Description
This article describes how to configure IPsec VPN Tunnel using IKE v2.
Scope
FortiClient.
Solution
The FortiGate IPSEC tunnels can be configured using IKE v2.
Summary of the FortiGate GUI configuration:
Which results in a CLI output as the following example:
show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
edit "FCT_IKE_v2"
set type dynamic
set interface "port1"
set ike-version 2
set local-gw 192.168.252.132
set peertype any
set mode-cfg enable
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256 3des-sha1
set dpd on-idle
set dhgrp 5
set eap enable
set eap-identity send-request
set authusrgrp "training"
set assign-ip-from name
set ipv4-netmask 255.255.255.0
set dns-mode auto
set ipv4-split-include "FCT_IKE_v2_split"
set ipv4-name "FCT_IKE_v2_range"
set save-password enable
set client-auto-negotiate enable
set client-keep-alive enable
set psksecret ENC
set dpd-retryinterval 60
next
end
config vpn ipsec phase1-interface
edit "FCT_IKE_v2"
set type dynamic
set interface "port1"
set ike-version 2
set local-gw 192.168.252.132
set peertype any
set mode-cfg enable
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256 3des-sha1
set dpd on-idle
set dhgrp 5
set eap enable
set eap-identity send-request
set authusrgrp "training"
set assign-ip-from name
set ipv4-netmask 255.255.255.0
set dns-mode auto
set ipv4-split-include "FCT_IKE_v2_split"
set ipv4-name "FCT_IKE_v2_range"
set save-password enable
set client-auto-negotiate enable
set client-keep-alive enable
set psksecret ENC
set dpd-retryinterval 60
next
end
FortiClient configuration.
Debugging on the FortiGate.
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug enable
diagnose debug application ike -1
diagnose debug enable
...
2020-06-01 10:54:56.781236 ike 0: comes 192.168.252.140:500->192.168.252.132:500,ifindex=3....
2020-06-01 10:54:56.784383 ike 0: IKEv2 exchange=SA_INIT id=8a5fcff621752576/0000000000000000 len=436
...
2020-06-01 10:54:56.966247 ike 0:8a5fcff621752576/0000000000000000:3: SA proposal chosen, matched gateway FCT_IKE_v2
2020-06-01 10:54:56.970778 ike 0:FCT_IKE_v2: created connection: 0xc1ac370 3 192.168.252.132->192.168.252.140:500.
...
2020-06-01 10:54:57.098345 ike 0:FCT_IKE_v2:3: responder received AUTH msg
2020-06-01 10:54:57.100344 ike 0:FCT_IKE_v2:3: processing notify type INITIAL_CONTACT
2020-06-01 10:54:57.103118 ike 0:FCT_IKE_v2:3: peer identifier IPV4_ADDR 192.168.252.140
2020-06-01 10:54:57.109820 ike 0:FCT_IKE_v2:3: re-validate gw ID
2020-06-01 10:54:57.113740 ike 0:FCT_IKE_v2:3: gw validation OK
...
2020-06-01 10:54:57.115832 ike 0:FCT_IKE_v2:3: responder preparing EAP identity request
2020-06-01 10:54:57.118622 ike 0:FCT_IKE_v2:3: enc
2020-06-01 10:54:57.128907 ike 0:FCT_IKE_v2:3: out
2020-06-01 10:54:57.138184 ike 0:FCT_IKE_v2:3: sent IKE msg (AUTH_RESPONSE): 192.168.252.132:500->192.168.252.140:500, len=128,
...
2020-06-01 10:54:57.168080 ike 0:FCT_IKE_v2:3: responder received EAP msg
2020-06-01 10:54:57.170300 ike 0:FCT_IKE_v2:3: send EAP message to FNBAM
2020-06-01 10:54:57.172977 ike 0:FCT_IKE_v2:3: initiating EAP authentication
2020-06-01 10:54:57.175182 ike 0:FCT_IKE_v2: EAP user "engineer"
2020-06-01 10:54:57.176733 ike 0:FCT_IKE_v2: auth group training
2020-06-01 10:54:57.179241 ike 0:FCT_IKE_v2: EAP 1224753671 pending
2020-06-01 10:54:57.180344 ike 0:FCT_IKE_v2:3 EAP 1224753671 result 2
2020-06-01 10:54:57.181322 ike 0:FCT_IKE_v2: EAP challenged for user "engineer"
2020-06-01 10:54:57.182419 ike 0:FCT_IKE_v2:3: responder preparing EAP pass through message
...
2020-06-01 10:54:57.595037 ike 0:FCT_IKE_v2:3:FCT_IKE_v2:39: lifetime=43200
2020-06-01 10:54:57.598559 ike 0:FCT_IKE_v2:3: responder preparing AUTH msg
2020-06-01 10:54:57.601466 ike 0:FCT_IKE_v2: adding new dynamic tunnel for 192.168.252.140:500
2020-06-01 10:54:57.605352 ike 0:FCT_IKE_v2_0: added new dynamic tunnel for 192.168.252.140:500
2020-06-01 10:54:57.612130 ike 0:FCT_IKE_v2_0:3: established IKE SA
...
2020-06-01 10:54:57.774281 ike 0:FCT_IKE_v2: carrier up
To stop the debugging, run the following commands:
diagnose debug disable
diagnose debug reset
The last message, 'carrier up', indicates that the tunnel is up and running.
Related articles:
- Technical Tip: IKEv2 Dialup IPsec tunnel with Radius and FortiToken MFA.
- Troubleshooting Tip: Troubleshooting IPsec Site-to-Site Tunnel Connectivity
- Technical Tip: How to configure VPN Site to Site between FortiGates (Using VPN Setup Wizard)
- Troubleshooting Tip: IPsec VPNs tunnels
- Technical Tip: Setting multiple DNS server for IPSec dial-up VPN
- Technical Tip: NAT-traversal comparison between site-to-site and dial-up” dynamic” tunnels
- Technical Tip: FortiGate Hub with multiple IPSec Dial-up phase1 using IKEv2 and PSK authentication
- Technical Tip : How to configure multiple VPN tunnels from the same ISP to the same remote peer ISP.
- Technical Tip: IPSec dial-up full tunnel with FortiClient
- Technical Tip: Differences between Aggressive and Main mode in IPSec VPN configurations
- Technical Note: Dynamic routing (BGP) over IPsec tunnel
- Technical Tip: OSPF with IPSec VPN for network redundancy
- Technical Tip: Dynamic dial-up VPN with OSPF
- Technical Tip: Fortinet Auto Discovery VPN (ADVPN)
- Technical Tip: 'set net-device' new route-based IPsec logic
- Technical Tip: Simple OCVPN deployment
- Technical Tip: SD-WAN integration with OCVPN
- Technical Tip: Configure IPsec VPN with SD-WAN
- Technical Tip: SD-WAN with DDNS type IPsec
- Technical Tip: SD-WAN primary and backup ipsec tunnel Scenario
- Troubleshooting Tip: IPsec VPN Phase 1 Process - Aggressive Mode
- Technical Note : Configuring more than one Main-Mode Pre-Shared Key (PSK) *dialup* IPSec phase1 on a...
- Technical Tip: Hard timeout for Dialup IPSEC VPN Tunnel
