500E # show vpn ipsec phase1-interface S2S
# Phase 1 (IKE) for tunnel "S2S", 500E end: static peer x.x.x.x reached via port4, PSK authentication.
# "show" prints only non-default values; the full dump further down lists the rest.
config vpn ipsec phase1-interface
edit "S2S"
set interface "port4"
# IKE SA lifetime in seconds (8 h); the 110C uses the same value.
set keylife 28800
# No peer-ID restriction; plausible for a single static remote-gw, but confirm it is intentional.
set peertype any
# NOTE(review): the tail of this list (3des-*, *-sha1) is legacy; both ends list aes*-sha256 first, so the legacy entries can be removed once confirmed unused.
set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
set remote-gw x.x.x.x
# NOTE(review): ENC blobs are still secret material — redact psksecret lines before sharing configs.
set psksecret ENC tAl7DoFRHysjGiH+Mb6ijjllKtjH42TkHJk80CnLDHVTqTw48xYMGbjTODRkr9lzWJJo6CXd3QupSglXQSA+5Gc4n/rvTu6AYeL81EH1yL2y/EtGNFvay4kGVs2yUnvsVY7mhWoIbqdLP0K0sp1Wkf3hxryCzarHM26GUZosZbt/ktewEOPPDprszWAqZePkUmPyXg==
next
end
500E # show vpn ipsec phase2-interface S2S
# Phase 2 (IPsec SA) for "S2S", 500E end: selectors are named address objects, local N-a.a.a.a -> remote N-b.b.b.b.
config vpn ipsec phase2-interface
edit "S2S"
set phase1name "S2S"
# NOTE(review): sha1-based entries are listed ahead of the sha256 ones here (reverse of phase 1); consider reordering or trimming so aes*-sha256 is preferred.
set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
set src-addr-type name
set dst-addr-type name
# IPsec SA lifetime (1 h); same on the 110C.
set keylifeseconds 3600
# NOTE(review): this selector names the pre-NAT object. Firewall policy 79 source-NATs into POOL_10.200.15.0-24 toward this tunnel, so if the NATed source is meant to traverse the tunnel, this selector (and the 110C dst-name) would have to cover 10.200.15.0/24 — confirm against the intended design.
set src-name "N-a.a.a.a"
set dst-name "N-b.b.b.b"
next
end
110C # show vpn ipsec phase1-interface S2S
# Phase 1 (IKE) for tunnel "S2S", 110C end: static peer y.y.y.y reached via wan2, PSK authentication.
# Only non-default values are shown; the proposal/DH settings appear in the full dump below.
config vpn ipsec phase1-interface
edit "S2S"
set interface "wan2"
# IKE SA lifetime in seconds (8 h); matches the 500E.
set keylife 28800
set remote-gw y.y.y.y
# NOTE(review): ENC blobs are still secret material — redact psksecret lines before sharing configs.
set psksecret ENC Nv3PWpoe+wi21HgsMXnanygYP9VEknt5egXy4qI2yxGpB26q9+nRjxNMxqmhY2I2IdLAoO6Zt/ttnO51pvgFyOoXXcKne47cr5EYM+juRW7cj8IZ3uCKYN29K0LB5k8JOVuCQH6q69dTndxLRElTsfBrFWcRiEtF3lcSZgwWIEd3AjSkowE/E/ZCLV84zinhOIfN/g==
next
end
110C # show vpn ipsec phase2-interface S2S
# Phase 2 (IPsec SA) for "S2S", 110C end: selectors mirror the 500E's, local N-b.b.b.b -> remote N-a.a.a.a.
# No proposal line is printed here, so the 110C presumably runs the default list (the full dump shows the same list as the 500E).
config vpn ipsec phase2-interface
edit "S2S"
set phase1name "S2S"
set src-addr-type name
set dst-addr-type name
# IPsec SA lifetime (1 h); same on the 500E.
set keylifeseconds 3600
set src-name "N-b.b.b.b"
# NOTE(review): the 500E policy 79 source-NATs into 10.200.15.0/24 before sending into the tunnel; if that NATed range is what should arrive here, this dst-name would have to cover it rather than (or in addition to) N-a.a.a.a — confirm.
set dst-name "N-a.a.a.a"
next
end
500E (S2S) # show full-configuration
# Full phase 1 config, 500E end of "S2S": IKEv1 main mode, PSK authentication, static peer x.x.x.x via port4.
config vpn ipsec phase1-interface
edit "S2S"
set type static
set interface "port4"
set ip-version 4
# IKEv1 main mode with a pre-shared key (see authmethod/mode below).
set ike-version 1
# 0.0.0.0 presumably means "use the interface's own address" — confirm.
set local-gw 0.0.0.0
# IKE SA lifetime 8 h; same value on the 110C.
set keylife 28800
set authmethod psk
set mode main
# No peer-ID restriction; plausible for a single static remote-gw, but confirm it is intentional.
set peertype any
set passive-mode disable
set exchange-interface-ip disable
set mode-cfg disable
# NOTE(review): 3des-* and *-sha1 entries are legacy; both ends list aes*-sha256 first, so the tail of this list can be removed once confirmed unused.
set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
set localid ''
set localid-type auto
set auto-negotiate enable
set negotiate-timeout 30
set fragmentation enable
# On-demand DPD here versus "dpd enable" with a 5 s retry interval on the 110C (20 s here) — asymmetric but presumably workable; align the two if the tunnel flaps.
set dpd on-demand
set forticlient-enforcement disable
set npu-offload enable
# DH groups offered: 14 (2048-bit MODP) and 5 (1536-bit MODP). NOTE(review): group 5 is the weaker one and the peer also offers 14, so 5 could be dropped.
set dhgrp 14 5
set suite-b disable
set wizard-type custom
set xauthtype disable
set mesh-selector-type disable
set idle-timeout disable
set ha-sync-esp-seqno enable
# Auto-discovery (ADVPN) keys appear in this dump but not in the 110C's — likely a FortiOS version difference; all disabled here.
set auto-discovery-sender disable
set auto-discovery-receiver disable
set auto-discovery-forwarder disable
set encapsulation none
set nattraversal enable
set rekey enable
set remote-gw x.x.x.x
set monitor ''
set add-gw-route disable
# NOTE(review): ENC blobs are still secret material — redact psksecret lines before sharing configs.
set psksecret ENC 4LPDyWV2wq+20mOa01RPNusJvqkfHIbkXcaHHybOQZrJlFGlwdIJc9uGvZ6/xGTe+gJGUbC+7bB+otonYGZ2jfdwIvyHNWeyhSSMOdlDQMtPfV/v5xMj3WcovVZRTzOYHhf7gtdKO8LPfBPqcjMmtdAJiIVkyA85XJWi5SEtNDf8PbOUBsjIK73TzEnHb9jH5vvSiw==
set keepalive 10
set dpd-retrycount 3
set dpd-retryinterval 20
next
end
500E (S2S) # show full-configuration
# Full phase 2 config, 500E end of "S2S": tunnel-mode ESP with PFS; selectors are named address objects (local N-a.a.a.a -> remote N-b.b.b.b).
config vpn ipsec phase2-interface
edit "S2S"
set phase1name "S2S"
# NOTE(review): same legacy 3des-* / *-sha1 caveat as phase 1, and the sha1 entries are listed first here; reorder or trim so aes*-sha256 is preferred.
set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
# PFS on each IPsec rekey, using the same DH groups as phase 1 (group 5 is the weaker offer).
set pfs enable
set dhgrp 14 5
# Anti-replay protection on.
set replay enable
set keepalive disable
set auto-negotiate disable
# Auto-discovery (ADVPN) keys present on the 500E only, not in the 110C dump — presumably a firmware difference.
set auto-discovery-sender phase1
set auto-discovery-forwarder phase1
# Time-based IPsec SA lifetime only (1 h, see keylifeseconds).
set keylife-type seconds
set encapsulation tunnel-mode
# 0 for protocol and ports presumably means "any" — confirm.
set protocol 0
set src-addr-type name
set src-port 0
set dst-addr-type name
set dst-port 0
set keylifeseconds 3600
# NOTE(review): this selector names the pre-NAT object. Firewall policy 79 source-NATs into POOL_10.200.15.0-24 toward this tunnel, so if the NATed source is meant to traverse the tunnel, this selector (and the 110C dst-name) would have to cover 10.200.15.0/24 — confirm against the intended design.
set src-name "N-a.a.a.a"
set dst-name "N-b.b.b.b"
next
end
110C (S2S) # show full-configuration
# Full phase 1 config, 110C end of "S2S": IKEv1 main mode, PSK authentication, static peer y.y.y.y via wan2.
# Fewer keys than the 500E dump — likely an older FortiOS release on this unit.
config vpn ipsec phase1-interface
edit "S2S"
set type static
set interface "wan2"
set ip-version 4
# IKEv1 main mode with a pre-shared key (see authmethod/mode below).
set ike-version 1
# 0.0.0.0 presumably means "use the interface's own address" — confirm.
set local-gw 0.0.0.0
set nattraversal enable
# IKE SA lifetime 8 h; same value on the 500E.
set keylife 28800
set authmethod psk
set mode main
# No peer-ID restriction; plausible for a single static remote-gw, but confirm it is intentional.
set peertype any
set mode-cfg disable
# NOTE(review): identical list to the 500E, including legacy 3des-* / *-sha1 entries that can be trimmed once both ends are confirmed on aes*-sha256.
set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
set localid ''
set localid-type auto
set negotiate-timeout 30
set fragmentation enable
# Always-on DPD with a 5 s retry interval; the 500E runs on-demand DPD at 20 s — asymmetric but presumably workable; align the two if the tunnel flaps.
set dpd enable
set forticlient-enforcement disable
set npu-offload enable
# DH groups 14 (2048-bit MODP) and 5 (1536-bit MODP). NOTE(review): group 5 is the weaker one and could be dropped since the peer also offers 14.
set dhgrp 14 5
set wizard-type custom
set xauthtype disable
set mesh-selector-type disable
set remote-gw y.y.y.y
set monitor ''
set add-gw-route disable
# NOTE(review): ENC blobs are still secret material — redact psksecret lines before sharing configs.
set psksecret ENC Nv3PWpoe+wi21HgsMXnanygYP9VEknt5egXy4qI2yxGpB26q9+nRjxNMxqmhY2I2IdLAoO6Zt/ttnO51pvgFyOoXXcKne47cr5EYM+juRW7cj8IZ3uCKYN29K0LB5k8JOVuCQH6q69dTndxLRElTsfBrFWcRiEtF3lcSZgwWIEd3AjSkowE/E/ZCLV84zinhOIfN/g==
set keepalive 10
set auto-negotiate enable
set dpd-retrycount 3
set dpd-retryinterval 5
next
end
110C (S2S) # show full-configuration
# Full phase 2 config, 110C end of "S2S": tunnel-mode ESP with PFS; selectors mirror the 500E's (local N-b.b.b.b -> remote N-a.a.a.a).
config vpn ipsec phase2-interface
edit "S2S"
set phase1name "S2S"
# NOTE(review): same legacy 3des-* / *-sha1 caveat as phase 1, and the sha1 entries are listed first; reorder or trim so aes*-sha256 is preferred.
set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
# PFS on each IPsec rekey, using the same DH groups as phase 1 (group 5 is the weaker offer).
set pfs enable
set dhgrp 14 5
# Anti-replay protection on.
set replay enable
set keepalive disable
set auto-negotiate disable
# Time-based IPsec SA lifetime only (1 h, see keylifeseconds).
set keylife-type seconds
set encapsulation tunnel-mode
# 0 for protocol and ports presumably means "any" — confirm.
set protocol 0
set src-addr-type name
set src-port 0
set dst-addr-type name
set dst-port 0
set keylifeseconds 3600
set src-name "N-b.b.b.b"
# NOTE(review): the 500E policy 79 source-NATs into 10.200.15.0/24 before sending into the tunnel; if that NATed range is what should arrive here, this dst-name would have to cover it rather than (or in addition to) N-a.a.a.a — confirm.
set dst-name "N-a.a.a.a"
next
end
500E (S2S) # show full-configuration
# Full phase 1 config, 500E end of "S2S" (repeat of the earlier dump): IKEv1 main mode, PSK authentication, static peer x.x.x.x via port4.
config vpn ipsec phase1-interface
edit "S2S"
set type static
set interface "port4"
set ip-version 4
# IKEv1 main mode with a pre-shared key (see authmethod/mode below).
set ike-version 1
# 0.0.0.0 presumably means "use the interface's own address" — confirm.
set local-gw 0.0.0.0
# IKE SA lifetime 8 h; same value on the 110C.
set keylife 28800
set authmethod psk
set mode main
# No peer-ID restriction; plausible for a single static remote-gw, but confirm it is intentional.
set peertype any
set passive-mode disable
set exchange-interface-ip disable
set mode-cfg disable
# NOTE(review): 3des-* and *-sha1 entries are legacy; both ends list aes*-sha256 first, so the tail of this list can be removed once confirmed unused.
set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
set localid ''
set localid-type auto
set auto-negotiate enable
set negotiate-timeout 30
set fragmentation enable
# On-demand DPD here versus "dpd enable" with a 5 s retry interval on the 110C (20 s here) — asymmetric but presumably workable; align the two if the tunnel flaps.
set dpd on-demand
set forticlient-enforcement disable
set npu-offload enable
# DH groups offered: 14 (2048-bit MODP) and 5 (1536-bit MODP). NOTE(review): group 5 is the weaker one and the peer also offers 14, so 5 could be dropped.
set dhgrp 14 5
set suite-b disable
set wizard-type custom
set xauthtype disable
set mesh-selector-type disable
set idle-timeout disable
set ha-sync-esp-seqno enable
# Auto-discovery (ADVPN) keys appear in this dump but not in the 110C's — likely a FortiOS version difference; all disabled here.
set auto-discovery-sender disable
set auto-discovery-receiver disable
set auto-discovery-forwarder disable
set encapsulation none
set nattraversal enable
set rekey enable
set remote-gw x.x.x.x
set monitor ''
set add-gw-route disable
# NOTE(review): ENC blobs are still secret material — redact psksecret lines before sharing configs.
set psksecret ENC 4LPDyWV2wq+20mOa01RPNusJvqkfHIbkXcaHHybOQZrJlFGlwdIJc9uGvZ6/xGTe+gJGUbC+7bB+otonYGZ2jfdwIvyHNWeyhSSMOdlDQMtPfV/v5xMj3WcovVZRTzOYHhf7gtdKO8LPfBPqcjMmtdAJiIVkyA85XJWi5SEtNDf8PbOUBsjIK73TzEnHb9jH5vvSiw==
set keepalive 10
set dpd-retrycount 3
set dpd-retryinterval 20
next
end
500E (S2S) # show full-configuration
# Full phase 2 config, 500E end of "S2S" (repeat of the earlier dump): tunnel-mode ESP with PFS; selectors are named address objects (local N-a.a.a.a -> remote N-b.b.b.b).
config vpn ipsec phase2-interface
edit "S2S"
set phase1name "S2S"
# NOTE(review): same legacy 3des-* / *-sha1 caveat as phase 1, and the sha1 entries are listed first here; reorder or trim so aes*-sha256 is preferred.
set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
# PFS on each IPsec rekey, using the same DH groups as phase 1 (group 5 is the weaker offer).
set pfs enable
set dhgrp 14 5
# Anti-replay protection on.
set replay enable
set keepalive disable
set auto-negotiate disable
# Auto-discovery (ADVPN) keys present on the 500E only, not in the 110C dump — presumably a firmware difference.
set auto-discovery-sender phase1
set auto-discovery-forwarder phase1
# Time-based IPsec SA lifetime only (1 h, see keylifeseconds).
set keylife-type seconds
set encapsulation tunnel-mode
# 0 for protocol and ports presumably means "any" — confirm.
set protocol 0
set src-addr-type name
set src-port 0
set dst-addr-type name
set dst-port 0
set keylifeseconds 3600
# NOTE(review): this selector names the pre-NAT object. Firewall policy 79 source-NATs into POOL_10.200.15.0-24 toward this tunnel, so if the NATed source is meant to traverse the tunnel, this selector (and the 110C dst-name) would have to cover 10.200.15.0/24 — confirm against the intended design.
set src-name "N-a.a.a.a"
set dst-name "N-b.b.b.b"
next
end
110C (S2S) # show full-configuration
# Full phase 1 config, 110C end of "S2S" (repeat of the earlier dump): IKEv1 main mode, PSK authentication, static peer y.y.y.y via wan2.
# Fewer keys than the 500E dump — likely an older FortiOS release on this unit.
config vpn ipsec phase1-interface
edit "S2S"
set type static
set interface "wan2"
set ip-version 4
# IKEv1 main mode with a pre-shared key (see authmethod/mode below).
set ike-version 1
# 0.0.0.0 presumably means "use the interface's own address" — confirm.
set local-gw 0.0.0.0
set nattraversal enable
# IKE SA lifetime 8 h; same value on the 500E.
set keylife 28800
set authmethod psk
set mode main
# No peer-ID restriction; plausible for a single static remote-gw, but confirm it is intentional.
set peertype any
set mode-cfg disable
# NOTE(review): identical list to the 500E, including legacy 3des-* / *-sha1 entries that can be trimmed once both ends are confirmed on aes*-sha256.
set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
set localid ''
set localid-type auto
set negotiate-timeout 30
set fragmentation enable
# Always-on DPD with a 5 s retry interval; the 500E runs on-demand DPD at 20 s — asymmetric but presumably workable; align the two if the tunnel flaps.
set dpd enable
set forticlient-enforcement disable
set npu-offload enable
# DH groups 14 (2048-bit MODP) and 5 (1536-bit MODP). NOTE(review): group 5 is the weaker one and could be dropped since the peer also offers 14.
set dhgrp 14 5
set wizard-type custom
set xauthtype disable
set mesh-selector-type disable
set remote-gw y.y.y.y
set monitor ''
set add-gw-route disable
# NOTE(review): ENC blobs are still secret material — redact psksecret lines before sharing configs.
set psksecret ENC Nv3PWpoe+wi21HgsMXnanygYP9VEknt5egXy4qI2yxGpB26q9+nRjxNMxqmhY2I2IdLAoO6Zt/ttnO51pvgFyOoXXcKne47cr5EYM+juRW7cj8IZ3uCKYN29K0LB5k8JOVuCQH6q69dTndxLRElTsfBrFWcRiEtF3lcSZgwWIEd3AjSkowE/E/ZCLV84zinhOIfN/g==
set keepalive 10
set auto-negotiate enable
set dpd-retrycount 3
set dpd-retryinterval 5
next
end
110C (S2S) # show full-configuration
# Full phase 2 config, 110C end of "S2S" (repeat of the earlier dump): tunnel-mode ESP with PFS; selectors mirror the 500E's (local N-b.b.b.b -> remote N-a.a.a.a).
config vpn ipsec phase2-interface
edit "S2S"
set phase1name "S2S"
# NOTE(review): same legacy 3des-* / *-sha1 caveat as phase 1, and the sha1 entries are listed first; reorder or trim so aes*-sha256 is preferred.
set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
# PFS on each IPsec rekey, using the same DH groups as phase 1 (group 5 is the weaker offer).
set pfs enable
set dhgrp 14 5
# Anti-replay protection on.
set replay enable
set keepalive disable
set auto-negotiate disable
# Time-based IPsec SA lifetime only (1 h, see keylifeseconds).
set keylife-type seconds
set encapsulation tunnel-mode
# 0 for protocol and ports presumably means "any" — confirm.
set protocol 0
set src-addr-type name
set src-port 0
set dst-addr-type name
set dst-port 0
set keylifeseconds 3600
set src-name "N-b.b.b.b"
# NOTE(review): the 500E policy 79 source-NATs into 10.200.15.0/24 before sending into the tunnel; if that NATed range is what should arrive here, this dst-name would have to cover it rather than (or in addition to) N-a.a.a.a — confirm.
set dst-name "N-a.a.a.a"
next
end
# Firewall policy 79 (500E): traffic from any interface, source object a.a.a.a to destination object b.b.b.b, is accepted out the S2S tunnel interface and source-NATed from an IP pool.
config firewall policy
edit 79
# NOTE(review): srcintf any is not limited to the LAN-facing interface; narrow it if only internal hosts should reach the tunnel.
set srcintf "any"
set dstintf "S2S"
# Objects named like host IPs; the phase 2 selectors use differently named objects (N-a.a.a.a / N-b.b.b.b) — confirm both pairs resolve to the same ranges.
set srcaddr "a.a.a.a"
set dstaddr "b.b.b.b"
set rtp-nat disable
set action accept
set status enable
set schedule "always"
set schedule-timeout disable
# NOTE(review): service ALL with UTM disabled passes every protocol/port unscanned; tighten to the services the tunnel actually needs.
set service "ALL"
set utm-status disable
# All sessions are logged (session-start logging off).
set logtraffic all
set logtraffic-start disable
set session-ttl 0
set vlan-cos-fwd 255
set vlan-cos-rev 255
set wccp disable
set disclaimer disable
set natip 0.0.0.0 0.0.0.0
set match-vip disable
set diffserv-forward disable
set diffserv-reverse disable
set tcp-mss-sender 0
set tcp-mss-receiver 0
set label ''
set global-label ''
set block-notification disable
set replacemsg-override-group ''
set srcaddr-negate disable
set dstaddr-negate disable
set service-negate disable
set timeout-send-rst disable
set captive-portal-exempt disable
set delay-tcp-npu-session disable
set traffic-shaper ''
set traffic-shaper-reverse ''
set per-ip-shaper ''
# Source NAT on, taking addresses from the pool named below (ippool enable + poolname) instead of the outgoing interface IP.
# NOTE(review): for the peer to see the 10.200.15.x addresses, the phase 2 selectors on both ends must also include 10.200.15.0/24; they currently name N-a.a.a.a / N-b.b.b.b — confirm.
set nat enable
set permit-any-host disable
set permit-stun-host disable
set fixedport disable
set ippool enable
set poolname "POOL_10.200.15.0-24"
next
end
# Overload (port-translating) SNAT pool covering 10.200.15.1-10.200.15.254, referenced by firewall policy 79 for traffic into the S2S tunnel.
config firewall ippool
edit "POOL_10.200.15.0-24"
set type overload
set startip 10.200.15.1
set endip 10.200.15.254
# No ARP replies for the pool range; presumably fine for addresses that only exist inside the tunnel — confirm.
set arp-reply disable
set comments ''
next
end
Yes, I do. In fact the tunnel works, but it is not applying the NAT I need in order to get to the other side as 10.200.15.x (please check my previous post).
That was my Phase 2 issue. Instead of reaching the other side with the NATed addresses, the hosts are arriving with their real ones.
Why do I need to NAT? It was an acquisition, and the former IT brains were using public IP addresses for the entire LAN. Until we can change that, we need the VPN up with a private segment.