Created on 06-01-2022 12:44 AM Edited on 10-28-2024 07:43 AM By Jean-Philippe_P
This article describes that Virtual Private Network (VPN) technology enables users to connect to private networks in a secure way.
RFC 6071 describes IPsec (Internet Protocol Security) as a suite of protocols that
provides security to Internet communications at the IP layer.
The most common current use of IPsec is to provide a Virtual Private Network (VPN), either between two locations (gateway-to-gateway) or between a remote user and an enterprise network (host-to-gateway)
FortiGate leverages IPsec VPN to establish secure connectivity with endpoints/devices that support IPsec VPN.
FortiGate offers many variations of IPsec VPN to meet the needs of different environments. As an example, ADVPN, OCVPN, etc. are used in FortiGate environments.
Below is a list of resources that can be used to configure and troubleshoot IPSec VPN on FortiGate.
Scope
FortiGate.
IPsec VPN Configuration |
Title and Links | Description |
Site to Site IPsec VPN setup | How to configure VPN Site to Site between FortiGates (Using VPN Setup Wizard). |
Basic site-to-site VPN with pre-shared key | Configuration of IPsec VPN authenticating a remote FortiGate peer with a pre-shared key. |
Site-to-site VPN with digital certificate/signature | Configuration of IPsec VPN authenticating a remote FortiGate peer with a certificate. |
Dialup VPN configuration (Connection coming from a FortiGate) | Configuration of dialup IPsec VPN and the dialup client. FortiGate acts as a client on one site and as a concentrator on the other site. |
Dialup VPN Hub with multiple phase1 using PSK and IKEv2 | How to allow the selection of the correct phase1 when there are multiple Dial-up phase1 set with IKEv2 and PSK authentication. |
Dialup VPN configuration for full tunnel (Connection coming from a FortiClient) | IPSec dial-up full tunnel with FortiClient. |
Dialup VPN configuration for split-tunnel (Connection coming from a FortiClient) | IPSec dial-up split-tunnel with FortiClient. |
IPsec VPN with external DHCP service | Use an external DHCP server to assign IP addresses to the IPsec VPN clients. |
Dialup IPsec VPN with certificate authentication | This method includes the option to verify the remote user using a user certificate, instead of a username and password. |
L2TP over IPsec | An example of L2TP over IPsec VPN configuration. |
IPsec aggregate | IPsec aggregate for redundancy and traffic load-balancing |
Aggregate and redundant VPN | Different topics which provide instructions on configuring aggregate and redundant VPNs. |
Differences between Aggressive and Main mode in IPSec VPN configurations | Differences between Aggressive and Main mode in IPSec VPN configurations. |
Enable 'Policy-Based IPsec VPN' configuration | How to enable 'Policy-Based IPsec VPN' configuration from GUI. |
Setting multiple DNS servers for IPSec dial-up VPN | Steps to configure multiple DNS servers for IPSec dial-up VPN. |
DHCP IP address reservation with Dial-up IPsec VPN | DHCP IP address reservation with Dial-up IPsec VPN. |
Add multiple user groups in XAUTH in Dial-up IPSEC VPN configuration | Procedure to add multiple user groups in XUTH in dial-up VPN. |
Multiple IPSec dial-up connections from the same source IP | How to make FortiGate allow multiple IPSec dial-up VPN connections coming from the same source IP address. |
NAT-traversal comparison between site-to-site and dial-up 'dynamic'tunnels |
The difference in the behaviour of static and dynamic tunnels when there is a device performing NAT between the IPsec peers. |
Limiting the maximum number of dial-up VPN tunnels allowed per VDOM | How to configure and check the maximum number of dial-up VPN tunnels allowed per VDOM. |
IPSec VPN nattraversal (NAT-T) | nat-traversal (NAT-T) options available under the phase1 settings of an IPsec tunnel. |
IPSec and default route | IPSec and default route. |
Forward Error Correction for IPsec VPN | Forward Error Correction (FEC) is used to lower the packet loss ratio by consuming more bandwidth. More details are provided in the KB article. |
IPSec VPN in HA Environment | IPSec Configuration in HA environment. |
Restricting IPs to connect to a VPN IPsec | How to restrict remote IPs that can negotiate a VPN IPsec connection. |
MTU override of IPsec VPN interface | From v6.4.0, a user can override the MTU of an IPSec VPN Interface. |
Site-to-site VPN with overlapping subnets | Configuration of IPsec VPN to allow transparent communication between two overlapping networks that are located behind different FortiGates. |
Dynamic routing (BGP) over IPsec tunnel | Settings required to enable dynamic routing (BGP here) over an IPsec static tunnel. |
OSPF with IPSec VPN for network redundancy | OSPF with IPSec VPN for redundancy. |
Dynamic dial-up VPN with OSPF | Configure OSPF over dynamic IPSEC VPN. |
Fortinet Auto Discovery VPN (ADVPN) | Fortinet Auto Discovery VPN (ADVPN) configuration and details. |
Full mesh OCVPN | How to configure a full mesh Overlay Controller VPN (OCVPN), establishing full-mesh IPsec tunnels between all of the FortiGates. |
Simple OCVPN deployment | This article demonstrates the deployment of OCVPN (Overlay Controller Virtual Private Network). |
SD-WAN integration with OCVPN | OCVPN has the capability to enable SD-WAN in order to dynamically add its tunnel interfaces as SD-WAN members. |
Configure IPsec VPN with SD-WAN | Integration of IPsec VPN with SD-WAN to manage IPsec traffic flow and Redundancy using the SD-WAN rule. |
SD-WAN primary and backup IPsec tunnel Scenario | SD-WAN primary and backup IPsec tunnel Scenario. |
SD-WAN with DDNS type IPsec | How to have an IPsec tunnel to be part of the SD-WAN, with the tunnel in type ddns (as the remote site does not have a static IP address and uses the ddns feature). |
IKE and IPSec SA rekey for ADVPN shortcut tunnels for IKEv1 and IKEv2 | The behavior of FortiOS when SA rekey happens for phase1 and phase2 on FortiGate. |
IPsec VPN Phase 1 Process - Aggressive Mode | Process on how IPsec VPN is established in Phase 1 - Aggressive Mode. |
Configuring more than one Main-Mode Pre-Shared Key (PSK) *dialup* IPSec phase1 on a Fortigate | Configuring more than one Main-Mode Pre-Shared Key (PSK) *dialup* IPSec phase1 on a FortiGate. |
Behavior of custom IKE port | How the parameter 'set ike-port' under config system settings works in v7.0. |
VXLAN over IPsec for multiple VLANs using software switch | This article describes how to configure VXLAN over IPsec for multiple VLANs. |
Configure IPsec tunnel from Hub to Spokes where 2 or more spokes have overlapping subnets | This article describes the steps to configure IPsec tunnels from Hub to Spokes where 2 or more spokes have overlapping subnets. |
Unable to create policy-based IPSEC VPN in FortiOS 7.6 |
This article describes the issue of being unable to create a policy-based IPSEC VPN in FortiOS 7.6 GUI and the workaround. |
How to configure IPsec VPN Tunnel using IKE v2 | This article describes how to configure IPsec VPN Tunnel using IKE v2. |
Hard timeout for Dialup IPSEC VPN Tunnel |
This article describes how to force the Dialup IPsec client to re-authenticate after a configured time and failure to do so would lead to disconnecting from the VPN. |
IPSec VPN Troubleshooting |
Title and Links | Description |
Troubleshoot IPsec Site-to-Site Tunnel Connectivity | How to troubleshoot basic IPsec tunnel issues and understand how to collect data required by TAC to investigate the VPN issues. |
Troubleshooting IPsec VPNs | Techniques on how to identify, debug and troubleshoot IPsec VPN tunnels. |
IPSec VPN diagnostics – Deep analysis | How to debug IPSec VPN connectivity issues and information on the troubleshooting process. |
IPSec VPN Diagnostics – Possible reasons | Some common challenges of IPsec VPN. |
Understanding VPN related logs | Understanding VPN related logs. |
IPsec related diagnose commands | IPsec related diagnose commands. |
Different methods to capture packets for IPsec VPN tunnels troubleshooting | How to capture IPsec VPN tunnel packets using FortiGate's CLI tool for troubleshooting. |
IPsec VPN is up but the network is not reachable | IPsec VPN is up but the network is not reachable. |
IPSEC Tunnel (debugging IKE) | How to approach the debugs when troubleshooting IKE on IPSEC Tunnel. |
IPsec VPN tunnel errors due to traffic not matching selectors | How to troubleshoot IPsec VPN tunnel errors due to traffic not matching selectors. 'No matching IPsec selector, drop'. |
IPSEC VPN down due to Error INVALID_KE_PAYLOAD | The solution to solve the Error 'processing notify type INVALID_KE_PAYLOAD' received on the IKE debug. |
Not able to ping the IPsec VPN remote peer network | How to ping remote network connected via IPsec VPN. |
Troubleshooting IPsec VPN tunnel errors with large size packets | How to identify and troubleshoot VPN tunnel errors due to large size packets. 'txe' or 'errors' incrementing on the VPN tunnel interface. |
L2TP in IPsec connectivity issues | Possible issues when trying to establish L2TP in IPsec with Windows VPN client. |
Radius authentication troubleshooting with IPsec Dialup VPN | Radius authentication troubleshooting with IPsec Dialup VPN. |
LDAP authentication troubleshooting with IPsec VPN Dialup | LDAP authentication troubleshooting with IPsec VPN Dialup. |
IPSEC VPN - Invalid ESP packet detected (HMAC validation failed) | IPSEC VPN - Invalid ESP packet detected (HMAC validation failed) |
FortiGate is not sending IKE negotiation for newly configured tunnel | This article describes when FortiGate is not sending at least initial IKE negotiation packets on the debug or sniffer output. |
Inbound IPsec traffic dropped due to layer 2 padding | In some cases where NPU offloading is enabled on IPsec tunnels, the NP6 IPsec engine could drop ESP packets due to a large amount of layer 2 padding. |
VPN (ESP) traffic dropped due to NP6 PBA leak. | How to resolve ESP traffic being dropped due to a PBA leak |
Decrypt ESP packets. | How to decrypt captured Encapsulated Security Payload (ESP) packets initiated or terminated on Fortigate using Wireshark. |
ESP Packets are not blocked by local-in policy. | How local-in policy is behaving with ingress ESP packets and why ESP Packets are not blocked by local-in policy. |
Explanation of the Event Log error 'Invalid ESP packet detected' | Explanation of the Event Log error 'Invalid ESP packet detected'. |
How to convert IKE debug to PCAP | How to convert IKE debug to PCAP. |
IKEv2 IPSec tunnel: TS_UNACCEPTABLE error is observed in IKE debugs |
Common issue when building IPSec tunnels with vendor devices, ex: Cisco/Meraki/Juniper etc. TS_UNACCEPTABLE error in IKE debugs when IKEv2 is used. |
IKE v2 traffic selector narrowing | IKE v2 traffic selector narrowing. |
Enable policy route lookup for local-out IKE traffic | How to configure FortiGate to verify policy routing as well for local-out IKE negotiations. |
IPv4 address exhaustion in ike mode-cfg | What to do when endpoint units cannot suddenly connect to their IPsec dial-up VPN. 'ike: could not allocate IPv4 address'. |
How to check if Diffie-Hellman(DH) group is the same on both peer units | How to check if Diffie-Hellman(DH) group is the same on both peer units. |
Static route for IPsec VPN shows gateway configured |
How FortiGate is selecting a gateway for static routes via IPsec VPN tunnel starting v7.0. |
The IPsec VPN tunnel not coming up, with debug message 'ignoring IKE request, interface is administr... | This article explains why the debug error message appears when the IPsec tunnel is not going up. |
List of Resource Lists: Technical Tip: FortiGate Resource Lists
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.