Technical Tip: FortiGate IPSec VPN Resource List

pkavin · ‎06-01-2022

Description

This article describes that Virtual Private Network (VPN) technology enables users to connect to private networks in a secure way.

RFC 6071 describes IPsec (Internet Protocol Security) as a suite of protocols that
provides security to Internet communications at the IP layer.

The most common current use of IPsec is to provide a Virtual Private Network (VPN), either between two locations (gateway-to-gateway) or between a remote user and an enterprise network (host-to-gateway)

FortiGate leverages IPsec VPN to establish secure connectivity with endpoints/devices that support IPsec VPN.

FortiGate offers many variations of IPsec VPN to meet the needs of different environments. As an example, ADVPN, OCVPN, etc. are used in FortiGate environments.

Below is a list of resources that can be used to configure and troubleshoot IPSec VPN on FortiGate.

Scope

FortiGate.

Solution

IPsec VPN Configuration

Title and Links	Description
Site to Site IPsec VPN setup	How to configure VPN Site to Site between FortiGates (Using VPN Setup Wizard).
Basic site-to-site VPN with pre-shared key	Configuration of IPsec VPN authenticating a remote FortiGate peer with a pre-shared key.
Site-to-site VPN with digital certificate/signature	Configuration of IPsec VPN authenticating a remote FortiGate peer with a certificate.
Dialup VPN configuration (Connection coming from a FortiGate)	Configuration of dialup IPsec VPN and the dialup client. FortiGate acts as a client on one site and as a concentrator on the other site.
Dialup VPN Hub with multiple phase1 using PSK and IKEv2	How to allow the selection of the correct phase1 when there are multiple Dial-up phase1 set with IKEv2 and PSK authentication.
Dialup VPN configuration for full tunnel (Connection coming from a FortiClient)	IPSec dial-up full tunnel with FortiClient.
Dialup VPN configuration for split-tunnel (Connection coming from a FortiClient)	IPSec dial-up split-tunnel with FortiClient.
IPsec VPN with external DHCP service	Use an external DHCP server to assign IP addresses to the IPsec VPN clients.
Dialup IPsec VPN with certificate authentication	This method includes the option to verify the remote user using a user certificate, instead of a username and password.
L2TP over IPsec	An example of L2TP over IPsec VPN configuration.
IPsec aggregate	IPsec aggregate for redundancy and traffic load-balancing
Aggregate and redundant VPN	Different topics which provide instructions on configuring aggregate and redundant VPNs.
Differences between Aggressive and Main mode in IPSec VPN configurations	Differences between Aggressive and Main mode in IPSec VPN configurations.
Enable 'Policy-Based IPsec VPN' configuration	How to enable 'Policy-Based IPsec VPN' configuration from GUI.
Setting multiple DNS servers for IPSec dial-up VPN	Steps to configure multiple DNS servers for IPSec dial-up VPN.
DHCP IP address reservation with Dial-up IPsec VPN	DHCP IP address reservation with Dial-up IPsec VPN.
Add multiple user groups in XAUTH in Dial-up IPSEC VPN configuration	Procedure to add multiple user groups in XUTH in dial-up VPN.
Multiple IPSec dial-up connections from the same source IP	How to make FortiGate allow multiple IPSec dial-up VPN connections coming from the same source IP address.
NAT-traversal comparison between site-to-site and dial-up 'dynamic'tunnels	The difference in the behaviour of static and dynamic tunnels when there is a device performing NAT between the IPsec peers.
Limiting the maximum number of dial-up VPN tunnels allowed per VDOM	How to configure and check the maximum number of dial-up VPN tunnels allowed per VDOM.
IPSec VPN nattraversal (NAT-T)	nat-traversal (NAT-T) options available under the phase1 settings of an IPsec tunnel.
IPSec and default route	IPSec and default route.
Forward Error Correction for IPsec VPN	Forward Error Correction (FEC) is used to lower the packet loss ratio by consuming more bandwidth. More details are provided in the KB article.
IPSec VPN in HA Environment	IPSec Configuration in HA environment.
Restricting IPs to connect to a VPN IPsec	How to restrict remote IPs that can negotiate a VPN IPsec connection.
MTU override of IPsec VPN interface	From v6.4.0, a user can override the MTU of an IPSec VPN Interface.
Site-to-site VPN with overlapping subnets	Configuration of IPsec VPN to allow transparent communication between two overlapping networks that are located behind different FortiGates.
Dynamic routing (BGP) over IPsec tunnel	Settings required to enable dynamic routing (BGP here) over an IPsec static tunnel.
OSPF with IPSec VPN for network redundancy	OSPF with IPSec VPN for redundancy.
Dynamic dial-up VPN with OSPF	Configure OSPF over dynamic IPSEC VPN.
Fortinet Auto Discovery VPN (ADVPN)	Fortinet Auto Discovery VPN (ADVPN) configuration and details.
Full mesh OCVPN	How to configure a full mesh Overlay Controller VPN (OCVPN), establishing full-mesh IPsec tunnels between all of the FortiGates.
Simple OCVPN deployment	This article demonstrates the deployment of OCVPN (Overlay Controller Virtual Private Network).
SD-WAN integration with OCVPN	OCVPN has the capability to enable SD-WAN in order to dynamically add its tunnel interfaces as SD-WAN members.
Configure IPsec VPN with SD-WAN	Integration of IPsec VPN with SD-WAN to manage IPsec traffic flow and Redundancy using the SD-WAN rule.
SD-WAN primary and backup IPsec tunnel Scenario	SD-WAN primary and backup IPsec tunnel Scenario.
SD-WAN with DDNS type IPsec	How to have an IPsec tunnel to be part of the SD-WAN, with the tunnel in type ddns (as the remote site does not have a static IP address and uses the ddns feature).
IKE and IPSec SA rekey for ADVPN shortcut tunnels for IKEv1 and IKEv2	The behavior of FortiOS when SA rekey happens for phase1 and phase2 on FortiGate.
IPsec VPN Phase 1 Process - Aggressive Mode	Process on how IPsec VPN is established in Phase 1 - Aggressive Mode.
Configuring more than one Main-Mode Pre-Shared Key (PSK) dialup IPSec phase1 on a Fortigate	Configuring more than one Main-Mode Pre-Shared Key (PSK) dialup IPSec phase1 on a FortiGate.
Behavior of custom IKE port	How the parameter 'set ike-port' under config system settings works in v7.0.
VXLAN over IPsec for multiple VLANs using software switch	This article describes how to configure VXLAN over IPsec for multiple VLANs.
Configure IPsec tunnel from Hub to Spokes where 2 or more spokes have overlapping subnets	This article describes the steps to configure IPsec tunnels from Hub to Spokes where 2 or more spokes have overlapping subnets.
Unable to create policy-based IPSEC VPN in FortiOS 7.6	This article describes the issue of being unable to create a policy-based IPSEC VPN in FortiOS 7.6 GUI and the workaround.
How to configure IPsec VPN Tunnel using IKE v2	This article describes how to configure IPsec VPN Tunnel using IKE v2.
Hard timeout for Dialup IPSEC VPN Tunnel	This article describes how to force the Dialup IPsec client to re-authenticate after a configured time and failure to do so would lead to disconnecting from the VPN.

IPSec VPN Troubleshooting

Title and Links	Description
Troubleshoot IPsec Site-to-Site Tunnel Connectivity	How to troubleshoot basic IPsec tunnel issues and understand how to collect data required by TAC to investigate the VPN issues.
Troubleshooting IPsec VPNs	Techniques on how to identify, debug and troubleshoot IPsec VPN tunnels.
IPSec VPN diagnostics – Deep analysis	How to debug IPSec VPN connectivity issues and information on the troubleshooting process.
IPSec VPN Diagnostics – Possible reasons	Some common challenges of IPsec VPN.
Understanding VPN related logs	Understanding VPN related logs.
IPsec related diagnose commands	IPsec related diagnose commands.
Different methods to capture packets for IPsec VPN tunnels troubleshooting	How to capture IPsec VPN tunnel packets using FortiGate's CLI tool for troubleshooting.
IPsec VPN is up but the network is not reachable	IPsec VPN is up but the network is not reachable.
IPSEC Tunnel (debugging IKE)	How to approach the debugs when troubleshooting IKE on IPSEC Tunnel.
IPsec VPN tunnel errors due to traffic not matching selectors	How to troubleshoot IPsec VPN tunnel errors due to traffic not matching selectors. 'No matching IPsec selector, drop'.
IPSEC VPN down due to Error INVALID_KE_PAYLOAD	The solution to solve the Error 'processing notify type INVALID_KE_PAYLOAD' received on the IKE debug.
Not able to ping the IPsec VPN remote peer network	How to ping remote network connected via IPsec VPN.
Troubleshooting IPsec VPN tunnel errors with large size packets	How to identify and troubleshoot VPN tunnel errors due to large size packets. 'txe' or 'errors' incrementing on the VPN tunnel interface.
L2TP in IPsec connectivity issues	Possible issues when trying to establish L2TP in IPsec with Windows VPN client.
Radius authentication troubleshooting with IPsec Dialup VPN	Radius authentication troubleshooting with IPsec Dialup VPN.
LDAP authentication troubleshooting with IPsec VPN Dialup	LDAP authentication troubleshooting with IPsec VPN Dialup.
IPSEC VPN - Invalid ESP packet detected (HMAC validation failed)	IPSEC VPN - Invalid ESP packet detected (HMAC validation failed)
FortiGate is not sending IKE negotiation for newly configured tunnel	This article describes when FortiGate is not sending at least initial IKE negotiation packets on the debug or sniffer output.
Inbound IPsec traffic dropped due to layer 2 padding	In some cases where NPU offloading is enabled on IPsec tunnels, the NP6 IPsec engine could drop ESP packets due to a large amount of layer 2 padding.
VPN (ESP) traffic dropped due to NP6 PBA leak.	How to resolve ESP traffic being dropped due to a PBA leak
Decrypt ESP packets.	How to decrypt captured Encapsulated Security Payload (ESP) packets initiated or terminated on Fortigate using Wireshark.
ESP Packets are not blocked by local-in policy.	How local-in policy is behaving with ingress ESP packets and why ESP Packets are not blocked by local-in policy.
Explanation of the Event Log error 'Invalid ESP packet detected'	Explanation of the Event Log error 'Invalid ESP packet detected'.
How to convert IKE debug to PCAP	How to convert IKE debug to PCAP.
IKEv2 IPSec tunnel: TS_UNACCEPTABLE error is observed in IKE debugs	Common issue when building IPSec tunnels with vendor devices, ex: Cisco/Meraki/Juniper etc. TS_UNACCEPTABLE error in IKE debugs when IKEv2 is used.
IKE v2 traffic selector narrowing	IKE v2 traffic selector narrowing.
Enable policy route lookup for local-out IKE traffic	How to configure FortiGate to verify policy routing as well for local-out IKE negotiations.
IPv4 address exhaustion in ike mode-cfg	What to do when endpoint units cannot suddenly connect to their IPsec dial-up VPN. 'ike: could not allocate IPv4 address'.
How to check if Diffie-Hellman(DH) group is the same on both peer units	How to check if Diffie-Hellman(DH) group is the same on both peer units.
Static route for IPsec VPN shows gateway configured	How FortiGate is selecting a gateway for static routes via IPsec VPN tunnel starting v7.0.
The IPsec VPN tunnel not coming up, with debug message 'ignoring IKE request, interface is administr...	This article explains why the debug error message appears when the IPsec tunnel is not going up.

List of Resource Lists: Technical Tip: FortiGate Resource Lists