Description
This article describes how to configure a dial-up IPsec VPN tunnel for FortiClient on a FortiGate using IKEv2, and how to read the IKE debug output of a successful connection.
Solution
FortiGate IPsec tunnels can be negotiated with IKEv2 instead of IKEv1. The example below is a dial-up (dynamic) tunnel for FortiClient that authenticates each user with EAP against the local user group "training" on top of the pre-shared key.
The FortiGate side is configured from the GUI. Seen from the CLI, the resulting phase1-interface configuration is:
show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
    edit "FCT_IKE_v2"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set local-gw 192.168.252.132
        set peertype any
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256 3des-sha1
        set dpd on-idle
        set dhgrp 5
        set eap enable
        set eap-identity send-request
        set authusrgrp "training"
        set assign-ip-from name
        set ipv4-netmask 255.255.255.0
        set dns-mode auto
        set ipv4-split-include "FCT_IKE_v2_split"
        set ipv4-name "FCT_IKE_v2_range"
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret ENC
        set dpd-retryinterval 60
    next
end
Note that the proposal list ends with 3des-sha1 and the only DH group is 5 (1536-bit MODP). Both are legacy choices kept for compatibility with older clients; if every client supports the AES/SHA-2 proposals, remove 3des-sha1 and move to a 2048-bit or larger group (14 or higher). The IKEv2 settings that matter for the exchange shown below are ike-version 2, eap enable, eap-identity send-request and authusrgrp.
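As an added example (not part of the original article and not a Fortinet tool), the following script parses the phase1-interface text above, flags legacy proposals and DH groups, and prints the replacement set lines. The legacy lists and the fallback group 14 are this example's own policy assumptions; the sample configuration is copied from the article.

```python
"""Audit a FortiOS 'show vpn ipsec phase1-interface' dump for legacy IKE settings.

Added example for this article; not part of the original page and not a
Fortinet tool. It parses the CLI text, flags legacy proposals and DH groups
and emits the 'set' lines that would replace them. The legacy sets and the
fallback group are this example's own policy choices (assumptions).
"""
import re

# Constructed sample: the phase1-interface shown in the article, trimmed.
SAMPLE = """config vpn ipsec phase1-interface
    edit "FCT_IKE_v2"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256 3des-sha1
        set dhgrp 5
        set eap enable
        set authusrgrp "training"
        set psksecret ENC
    next
end
"""

# Assumed policy: DES/3DES and MD5/SHA-1 are deprecated; MODP groups 1, 2, 5
# (768-, 1024-, 1536-bit) fall below 112-bit strength. Adjust to your baseline.
LEGACY_CIPHERS = {"des", "3des"}
LEGACY_HASHES = {"md5", "sha1"}
LEGACY_DHGRP = {"1", "2", "5"}
FALLBACK_DHGRP = "14"            # 2048-bit MODP, assumed acceptable here
FALLBACK_PROPOSAL = "aes256-sha256"  # used only if every proposal was legacy


def parse_phase1(text):
    """Return {gateway name: {setting: [values]}} from 'show' output."""
    gateways, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'edit "([^"]+)"$', line)
        if m:
            current = m.group(1)
            gateways[current] = {}
        elif line == "next":
            current = None
        elif current is not None:
            m = re.match(r"set (\S+) (.+)$", line)
            if m:
                gateways[current][m.group(1)] = m.group(2).replace('"', "").split()
    return gateways


def is_legacy_proposal(prop):
    """'aes128-sha256' -> False, '3des-sha1' -> True; AEAD entries carry '-prfsha*'."""
    enc, _, integ = prop.partition("-")
    return enc in LEGACY_CIPHERS or integ in LEGACY_HASHES


def audit(gw):
    """List findings for one gateway's settings (empty list means clean)."""
    findings = []
    if gw.get("ike-version", ["1"])[0] != "2":
        findings.append("ike-version is not 2")
    for prop in gw.get("proposal", []):
        if is_legacy_proposal(prop):
            findings.append(f"legacy proposal {prop}")
    for grp in gw.get("dhgrp", []):
        if grp in LEGACY_DHGRP:
            findings.append(f"legacy DH group {grp}")
    return findings


def harden(gw):
    """CLI 'set' lines keeping only the non-legacy proposals and DH groups."""
    props = [p for p in gw.get("proposal", []) if not is_legacy_proposal(p)] or [FALLBACK_PROPOSAL]
    groups = [g for g in gw.get("dhgrp", []) if g not in LEGACY_DHGRP] or [FALLBACK_DHGRP]
    return [f"set proposal {' '.join(props)}", f"set dhgrp {' '.join(groups)}"]


def audit_config(text):
    """Map each gateway name to (findings, hardening lines)."""
    return {name: (audit(gw), harden(gw)) for name, gw in parse_phase1(text).items()}


if __name__ == "__main__":
    for name, (findings, fix) in audit_config(SAMPLE).items():
        print(name, findings or "clean")
        for line in fix:
            print("   ", line)
```

The emitted set lines are applied inside the same edit "FCT_IKE_v2" block; FortiClient must offer at least one of the remaining proposals and the new DH group, so update the client profile in the same change.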
FortiClient configuration.
On FortiClient, create an IPsec VPN connection to the FortiGate address 192.168.252.132 with IKE version 2, the same pre-shared key, and the username and password of a member of the "training" user group (the capture below uses the user "engineer"). Because eap-identity is set to send-request, the FortiGate asks the client for its EAP identity instead of reusing the IKE ID payload.
Debugging on the FortiGate.
Enable IKE debugging with timestamps before the client connects:
diagnose debug console timestamp enable
diagnose debug application ike -1
Debug messages will be on for 30 minutes.
diagnose debug enable
The line "Debug messages will be on for 30 minutes." is the FortiGate's reply to the ike -1 command; the debug level is reset automatically after that period. The trimmed output of a successful connection from the client 192.168.252.140 follows.
...
2020-06-01 10:54:56.781236 ike 0: comes 192.168.252.140:500->192.168.252.132:500,ifindex=3....
2020-06-01 10:54:56.784383 ike 0: IKEv2 exchange=SA_INIT id=8a5fcff621752576/0000000000000000 len=436
...
2020-06-01 10:54:56.966247 ike 0:8a5fcff621752576/0000000000000000:3: SA proposal chosen, matched gateway FCT_IKE_v2
2020-06-01 10:54:56.970778 ike 0:FCT_IKE_v2: created connection: 0xc1ac370 3 192.168.252.132->192.168.252.140:500.
...
2020-06-01 10:54:57.098345 ike 0:FCT_IKE_v2:3: responder received AUTH msg
2020-06-01 10:54:57.100344 ike 0:FCT_IKE_v2:3: processing notify type INITIAL_CONTACT
2020-06-01 10:54:57.103118 ike 0:FCT_IKE_v2:3: peer identifier IPV4_ADDR 192.168.252.140
2020-06-01 10:54:57.109820 ike 0:FCT_IKE_v2:3: re-validate gw ID
2020-06-01 10:54:57.113740 ike 0:FCT_IKE_v2:3: gw validation OK
...
2020-06-01 10:54:57.115832 ike 0:FCT_IKE_v2:3: responder preparing EAP identity request
2020-06-01 10:54:57.118622 ike 0:FCT_IKE_v2:3: enc
2020-06-01 10:54:57.128907 ike 0:FCT_IKE_v2:3: out
2020-06-01 10:54:57.138184 ike 0:FCT_IKE_v2:3: sent IKE msg (AUTH_RESPONSE): 192.168.252.132:500->192.168.252.140:500, len=128,
...
2020-06-01 10:54:57.168080 ike 0:FCT_IKE_v2:3: responder received EAP msg
2020-06-01 10:54:57.170300 ike 0:FCT_IKE_v2:3: send EAP message to FNBAM
2020-06-01 10:54:57.172977 ike 0:FCT_IKE_v2:3: initiating EAP authentication
2020-06-01 10:54:57.175182 ike 0:FCT_IKE_v2: EAP user "engineer"
2020-06-01 10:54:57.176733 ike 0:FCT_IKE_v2: auth group training
2020-06-01 10:54:57.179241 ike 0:FCT_IKE_v2: EAP 1224753671 pending
2020-06-01 10:54:57.180344 ike 0:FCT_IKE_v2:3 EAP 1224753671 result 2
2020-06-01 10:54:57.181322 ike 0:FCT_IKE_v2: EAP challenged for user "engineer"
2020-06-01 10:54:57.182419 ike 0:FCT_IKE_v2:3: responder preparing EAP pass through message
...
2020-06-01 10:54:57.595037 ike 0:FCT_IKE_v2:3:FCT_IKE_v2:39: lifetime=43200
2020-06-01 10:54:57.598559 ike 0:FCT_IKE_v2:3: responder preparing AUTH msg
2020-06-01 10:54:57.601466 ike 0:FCT_IKE_v2: adding new dynamic tunnel for 192.168.252.140:500
2020-06-01 10:54:57.605352 ike 0:FCT_IKE_v2_0: added new dynamic tunnel for 192.168.252.140:500
2020-06-01 10:54:57.612130 ike 0:FCT_IKE_v2_0:3: established IKE SA
...
2020-06-01 10:54:57.774281 ike 0:FCT_IKE_v2: carrier up
"established IKE SA" shows that the EAP authentication of user "engineer" succeeded and the IKE SA was set up for the new dynamic tunnel FCT_IKE_v2_0; the last message, carrier up, indicates that the tunnel is up and running. The tunnel can be confirmed with diagnose vpn ike gateway list and diagnose vpn tunnel list. Turn the debug off afterwards with diagnose debug disable and diagnose debug reset.
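As an added example (not part of the original article and not a Fortinet tool), the script below scans the ike -1 output line by line, records the milestones shown in the capture above in the order a successful negotiation passes them, and reports the last one reached and the next one that was expected, so a failed client can be placed at SA_INIT, AUTH, EAP or tunnel bring-up. The two captures are constructed from the article's lines; the milestone strings are taken from them.

```python
"""Place a FortiClient IKEv2 dial-up attempt on the milestones of an ike -1 capture.

Added example for this article; not part of the original page and not a
Fortinet tool. It scans 'diagnose debug application ike -1' output, records
the milestones shown in the article in the order a successful negotiation
passes them, and reports the last one reached plus the next one expected.
The captures below are constructed from the article's lines.
"""
import re

# Milestones of an IKEv2 + EAP dial-up, in the order seen in the capture.
MILESTONES = [
    ("sa_init",        re.compile(r"IKEv2 exchange=SA_INIT")),
    ("proposal_match", re.compile(r"SA proposal chosen, matched gateway (\S+)")),
    ("auth_received",  re.compile(r"responder received AUTH msg")),
    ("gw_validated",   re.compile(r"gw validation OK")),
    ("eap_user",       re.compile(r'EAP user "([^"]+)"')),
    ("eap_challenged", re.compile(r'EAP challenged for user "([^"]+)"')),
    ("ike_sa",         re.compile(r"established IKE SA")),
    ("carrier_up",     re.compile(r"carrier up")),
]
PEER_RE = re.compile(r"comes (\d{1,3}(?:\.\d{1,3}){3}):\d+->")

# Constructed sample: lines from the article's successful connection.
SUCCESS_LINES = [
    "2020-06-01 10:54:56.781236 ike 0: comes 192.168.252.140:500->192.168.252.132:500,ifindex=3....",
    "2020-06-01 10:54:56.784383 ike 0: IKEv2 exchange=SA_INIT id=8a5fcff621752576/0000000000000000 len=436",
    "2020-06-01 10:54:56.966247 ike 0:8a5fcff621752576/0000000000000000:3: SA proposal chosen, matched gateway FCT_IKE_v2",
    "2020-06-01 10:54:57.098345 ike 0:FCT_IKE_v2:3: responder received AUTH msg",
    "2020-06-01 10:54:57.113740 ike 0:FCT_IKE_v2:3: gw validation OK",
    '2020-06-01 10:54:57.175182 ike 0:FCT_IKE_v2: EAP user "engineer"',
    '2020-06-01 10:54:57.181322 ike 0:FCT_IKE_v2: EAP challenged for user "engineer"',
    "2020-06-01 10:54:57.612130 ike 0:FCT_IKE_v2_0:3: established IKE SA",
    "2020-06-01 10:54:57.774281 ike 0:FCT_IKE_v2: carrier up",
]
# Constructed failure: the same attempt cut off after the EAP challenge,
# i.e. no IKE SA and no carrier up ever appear.
STALLED_LINES = SUCCESS_LINES[:7]


def summarise(lines):
    """Return peer, gateway, user, milestones reached, the last one and the next expected."""
    names = [n for n, _ in MILESTONES]
    hit = set()
    info = {"peer": None, "gateway": None, "user": None}
    for line in lines:
        m = PEER_RE.search(line)
        if m and info["peer"] is None:
            info["peer"] = m.group(1)          # client address from the first 'comes' line
        for name, rx in MILESTONES:
            m = rx.search(line)
            if not m:
                continue
            hit.add(name)
            if name == "proposal_match":
                info["gateway"] = m.group(1)   # phase1-interface that matched
            elif name == "eap_user":
                info["user"] = m.group(1)      # identity the client sent for EAP
    reached = [n for n in names if n in hit]
    last = reached[-1] if reached else None
    nxt = (names.index(last) + 1) if last else 0
    info.update(reached=reached, last=last,
                next_expected=names[nxt] if nxt < len(names) else None)
    return info


if __name__ == "__main__":
    for label, lines in (("success", SUCCESS_LINES), ("stalled", STALLED_LINES)):
        s = summarise(lines)
        print(f"{label}: peer={s['peer']} gateway={s['gateway']} user={s['user']} "
              f"last={s['last']} next_expected={s['next_expected']}")
```

Run it against a saved capture with summarise(open("ike.log").read().splitlines()); when several clients connect at once, filter the lines on the client's address first, since the ike daemon interleaves their negotiations.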