FortiGate
Nishtha_Baria
Article Id 359480
Description

This article provides an example of how to clone a site-to-site IPsec tunnel when a tunnel has already been created on one WAN interface and the same tunnel needs to be cloned for another WAN interface.

Scope

FortiGate.
Solution

There may be a situation where an IPsec tunnel that has already been established on one WAN interface needs to be replicated on another WAN interface.

To accomplish this, either use the VPN wizard or recreate the tunnel by entering all the information again, or follow the steps below, which recreate the tunnel from the CLI by pasting the existing configuration. Pasting the configuration is the faster way to replicate the tunnel.

First, gather all the information about the existing IPsec tunnel from the CLI and paste it into a notepad. The psksecret ENC value is the pre-shared key in encrypted form, so treat the notepad contents as sensitive and delete them once the new tunnel is in place.

Phase1 information:

config vpn ipsec phase1-interface
    edit "IPsecTunnel"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: IPsecTunnel (Created by VPN wizard)"
        set remote-gw x.x.x.x
        set psksecret ENC cKEiJTnk9PJH1fNS9j7BDqFqUmgiLT4EOqqzJKRlrhMIVnTdYvHmqZHRaRM3p1sz/BjYqCLv0YEZplWjECN6HvzOE2jwY1JU0IPRcFGRkmE2yvMrjltUQEThZNPq73Q9wMOT+vM/M0eW63wEQj/wqpgatsXrRnBxhniXcDp6LssBLsq9MlvwYb3rhAEl7puEOdwYzw==
    next
end

 

Phase2 information:

config vpn ipsec phase2-interface
    edit "IPsecTunnel"
        set phase1name "IPsecTunnel"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: IPsecTunnel (Created by VPN wizard)"
        set src-addr-type name
        set dst-addr-type name
        set src-name "IPsecTunnel_local"
        set dst-name "IPsecTunnel_remote"
    next
end

 

Now, in the notepad, make the following changes. Once this is done, paste the content into the CLI:

config vpn ipsec phase1-interface
    edit "IPsecTunnel2"                                        <- Change the tunnel name.
        set interface "port5"                                  <- Change the port to the desired WAN port.
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: IPsecTunnel (Created by VPN wizard)"
        set remote-gw x.x.x.x
        set psksecret ENC "
cKEiJTnk9PJH1fNS9j7BDqFqUmgiLT4EOqqzJKRlrhMIVnTdYvHmqZHRaRM3p1sz/BjYqCLv0YEZplWjECN6HvzOE2jwY1JU0IPRcFGRkmE2yvMrjltUQEThZNPq73Q9wMOT+vM/M0eW63wEQj/wqpgatsXrRnBxhniXcDp6LssBLsq9MlvwYb3rhAEl7puEOdwYzw==
"
    next
end

 

For the PSK part, paste it as shown in the screenshot below:

[Screenshot: pskclon.PNG]

 

config vpn ipsec phase2-interface
    edit "IPsecTunnel2"                                        <- Change the tunnel name.
        set phase1name "IPsecTunnel2"                          <- Change the tunnel name.
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: IPsecTunnel (Created by VPN wizard)"
        set src-addr-type name
        set dst-addr-type name
        set src-name "IPsecTunnel_local"
        set dst-name "IPsecTunnel_remote"
    next
end

 

Next, verify from the GUI that the tunnel has been created:

[Screenshot: ipsectunnels.PNG] Before cloning the tunnel.

[Screenshot: IPsectunnels2.PNG] After cloning the tunnel.

Then collect the static route and the firewall policies that reference the original tunnel:

config router static
    edit 2
        set device "IPsecTunnel"
        set comment "VPN: IPsecTunnel (Created by VPN wizard)"
        set dstaddr "IPsecTunnel_remote"
    next
end

config firewall policy
    edit 2
        set name "vpn_IPsecTunnel_remote_0"
        set uuid 7e44106e-a776-51ef-dedb-e06d8c3a0afb
        set srcintf "IPsecTunnel"
        set dstintf "port2"
        set action accept
        set srcaddr "IPsecTunnel_remote"
        set dstaddr "IPsecTunnel_local"
        set schedule "always"
        set service "ALL"
        set comments "VPN: IPsecTunnel (Created by VPN wizard)"
    next
end

config firewall policy
    edit 1
        set name "vpn_IPsecTunnel_local_0"
        set uuid 7e35bbcc-a776-51ef-5990-8db56fd0e567
        set srcintf "port2"
        set dstintf "IPsecTunnel"
        set action accept
        set srcaddr "IPsecTunnel_local"
        set dstaddr "IPsecTunnel_remote"
        set schedule "always"
        set service "ALL"
        set comments "VPN: IPsecTunnel (Created by VPN wizard)"
    next
end

 

Next, clone/copy the firewall policies for the tunnel and change the tunnel interface to the new tunnel.

CLI:

config firewall policy
    clone 1 to 3
    clone 2 to 4
end

 

Then change the IPsec tunnel interface on the cloned policies from the GUI, or paste the copied firewall policies with the IPsec tunnel interface modified. Note that edit 2 and edit 1 address the existing policies by ID, so pasting the text below rewrites those two policies in place; use the IDs of the clones (3 and 4) instead if the original policies should keep pointing at the first tunnel.

config firewall policy
    edit 2
        set name "vpn_IPsecTunnel_remote_0"
        set uuid 7e44106e-a776-51ef-dedb-e06d8c3a0afb
        set srcintf "IPsecTunnel2"                             <- Change the tunnel name.
        set dstintf "port2"
        set action accept
        set srcaddr "IPsecTunnel_remote"
        set dstaddr "IPsecTunnel_local"
        set schedule "always"
        set service "ALL"
    next
end

config firewall policy
    edit 1
        set name "vpn_IPsecTunnel_local_0"
        set uuid 7e35bbcc-a776-51ef-5990-8db56fd0e567
        set srcintf "port2"
        set dstintf "IPsecTunnel2"                             <- Change the tunnel name.
        set action accept
        set srcaddr "IPsecTunnel_local"
        set dstaddr "IPsecTunnel_remote"
        set schedule "always"
        set service "ALL"
    next
end

 

GUI:

[Screenshot: clone firewalll policy.PNG] Clone method.

[Screenshot: clonefirewallpolicy.PNG]

Similarly, clone or copy the static route and set the interface to the new tunnel interface.

CLI:

config router static
    edit 3
        set device "IPsecTunnel2"                              <- Change the tunnel name.
        set dstaddr "IPsecTunnel_remote"
    next
end

 

GUI:

[Screenshot: clone static route.PNG]

[Screenshot: clonedstaticroute2.PNG]
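As an added example (not code from this Fortinet article or from FortiOS), the script below performs the notepad edits described above automatically: it re-joins an ENC psksecret that a terminal wrapped over two lines, renames the tunnel in the phase1 and phase2 entries and in every interface reference (interface, phase1name, srcintf, dstintf, device), swaps the WAN port, and drops the uuid line from a copied policy so the paste creates a fresh object instead of carrying the original's identifier. The sample blocks, the placeholder ENC value and the name it assigns to the cloned policy are constructed for this example; clone_block, setting and clone_tunnel_set are names chosen here, not FortiOS commands.

```python
import re
from typing import Dict, List, Optional

# Statements that start a FortiOS CLI line; any other non-blank line in pasted
# `show` output is taken as the continuation of a value a terminal wrapped
# (the long ENC psksecret is the usual case).
KEYWORD_RE = re.compile(r"^\s*(config|edit|set|unset|next|end)(\s|$)")
EDIT_RE = re.compile(r"^(\s*)edit\s+(.+?)\s*$")
SET_RE = re.compile(r"^(\s*)set\s+(\S+)\s+(.*?)\s*$")
# Keys whose value names the tunnel object and must follow the rename.
REFERENCE_KEYS = {"interface", "phase1name", "srcintf", "dstintf", "device"}


def join_wrapped_lines(text: str) -> List[str]:
    """Drop blank lines and glue wrapped continuation lines onto their statement."""
    out: List[str] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if KEYWORD_RE.match(line) or not out:
            out.append(line)
        else:
            out[-1] += line.strip()
    return out


def clone_block(text: str, renames: Dict[str, str], new_edit: Optional[str] = None,
                overrides: Optional[Dict[str, str]] = None, drop_keys=("uuid",)) -> str:
    """Return a pasteable copy of one FortiOS config block: `renames` maps old tunnel
    name -> new name (applied to `edit "<name>"` and REFERENCE_KEYS values), `new_edit`
    replaces a numeric edit id (policies, routes), `overrides` force whole values such
    as {"interface": '"port5"'}, and `drop_keys` are omitted (uuid is per object)."""
    overrides = overrides or {}
    out: List[str] = []
    for line in join_wrapped_lines(text):
        m = EDIT_RE.match(line)
        if m:
            indent, arg = m.groups()
            if new_edit is not None:
                arg = new_edit
            elif arg.strip('"') in renames:
                arg = '"%s"' % renames[arg.strip('"')]
            out.append(f"{indent}edit {arg}")
            continue
        m = SET_RE.match(line)
        if m:
            indent, key, value = m.groups()
            if key in drop_keys:
                continue
            if key in overrides:
                value = overrides[key]
            elif key in REFERENCE_KEYS and value.strip('"') in renames:
                value = '"%s"' % renames[value.strip('"')]
            out.append(f"{indent}set {key} {value}")
            continue
        out.append(line)
    return "\n".join(out)


def setting(block: str, key: str) -> Optional[str]:
    """Value of `set <key>` in a block (quotes removed), or None if absent."""
    for line in join_wrapped_lines(block):
        m = SET_RE.match(line)
        if m and m.group(2) == key:
            return m.group(3).strip('"')
    return None


# Constructed samples shaped like the article's `show` output, with placeholder values.
PHASE1 = """
config vpn ipsec phase1-interface
    edit "IPsecTunnel"
        set interface "port1"
        set peertype any
        set psksecret ENC PLACEHOLDER_ENC_PART_ONE/
PLACEHOLDER_ENC_PART_TWO==
    next
end
"""
PHASE2 = """
config vpn ipsec phase2-interface
    edit "IPsecTunnel"
        set phase1name "IPsecTunnel"
        set src-name "IPsecTunnel_local"
    next
end
"""
POLICY = """
config firewall policy
    edit 1
        set name "vpn_IPsecTunnel_local_0"
        set uuid 00000000-0000-0000-0000-000000000000
        set srcintf "port2"
        set dstintf "IPsecTunnel"
    next
end
"""
RENAMES = {"IPsecTunnel": "IPsecTunnel2"}


def clone_tunnel_set(new_wan: str = "port5", policy_id: str = "3"):
    """Clone phase1 onto another WAN port plus the phase2 and policy that reference it."""
    p1 = clone_block(PHASE1, RENAMES, overrides={"interface": '"%s"' % new_wan})
    p2 = clone_block(PHASE2, RENAMES)
    # Policy names must be unique on a FortiGate, so the clone also gets its own name.
    pol = clone_block(POLICY, RENAMES, new_edit=policy_id,
                      overrides={"name": '"vpn_IPsecTunnel2_local_0"'})
    return p1, p2, pol
```

Feed the script the `show` output of each object (phase1, phase2, policies, static route) and paste the returned blocks into the CLI in that order; before pasting, setting() can confirm that the cloned phase2 entry's phase1name matches the cloned phase1 entry's name, which is the reference most easily missed when editing by hand.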