Site2Site IPSec no remote ID Option

Author
righter
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/10/19 04:52:12
  • Status: offline
2021/04/13 22:49:59 (permalink)
0

Site2Site IPSec no remote ID Option

Hi
 
Why doesn't FortiGate have a Peer-ID option in the IPsec Site2Site Phase 1 configuration?
This is a normal option which doesn't have to be the same value as the Remote IP.
Every other firewall which I used before was able to configure this value:
- Cisco
- Sophos SG/XG
- Sonicwall
- pfSense
- VMware Edge
- Zyxel
 
We need this option because on the other site we have to connect multiple FortiGates to the same firewall (not a FortiGate).
These could normally be identified separately with the remote-id option. If this option is not available, we have to use the wildcard * in that field.
 
 
 


#1

6 Replies

    brycemd
    Gold Member
    • Total Posts : 126
    • Scores: 10
    • Reward points: 0
    • Joined: 2016/12/03 11:24:30
    • Status: offline
    Re: Site2Site IPSec no remote ID Option 2021/04/14 08:57:11 (permalink)
    0
    To my knowledge it will effectively rely on IPs as its ID in IKEv2/IKEv1 main mode; the local ID is configurable while the remote one is not in IKEv2/IKEv1 main. I've never seen that be a problem personally unless we are getting into double-NAT scenarios.
     
    Personally, I don't really see the problem, as I never use IDs for site-to-site unless it's a weird NATing scenario, but if you absolutely need to identify remote peer IDs you could make it an IKEv1 aggressive tunnel.
     
    Though, from your description it sounds like you more want to specify the remote-id on the other end, which you can do, and enter the local-id on the FortiGate side (though again, I don't really see a need for it).
    post edited by brycemd - 2021/04/14 09:07:08
    #2
    righter
    New Member
    • Total Posts : 2
    • Scores: 0
    • Reward points: 0
    • Joined: 2020/10/19 04:52:12
    • Status: offline
    Re: Site2Site IPSec no remote ID Option 2021/04/14 09:08:55 (permalink)
    0
    @brycemd
     
    Yes, but why does every vendor handle this differently while FortiGate doesn't have the option for it?
    You're right, normally you use the IP as the ID, but we had a special HA VPN configuration in which we had to use a string as the ID.

    IKEv1 is not an option because it's not state of the art anymore.
     
    Our Problem:
     
    Forti Site 1: IP 2.2.2.2, Local subnet 10.2.0.0/24
    Forti Site 2: IP 3.3.3.3, Local subnet 10.3.0.0/24
     
    The other site, which connects both sites on an NSX Edge, needs the remote ID.
    Config 1: Remote ID *, Remote IP 2.2.2.2, Remote net 10.2.0.0/24
    Config 2: Remote ID *, Remote IP 3.3.3.3, Remote net 10.3.0.0/24
     
    But you cannot use * as a remote ID twice because it has to be unique.
    So I cannot set up two tunnels to 2 FortiGates because they don't support the remote ID.
     
     
     
     
    #3
    Toshi Esumi
    Expert Member
    • Total Posts : 2560
    • Scores: 251
    • Reward points: 0
    • Joined: 2014/11/06 09:56:42
    • Status: offline
    Re: Site2Site IPSec no remote ID Option 2021/04/14 09:18:52 (permalink)
    0
    I think (since I didn't have to do this before) that in case the FGT is the remote side while the other side (another vendor's equipment) is the HUB side, you can use "Custom" instead of site-to-site, or use the CLI, to set aggressive mode so that you can specify the peerid. I might have done this a long time ago (more than 10 yrs) but it was not interface mode at that time and the command line must be quite different now.
    I would open a ticket at TAC to get help. Bottom line is it's doable, I think.
    #4
    brycemd
    Gold Member
    • Total Posts : 126
    • Scores: 10
    • Reward points: 0
    • Joined: 2016/12/03 11:24:30
    • Status: offline
    Re: Site2Site IPSec no remote ID Option 2021/04/14 09:52:54 (permalink)
    0
    But isn't that the remote-id from the other end's perspective? Specify the local-id on the FortiGate to match? remote-id does not match with remote-id.
     
    FortiGate                                          |  NSX
    Local ID  - match with the other side's Remote ID  |  Remote ID - match with the other side's Local ID
    Remote ID - accepts any                            |  Local ID  - whatever you want
    post edited by brycemd - 2021/04/14 10:15:39
    #5
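The mapping in brycemd's table, worked out as an added FortiOS CLI example (it is not configuration from the thread or from Fortinet documentation). Each FortiGate keeps the NSX Edge as a static IKEv2 remote gateway and sends a distinct FQDN-type local ID; the NSX side is given that string as the remote ID of the corresponding tunnel, so the two sites are told apart by ID instead of sharing a wildcard. The site IPs and subnets are the ones from the thread; the interface name, the NSX Edge address 1.1.1.1 and its subnet 10.1.0.0/24, the FQDN strings and the pre-shared keys are assumptions, and lines beginning with # are annotations rather than CLI input.

```text
# --- FortiGate Site 1 (public IP 2.2.2.2, LAN 10.2.0.0/24) ---
config vpn ipsec phase1-interface
    edit "to-nsx"
        set interface "wan1"
        set ike-version 2
        set type static
        set remote-gw 1.1.1.1
        # ID_FQDN "fgt-site1.example.com" is sent in IKE_AUTH instead of the default address ID
        set localid-type fqdn
        set localid "fgt-site1.example.com"
        # with a static IKEv2 gateway FortiOS offers no peerid, so the NSX Edge's ID is not checked here
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "assumed-psk-site1"
    next
end
config vpn ipsec phase2-interface
    edit "to-nsx-p2"
        set phase1name "to-nsx"
        set proposal aes256gcm
        set dhgrp 14
        set src-subnet 10.2.0.0 255.255.255.0
        set dst-subnet 10.1.0.0 255.255.255.0
    next
end

# --- FortiGate Site 2 (public IP 3.3.3.3, LAN 10.3.0.0/24): identical, except ---
#     set localid "fgt-site2.example.com"
#     set psksecret "assumed-psk-site2"
#     set src-subnet 10.3.0.0 255.255.255.0

# --- NSX Edge side, one IPsec session per site (fields as named in the thread) ---
#   session 1: Remote IP 2.2.2.2, Remote ID fgt-site1.example.com, Remote net 10.2.0.0/24
#   session 2: Remote IP 3.3.3.3, Remote ID fgt-site2.example.com, Remote net 10.3.0.0/24
#   The NSX Edge's own Local ID can stay at its address, since both FortiGates accept any peer ID.
```

Use a different pre-shared key per site. Because the FortiGate end accepts any peer ID, the shared secret and the NSX Edge's source address are all that authenticate the hub to each spoke; one PSK shared across both tunnels would let either site impersonate the hub towards the other.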
    marchand
    Bronze Member
    • Total Posts : 46
    • Scores: 2
    • Reward points: 0
    • Joined: 2021/02/11 11:51:18
    • Status: offline
    Re: Site2Site IPSec no remote ID Option 2021/04/14 10:07:49 (permalink)
    0
    You can specify peer-id for IPsec IKEv2 in FortiGate if you set up your "Remote gateway" as Dialup User.
    #6
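The two cases in which FortiOS does let you pin a peer ID, as an added FortiOS CLI example that is not configuration from the thread or from Fortinet documentation: marchand's IKEv2 dialup-user phase 1 (the FortiGate is the responder and selects the phase 1 by the ID the peer presents) and Toshi Esumi's IKEv1 aggressive-mode phase 1 (a static remote gateway, where peerid becomes available once the mode is aggressive). Interface names, peer addresses, ID strings and keys are assumptions; lines beginning with # are annotations, not CLI input.

```text
# --- Case 1: IKEv2, FortiGate as responder, peer matched by the ID it presents ---
#     GUI equivalent: Remote Gateway = "Dialup User", Peer Options = "This peer ID"
config vpn ipsec phase1-interface
    edit "dialup-site2"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype one
        set peerid "fgt-site2.example.com"
        # one tunnel interface per peer; routes to the peer's networks come from its phase 2 selectors
        set net-device enable
        set add-route enable
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "assumed-psk-site2"
    next
    # a second dialup phase 1 on the same interface is selected by a different peer ID
    edit "dialup-site3"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype one
        set peerid "fgt-site3.example.com"
        set net-device enable
        set add-route enable
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "assumed-psk-site3"
    next
end

# --- Case 2: IKEv1 aggressive mode with a static remote gateway ---
config vpn ipsec phase1-interface
    edit "to-site2-aggressive"
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set remote-gw 3.3.3.3
        set localid "hub.example.com"
        set peertype one
        set peerid "fgt-site2.example.com"
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "assumed-psk-site2"
    next
end
```

In Case 1 the initiator has to send the matching ID (on a FortiGate initiator that is `set localid`; on other vendors the "local ID" field), otherwise IKE_AUTH is rejected rather than falling through to another phase 1. Case 2 is a last resort: IKEv1 aggressive mode exchanges the identities in the clear and exposes a hash derived from the pre-shared key to an on-path observer, who can run an offline dictionary attack against it.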
    emnoc
    Expert Member
    • Total Posts : 6097
    • Scores: 414
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: online
    Re: Site2Site IPSec no remote ID Option 2021/04/14 12:17:22 (permalink)
    0
    If the device is dynamic, peer-id can be used. To the original poster: if you use RSA signature you can define the peer-id by CN. That could be an alternative and a viable solution for you. Yes, I agree, you should be able to use local/remote IDs regardless, like almost every other vendor: Forcepoint, Junos, strongSwan, Palo, etc.

    PCNSE 
    NSE 
    StrongSwan  
    #7
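emnoc's certificate-based alternative, as an added FortiOS CLI example that is not configuration from the post or from Fortinet documentation: with `authmethod signature` the FortiGate identifies the peer by the CN of the certificate it presents, matched through a user peer object, so spokes are told apart without relying on addresses or a peer-ID string. Object names, the CA and local certificate names, the interface and the CN are assumptions; lines beginning with # are annotations, not CLI input.

```text
# --- Peer object: the certificate Site 1 presents must chain to this CA and carry this CN ---
config user peer
    edit "peer-fgt-site1"
        set ca "CA_Cert_1"
        set cn-type string
        set cn "fgt-site1.example.com"
    next
end

config vpn ipsec phase1-interface
    edit "dialup-cert-site1"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        # authenticate with certificates instead of a pre-shared key
        set authmethod signature
        set certificate "fgt-hub-cert"
        # accept only a peer whose certificate matches the object above
        set peertype peer
        set peer "peer-fgt-site1"
        set net-device enable
        set add-route enable
        set proposal aes256-sha256
        set dhgrp 14
    next
end
```

The CN check is only as selective as the CA: every certificate issued by CA_Cert_1 is a candidate, and the `cn` field is what narrows it to one spoke. With several spokes, create one user peer object per CN, collect them in a `config user peergrp` entry and use `set peertype peergrp` with `set peergrp` instead.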