Description
"Auto IPsec" notifies branch-office FortiGates of, and pushes to them, the IPsec
configuration they need when there is no FortiManager in the organization.
Auto IPsec has two components: the auto-ipsec gateway and the auto-ipsec client.
The policy-based VPN config is added on the auto-ipsec gateway and then pushed to
the client FortiGate (which has auto-ipsec enabled on its VPN-facing interface).
The VPN tunnel is then established automatically once the pushed configuration
has been accepted on the client.
Solution
In the following config example, FWF60C is the auto-ipsec gateway that pushes the
config to FWF40C, the auto-ipsec client.
Topology:

                  FWF60C (auto-ipsec gateway)                         FWF40C (auto-ipsec client)
192.168.2.0/24 ---- internal 192.168.2.1 | dmz 172.17.97.99 ===== IPsec VPN ===== wan1 172.17.97.132 | internal 192.168.1.1 ---- 192.168.1.0/24
Configuration:
FWF60C (auto-ipsec gateway) Configuration
1. Configure the policy-based IPsec phase1 "test_vpn" on FWF60C. The PSK 123456 is a demo value only; use a long random secret in production, as the same secret is entered on the client in step 5.
config vpn ipsec phase1
    edit "test_vpn"
        set interface "dmz"
        set autoconfig gateway
        set remote-gw 172.17.97.132
        set psksecret 123456
    next
end
2. Configure the firewall policy on FWF60C. Make sure srcaddr and dstaddr are
subnets (or address objects) that have a connected route on the respective
FortiGate, rather than "all". On this topology the connected routes are:

FWF60C3G12006101 # get router info routing-table connected
C       192.168.2.0/24 is directly connected, internal

FWF40C3911000235 # get router info routing-table connected
C       192.168.1.0/24 is directly connected, internal
FWF40C (auto-ipsec client) Configuration
3. Allow auto-ipsec on the VPN interface (wan1) of FWF40C
config system interface
    edit "wan1"
        set ip 172.17.97.132 255.255.255.0
        set allowaccess ping https ssh auto-ipsec
        set type physical
        set snmp-index 1
    next
end
FWF60C (auto-ipsec gateway) Push
4. Push the config from FWF60C to FWF40C with the following CLI:
diagnose vpn auto-ipsec gateway notify test_vpn
FWF40C (auto-ipsec client) Accept
5. Accept the config on FWF40C with the following CLI (the argument is the PSK configured in step 1):
diagnose vpn auto-ipsec bootstrap accept 123456
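The following script is an added example and not Fortinet code. It applies the step-2 rule before anything is pushed: it parses the output of `get router info routing-table connected` from both units (the sample lines are constructed to match this topology), refuses srcaddr/dstaddr values that are "all" or that have no connected route on the gateway and client respectively, flags a short PSK, and only then renders the gateway-side CLI for steps 1 and 2. The address-object and policy-based VPN policy syntax (action ipsec, vpntunnel, inbound/outbound) is assumed from FortiOS 5.x; the article itself only shows the phase1 block.

```python
import ipaddress
import re

# Constructed sample output in the 'get router info routing-table connected' format.
GATEWAY_ROUTES = """\
C       192.168.2.0/24 is directly connected, internal
C       172.17.97.0/24 is directly connected, dmz
"""
CLIENT_ROUTES = """\
C       192.168.1.0/24 is directly connected, internal
C       172.17.97.0/24 is directly connected, wan1
"""

ROUTE_RE = re.compile(r"^C\s+(\S+) is directly connected, (\S+)\s*$", re.M)
MIN_PSK_LEN = 16  # assumed policy for this example; the article's 123456 is a demo value


def connected_routes(text):
    """Map each connected network in the routing-table output to its interface."""
    return {ipaddress.ip_network(net): ifname for net, ifname in ROUTE_RE.findall(text)}


def covered_by_connected(addr, routes):
    """True if addr is a real subnet/host inside a connected route; 'all' never qualifies."""
    if addr.strip().lower() == "all":
        return False
    net = ipaddress.ip_network(addr, strict=False)
    return any(net.subnet_of(r) for r in routes if r.version == net.version)


def check_policy_addresses(srcaddr, dstaddr, gateway_routes, client_routes):
    """Step 2: srcaddr must be local to the gateway, dstaddr local to the client."""
    problems = []
    if not covered_by_connected(srcaddr, connected_routes(gateway_routes)):
        problems.append(f"srcaddr {srcaddr!r} has no connected route on the gateway")
    if not covered_by_connected(dstaddr, connected_routes(client_routes)):
        problems.append(f"dstaddr {dstaddr!r} has no connected route on the client")
    return problems


def cidr_to_mask(cidr):
    """'192.168.2.0/24' -> '192.168.2.0 255.255.255.0', the form 'set subnet' expects."""
    net = ipaddress.ip_network(cidr, strict=False)
    return f"{net.network_address} {net.netmask}"


def render_gateway_config(name, vpn_if, lan_if, remote_gw, psk, srcaddr, dstaddr):
    """Phase1 (as in step 1) plus address objects and the policy-based VPN policy (assumed syntax)."""
    return f"""\
config vpn ipsec phase1
    edit "{name}"
        set interface "{vpn_if}"
        set autoconfig gateway
        set remote-gw {remote_gw}
        set psksecret {psk}
    next
end
config firewall address
    edit "{name}_local"
        set subnet {cidr_to_mask(srcaddr)}
    next
    edit "{name}_remote"
        set subnet {cidr_to_mask(dstaddr)}
    next
end
config firewall policy
    edit 0
        set srcintf "{lan_if}"
        set dstintf "{vpn_if}"
        set srcaddr "{name}_local"
        set dstaddr "{name}_remote"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "{name}"
    next
end
"""


def build_gateway_script(name, vpn_if, lan_if, remote_gw, psk, srcaddr, dstaddr,
                         gateway_routes=GATEWAY_ROUTES, client_routes=CLIENT_ROUTES):
    """Render only if the step-2 address check passes; returns (script, warnings)."""
    problems = check_policy_addresses(srcaddr, dstaddr, gateway_routes, client_routes)
    if problems:
        raise ValueError("; ".join(problems))
    warnings = []
    if len(psk) < MIN_PSK_LEN:
        warnings.append(f"PSK shorter than {MIN_PSK_LEN} characters; use a long random secret")
    return render_gateway_config(name, vpn_if, lan_if, remote_gw, psk, srcaddr, dstaddr), warnings


if __name__ == "__main__":
    script, warns = build_gateway_script("test_vpn", "dmz", "internal", "172.17.97.132",
                                         "123456", "192.168.2.0/24", "192.168.1.0/24")
    print(script)
    for w in warns:
        print("WARNING:", w)
```

Paste the rendered script into the gateway CLI, then continue with steps 3 to 5; a ValueError means the policy addresses would not satisfy step 2 and the push should not be attempted.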
Debug:
FWF60C(Gateway)
FWF60C3G12006101 # diagnose vpn auto-ipsec gateway status
vd: root/0
name: test
serial: 0
version: 1
type: static
local: 0.0.0.0
remote: 172.17.97.132
mode: main
dpd: enable retry-count 3 interval 5000ms
auth: psk
dhgrp: 5
fragmentation: disable
xauth: none
interface: dmz
phase2s:
_test_tun_ proto 0 src 0.0.0.0/0.0.0.0:0 dst 0.0.0.0/0.0.0.0:0 dhgrp 5 replay keep-alive auto-negotiate
policy: yes
autoconfig-gateway: status connected
FWF40C(Client)
FWF40C3911000235 # diagnose vpn auto-ipsec client status
vd: root/0
name: _autogw0_
serial: 0
version: 1
type: static
local: 0.0.0.0
remote: 172.17.97.99
mode: main
dpd: enable retry-count 3 interval 5000ms
auth: psk
dhgrp: 5
fragmentation: disable
xauth: none
interface: wan1
phase2s:
__autogw0__tun_ proto 0 src 0.0.0.0/0.0.0.0:0 dst 0.0.0.0/0.0.0.0:0 dhgrp 5 replay keep-alive auto-negotiate
policies:
IPv4 policy 1 src 'inside' dst 'wan1'
autoconfig-client: status connected
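The following is an added example, not Fortinet code, for verifying the result of step 5 from the two status dumps above. parse_status() turns the `diagnose vpn auto-ipsec gateway status` / `client status` text into a dict (the phase2s and policies sections become lists), and check_pair() cross-checks the two sides: both report "status connected", each side's remote is the other side's VPN-interface address, the gateway entry is policy-based and a policy reached the client, and the phase1 parameters the gateway pushed match on the client. The sample outputs are constructed copies of the article's output; GATEWAY_VPN_IP and CLIENT_VPN_IP come from the topology.

```python
import re

KEY_RE = re.compile(r"^([A-Za-z0-9_-]+):\s*(.*)$")
PHASE2_RE = re.compile(r"^(\S+) proto (\d+) src (\S+) dst (\S+)")
POLICY_RE = re.compile(r"^IPv4 policy (\d+) src '([^']*)' dst '([^']*)'")

GATEWAY_VPN_IP = "172.17.97.99"   # FWF60C dmz, from the topology
CLIENT_VPN_IP = "172.17.97.132"   # FWF40C wan1, from the topology

# Constructed copy of 'diagnose vpn auto-ipsec gateway status' on FWF60C.
GATEWAY_STATUS = """\
vd: root/0
name: test
serial: 0
version: 1
type: static
local: 0.0.0.0
remote: 172.17.97.132
mode: main
dpd: enable retry-count 3 interval 5000ms
auth: psk
dhgrp: 5
fragmentation: disable
xauth: none
interface: dmz
phase2s:
_test_tun_ proto 0 src 0.0.0.0/0.0.0.0:0 dst 0.0.0.0/0.0.0.0:0 dhgrp 5 replay keep-alive auto-negotiate
policy: yes
autoconfig-gateway: status connected
"""

# Constructed copy of 'diagnose vpn auto-ipsec client status' on FWF40C.
CLIENT_STATUS = """\
vd: root/0
name: _autogw0_
serial: 0
version: 1
type: static
local: 0.0.0.0
remote: 172.17.97.99
mode: main
dpd: enable retry-count 3 interval 5000ms
auth: psk
dhgrp: 5
fragmentation: disable
xauth: none
interface: wan1
phase2s:
__autogw0__tun_ proto 0 src 0.0.0.0/0.0.0.0:0 dst 0.0.0.0/0.0.0.0:0 dhgrp 5 replay keep-alive auto-negotiate
policies:
IPv4 policy 1 src 'inside' dst 'wan1'
autoconfig-client: status connected
"""


def parse_status(text):
    """Parse the 'key: value' dump; 'phase2s' and 'policies' collect the lines that follow them."""
    info = {"phase2s": [], "policies": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m and m.group(1) in ("phase2s", "policies"):
            section = m.group(1)          # list section starts; its entries carry no 'key:'
            continue
        if m:
            section = None                # any other 'key: value' line ends a list section
            info[m.group(1)] = m.group(2).strip()
            continue
        if section == "phase2s" and (p := PHASE2_RE.match(line)):
            info["phase2s"].append({"name": p.group(1), "proto": int(p.group(2)),
                                    "src": p.group(3), "dst": p.group(4)})
        elif section == "policies" and (p := POLICY_RE.match(line)):
            info["policies"].append({"id": int(p.group(1)), "srcintf": p.group(2),
                                     "dstintf": p.group(3)})
    return info


def check_pair(gw, cl, gateway_ip=GATEWAY_VPN_IP, client_ip=CLIENT_VPN_IP):
    """Return a list of findings; an empty list means the pushed tunnel looks healthy."""
    findings = []
    if gw.get("autoconfig-gateway") != "status connected":
        findings.append(f"gateway side not connected: {gw.get('autoconfig-gateway')!r}")
    if cl.get("autoconfig-client") != "status connected":
        findings.append(f"client side not connected: {cl.get('autoconfig-client')!r}")
    if gw.get("remote") != client_ip:
        findings.append(f"gateway remote {gw.get('remote')} is not the client VPN interface {client_ip}")
    if cl.get("remote") != gateway_ip:
        findings.append(f"client remote {cl.get('remote')} is not the gateway VPN interface {gateway_ip}")
    if gw.get("policy") != "yes":
        findings.append("gateway phase1 is not policy-based; Auto IPsec pushes policy-based VPN config")
    if not cl["policies"]:
        findings.append("no firewall policy was pushed to the client")
    for key in ("auth", "mode", "dhgrp", "dpd"):   # pushed phase1 parameters should mirror
        if gw.get(key) != cl.get(key):
            findings.append(f"{key} differs: gateway {gw.get(key)!r} vs client {cl.get(key)!r}")
    if len(gw["phase2s"]) != len(cl["phase2s"]):
        findings.append("phase2 count differs between gateway and client")
    return findings


if __name__ == "__main__":
    for f in check_pair(parse_status(GATEWAY_STATUS), parse_status(CLIENT_STATUS)) or ["OK"]:
        print(f)
```

Feed it the two status dumps captured after step 5; any finding other than "OK" points at the side (or the parameter) to look at before re-running the notify/accept sequence.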