Problem Configuring Site to Site ROUTE BASED VPN

Question

Hi all,

I'm struggling to get a Route Based VPN to connect end to end. Phase 1 is connecting fine.

I simply want to create an IPSec (/30) Tunnel. I will use static routes to decide as to what traffic traverses the tunnel.

Where should my ends IP Address of the /30 be configured ? I have it currently in the Tunnel Interface within Network > Interfaces.

Within the IPSec Tunnels section of VPN, what addresses should I insert into Phase 2 ? Do I put in the Local and Remote /30 IP's ? I read somewhere else about adding 0.0.0.0/0.0.0.0. But neither seems to have worked.

At the other end is a non-Fortigate device. It has no IP Addresses configured in Phase 2

Encryption Algo: AES256

PFS: Disabled

Hash Algo: SHA256 SA life time: 3600

NAT Traversal Off

Any suggestions or pointers gratefully received

Toshi_Esumi · Answer

Did you follow some instructions like below cookbook? You just needed to modify the source/destination subnets to 0/0.

https://cookbook.fortinet...ith-two-fortigates-60/

Then the GUI populate the config at the right places in the config file you can see in CLI. Yes, the tunnel ip should be under the "interface". And you need to add your static routes separately.

I'm not sure how the menu looks like in GUI to chose those specific IPSec parameters, but the best way to confirm is to go to CLI and check what are chosen under "config vpn ipsec phase1-interface" and "config vpn ipsec phase2-interface" and modify them as needed. I believe some of them can't be set/modified via GUI.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded