alouvros
Staff

Description


When you need multiple source and destination subnets on a site-to-site IPsec VPN with a third-party VPN peer, you have two options: either manually configure a separate Phase 2 for every source/destination subnet combination, or, since FortiOS 5.2, use the "Site to Site - Cisco" wizard (Note: this wizard is not limited to Cisco VPN peers).

Manual configuration is very labour intensive. The main issue with both approaches is that the resulting configuration is static, which makes it hard to maintain, error prone and not scalable.


Solution


The solution is to use the IKEv1 dynamic selector configuration introduced in FortiOS 5.2. With this feature, the IPsec tunnels (Phase 2 SAs) are created dynamically when traffic is initiated from either VPN peer, one selector per source/destination subnet pair that actually carries traffic.

Configuration CLI

config vpn ipsec phase1-interface
    edit "toRemoteSite"
        set interface "wan1"
        set type static
        set remote-gw 202.2.2.1
        set proposal aes128-sha1
        set psksecret ENC xxxxxxx
        # Install a selector for each subnet pair of the address groups that matches traffic packets
        set mesh-selector-type subnet
    next
end

config vpn ipsec phase2-interface
    edit "toRemoteSite_p2"
        # Auto-negotiate must be disabled for this configuration (it is disabled by default)
        set auto-negotiate disable
        set phase1name "toRemoteSite"
        set proposal aes128-sha1
        set src-addr-type name
        set src-name "local-site-subnets"
        set dst-addr-type name
        set dst-name "remote-site-subnets"
    next
end

# A static route out of the virtual IPsec tunnel interface must be configured for every remote protected subnet
config router static
    edit 5
        set dst <subnet_1 of remote site>
        set device "toRemoteSite"
    next
    edit 6
        set dst <subnet_2 of remote site>
        set device "toRemoteSite"
    next
end

config firewall policy
    edit 1
        set srcintf "toRemoteSite"
        set dstintf <local interface(s)>
        set srcaddr "remote-site-subnets"
        set dstaddr "local-site-subnets"
        set action accept
        set schedule "always"
        set service ALL
    next
    edit 2
        set srcintf <local interface(s)>
        set dstintf "toRemoteSite"
        set srcaddr "local-site-subnets"
        set dstaddr "remote-site-subnets"
        set action accept
        set schedule "always"
        set service ALL
    next
end
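The part of this setup that still grows with the number of subnets is the address objects, the two address groups referenced by the Phase 2, and the per-subnet static routes. The following added example (not part of the article and not Fortinet code) generates that CLI fragment from two subnet lists and refuses overlapping subnets, which would make a static route shadow a local network. It assumes the group names "local-site-subnets" / "remote-site-subnets" and the route sequence numbers starting at 5, as in the configuration above; the address object names it derives are a hypothetical naming convention.

```python
import ipaddress

def parse_subnets(subnets):
    """Parse CIDR strings and reject overlaps within the list."""
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping subnets: {a} and {b}")
    return nets

def address_group(group, nets):
    """One firewall address object per subnet plus the group the Phase 2 references."""
    names = [f"{group}_{n.network_address}_{n.prefixlen}" for n in nets]
    lines = ["config firewall address"]
    for name, n in zip(names, nets):
        lines += [f'    edit "{name}"',
                  f"        set subnet {n.network_address} {n.netmask}",
                  "    next"]
    lines += ["end", "config firewall addrgrp", f'    edit "{group}"',
              "        set member " + " ".join(f'"{x}"' for x in names),
              "    next", "end"]
    return lines

def static_routes(phase1, nets, first_seq=5):
    """One static route per remote subnet out of the virtual tunnel interface."""
    lines = ["config router static"]
    for seq, n in enumerate(nets, start=first_seq):
        lines += [f"    edit {seq}",
                  f"        set dst {n.network_address} {n.netmask}",
                  f'        set device "{phase1}"',
                  "    next"]
    lines.append("end")
    return lines

def generate(phase1, local_subnets, remote_subnets):
    """Full CLI fragment; a local/remote overlap is a configuration error."""
    local, remote = parse_subnets(local_subnets), parse_subnets(remote_subnets)
    for a in local:
        for b in remote:
            if a.overlaps(b):
                raise ValueError(f"local {a} overlaps remote {b}")
    out = address_group("local-site-subnets", local)
    out += address_group("remote-site-subnets", remote)
    out += static_routes(phase1, remote)
    return "\n".join(out)
```

Paste the output before the Phase 2 and policy configuration above, since the groups must exist before they are referenced.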


Verification of Configuration and troubleshooting

- Check the configuration as seen by the IKE daemon: diag vpn ike config list

- List IKE SAs: diag vpn ike gateway list name <Phase1>

- List IPsec SAs (the dynamically created selectors appear here once traffic has triggered them): diag vpn tunnel list name <Phase1>

- Check the status of all tunnels (equivalent to the GUI VPN monitor): get ipsec tunnel list
