no "Advanced" option in GUI.
Just for information that, as my college found out, FortiClient 5.2 latest version has peer id setting for the new ipsec vpn also in the GUI part. That makes it all easier.
FGT60B, FGT100A, FGT100D
FGT60B, FGT100A, FGT100D
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There used to be an " Advanced" section where you could set all parameters manually. Last version that I' ve checked that had this is 4.3.5.
Forticlients after that and before v5.2 come with a VPNEditor.exe (in the archive " VPNtools" ). This works as well.
v5.2 has the editor integrated.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emnoc wrote:Yeah just backup up the config, edit the cfg and add the localpeer & restore it.
Great workaround.
Thanks!
FGT60B, FGT100A, FGT100D
FGT60B, FGT100A, FGT100D
Related Posts
Labels
-
FortiGate
6,507 -
FortiClient
1,300 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
262 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
71 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
FortiAuthenticator
11 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.