Description: This article describes the configuration of a policy-based IPsec tunnel with FortiGate's GUI, where both sides have static IP.
Scope: FortiGate operating in NGFW mode, profile-based.
Solution:
Steps to configure policy-based IPsec tunnel:
Configure FortiGate1.
Step 1:
Step 2:
In the CLI, create the policy-based VPN (creating a policy-based VPN is no longer supported in the GUI). For example:
config vpn ipsec phase1
    edit "test-ipsec"
        set interface "port2"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 1.2.3.4
        set psksecret ENC
    next
end
config vpn ipsec phase2
    edit "test-ipsec"
        set phase1name "test-ipsec"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end
Step 3:
Create a new policy, Policy & Objects -> Firewall Policy. Select Create new. Specify the incoming port (LAN) and the outgoing port (interface to which the tunnel is attached). Specify source and destination. Select Action as 'IPsec' and select the tunnel created earlier from the dropdown menu.
If needed, enable 'Allow traffic to be initiated from the remote site'. By default, the tunnel is initiated from the local network. When the option 'Allow traffic to be initiated from the remote site' is enabled, traffic from the remote VPN peer network can also initiate the tunnel. Both options can be activated simultaneously for bi-directional tunnel initiation.
In most cases, the IPsec tunnel will be configured on the internet (WAN) facing interface; in that case a default route will already exist, so no extra route needs to be configured.
Step 4: Configure FortiGate2 following the same steps. The remote firewall can be configured as either an interface-based (route-based) or a policy-based IPsec VPN; the two sides do not need to use the same mode.
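The firewall policy from Step 3 expressed in the FortiOS CLI, as an added example that is not part of this article. The address object names, the LAN interface port1, the /24 subnets (taken from the hosts used in the sniffer example below) and the policy name are assumptions; the tunnel name and port2 are the ones from Step 2.

```fortios
# Assumed address objects for the two protected networks (not from the article).
config firewall address
    edit "LAN-192.168.100.0"
        set subnet 192.168.100.0 255.255.255.0
    next
    edit "REMOTE-192.168.200.0"
        set subnet 192.168.200.0 255.255.255.0
    next
end
# Policy-based IPsec policy: LAN (port1) to the interface the tunnel is attached to (port2).
# Keeping srcaddr/dstaddr to the real subnets limits what the tunnel will carry.
config firewall policy
    edit 0
        set name "LAN-to-remote-site"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "LAN-192.168.100.0"
        set dstaddr "REMOTE-192.168.200.0"
        set action ipsec
        set schedule "always"
        set service "ALL"
        # GUI default: traffic from the local network may initiate the tunnel.
        set outbound enable
        # GUI option 'Allow traffic to be initiated from the remote site'.
        set inbound enable
        set vpntunnel "test-ipsec"
    next
end
```

Enabling both outbound and inbound gives the bi-directional initiation described above; leave inbound disabled if only the local side should bring the tunnel up.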
Troubleshooting:
Flow debug example:
diagnose debug flow trace start 999
Sniffer example:
diagnose sniffer packet any 'host 192.168.100.2 and host 192.168.200.2 and icmp' 4 0 l
Tip: There are some limitations to using a policy-based IPsec tunnel. The SSL VPN interface cannot be used with policy-based IPsec tunnels. If this is a requirement, consider using a route-based (interface-based) VPN.
Note: If the FortiGate's NGFW mode is set to Policy-based, 'Policy-based IPsec VPN' is not available under 'Feature visibility', and VPN can only be configured as a Route-based VPN.
Copyright 2025 Fortinet, Inc. All Rights Reserved.