Description
This article explains the configuration of site to site VPN where both sites have a static public IP on the WAN interface.
It covers both wizard and manual configuration.
Scope
FortiGate v6.2 or higher.
Solution
The following are the IP address information for both FortiGates.
| Device |
FortiGate - I |
FortiGate - II |
| Wan IP | 172.25.176.62 | 172.25.177.46 |
| LAN IP | 192.168.65.0/24 | 192.168.13.0/24 |
FortiGate: I Configuration.
To create an IPsec VPN tunnel on the FortiGate device, select VPN -> IPSec Wizard and input the tunnel name.
Select the Template Type as Site to Site, the 'Remote Device Type' as FortiGate, and select NAT Configuration as No NAT between sites.
To create an IPsec VPN tunnel on the FortiGate device, select VPN -> IPSec Wizard and input the tunnel name.
Select the Template Type as Site to Site, the 'Remote Device Type' as FortiGate, and select NAT Configuration as No NAT between sites.
Select 'Next' to move to the Authentication part.
In the Authentication step, set IP Address to the WAN IP address of the remote FortiGate (in the example, 172.25.177.46).
In the Authentication step, set IP Address to the WAN IP address of the remote FortiGate (in the example, 172.25.177.46).
After the WAN IP address is entered, the wizard automatically assigns an interface as the Outgoing Interface.
If a different interface should be used, this needs to be selected from the drop-down menu.
Set a secure Pre-shared Key (PSK). The remote peer can also be authenticated via a certificate, as explained here.
In the Policy & Routing step, set Local Interface to LAN.
The wizard adds the local subnet automatically.
Set Remote Subnets to the Branch network’s subnet (in the example, 192.168.13.0/24).
Set Internet Access to None.
Set Internet Access to None.
A summary page shows the configuration created by the wizard, including interfaces, firewall addresses, routes, and policies.
The wizard automatically configures the phase2 selectors, firewall address groups, firewall addresses, static routes, blackhole routes and firewall policies.
To view the VPN interface created by the wizard, go to Network -> Interfaces.
To view the firewall addresses created by the wizard, go to Policy & Objects - > Addresses.
To view the routes created by the wizard, go to Network -> Static Routes.
Note:
In cases where static routes were not automatically generated when the VPN wizard was not used, it is recommended to manually add a static route to the remote subnet(s) pointing to the tunnel interface and add a blackhole route to prevent VPN traffic from egressing the default route (typically to the public internet) when the VPN tunnel flaps.
Refer to this article: Technical Tip: Use of Blackhole Route in site to site IPsec VPN scenarios
To view the policies created by the wizard, go to Policy & Objects -> IPv4 Policy.
FortiGate: II Configuration.
To create a new IPsec VPN tunnel, connect to FGT-II, go to VPN > IPsec Wizard, and create a new tunnel.
In the VPN Setup step, set Template Type to Site to Site, set Remote Device Type to FortiGate, and set NAT Configuration to No NAT between sites.
To create a new IPsec VPN tunnel, connect to FGT-II, go to VPN > IPsec Wizard, and create a new tunnel.
In the VPN Setup step, set Template Type to Site to Site, set Remote Device Type to FortiGate, and set NAT Configuration to No NAT between sites.
In the Authentication step, set IP Address to the WAN IP address of FGT-I (in the example, 172.25.176.62).
After the IP address is entered, the wizard automatically assigns an interface as the Outgoing Interface.
After the IP address is entered, the wizard automatically assigns an interface as the Outgoing Interface.
If a different interface needs to be used, select it from the drop-down menu.
Set the same secure Pre-shared Key (PSK) that was used for the VPN on FortiGate-I.
Note:
Make sure the remote public IP is reachable via the interface (in the example wan1).
Command to verify :
get router info routing-table details x.x.x.x <----- x.x.x.x is the public of the remote site.
In the Policy & Routing step, set Local Interface to LAN. The wizard adds the local subnet automatically. Set Remote Subnets to the HQ network’s subnet (in the example, 192.168.65.0/24).
Set Internet Access to 'None'.
A summary page shows the configuration created by the wizard, including interfaces, firewall addresses, routes, and policies.
To bring the VPN tunnel up, go to Monitor -> IPsec Monitor. Select 'Status' and select Bring Up.
There is an option to enable auto-negotiation so that phase2 selectors will always stay up which is explained in the attached article.
From FortiOS 7.6.x the GUI layout has changed:
FortiGate: Configuration:
Navigate to 'VPN Tunnels' from the Firewall GUI
Select IPsec tunnel from the template and choose 'Site to Site'.
Select 'Begin' at the bottom of the GUI
Select the appropriate option in this section for 'Authentication Method', 'IKE' version, 'Transport', 'NAT Traversal', etc.
The 'Transport' option is new at v7.6.x and it is available for IKE version 2.
Move to the next section to configure the Remote Gateway and Remote Subnet.
Select 'next' and move to the next section.
In this section, the 'Outgoing interface', 'Local interface', and 'Local subnets that can access VPN' is configured. Select 'Next'.
After Review the configuration template can be submitted.
The Configuration is complete and once the remote side configuration is done correctly the tunnel is expected to come up and actively pass encrypted traffic.
Verification:
To verify if the LAN subnets can reach each other over the VPN tunnel, initiate an ICMP echo from either side.
Troubleshooting:
If the tunnel UP is not visible, raise a support ticket. It will be helpful to collect the following debug output:
Debug commands:
diag vpn tunnel list
diag vpn ike filter clear
diag vpn ike log-filter dst-addr4 x.x.x.x <----- Where x.x.x.x is the WAN IP of the remote site.
diag debug application ike -1
diag debug console timestamp enable
diag debug enable
Debugs for v7.4.x and v7.6.x firmware version:
diag debug reset
diag vpn ike filter clear
diag vpn ike log filter rem-addr4 x.x.x.x {x.x.x.x} <----- Where x.x.x.x is the WAN IP of the remote site.
diag debug application ike -1
diag debug console timestamp enable
diag debug enable
To Stop the debugs logs:
diag debug disable
diag debug reset
Open another CLI and run the packet capture commands below.
Packet capture:
diag sniffer packet any "host <x.x.x.x> and port 500 or port 4500" 4 0 a <----- Where x.x.x.x is the WAN IP of the remote site.
Once the commands are executed, try to bring the tunnel UP from the GUI (VPN -> IPsec Monitor -> Bring UP or with the command):
diagnose vpn tunnel up “vpn_tunnel_nam <----- Where 'vpn_tunnel_name' is the phase1 name of the respective VPN tunnel.
Once the debugs are collected, stop the debug with the command:
diag debug disable
diag debug reset
Attach the complete output to the ticket along with the config files of both the FortiGates.
Related documents:
Technical Note: Use of Black hole route in site to site IPsec VPN scenarios
Troubleshooting Tip: Troubleshooting IPsec Site-to-Site Tunnel Connectivity
Troubleshooting Tip: IPsec VPNs tunnels
Technical Tip: Setting multiple DNS server for IPSec dial-up VPN
Technical Tip: NAT-traversal comparison between site-to-site and dial-up” dynamic” tunnels
Technical Tip: FortiGate Hub with multiple IPSec Dial-up phase1 using IKEv2 and PSK authentication
Technical Tip : How to configure multiple VPN tunnels from the same ISP to the same remote peer ISP.
Technical Tip: IPSec dial-up full tunnel with FortiClient
Technical Tip: Differences between Aggressive and Main mode in IPSec VPN configurations
Technical Note: Dynamic routing (BGP) over IPsec tunnel
Technical Tip: OSPF with IPSec VPN for network redundancy
Technical Tip: Dynamic dial-up VPN with OSPF
Technical Tip: Fortinet Auto Discovery VPN (ADVPN)
Technical Tip: 'set net-device' new route-based IPsec logic
Technical Tip: Simple OCVPN deployment
Technical Tip: SD-WAN integration with OCVPN
Technical Tip: Configure IPsec VPN with SD-WAN
Technical Tip: SD-WAN with DDNS type IPsec
Technical Tip: SD-WAN primary and backup ipsec tunnel Scenario
Troubleshooting Tip: IPsec VPN Phase 1 Process - Aggressive Mode
Technical Tip: How to configure IPsec VPN Tunnel using IKE v2
Technical Tip: Hard timeout for Dialup IPSEC VPN Tunnel
Note:
Versions 5.0 up to 6.4 are out of engineering support. So these commands might be different on higher versions. Consider upgrading the firmware level on the device to a supported version (7.0 up to 7.6). Here check the firmware path and compatibility depending on the hardware: Upgrade tool.
