FortiGate
alouvros
Staff
Article Id 190346

Description

 

This article describes how to use multiple source and destination subnets in a site-to-site IPsec VPN with a third-party VPN peer. Without the feature described below, this requires either manually configuring a separate Phase 2 for every source/destination subnet combination or, since FortiOS 5.2, using the "Site to Site - Cisco" wizard (Note: the wizard is not restricted to Cisco VPN peers).

The manual configuration is very labour-intensive. The main issue with both of these solutions is that the resulting configuration is static: it is hard to maintain, error-prone and does not scale.
 
Scope
 
FortiGate.


Solution

 

The solution is to use the IKEv1 dynamic selector configuration, which was introduced in FortiOS 5.2. With this feature, the IPsec tunnels (Phase 2 selectors) are created dynamically when traffic is initiated from either VPN peer.

Configuration CLI:

config vpn ipsec phase1-interface
    edit "toRemoteSite"
        set interface "wan1"
        set type static
        set remote-gw 202.2.2.1
        set proposal aes128-sha1
        set psksecret ENC xxxxxxx
        set mesh-selector-type subnet  <----- Install a selector for the address group entries that match the traffic packets.
    next
end


config vpn ipsec phase2-interface
    edit "toRemoteSite_p2"
        set auto-negotiate disable  <----- Auto-negotiate must be disabled for this configuration (it is disabled by default).
        set phase1name "toRemoteSite"
        set proposal aes128-sha1
        set src-addr-type name
        set src-name "local-site-subnets"
        set dst-addr-type name
        set dst-name "remote-site-subnets"
    next
end

config router static  <----- A static route out of the virtual IPsec tunnel interface must be configured for every remote protected subnet.
    edit 5
        set dst <subnet_1 of remote site>
        set device "toRemoteSite"
    next
    edit 6
        set dst <subnet_2 of remote site>
        set device "toRemoteSite"
    next
end

config firewall policy
    edit 1
        set srcintf "toRemoteSite"
        set dstintf <local interface(s)>
        set srcaddr "remote-site-subnets"
        set dstaddr "local-site-subnets"
        set action accept
        set schedule "always"
        set service ALL
    next
    edit 2
        set srcintf <local interface(s)>
        set dstintf "toRemoteSite"
        set srcaddr "local-site-subnets"
        set dstaddr "remote-site-subnets"
        set action accept
        set schedule "always"
        set service ALL
    next
end
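The Phase 2 and the firewall policies above reference the address groups "local-site-subnets" and "remote-site-subnets" by name, and one static route is needed per remote subnet. The following Python script is an added example (not from this article or from Fortinet) that generates those pieces from plain subnet lists, checks that no local subnet overlaps a remote subnet before emitting anything, and reports how many Phase 2 entries the old per-pair approach would have required. The subnet values are constructed samples, the address object names are my own naming scheme, and the `config firewall address` / `config firewall addrgrp` syntax is assumed from standard FortiOS CLI.

```python
import ipaddress

# Constructed sample subnets for the two sites (assumptions, not from the article).
LOCAL_SUBNETS = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"]
REMOTE_SUBNETS = ["192.168.100.0/24", "192.168.200.0/24"]


def overlapping_pairs(local, remote):
    """Return every (local, remote) pair whose address ranges overlap.

    Overlapping selectors on the two sides make the dynamically installed
    Phase 2 ambiguous, so the groups should be disjoint before use.
    """
    pairs = []
    for l_cidr in local:
        for r_cidr in remote:
            if ipaddress.ip_network(l_cidr).overlaps(ipaddress.ip_network(r_cidr)):
                pairs.append((l_cidr, r_cidr))
    return pairs


def manual_phase2_count(local, remote):
    """Number of Phase 2 entries the static per-pair approach would need."""
    return len(local) * len(remote)


def _mask(cidr):
    """FortiOS CLI expresses prefixes as 'network netmask', not CIDR."""
    net = ipaddress.ip_network(cidr)
    return f"{net.network_address} {net.netmask}"


def render_address_groups(local, remote,
                          local_grp="local-site-subnets",
                          remote_grp="remote-site-subnets"):
    """Emit one address object per subnet and the two groups the Phase 2 names."""
    lines = ["config firewall address"]
    members = {local_grp: [], remote_grp: []}
    for grp, subnets in ((local_grp, local), (remote_grp, remote)):
        for cidr in subnets:
            name = f"{grp}_{cidr.replace('/', '_')}"  # hypothetical naming scheme
            members[grp].append(name)
            lines += [f'    edit "{name}"',
                      f"        set subnet {_mask(cidr)}",
                      "    next"]
    lines.append("end")
    lines.append("config firewall addrgrp")
    for grp, names in members.items():
        quoted = " ".join(f'"{n}"' for n in names)
        lines += [f'    edit "{grp}"', f"        set member {quoted}", "    next"]
    lines.append("end")
    return "\n".join(lines)


def render_static_routes(remote, tunnel="toRemoteSite", first_seq=5):
    """One static route per remote subnet, pointing at the tunnel interface."""
    lines = ["config router static"]
    for seq, cidr in enumerate(remote, start=first_seq):
        lines += [f"    edit {seq}",
                  f"        set dst {_mask(cidr)}",
                  f'        set device "{tunnel}"',
                  "    next"]
    lines.append("end")
    return "\n".join(lines)


def build(local, remote):
    """Refuse to emit configuration if the two sides overlap."""
    clashes = overlapping_pairs(local, remote)
    if clashes:
        raise ValueError(f"local/remote subnets overlap: {clashes}")
    return render_address_groups(local, remote) + "\n\n" + render_static_routes(remote)


if __name__ == "__main__":
    print(build(LOCAL_SUBNETS, REMOTE_SUBNETS))
    needed = manual_phase2_count(LOCAL_SUBNETS, REMOTE_SUBNETS)
    print(f"\n# per-pair approach would need {needed} Phase 2 entries; mesh-selector needs 1")
```

Paste the generated blocks before the phase1/phase2 configuration above; the Phase 2 then needs only the two group names regardless of how many subnets are added later, whereas the per-pair approach grows as local multiplied by remote subnets.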

Verification of Configuration and Troubleshooting:

  • Check the configuration as seen by the IKE daemon: diag vpn ike config list
  • List IKE SAs: diag vpn ike gateway list name <Phase1>
  • List IPsec SAs: diag vpn tunnel list name <Phase1>
  • Check the status of all tunnels (equivalent to the GUI VPN monitor): get ipsec tunnel list

 

Related articles:

Technical Tip: IKE v2 traffic selector narrowing 

Technical Tip: Explanation of the IKEv2 Phase2 Setting 'initiator-ts-narrow'