Description
This article provides an example of how to clone a site-to-site IPsec tunnel when a tunnel has already been created for one WAN interface and the same tunnel is needed on another WAN interface.
Scope
FortiGate.
Solution
There may be a situation where an IPsec tunnel that has already been established on one WAN interface needs to be replicated on another WAN interface.
To accomplish this, either use the VPN wizard or recreate the tunnel by entering all the information again, or follow the steps below, which recreate the tunnel from the CLI by pasting the existing configuration. This is the faster way to replicate the tunnel.
First, gather all the information about the existing IPsec tunnel from the CLI and paste it into a text editor.
Phase 1 information:
config vpn ipsec phase1-interface
    edit "IPsecTunnel"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: IPsecTunnel (Created by VPN wizard)"
        set remote-gw x.x.x.x
        set psksecret ENC cKEiJTnk9PJH1fNS9j7BDqFqUmgiLT4EOqqzJKRlrhMIVnTdYvHmqZHRaRM3p1sz/BjYqCLv0YEZplWjECN6HvzOE2jwY1JU0IPRcFGRkmE2yvMrjltUQEThZNPq73Q9wMOT+vM/M0eW6 3wEQj/wqpgatsXrRnBxhniXcDp6LssBLsq9MlvwYb3rhAEl7puEOdwYzw==
    next
end
Phase 2 information:
config vpn ipsec phase2-interface
    edit "IPsecTunnel"
        set phase1name "IPsecTunnel"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: IPsecTunnel (Created by VPN wizard)"
        set src-addr-type name
        set dst-addr-type name
        set src-name "IPsecTunnel_local"
        set dst-name "IPsecTunnel_remote"
    next
end
Now make the following changes in the text editor. Once this is done, paste the content into the CLI:
config vpn ipsec phase1-interface
    edit "IPsecTunnel2"                      <- Change the tunnel name.
        set interface "port5"                <- Change the port to the desired WAN port.
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: IPsecTunnel (Created by VPN wizard)"
        set remote-gw x.x.x.x
        set psksecret ENC "cKEiJTnk9PJH1fNS9j7BDqFqUmgiLT4EOqqzJKRlrhMIVnTdYvHmqZHRaRM3p1sz/BjYqCLv0YEZplWjECN6HvzOE2jwY1JU0IPRcFGRkmE2yvMrjltUQEThZNPq73Q9wMOT+vM/M0eW6 3wEQj/wqpgatsXrRnBxhniXcDp6LssBLsq9MlvwYb3rhAEl7puEOdwYzw=="
    next
end
For the PSK, follow the instructions shown in the screenshot below to paste it:
config vpn ipsec phase2-interface
    edit "IPsecTunnel2"                      <- Change the tunnel name.
        set phase1name "IPsecTunnel2"        <- Change the tunnel name.
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: IPsecTunnel (Created by VPN wizard)"
        set src-addr-type name
        set dst-addr-type name
        set src-name "IPsecTunnel_local"
        set dst-name "IPsecTunnel_remote"
    next
end
Afterwards, verify from the GUI that the tunnel has been created:
Before cloning the tunnel:
After cloning the tunnel:
Get the information for the static route and the firewall policies:
config router static
    edit 2
        set device "IPsecTunnel"
        set comment "VPN: IPsecTunnel (Created by VPN wizard)"
        set dstaddr "IPsecTunnel_remote"
    next
end
config firewall policy
    edit 2
        set name "vpn_IPsecTunnel_remote_0"
        set uuid 7e44106e-a776-51ef-dedb-e06d8c3a0afb
        set srcintf "IPsecTunnel"
        set dstintf "port2"
        set action accept
        set srcaddr "IPsecTunnel_remote"
        set dstaddr "IPsecTunnel_local"
        set schedule "always"
        set service "ALL"
        set comments "VPN: IPsecTunnel (Created by VPN wizard)"
    next
end
config firewall policy
    edit 1
        set name "vpn_IPsecTunnel_local_0"
        set uuid 7e35bbcc-a776-51ef-5990-8db56fd0e567
        set srcintf "port2"
        set dstintf "IPsecTunnel"
        set action accept
        set srcaddr "IPsecTunnel_local"
        set dstaddr "IPsecTunnel_remote"
        set schedule "always"
        set service "ALL"
        set comments "VPN: IPsecTunnel (Created by VPN wizard)"
    next
end
Next, clone/copy the firewall policies for the tunnel and change the tunnel interface to the new tunnel.
CLI:
config firewall policy
    clone 1 to 3
    clone 2 to 4
end
Then change the IPsec tunnel interface from the GUI, or paste the copied firewall policies with the tunnel interface modified. The policy IDs below are the cloned ones (3 and 4), so that the original policies 1 and 2 are not overwritten, and the uuid lines are omitted so that the FortiGate assigns new UUIDs to the clones:
config firewall policy
    edit 4                                   <- Use the cloned policy ID.
        set name "vpn_IPsecTunnel_remote_0"
        set srcintf "IPsecTunnel2"           <- Change the tunnel name.
        set dstintf "port2"
        set action accept
        set srcaddr "IPsecTunnel_remote"
        set dstaddr "IPsecTunnel_local"
        set schedule "always"
        set service "ALL"
    next
end
config firewall policy
    edit 3                                   <- Use the cloned policy ID.
        set name "vpn_IPsecTunnel_local_0"
        set srcintf "port2"
        set dstintf "IPsecTunnel2"           <- Change the tunnel name.
        set action accept
        set srcaddr "IPsecTunnel_local"
        set dstaddr "IPsecTunnel_remote"
        set schedule "always"
        set service "ALL"
    next
end
GUI:
Clone method
Similarly, clone or copy the static route and set the interface to the new tunnel interface.
CLI:
config router static
    edit 3
        set device "IPsecTunnel2"            <- Change the tunnel name.
        set dstaddr "IPsecTunnel_remote"
    next
end
GUI:
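The edits the article makes by hand in a text editor (rename the tunnel, swap the WAN port, repoint phase1name, srcintf, dstintf and the route's device, and give the clones new policy and route IDs) can be scripted. The following is an added example, not Fortinet's code and not part of the original article: a small Python script that parses FortiOS-style config blocks, rewrites every reference to the tunnel, and prints a paste-ready clone. The sample configuration and the PSK placeholder are constructed; the uuid lines are dropped on the assumption that the FortiGate should assign fresh ones to the cloned policies. It generalizes the article's single tunnel to any table whose settings reference the tunnel name.

```python
"""Clone FortiOS IPsec tunnel config blocks onto a new tunnel name and WAN interface.
Added example, not Fortinet's code; assumes one CLI statement per line as 'show' prints it."""
import re
from dataclasses import dataclass

TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|\S+')  # quoted string (quotes kept) or bare word
TUNNEL_REFS = {"phase1name", "srcintf", "dstintf", "device"}  # settings that name the tunnel


@dataclass
class Entry:
    table: str      # e.g. 'vpn ipsec phase1-interface'
    name: str       # the 'edit' argument as written (quoted name or number)
    settings: list  # ordered (key, [value tokens]) pairs


def _unq(tok):
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def _like(old_tok, new_val):  # quote new_val the way old_tok was quoted
    return f'"{new_val}"' if old_tok.startswith('"') else new_val


def parse_fortios(text):
    """Parse CLI text into Entry objects, preserving statement order."""
    entries, table, current = [], None, None
    for raw in text.splitlines():
        tokens = TOKEN.findall(raw.strip())
        if not tokens:
            continue
        if tokens[0] == "config":
            table = " ".join(tokens[1:])
        elif tokens[0] == "edit":
            current = Entry(table, tokens[1], [])
        elif tokens[0] == "set":
            current.settings.append((tokens[1], tokens[2:]))
        elif tokens[0] == "next":
            entries.append(current)
    return entries


def clone_tunnel(entries, old, new, new_wan, id_map):
    """Copies of entries rewritten for tunnel `new` on `new_wan`; id_map[table] gives the
    numeric edit ids for policy/route clones so the originals are not overwritten."""
    clones = []
    for e in entries:
        if _unq(e.name) == old:           # phase1/phase2 entries are keyed by tunnel name
            name = _like(e.name, new)
        else:                             # policies and routes are keyed by number
            name = id_map.get(e.table, {}).get(e.name, e.name)
        settings = []
        for key, vals in e.settings:
            if key == "uuid":             # assumption: omit it so the device assigns a fresh one
                continue
            if key == "interface" and e.table == "vpn ipsec phase1-interface":
                vals = [_like(vals[0], new_wan)]
            elif key in TUNNEL_REFS:
                vals = [_like(v, new) if _unq(v) == old else v for v in vals]
            settings.append((key, list(vals)))
        clones.append(Entry(e.table, name, settings))
    return clones


def render(entries):
    """Emit paste-ready CLI text, one 'config ... end' block per run of the same table."""
    lines, table = [], None
    for e in entries:
        if e.table != table:
            lines += (["end"] if table else []) + [f"config {e.table}"]
            table = e.table
        lines.append(f"    edit {e.name}")
        lines += [f"        set {key} {' '.join(vals)}" for key, vals in e.settings]
        lines.append("    next")
    return "\n".join(lines + ["end"])


# Constructed sample modelled on the article's tunnel; the PSK blob is a placeholder.
SOURCE = """config vpn ipsec phase1-interface
    edit "IPsecTunnel"
        set interface "port1"
        set psksecret ENC PLACEHOLDER_ENCRYPTED_PSK
    next
end
config vpn ipsec phase2-interface
    edit "IPsecTunnel"
        set phase1name "IPsecTunnel"
        set dst-name "IPsecTunnel_remote"
    next
end
config firewall policy
    edit 1
        set uuid 00000000-0000-0000-0000-000000000001
        set srcintf "port2"
        set dstintf "IPsecTunnel"
    next
end
config router static
    edit 2
        set device "IPsecTunnel"
    next
end"""


def clone_article_example():
    """Clone the sample onto port5 as IPsecTunnel2: policy 1 -> 3, static route 2 -> 3."""
    ids = {"firewall policy": {"1": "3"}, "router static": {"2": "3"}}
    return render(clone_tunnel(parse_fortios(SOURCE), "IPsecTunnel", "IPsecTunnel2", "port5", ids))
```

Run it with the output of `show vpn ipsec phase1-interface`, `show vpn ipsec phase2-interface`, `show firewall policy` and `show router static` pasted into SOURCE; `print(clone_article_example())` then gives the block to paste into the CLI. Address objects such as IPsecTunnel_remote are left untouched on purpose, matching the article, since the clone reuses them.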
Copyright 2024 Fortinet, Inc. All Rights Reserved.