Debbie_FTNT
Staff & Editor
December 24, 2018

Technical Tip: How to create a Full Mesh IPsec VPN with multiple ISP connections per FortiGate


Description

 
This article describes how to create a fully-meshed VPN with the VPN Manager feature on FortiManager for FortiGates with multiple ISP lines.

 

Scope

 

FortiManager.


Solution

 
Having a fully redundant IPsec VPN between multiple FortiGates with multiple ISP connections can be a complex undertaking: every WAN interface of every FortiGate needs a tunnel to every WAN interface of every other FortiGate.
 
For just two FortiGates with two ISP links each, this is a total of 4 tunnels. For three FortiGates with two ISP links each, it is already 12, and with 5 FortiGates it is 40 (see the formula in the note at the end of this article).
 
FortiManager VPN Manager can assist in this as follows.
 

Preparation:

  • All FortiGates that should make up the mesh need to be managed in the same ADOM (they are added to the VPN community in the steps below). Their WAN interfaces should have either a static IP or a DDNS entry and must be mapped to ADOM (normalized) interfaces; this mapping is created automatically when policies are imported from the FortiGates.
  • All FortiGates should run the same firmware version so they can be managed in the same ADOM.
  • VPN Manager functionality needs to be enabled on the FortiManager.
 
Note: VPN Manager has some limitations compared to the IPsec templates.
 
FMG_vpn_manager_ipse_templates.png
Example environment:
FortiManager in firmware version 7.6.5, ADOM used in the lab 'root'.
 
Local-FortiGate, with interfaces internal1 and internal2:
  • Internal1 mapped to normalized interface WAN1, IP 10.200.1.1/24.
  • Internal2 mapped to normalized interface port2, IP 10.200.2.1/24.
  • Local protected subnet is address 'LOCAL_SUBNET'.

 

local.png

 

Remote-FortiGate, with interfaces port4 and port5:
  • Port4 mapped to normalized interface WAN1, IP 10.200.3.1/24.
  • Port5 mapped to normalized interface port5, IP 10.200.4.1/24.
  • Local protected subnet is address 'REMOTE_SUBNET'.

remote.png

 

Steps:
  1. Under VPN Manager -> Create New: create a Mesh VPN community by using the 'Site to Site' option. Set encryption, Diffie-Hellman groups, preshared keys, and key-lifetime as desired. Under Advanced Options, enable 'Inter-VDOM'. This allows adding multiple interfaces of the same FortiGate to the VPN community.

 

vpn.png

 

inter-vdom.png

 


  2. Select the new community and add the FortiGates to it.

Select 'Add Managed Gateway' and add a FortiGate. The protected subnets selected here form the basis for the routing within the VPN mesh later. Select the proper VPN interface (one ISP interface) and save. Repeat this for every ISP interface of that FortiGate, with the same protected subnets each time, and then for the remaining FortiGates. Afterwards, the VPN community should look like this:
 
vpn_manager.gif

 

In the example above, WAN1 (mapped to internal1) and port2 (mapped to internal2) are added for Local-FortiGate, and WAN1 (mapped to port4) and port5 (mapped to port5) are added for Remote-FortiGate. LOCAL_SUBNET is selected as the protected subnet for Local-FortiGate and REMOTE_SUBNET as the protected subnet for Remote-FortiGate, as these are the local networks of each FortiGate that should be able to reach the VPN. The protected subnets become the routing destinations when the tunnels are pushed to the FortiGates.

  3. The community can now be installed on the FortiGates via the Install Wizard or Re-install Policy. FortiManager does not push tunnels between the interfaces of a single FortiGate, only between different FortiGates. Phase1, the system interface entries, the zone, phase2 and routing are configured automatically if the VPN community uses the default settings. If the routing or zone settings were modified in the VPN community, some of these entries may be missing.

 

Note: At this point no policies have been created for the VPN tunnels, so the tunnels exist but no traffic can enter them yet. After the installation, the following should be visible in FortiManager under Device Manager (the VPN display might need to be enabled under Tools -> Display Options):

 
Local-FortiGate IPsec phase1 after installation:
 
local_tunnels.png

 

Remote-FortiGate IPsec phase1 after installation:
 
remote_tunnels.png

 

Installation report on Local-FortiGate (with default mesh VPN community and Inter-VDOM enabled).
 
Starting log (run on device).

Installation of phase1 and system interface entries:

Start installing
Local-FortiGate config vpn ipsec phase1-interface
Local-FortiGate (phase1-interface) edit "test_all_2_3"
Local-FortiGate (test_all_2_3) set interface "internal2"
Local-FortiGate (test_all_2_3) set comments "[created by FMG VPN Manager]"
Local-FortiGate (test_all_2_3) set dhgrp 20 21
Local-FortiGate (test_all_2_3) set proposal aes128-sha256 aes256-sha256
Local-FortiGate (test_all_2_3) set keylife 28800
Local-FortiGate (test_all_2_3) set peertype any
Local-FortiGate (test_all_2_3) set remote-gw 10.200.3.1
Local-FortiGate (test_all_2_3) set net-device disable
Local-FortiGate (test_all_2_3) set add-gw-route enable
Local-FortiGate (test_all_2_3) set psksecret *********************
Local-FortiGate (test_all_2_3) next
Local-FortiGate (phase1-interface) end
Local-FortiGate config system interface
Local-FortiGate (interface) edit "test_all_2_3"
Local-FortiGate (test_all_2_3) set vdom "root"
Local-FortiGate (test_all_2_3) set type tunnel
Local-FortiGate (test_all_2_3) set snmp-index 129
Local-FortiGate (test_all_2_3) set interface "internal2"
Local-FortiGate (test_all_2_3) next
Local-FortiGate (interface) end
Local-FortiGate config vpn ipsec phase1-interface
Local-FortiGate (phase1-interface) edit "test_all_2_4"
Local-FortiGate (test_all_2_4) set interface "internal2"
Local-FortiGate (test_all_2_4) set comments "[created by FMG VPN Manager]"
Local-FortiGate (test_all_2_4) set dhgrp 20 21
Local-FortiGate (test_all_2_4) set proposal aes128-sha256 aes256-sha256
Local-FortiGate (test_all_2_4) set keylife 28800
Local-FortiGate (test_all_2_4) set peertype any
Local-FortiGate (test_all_2_4) set remote-gw 10.200.4.1
Local-FortiGate (test_all_2_4) set net-device disable
Local-FortiGate (test_all_2_4) set add-gw-route enable
Local-FortiGate (test_all_2_4) set psksecret *********************
Local-FortiGate (test_all_2_4) next
Local-FortiGate (phase1-interface) end
Local-FortiGate config system interface
Local-FortiGate (interface) edit "test_all_2_4"
Local-FortiGate (test_all_2_4) set vdom "root"
Local-FortiGate (test_all_2_4) set type tunnel
Local-FortiGate (test_all_2_4) set snmp-index 130
Local-FortiGate (test_all_2_4) set interface "internal2"
Local-FortiGate (test_all_2_4) next
Local-FortiGate (interface) end
Local-FortiGate config vpn ipsec phase1-interface
Local-FortiGate (phase1-interface) edit "test_all_1_3"
Local-FortiGate (test_all_1_3) set interface "internal1"
Local-FortiGate (test_all_1_3) set comments "[created by FMG VPN Manager]"
Local-FortiGate (test_all_1_3) set dhgrp 20 21
Local-FortiGate (test_all_1_3) set proposal aes128-sha256 aes256-sha256
Local-FortiGate (test_all_1_3) set keylife 28800
Local-FortiGate (test_all_1_3) set peertype any
Local-FortiGate (test_all_1_3) set remote-gw 10.200.3.1
Local-FortiGate (test_all_1_3) set net-device disable
Local-FortiGate (test_all_1_3) set add-gw-route enable
Local-FortiGate (test_all_1_3) set psksecret *********************
Local-FortiGate (test_all_1_3) next
Local-FortiGate (phase1-interface) end
Local-FortiGate config system interface
Local-FortiGate (interface) edit "test_all_1_3"
Local-FortiGate (test_all_1_3) set vdom "root"
Local-FortiGate (test_all_1_3) set type tunnel
Local-FortiGate (test_all_1_3) set snmp-index 131
Local-FortiGate (test_all_1_3) set interface "internal1"
Local-FortiGate (test_all_1_3) next
Local-FortiGate (interface) end
Local-FortiGate config vpn ipsec phase1-interface
Local-FortiGate (phase1-interface) edit "test_all_1_4"
Local-FortiGate (test_all_1_4) set interface "internal1"
Local-FortiGate (test_all_1_4) set comments "[created by FMG VPN Manager]"
Local-FortiGate (test_all_1_4) set dhgrp 20 21
Local-FortiGate (test_all_1_4) set proposal aes128-sha256 aes256-sha256
Local-FortiGate (test_all_1_4) set keylife 28800
Local-FortiGate (test_all_1_4) set peertype any
Local-FortiGate (test_all_1_4) set remote-gw 10.200.4.1
Local-FortiGate (test_all_1_4) set net-device disable
Local-FortiGate (test_all_1_4) set add-gw-route enable
Local-FortiGate (test_all_1_4) set psksecret *********************
Local-FortiGate (test_all_1_4) next
Local-FortiGate (phase1-interface) end
Local-FortiGate config system interface
Local-FortiGate (interface) edit "test_all_1_4"
Local-FortiGate (test_all_1_4) set vdom "root"
Local-FortiGate (test_all_1_4) set type tunnel
Local-FortiGate (test_all_1_4) set snmp-index 132
Local-FortiGate (test_all_1_4) set interface "internal1"
Local-FortiGate (test_all_1_4) next
Local-FortiGate (interface) end

Installation of zone:

Local-FortiGate config system zone
Local-FortiGate (zone) edit "vpnmgr_test_all_mesh"
Local-FortiGate (vpnmgr_test_all_mesh) set interface "test_all_2_3" "test_all_2_4" "test_all_1_3" "test_all_1_4"
Local-FortiGate (vpnmgr_test_all_mesh) next
Local-FortiGate (zone) end

Installation of phase2:

Local-FortiGate config vpn ipsec phase2-interface
Local-FortiGate (phase2-interface) edit "test_all_1_3_0"
Local-FortiGate (test_all_1_3_0) set phase1name "test_all_1_3"
Local-FortiGate (test_all_1_3_0) set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 aes128gcm aes256gcm chacha20poly1305
Local-FortiGate (test_all_1_3_0) set comments "[created by FMG VPN Manager]"
Local-FortiGate (test_all_1_3_0) set dhgrp 20 21
Local-FortiGate (test_all_1_3_0) set keylifeseconds 1800
Local-FortiGate (test_all_1_3_0) next
Local-FortiGate (phase2-interface) edit "test_all_1_4_0"
Local-FortiGate (test_all_1_4_0) set phase1name "test_all_1_4"
Local-FortiGate (test_all_1_4_0) set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 aes128gcm aes256gcm chacha20poly1305
Local-FortiGate (test_all_1_4_0) set comments "[created by FMG VPN Manager]"
Local-FortiGate (test_all_1_4_0) set dhgrp 20 21
Local-FortiGate (test_all_1_4_0) set keylifeseconds 1800
Local-FortiGate (test_all_1_4_0) next
Local-FortiGate (phase2-interface) edit "test_all_2_3_0"
Local-FortiGate (test_all_2_3_0) set phase1name "test_all_2_3"
Local-FortiGate (test_all_2_3_0) set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 aes128gcm aes256gcm chacha20poly1305
Local-FortiGate (test_all_2_3_0) set comments "[created by FMG VPN Manager]"
Local-FortiGate (test_all_2_3_0) set dhgrp 20 21
Local-FortiGate (test_all_2_3_0) set keylifeseconds 1800
Local-FortiGate (test_all_2_3_0) next
Local-FortiGate (phase2-interface) edit "test_all_2_4_0"
Local-FortiGate (test_all_2_4_0) set phase1name "test_all_2_4"
Local-FortiGate (test_all_2_4_0) set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 aes128gcm aes256gcm chacha20poly1305
Local-FortiGate (test_all_2_4_0) set comments "[created by FMG VPN Manager]"
Local-FortiGate (test_all_2_4_0) set dhgrp 20 21
Local-FortiGate (test_all_2_4_0) set keylifeseconds 1800
Local-FortiGate (test_all_2_4_0) next
Local-FortiGate (phase2-interface) end

Installation of routing entries (one static route per tunnel; the destinations are the protected subnets set in VPN Manager, here REMOTE_SUBNET = 10.0.2.0/24):

Local-FortiGate config router static
Local-FortiGate (static) edit 1072741825
Local-FortiGate (1072741825) set dst 10.0.2.0 255.255.255.0
Local-FortiGate (1072741825) set priority 2
Local-FortiGate (1072741825) set device "test_all_2_3"
Local-FortiGate (1072741825) next
Local-FortiGate (static) edit 1072741826
Local-FortiGate (1072741826) set dst 10.0.2.0 255.255.255.0
Local-FortiGate (1072741826) set priority 2
Local-FortiGate (1072741826) set device "test_all_2_4"
Local-FortiGate (1072741826) next
Local-FortiGate (static) edit 1072741827
Local-FortiGate (1072741827) set dst 10.0.2.0 255.255.255.0
Local-FortiGate (1072741827) set priority 2
Local-FortiGate (1072741827) set device "test_all_1_3"
Local-FortiGate (1072741827) next
Local-FortiGate (static) edit 1072741828
Local-FortiGate (1072741828) set dst 10.0.2.0 255.255.255.0
Local-FortiGate (1072741828) set priority 2
Local-FortiGate (1072741828) set device "test_all_1_4"
Local-FortiGate (1072741828) next
Local-FortiGate (static) end


---> generating verification report
<--- done generating verification report

Note: The pushed phase1 entries use 'set peertype any' together with the community's preshared key, so any peer that reaches a WAN interface and knows the PSK is accepted as a mesh member; the community PSK is then the only thing authenticating the gateways. The default phase2 proposal list also still contains aes128-sha1 and aes256-sha1. Both the authentication method and the phase1/phase2 proposals are properties of the VPN community, so tighten them there rather than on the individual FortiGates, otherwise the next install from FortiManager can revert the change. The four static routes to REMOTE_SUBNET have the same distance and priority, so traffic is balanced across all tunnels that are currently up.
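The check a practitioner wants after the installation is that all four tunnels listed in the log above actually come up on Local-FortiGate. The following script is an added example, not part of the article or of Fortinet's tooling: it parses the output of 'diagnose vpn ike gateway list' and compares it with the expected tunnels taken from the installation log. The record layout it expects (name:, interface:, addr:, IKE SA: and IPsec SA: lines) is an assumption about the FortiOS output format, and the sample output embedded in the script is constructed.

```python
"""Check that every tunnel FortiManager pushed for the mesh is actually up.

Added example (not from the article or Fortinet): parses the text of
'diagnose vpn ike gateway list' from Local-FortiGate and compares it with the
four phase1 entries in the installation log. The sample output is constructed;
the record layout (name:/interface:/addr:/IKE SA:/IPsec SA: lines) is an
assumption about the FortiOS output format.
"""
import re
from dataclasses import dataclass

# Expected tunnels, taken from the phase1 entries in the installation log:
# phase1 name -> (local WAN interface, remote gateway IP)
EXPECTED = {
    "test_all_1_3": ("internal1", "10.200.3.1"),
    "test_all_1_4": ("internal1", "10.200.4.1"),
    "test_all_2_3": ("internal2", "10.200.3.1"),
    "test_all_2_4": ("internal2", "10.200.4.1"),
}

# Constructed sample: three tunnels established, test_all_2_4 has no IKE SA
# (for instance because the second ISP line of Remote-FortiGate is down).
SAMPLE_OUTPUT = """\
name: test_all_1_3
interface: internal1 3
addr: 10.200.1.1:500 -> 10.200.3.1:500
IKE SA: created 1/1  established 1/1  time 10/10/10 ms
IPsec SA: created 1/2  established 1/2  time 0/0/0 ms
name: test_all_1_4
interface: internal1 3
addr: 10.200.1.1:500 -> 10.200.4.1:500
IKE SA: created 1/1  established 1/1  time 12/12/12 ms
IPsec SA: created 1/2  established 1/2  time 0/0/0 ms
name: test_all_2_3
interface: internal2 4
addr: 10.200.2.1:500 -> 10.200.3.1:500
IKE SA: created 1/1  established 1/1  time 9/9/9 ms
IPsec SA: created 1/2  established 1/2  time 0/0/0 ms
name: test_all_2_4
interface: internal2 4
addr: 10.200.2.1:500 -> 10.200.4.1:500
IKE SA: created 0/1  established 0/1  time 0/0/0 ms
IPsec SA: created 0/1  established 0/1  time 0/0/0 ms
"""


@dataclass
class Gateway:
    name: str
    interface: str
    remote_gw: str
    ike_established: int
    ipsec_established: int

    @property
    def up(self) -> bool:
        return self.ike_established > 0 and self.ipsec_established > 0


_FIELD = re.compile(r"^(name|interface|addr|IKE SA|IPsec SA):\s*(.*)$")


def _build(d: dict) -> Gateway:
    return Gateway(d["name"], d.get("interface", ""), d.get("remote_gw", ""),
                   d.get("IKE SA", 0), d.get("IPsec SA", 0))


def parse_ike_gateway_list(text: str) -> list[Gateway]:
    """One Gateway per 'name:' line; the other fields are read from its record."""
    gateways, cur = [], {}
    for line in text.splitlines():
        m = _FIELD.match(line.strip())
        if not m:
            continue
        key, value = m.groups()
        if key == "name":
            if cur:
                gateways.append(_build(cur))
            cur = {"name": value}
        elif key == "interface":            # 'internal1 3' -> 'internal1'
            cur["interface"] = value.split()[0]
        elif key == "addr":                 # 'a:500 -> b:500' -> 'b'
            cur["remote_gw"] = value.split("->")[1].strip().rsplit(":", 1)[0]
        else:                               # 'IKE SA' / 'IPsec SA'
            est = re.search(r"established (\d+)/\d+", value)
            cur[key] = int(est.group(1)) if est else 0
    if cur:
        gateways.append(_build(cur))
    return gateways


def check_mesh(text: str, expected: dict = EXPECTED) -> dict[str, str]:
    """Status per expected tunnel: 'up', 'down', 'missing' (not on the device)
    or 'mismatch' (bound to a different WAN interface or peer)."""
    seen = {g.name: g for g in parse_ike_gateway_list(text)}
    status = {}
    for name, (iface, peer) in expected.items():
        g = seen.get(name)
        if g is None:
            status[name] = "missing"
        elif (g.interface, g.remote_gw) != (iface, peer):
            status[name] = "mismatch"
        else:
            status[name] = "up" if g.up else "down"
    return status


if __name__ == "__main__":
    for name, state in check_mesh(SAMPLE_OUTPUT).items():
        print(f"{name}: {state}")
```

Feed the real command output to check_mesh() instead of SAMPLE_OUTPUT. One 'down' tunnel while the others are 'up' is the expected picture when a single ISP line fails, which is what the redundant mesh is for; 'missing' or 'mismatch' points at an installation problem (wrong interface mapping or a phase1 that was not pushed).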

  4. Create the policies for the VPN (without them no traffic can enter the tunnels).
By default, the VPN interfaces are placed in a VPN zone, and this zone should be used in the policies. To create the policies, go to Policy & Objects, select the appropriate policy package and create a new policy. For both Local-FortiGate and Remote-FortiGate, select the VPN zone (vpnmgr_<communityName>_mesh, here vpnmgr_test_all_mesh) as source or destination, or the appropriate mapped tunnel interfaces if VPN zones were disabled when the VPN community was created. Source and destination addresses can be set to the addresses configured as protected subnets in the VPN community (LOCAL_SUBNET and REMOTE_SUBNET).
 
policy_zones.png

 

Note:
How to calculate the number of VPN tunnels in a fully redundant mesh with a given number of ISP connections per FortiGate:
 (N x (N-1) / 2) x I² = number of VPN tunnels

Where:

  • N = number of FortiGates.
  • I = number of ISP connections each FortiGate has.

Each tunnel becomes a phase1-interface on both of its endpoints, so every FortiGate ends up with (N-1) x I² phase1 entries (4 per FortiGate in the example above, 16 per FortiGate in a mesh of 5 FortiGates with 2 ISP links each).
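As an added example (not from the article), the formula generalized to FortiGates with different numbers of ISP links, a case the formula above does not cover: each pair of FortiGates A and B needs I_A x I_B tunnels, one per combination of a WAN interface on A and a WAN interface on B, and the mesh total is the sum over all pairs. With I links on every FortiGate this reduces to (N x (N-1) / 2) x I². The gateway and interface names other than the two FortiGates of the lab are made up.

```python
"""Enumerate the tunnels of a fully redundant mesh and check the count.

Added example, not from the article. Generalizes the formula
(N x (N-1) / 2) x I^2 to FortiGates with different numbers of ISP links:
a pair of FortiGates (A, B) needs I_A x I_B tunnels and the mesh total is the
sum over all pairs. Gateway names other than the lab's two are made up.
"""
from itertools import combinations, product


def mesh_tunnels(gateways: dict[str, list[str]]) -> list[tuple[str, str, str, str]]:
    """gateways maps a FortiGate name to its WAN interfaces.
    Returns one (gw_a, wan_a, gw_b, wan_b) entry per tunnel. A tunnel is
    listed once here although it becomes a phase1-interface on both ends."""
    tunnels = []
    for (a, a_wans), (b, b_wans) in combinations(sorted(gateways.items()), 2):
        for wan_a, wan_b in product(a_wans, b_wans):
            tunnels.append((a, wan_a, b, wan_b))
    return tunnels


def formula(n: int, i: int) -> int:
    """The article's formula: N FortiGates with I ISP links each."""
    return (n * (n - 1) // 2) * i * i


def phase1_entries(gateways: dict[str, list[str]], device: str) -> int:
    """How many phase1-interface entries FortiManager pushes to one device."""
    return sum(1 for a, _, b, _ in mesh_tunnels(gateways) if device in (a, b))


def uniform_mesh(n: int, i: int) -> dict[str, list[str]]:
    """N FortiGates with I ISP links each (made-up names FGT1..FGTn)."""
    return {f"FGT{k}": [f"wan{j}" for j in range(1, i + 1)] for k in range(1, n + 1)}


if __name__ == "__main__":
    # The article's lab: 2 FortiGates with 2 ISP links each -> 4 tunnels,
    # and 4 phase1 entries on each FortiGate (compare the installation log).
    lab = {"Local-FortiGate": ["internal1", "internal2"],
           "Remote-FortiGate": ["port4", "port5"]}
    for t in mesh_tunnels(lab):
        print(t)
    print(phase1_entries(lab, "Local-FortiGate"), "phase1 entries on Local-FortiGate")
    # A case the formula does not cover: a hub with 3 ISP links and two
    # sites with 2 links each -> 3*2 + 3*2 + 2*2 = 16 tunnels.
    mixed = {"HQ": ["wan1", "wan2", "wan3"],
             "Site1": ["wan1", "wan2"], "Site2": ["wan1", "wan2"]}
    print(len(mesh_tunnels(mixed)), "tunnels in the mixed mesh")
```

The list returned by mesh_tunnels() is also a convenient checklist against the VPN Manager community view: every entry must appear as a gateway/interface combination on both FortiGates it names.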
 

Related documents: