In FortiOS 7.6, when multiple dialup IPsec VPNs are configured on the same FortiGate—especially in Aggressive Mode—FortiGate must identify which Phase 1 configuration a connecting client should match.
How FortiGate selects a dialup IPsec tunnel
For dialup VPNs:
The remote peer (user or device) does not have a fixed IP address
Multiple Phase 1 interfaces may exist on the HQ FortiGate
FortiGate uses identifying information sent during IKE Phase 1 to select the correct tunnel
Aggressive Mode behavior
In IKEv1 aggressive mode the initiator places its ID payload in the very first message, unencrypted, because no keys exist yet at that point
FortiGate can therefore read the peer ID before it has to choose a pre-shared key, and uses it to pick the matching Phase 1 configuration
In main mode the identities are sent only in messages 5 and 6, which are already encrypted with keys derived from the pre-shared key, so a responder that cannot select the PSK by the peer's IP address (the dialup case) has nothing to select it by; this is why multiple PSK dialups need aggressive mode and a peer ID
Caveat: the cleartext ID is visible to anyone on the path, and aggressive mode also returns a PSK-derived hash in the clear that can be attacked offline by dictionary, so treat the peer ID as a selector rather than a secret and use long, random, per-tunnel pre-shared keys (or certificates)
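To make the aggressive-mode point concrete, the following is an added example (not code from the page or from Fortinet): it builds a constructed IKEv1 aggressive mode message 1 with stub SA, KE and Nonce payloads, walks the ISAKMP payload chain exactly as a passive observer on UDP/500 could, pulls the peer ID out of the cleartext ID payload, and then mimics the FortiGate decision by mapping that ID to a Phase 1 name. The tunnel names, FQDNs and the PHASE1_BY_PEERID table are assumptions. A main mode message 1 is included to show that it carries no identity at all, so no selection by peer ID is possible there.

```python
import struct

# IKEv1 / ISAKMP constants (RFC 2408, RFC 2409)
EXCH_MAIN_MODE = 2
EXCH_AGGRESSIVE = 4
PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_ID, PAYLOAD_NONCE = 1, 4, 5, 10
FLAG_ENCRYPTION = 0x01
ID_TYPE_NAMES = {1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN", 9: "DER_ASN1_DN", 11: "KEY_ID"}
# SPI_i, SPI_r, next payload, version, exchange type, flags, message ID, length
HEADER_FMT = "!8s8sBBBBII"

# Constructed stand-in for the FortiGate Phase 1 table: peerid -> phase1-interface name.
# Tunnel names and FQDNs are assumptions, not taken from the page.
PHASE1_BY_PEERID = {
    "sales.hq.example.com": "Dialup_Sales",
    "eng.hq.example.com": "Dialup_Eng",
}


def build_isakmp(exchange_type, payloads, spi_i=b"\x11" * 8):
    """Assemble an ISAKMP message from (payload_type, body) tuples. Each generic payload
    header names the type of the payload that follows it; the ISAKMP header names the first."""
    chained = b""
    for i, (ptype, body) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chained += struct.pack("!BBH", next_type, 0, 4 + len(body)) + body
    first = payloads[0][0] if payloads else 0
    header = struct.pack(HEADER_FMT, spi_i, b"\x00" * 8, first, 0x10,
                         exchange_type, 0, 0, 28 + len(chained))
    return header + chained


def decode_id(id_type, data):
    """Render identification data the way an operator would type it into peerid."""
    if id_type == 1 and len(data) == 4:
        return ".".join(str(b) for b in data)
    if id_type in (2, 3, 11):
        try:
            text = data.decode("ascii")
        except UnicodeDecodeError:
            return data.hex()
        if text.isprintable():
            return text
    return data.hex()  # ASN.1 DN or binary KEY_ID: show the raw bytes


def extract_peer_id(packet):
    """Walk the payload chain and return (exchange_type, id_type_name, peer_id);
    the ID fields are None when the message carries no readable ID payload."""
    if len(packet) < 28:
        raise ValueError("short ISAKMP header")
    _, _, next_type, version, exch, flags, _, length = struct.unpack(HEADER_FMT, packet[:28])
    if version >> 4 != 1 or length != len(packet):
        raise ValueError("not a well-formed IKEv1 datagram")
    if flags & FLAG_ENCRYPTION:
        return exch, None, None  # payloads are ciphertext; nothing to read
    offset = 28
    while next_type != 0:
        if offset + 4 > len(packet):
            raise ValueError("truncated payload header")
        ptype = next_type
        next_type, _, plen = struct.unpack("!BBH", packet[offset:offset + 4])
        if plen < 4 or offset + plen > len(packet):
            raise ValueError("malformed payload length")
        body = packet[offset + 4:offset + plen]
        if ptype == PAYLOAD_ID and len(body) >= 4:
            id_type = body[0]  # then protocol ID (1 byte), port (2 bytes), identification data
            return exch, ID_TYPE_NAMES.get(id_type, f"TYPE_{id_type}"), decode_id(id_type, body[4:])
        offset += plen
    return exch, None, None


def select_phase1(packet):
    """Mimic the FortiGate decision: the Phase 1 whose peerid equals the ID announced in
    aggressive mode message 1, or None when no selection by peer ID is possible."""
    exch, _, peer_id = extract_peer_id(packet)
    if exch != EXCH_AGGRESSIVE or peer_id is None:
        return None  # main mode message 1 carries no ID payload to match on
    return PHASE1_BY_PEERID.get(peer_id)


def aggressive_msg1(peer_id, id_type=2):
    """Constructed initiator message 1 (SA, KE, Nonce, ID) with dummy crypto fields."""
    id_body = struct.pack("!BBH", id_type, 17, 500) + peer_id.encode("ascii")
    return build_isakmp(EXCH_AGGRESSIVE, [
        (PAYLOAD_SA, b"\x00\x00\x00\x01" + b"\x00" * 8),  # IPsec DOI, stub proposal
        (PAYLOAD_KE, b"\xaa" * 32),                        # stub DH public value
        (PAYLOAD_NONCE, b"\xbb" * 16),
        (PAYLOAD_ID, id_body),
    ])


def main_mode_msg1():
    """Constructed main mode message 1: only an SA payload, no identity yet."""
    return build_isakmp(EXCH_MAIN_MODE, [(PAYLOAD_SA, b"\x00\x00\x00\x01" + b"\x00" * 8)])


if __name__ == "__main__":
    for pkt in (aggressive_msg1("sales.hq.example.com"),
                aggressive_msg1("alice@example.com", id_type=3),
                main_mode_msg1()):
        print(extract_peer_id(pkt), "->", select_phase1(pkt))
```

The same walk over a real capture (Wireshark's `isakmp` display filter shows the ID payload of aggressive mode message 1 in the clear) is what makes the peer ID a poor secret: it is a routing label for the negotiation, and the pre-shared key, not the ID, is what has to carry the security.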
Why Peer ID is the correct answer
C. Peer ID
Peer ID (also called IKE ID) is used to:
Identify the remote peer
Differentiate between multiple dialup tunnels
Common Peer ID formats:
FQDN
User FQDN
Key ID
FortiGate matches the received Peer ID against the Phase 1 configuration to select the correct tunnel
This is the documented and recommended method for:
Mapping users to different department tunnels
Supporting multiple dialup IPsec VPNs in aggressive mode
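The configuration shape this describes, as an added example that is not from the page or from Fortinet documentation: two aggressive-mode dialup Phase 1 entries on the same WAN interface of the HQ FortiGate, told apart only by the peer ID each client presents, plus the matching client side on a remote FortiGate. Interface names, tunnel names, FQDNs and the gateway address are assumptions; replace the PSK placeholders with long random values, one per tunnel.

```fortios
# HQ FortiGate: two dialup Phase 1s on wan1, selected by peer ID (names/IDs assumed)
config vpn ipsec phase1-interface
    edit "Dialup_Sales"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "sales.hq.example.com"
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <long-random-psk-for-sales>
    next
    edit "Dialup_Eng"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "eng.hq.example.com"
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <long-random-psk-for-eng>
    next
end

# Remote FortiGate acting as the Sales dialup client: its local ID must equal the
# peerid configured above, otherwise HQ has nothing to select the tunnel on.
config vpn ipsec phase1-interface
    edit "To_HQ"
        set type static
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set remote-gw 203.0.113.10
        set localid-type fqdn
        set localid "sales.hq.example.com"
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <long-random-psk-for-sales>
    next
end
```

Each Phase 1 carries its own pre-shared key on purpose: the peer ID is what decides which PSK the FortiGate verifies against, so a client presenting an unknown or mistyped ID matches nothing and the negotiation fails instead of landing in another department's tunnel. To confirm the match during a test connection, run `diagnose debug application ike -1` with `diagnose debug enable` on the HQ FortiGate and watch the Phase 1 selection for the incoming peer.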
Why the other options are incorrect
A. Local Gateway: identifies the local FortiGate interface or IP address the tunnel terminates on, not the remote user.
B. Dead Peer Detection: used only to detect an unresponsive peer and monitor tunnel health, not to select a tunnel.
D. IKE Mode Config: used after Phase 1 to assign virtual IP addresses and push settings such as DNS or split tunnel routes to the client, not to select the Phase 1 tunnel.