Chapter 11 IPsec VPN for FortiOS 5.0 : Auto Key phase 1 parameters : Authenticating remote peers and clients : Enabling VPN access by peer identifier
Enabling VPN access by peer identifier
Whether remote peers or clients authenticate with certificates or pre-shared keys, you can require that they present a particular peer ID before the FortiGate unit accepts the connection. This adds another piece of information that the remote side must know to gain access to the VPN. Note that the peer ID is an identifier, not a secret: in Aggressive Mode it is sent in the clear in the first IKE message, and with a pre-shared key Aggressive Mode also exposes a hash that an eavesdropper can attack offline, so pair a peer ID with a strong pre-shared key or with certificate authentication. More than one FortiGate or FortiClient dialup client may connect through the same VPN tunnel when the dialup clients share a pre-shared key and present the same identifier; the FortiGate unit cannot then tell those clients apart.
A peer ID, also called a local ID, can be up to 63 characters long and may contain standard regular expression characters. The local ID is set in the phase 1 configuration, which must use Aggressive Mode.
You cannot require a peer ID for a remote peer or client that uses a pre-shared key and has a static IP address. In Main Mode the identity payload is exchanged only after the pre-shared key has been used to derive keying material, so such a peer is identified by its IP address rather than by a peer ID.
To authenticate remote peers or dialup clients using one peer ID
1. At the FortiGate VPN server, go to VPN > IPsec > Auto Key (IKE).
2. In the list, select a phase 1 configuration and edit its parameters.
3. Select Aggressive mode in any of the following cases:
- The FortiGate VPN server authenticates a FortiGate dialup client that uses a dedicated tunnel.
- A FortiGate unit has a dynamic IP address and subscribes to a dynamic DNS service.
- FortiGate/FortiClient dialup clients sharing the same pre-shared key and local ID connect through the same VPN tunnel.
4. Select Accept this peer ID and type the identifier into the corresponding field.
5. Select OK.
To assign an identifier (local ID) to a FortiGate unit
Use this procedure to assign a peer ID to a FortiGate unit that acts as a remote peer or dialup client.
1. Go to VPN > IPsec > Auto Key (IKE).
2. In the list, select a phase 1 configuration and edit its parameters.
3. Select Advanced.
4. In the Local ID field, type the identifier that the FortiGate unit will use to identify itself.
5. Set Mode to Aggressive if any of the following conditions apply:
- The FortiGate unit is a dialup client that will use a unique ID to connect to a FortiGate dialup server through a dedicated tunnel.
- The FortiGate unit has a dynamic IP address, subscribes to a dynamic DNS service, and will use a unique ID to connect to the remote VPN peer through a dedicated tunnel.
- The FortiGate unit is a dialup client that shares the specified ID with multiple dialup clients to connect to a FortiGate dialup server through the same tunnel.
6. Select OK.
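The two procedures above (the dialup server that requires a peer ID, and the FortiGate dialup client that presents it) carried out on the CLI rather than in the GUI. This is an added example and not configuration taken from the handbook: the interface name wan1, the server address 203.0.113.1, the peer ID fortiguest-group, the tunnel names and the pre-shared key placeholder are assumptions chosen for illustration, and the phase 2 definitions, firewall policies and routes that a working tunnel also needs are omitted.

```fortios
# Added example, not from the handbook. Interface names, addresses, tunnel
# names and the pre-shared key are placeholders.

# --- FortiGate dialup server: the end that requires the peer ID ---
config vpn ipsec phase1-interface
    edit "dialup-peerid"
        # remote dialup clients have dynamic addresses
        set type dynamic
        # assumption: external interface is wan1
        set interface "wan1"
        # peer ID checks require Aggressive Mode
        set mode aggressive
        set proposal aes256-sha256
        set dhgrp 14
        # GUI equivalent of "Accept this peer ID"
        set peertype one
        # identifier every dialup client must present; it is not a secret
        set peerid "fortiguest-group"
        # the pre-shared key is the secret; use a long random value
        set psksecret "replace-with-a-long-random-psk"
    next
end

# --- FortiGate dialup client: the end that presents the local ID ---
config vpn ipsec phase1-interface
    edit "to-hq"
        set interface "wan1"
        set mode aggressive
        # assumption: the dialup server's public address
        set remote-gw 203.0.113.1
        set proposal aes256-sha256
        set dhgrp 14
        # GUI equivalent of Advanced > Local ID; must match peerid on the server
        set localid "fortiguest-group"
        # the same pre-shared key is shared by every client that uses this ID
        set psksecret "replace-with-a-long-random-psk"
    next
end
```

To check the result on the server, run diagnose vpn ike gateway list after a client connects; a client that presents a different local ID fails phase 1, which is visible in the IKE debug output (diagnose debug application ike -1 with diagnose debug enable). If you need to tell dialup clients apart rather than admit them as a group, give each client its own phase 1 entry with its own peerid and psksecret; the FortiGate unit selects the matching entry by the ID the client presents.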
To configure the FortiClient application
Follow this procedure to add a peer ID to an existing FortiClient configuration:
1. Start the FortiClient application.
2. Go to VPN > Connections, select the existing configuration.
3. Select Advanced > Edit > Advanced.
4. Under Policy, select Config.
5. In the Local ID field, type the identifier that will be shared by all dialup clients. This value must match the Accept this peer ID value that you specified previously in the phase 1 gateway configuration on the FortiGate unit.
6. Select OK to close all dialog boxes.
7. Configure all dialup clients the same way, using the same pre-shared key and local ID.