Technical Tip: Configure automation backup over IPsec tunnel

anikolov · ‎08-30-2021

Description

This article describes how to configure automation stitch to make backups using TFTP over IPSec tunnel.

Related document:
Automation stitches

Scope

FotiGate.

Solution

Create an Automation Stitch as per the picture below. From GUI, go to Security Fabric -> Automation and select 'Create New'.

In this example, the trigger is scheduled to execute the command '# execute backup config tftp Minjo.cfg 10.187.5.102' every day at 01:09.
The IP address is a host over the IPsec where the backups are being done.

Configure IP addresses in the IPsec tunnels: From GUI go to Network -> Interfaces.

Under the port where the VPN tunnel is configured, select '+' and select the VPN tunnel.
From CLI check '# get router info routing-table all' to choose a free IP address range to use for the tunnel interface.

In this example:
From the fortiGate from where the backup is settled.

Result.

Do the same steps for the remote FortiGate:

Result.

How to configure an IPSec tunnel: Site-to-site VPN

From GUI, go to VPN -> IPsec Tunnels and select the tunnel.

In the phase2 selectors tunnel IP address is used as local and the TFTP server as remote address.

If it is changed over an IPSec tunnel that is already in use, do not forget to apply new policies and static routes for this implementation.

The phase2 selectors must match on both FortiGates, therefore adjust the IPsec tunnel as below:

Note:
Make sure the phase 2 is up before initiating traffic. To check phase 2 status, navigate Dashboard -> Network -> IPSec.

Screenshot 2025-02-03 144121.png

In case phase 2 is not up, refer to this document for more troubleshooting steps: Troubleshooting Tip: Troubleshooting IPsec Site-to... - Fortinet Community

As a result of the previous steps, it is possible to do a configuration backup using TFTP over an IPsec tunnel:

Technical Tip: Configure automation backup over IPsec tunnel

You are leaving our website