When a site-to-site IPsec VPN to a third-party peer has to carry several source and destination subnets, there are two static ways to configure it: build a separate Phase 2 by hand for every source/destination subnet pair, or, since FortiOS 5.2, use the "Site to Site - Cisco" VPN wizard (despite the name, the wizard is not limited to Cisco peers).
Manual configuration is very labour-intensive. The main problem with both approaches is that the result is static: every new subnet on either side means another Phase 2 entry, so the configuration is hard to maintain, error-prone and does not scale.
The solution is the IKEv1 dynamic selector feature introduced in FortiOS 5.2 (mesh-selector-type). With it, a single Phase 2 references an address group on each side, and the actual Phase 2 selectors are negotiated on demand: an IPsec SA for a particular source/destination subnet pair is created when traffic for that pair is initiated from either VPN peer.
Phase 1. mesh-selector-type subnet installs a selector for the subnet pair that matches the triggering packet (the alternative value host installs per-host selectors). The proposal and pre-shared key below are placeholders copied from the original example; they must match the peer, and a stronger proposal should be used where the peer supports it.

config vpn ipsec phase1-interface
    edit "toRemoteSite"
        set interface "wan1"
        set type static
        set remote-gw 220.127.116.11
        set proposal aes128-sha1
        set psksecret ENC xxxxxxx
        set mesh-selector-type subnet
    next
end

Phase 2. auto-negotiate must be disabled (it is disabled by default), because the tunnel is brought up by traffic rather than by the FortiGate negotiating the whole selector set at once. The source and destination selectors are address groups (src-addr-type name / dst-addr-type name) that contain all protected subnets on each side.

config vpn ipsec phase2-interface
    edit "toRemoteSite_p2"
        set auto-negotiate disable
        set phase1name "toRemoteSite"
        set proposal aes128-sha1
        set src-addr-type name
        set src-name "local-site-subnets"
        set dst-addr-type name
        set dst-name "remote-site-subnets"
    next
end

Routing. A static route out of the virtual IPsec tunnel interface must be configured for every remote protected subnet; the dynamic selector only narrows the IPsec SA, it does not replace routing.

config router static
    edit 5
        set dst <subnet_1 of remote site>
        set device "toRemoteSite"
    next
    edit 6
        set dst <subnet_2 of remote site>
        set device "toRemoteSite"
    next
end

Firewall policies. One policy in each direction between the tunnel interface and the local interface(s), using the same address groups. The original example allows service ALL; in production, restrict the service (and enable logging) to what the sites actually need, since the tunnel otherwise becomes a flat extension of both networks.

config firewall policy
    edit 1
        set srcintf "toRemoteSite"
        set dstintf <local interface(s)>
        set srcaddr "remote-site-subnets"
        set dstaddr "local-site-subnets"
        set action accept
        set schedule "always"
        set service ALL
    next
    edit 2
        set srcintf <local interface(s)>
        set dstintf "toRemoteSite"
        set srcaddr "local-site-subnets"
        set dstaddr "remote-site-subnets"
        set action accept
        set schedule "always"
        set service ALL
    next
end
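The address groups "local-site-subnets" and "remote-site-subnets" are referenced above but never defined. The following is an added example, not part of the original article, showing one way to define them for two local and two remote subnets and the matching static routes. The subnets (10.1.1.0/24, 10.1.2.0/24 locally; 10.2.1.0/24, 10.2.2.0/24 remotely) and the object names are hypothetical; the phase1 name "toRemoteSite" is the one used above.

```fortios
# Added example: address objects and groups for the dynamic selector Phase 2.
# All subnets and object names are hypothetical values chosen for illustration.
config firewall address
    edit "local-net-10.1.1.0"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "local-net-10.1.2.0"
        set subnet 10.1.2.0 255.255.255.0
    next
    edit "remote-net-10.2.1.0"
        set subnet 10.2.1.0 255.255.255.0
    next
    edit "remote-net-10.2.2.0"
        set subnet 10.2.2.0 255.255.255.0
    next
end

# The groups referenced by src-name / dst-name in the phase2-interface above.
config firewall addrgrp
    edit "local-site-subnets"
        set member "local-net-10.1.1.0" "local-net-10.1.2.0"
    next
    edit "remote-site-subnets"
        set member "remote-net-10.2.1.0" "remote-net-10.2.2.0"
    next
end

# One static route per remote protected subnet, out of the tunnel interface.
config router static
    edit 5
        set dst 10.2.1.0 255.255.255.0
        set device "toRemoteSite"
    next
    edit 6
        set dst 10.2.2.0 255.255.255.0
        set device "toRemoteSite"
    next
end
```

With mesh-selector-type subnet, a packet from 10.1.1.5 to 10.2.2.7 triggers a Phase 2 negotiation whose selectors are 10.1.1.0/24 and 10.2.2.0/24, not the whole groups. The peer therefore has to be configured with a matching selector for each subnet pair it should accept (on a Cisco IOS crypto-map peer, typically one permit line per subnet pair in the crypto ACL); a pair that the peer has no selector for will fail Phase 2 even though the FortiGate's address groups contain it.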
Verification of configuration and troubleshooting
- Check the configuration as it is seen by the IKE daemon (confirms the selectors and mesh-selector-type were accepted): diag vpn ike config list
- List IKE SAs (Phase 1 state for the peer): diag vpn ike gateway list name <Phase1>
- List IPsec SAs (Phase 2). With dynamic selectors, expect one SA per source/destination subnet pair that has carried traffic, each with its own narrowed src/dst selector: diag vpn tunnel list name <Phase1>
- Check the status of all tunnels (equivalent to the GUI VPN monitor): get ipsec tunnel list
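When a particular subnet pair does not come up, the listing commands only show the result; the IKE debug shows which selector was proposed and why the peer rejected it. The following is an added troubleshooting sequence, not part of the original article. It assumes the phase1 name "toRemoteSite" and remote gateway 220.127.116.11 from the configuration above, an internal interface of the FortiGate with address 10.1.1.1 inside the local selector, and a remote host 10.2.1.10 (both hypothetical). The log-filter syntax is the FortiOS 5.x/6.x form; newer releases changed it, so check "diagnose vpn ike log-filter ?" on your release.

```fortios
# Added example: capture the IKE negotiation for one dynamic selector.
# Interface and host addresses are hypothetical values.

# Start clean so the negotiation for the subnet pair is re-run.
diagnose vpn tunnel flush toRemoteSite

# Limit IKE debug output to this peer, then enable it.
diagnose vpn ike log-filter dst-addr4 220.127.116.11
diagnose debug application ike -1
diagnose debug enable

# Trigger Phase 2 for the 10.1.1.0/24 <-> 10.2.1.0/24 pair with locally
# generated traffic sourced from an address inside the local selector.
execute ping-options source 10.1.1.1
execute ping 10.2.1.10

# In the debug output, look for the quick mode proposal carrying the
# narrowed selectors (10.1.1.0/24, 10.2.1.0/24) and for any
# "no matching" / NO_PROPOSAL_CHOSEN style rejection from the peer.

# Stop debugging and confirm the new IPsec SA exists with the expected selectors.
diagnose debug disable
diagnose debug reset
diagnose vpn tunnel list name toRemoteSite

# Optional: confirm IKE packets actually reach and leave the WAN interface.
diagnose sniffer packet wan1 "host 220.127.116.11 and (udp port 500 or udp port 4500)" 4
```

If the sniffer shows outgoing IKE packets but no reply, the problem is reachability or the peer's IKE policy, not the selectors; if the exchange completes at Phase 1 but the peer answers the quick mode proposal with a rejection, the peer is missing a selector for that subnet pair.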