Description
This article describes how to configure IPsec VPN Tunnel using IKE v2.
Scope
FortiClient.
Solution
The FortiGate IPSEC tunnels can be configured using IKE v2.
Summary of the FortiGate GUI configuration:
Which results in a CLI output as the following example:
show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
edit "FCT_IKE_v2"
set type dynamic
set interface "port1"
set ike-version 2
set local-gw 192.168.252.132
set peertype any
set mode-cfg enable
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256 3des-sha1
set dpd on-idle
set dhgrp 5
set eap enable
set eap-identity send-request
set authusrgrp "training"
set assign-ip-from name
set ipv4-netmask 255.255.255.0
set dns-mode auto
set ipv4-split-include "FCT_IKE_v2_split"
set ipv4-name "FCT_IKE_v2_range"
set save-password enable
set client-auto-negotiate enable
set client-keep-alive enable
set psksecret ENC
set dpd-retryinterval 60
next
end
FortiClient configuration.
Debugging on the FortiGate.
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug enable
...
2020-06-01 10:54:56.781236 ike 0: comes 192.168.252.140:500->192.168.252.132:500,ifindex=3....
2020-06-01 10:54:56.784383 ike 0: IKEv2 exchange=SA_INIT id=8a5fcff621752576/0000000000000000 len=436
...
2020-06-01 10:54:56.966247 ike 0:8a5fcff621752576/0000000000000000:3: SA proposal chosen, matched gateway FCT_IKE_v2
2020-06-01 10:54:56.970778 ike 0:FCT_IKE_v2: created connection: 0xc1ac370 3 192.168.252.132->192.168.252.140:500.
...
2020-06-01 10:54:57.098345 ike 0:FCT_IKE_v2:3: responder received AUTH msg
2020-06-01 10:54:57.100344 ike 0:FCT_IKE_v2:3: processing notify type INITIAL_CONTACT
2020-06-01 10:54:57.103118 ike 0:FCT_IKE_v2:3: peer identifier IPV4_ADDR 192.168.252.140
2020-06-01 10:54:57.109820 ike 0:FCT_IKE_v2:3: re-validate gw ID
2020-06-01 10:54:57.113740 ike 0:FCT_IKE_v2:3: gw validation OK
...
2020-06-01 10:54:57.115832 ike 0:FCT_IKE_v2:3: responder preparing EAP identity request
2020-06-01 10:54:57.118622 ike 0:FCT_IKE_v2:3: enc
2020-06-01 10:54:57.128907 ike 0:FCT_IKE_v2:3: out
2020-06-01 10:54:57.138184 ike 0:FCT_IKE_v2:3: sent IKE msg (AUTH_RESPONSE): 192.168.252.132:500->192.168.252.140:500, len=128,
...
2020-06-01 10:54:57.168080 ike 0:FCT_IKE_v2:3: responder received EAP msg
2020-06-01 10:54:57.170300 ike 0:FCT_IKE_v2:3: send EAP message to FNBAM
2020-06-01 10:54:57.172977 ike 0:FCT_IKE_v2:3: initiating EAP authentication
2020-06-01 10:54:57.175182 ike 0:FCT_IKE_v2: EAP user "engineer"
2020-06-01 10:54:57.176733 ike 0:FCT_IKE_v2: auth group training
2020-06-01 10:54:57.179241 ike 0:FCT_IKE_v2: EAP 1224753671 pending
2020-06-01 10:54:57.180344 ike 0:FCT_IKE_v2:3 EAP 1224753671 result 2
2020-06-01 10:54:57.181322 ike 0:FCT_IKE_v2: EAP challenged for user "engineer"
2020-06-01 10:54:57.182419 ike 0:FCT_IKE_v2:3: responder preparing EAP pass through message
...
2020-06-01 10:54:57.595037 ike 0:FCT_IKE_v2:3:FCT_IKE_v2:39: lifetime=43200
2020-06-01 10:54:57.598559 ike 0:FCT_IKE_v2:3: responder preparing AUTH msg
2020-06-01 10:54:57.601466 ike 0:FCT_IKE_v2: adding new dynamic tunnel for 192.168.252.140:500
2020-06-01 10:54:57.605352 ike 0:FCT_IKE_v2_0: added new dynamic tunnel for 192.168.252.140:500
2020-06-01 10:54:57.612130 ike 0:FCT_IKE_v2_0:3: established IKE SA
...
2020-06-01 10:54:57.774281 ike 0:FCT_IKE_v2: carrier up
To stop the debugging, run the following commands:
diagnose debug disable
diagnose debug reset
The last message, 'carrier up', indicates that the tunnel is up and running.