FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pkavin
Staff
Staff
Article Id 213560
Description

 

This article describes that Virtual Private Network (VPN) technology enables users to connect to private networks in a secure way.

 

RFC 6071 describes IPsec (Internet Protocol Security) as a suite of protocols that
provides security to Internet communications at the IP layer.

The most common current use of IPsec is to provide a Virtual Private Network (VPN), either between two locations (gateway-to-gateway) or between a remote user and an enterprise network (host-to-gateway)

 

FortiGate leverages IPsec VPN to establish secure connectivity with endpoints/devices that support IPsec VPN.

FortiGate offers many variations of IPsec VPN to meet the needs of different environments. As an example, ADVPN, OCVPN, etc. are used in FortiGate environments.

 

Below is a list of resources that can be used to configure and troubleshoot IPSec VPN on FortiGate.

 

Scope

 

FortiGate.

 

Solution

 

IPsec VPN Configuration
                             Title and Links                               Description
Site to Site IPsec VPN setup  How to configure VPN Site to Site between FortiGates (Using VPN Setup Wizard).
Basic site-to-site VPN with pre-shared key  Configuration of IPsec VPN authenticating a remote FortiGate peer with a pre-shared key.
Site-to-site VPN with digital certificate/signature  Configuration of IPsec VPN authenticating a remote FortiGate peer with a certificate.
Dialup VPN configuration (Connection coming from a FortiGate)  Configuration of dialup IPsec VPN and the dialup client. FortiGate acts as a client on one site and as a concentrator on the other site.
Dialup VPN Hub with multiple phase1 using PSK and IKEv2 How to allow the selection of the correct phase1 when there are multiple Dial-up phase1 set with IKEv2 and PSK authentication.
Dialup VPN configuration for full tunnel (Connection coming from a FortiClient)  IPSec dial-up full tunnel with FortiClient.
Dialup VPN configuration for split-tunnel (Connection coming from a FortiClient)   IPSec dial-up split-tunnel with FortiClient.
IPsec VPN with external DHCP service  Use an external DHCP server to assign IP addresses to the IPsec VPN clients.
Dialup IPsec VPN with certificate authentication  This method includes the option to verify the remote user using a user certificate, instead of a username and password. 
L2TP over IPsec  An example of L2TP over IPsec VPN configuration.
IPsec aggregate  IPsec aggregate for redundancy and traffic load-balancing
Aggregate and redundant VPN  Different topics which provide instructions on configuring aggregate and redundant VPNs.
Differences between Aggressive and Main mode in IPSec VPN configurations  Differences between Aggressive and Main mode in IPSec VPN configurations.
Enable 'Policy-Based IPsec VPN' configuration  How to enable 'Policy-Based IPsec VPN' configuration from GUI.
Setting multiple DNS servers for IPSec dial-up VPN  Steps to configure multiple DNS servers for IPSec dial-up VPN.
DHCP IP address reservation with Dial-up IPsec VPN  DHCP IP address reservation with Dial-up IPsec VPN.
Add multiple user groups in XAUTH in Dial-up IPSEC VPN configuration  Procedure to add multiple user groups in XUTH in dial-up VPN.
Multiple IPSec dial-up connections from the same source IP  How to make FortiGate allow multiple IPSec dial-up VPN connections coming from the same source IP address.
NAT-traversal comparison between site-to-site and dial-up 'dynamic'tunnels 

The difference in the behaviour of static and dynamic tunnels when there is a device performing NAT between the IPsec peers.

Limiting the maximum number of dial-up VPN tunnels allowed per VDOM  How to configure and check the maximum number of dial-up VPN tunnels allowed per VDOM.
IPSec VPN nattraversal (NAT-T)  nat-traversal (NAT-T) options available under the phase1 settings of an IPsec tunnel.
IPSec and default route  IPSec and default route. 
Forward Error Correction for IPsec VPN  Forward Error Correction (FEC) is used to lower the packet loss ratio by consuming more bandwidth. More details are provided in the KB article.
IPSec VPN in HA Environment  IPSec Configuration in HA environment.
Restricting IPs to connect to a VPN IPsec  How to restrict remote IPs that can negotiate a VPN IPsec connection.
MTU override of IPsec VPN interface  From v6.4.0, a user can override the MTU of an IPSec VPN Interface.
Site-to-site VPN with overlapping subnets  Configuration of IPsec VPN to allow transparent communication between two overlapping networks that are located behind different FortiGates.
Dynamic routing (BGP) over IPsec tunnel  Settings required to enable dynamic routing (BGP here) over an IPsec static tunnel.
OSPF with IPSec VPN for network redundancy  OSPF with IPSec VPN for redundancy.
Dynamic dial-up VPN with OSPF  Configure OSPF over dynamic IPSEC VPN.
Fortinet Auto Discovery VPN (ADVPN)  Fortinet Auto Discovery VPN (ADVPN) configuration and details.
Full mesh OCVPN  How to configure a full mesh Overlay Controller VPN (OCVPN), establishing full-mesh IPsec tunnels between all of the FortiGates.
Simple OCVPN deployment  This article demonstrates the deployment of OCVPN (Overlay Controller Virtual Private Network).
SD-WAN integration with OCVPN  OCVPN has the capability to enable SD-WAN in order to dynamically add its tunnel interfaces as SD-WAN members.
Configure IPsec VPN with SD-WAN  Integration of IPsec VPN with SD-WAN to manage IPsec traffic flow and Redundancy using the SD-WAN rule.
SD-WAN primary and backup IPsec tunnel Scenario  SD-WAN primary and backup IPsec tunnel Scenario.
SD-WAN with DDNS type IPsec  How to have an IPsec tunnel to be part of the SD-WAN, with the tunnel in type ddns (as the remote site does not have a static IP address and uses the ddns feature).
IKE and IPSec SA rekey for ADVPN shortcut tunnels for IKEv1 and IKEv2  The behavior of FortiOS when SA rekey happens for phase1 and phase2 on FortiGate.
IPsec VPN Phase 1 Process - Aggressive Mode   Process on how IPsec VPN is established in Phase 1 - Aggressive Mode.
Configuring more than one Main-Mode Pre-Shared Key (PSK) *dialup* IPSec phase1 on a Fortigate  Configuring more than one Main-Mode Pre-Shared Key (PSK) *dialup* IPSec phase1 on a FortiGate.
Behavior of custom IKE port   How the parameter 'set ike-port' under config system settings works in v7.0.
VXLAN over IPsec for multiple VLANs using software switch This article describes how to configure VXLAN over IPsec for multiple VLANs.
Configure IPsec tunnel from Hub to Spokes where 2 or more spokes have overlapping subnets This article describes the steps to configure IPsec tunnels from Hub to Spokes where 2 or more spokes have overlapping subnets.
Unable to create policy-based IPSEC VPN in FortiOS 7.6
This article describes the issue of being unable to create a policy-based IPSEC VPN in FortiOS 7.6 GUI and the workaround.
How to configure IPsec VPN Tunnel using IKE v2 This article describes how to configure IPsec VPN Tunnel using IKE v2.
Hard timeout for Dialup IPSEC VPN Tunnel

This article describes how to force the Dialup IPsec client to re-authenticate after a configured time and failure to do so would lead to disconnecting from the VPN.

 

 

IPSec VPN Troubleshooting
                             Title and Links                              Description
Troubleshoot IPsec Site-to-Site Tunnel Connectivity   How to troubleshoot basic IPsec tunnel issues and understand how to collect data required by TAC to investigate the VPN issues.
Troubleshooting IPsec VPNs   Techniques on how to identify, debug and troubleshoot IPsec VPN tunnels.
IPSec VPN diagnostics – Deep analysis   How to debug IPSec VPN connectivity issues and information on the troubleshooting process.
IPSec VPN Diagnostics – Possible reasons   Some common challenges of IPsec VPN.
Understanding VPN related logs  Understanding VPN related logs.
IPsec related diagnose commands  IPsec related diagnose commands.
Different methods to capture packets for IPsec VPN tunnels troubleshooting  How to capture IPsec VPN tunnel packets using FortiGate's CLI tool for troubleshooting.
IPsec VPN is up but the network is not reachable  IPsec VPN is up but the network is not reachable.
IPSEC Tunnel (debugging IKE)   How to approach the debugs when troubleshooting IKE on IPSEC Tunnel.
IPsec VPN tunnel errors due to traffic not matching selectors   How to troubleshoot IPsec VPN tunnel errors due to traffic not matching selectors. 'No matching IPsec selector, drop'.
IPSEC VPN down due to Error INVALID_KE_PAYLOAD   The solution to solve the Error 'processing notify type INVALID_KE_PAYLOAD' received on the IKE debug.
Not able to ping the IPsec VPN remote peer network   How to ping remote network connected via IPsec VPN.
Troubleshooting IPsec VPN tunnel errors with large size packets   How to identify and troubleshoot VPN tunnel errors due to large size packets. 'txe' or 'errors' incrementing on the VPN tunnel interface.
L2TP in IPsec connectivity issues   Possible issues when trying to establish L2TP in IPsec with Windows VPN client.
Radius authentication troubleshooting with IPsec Dialup VPN  Radius authentication troubleshooting with IPsec Dialup VPN.
LDAP authentication troubleshooting with IPsec VPN Dialup  LDAP authentication troubleshooting with IPsec VPN Dialup.
IPSEC VPN - Invalid ESP packet detected (HMAC validation failed)   IPSEC VPN - Invalid ESP packet detected (HMAC validation failed)
FortiGate is not sending IKE negotiation for newly configured tunnel   This article describes when FortiGate is not sending at least initial IKE negotiation packets on the debug or sniffer output.
Inbound IPsec traffic dropped due to layer 2 padding   In some cases where NPU offloading is enabled on IPsec tunnels, the NP6 IPsec engine could drop ESP packets due to a large amount of layer 2 padding.
VPN (ESP) traffic dropped due to NP6 PBA leak.   How to resolve ESP traffic being dropped due to a PBA leak
Decrypt ESP packets.   How to decrypt captured Encapsulated Security Payload (ESP) packets initiated or terminated on Fortigate using Wireshark.
ESP Packets are not blocked by local-in policy.   How local-in policy is behaving with ingress ESP packets and why ESP Packets are not blocked by local-in policy.
Explanation of the Event Log error 'Invalid ESP packet detected' Explanation of the Event Log error 'Invalid ESP packet detected'.
How to convert IKE debug to PCAP   How to convert IKE debug to PCAP.
IKEv2 IPSec tunnel: TS_UNACCEPTABLE error is observed in IKE debugs
Common issue when building IPSec tunnels with vendor devices, ex: Cisco/Meraki/Juniper etc. TS_UNACCEPTABLE error in IKE debugs when IKEv2 is used.
IKE v2 traffic selector narrowing   IKE v2 traffic selector narrowing.
Enable policy route lookup for local-out IKE traffic   How to configure FortiGate to verify policy routing as well for local-out IKE negotiations.
IPv4 address exhaustion in ike mode-cfg   What to do when endpoint units cannot suddenly connect to their IPsec dial-up VPN. 'ike: could not allocate IPv4 address'.
How to check if Diffie-Hellman(DH) group is the same on both peer units   How to check if Diffie-Hellman(DH) group is the same on both peer units.
Static route for IPsec VPN shows gateway configured 
How FortiGate is selecting a gateway for static routes via IPsec VPN tunnel starting v7.0.
The IPsec VPN tunnel not coming up, with debug message 'ignoring IKE request, interface is administr... This article explains why the debug error message appears when the IPsec tunnel is not going up.


List of Resource Lists: Technical Tip: FortiGate Resource Lists