FortiGate
hgarara
Staff
Article Id 344847
Description This article describes how to configure a policy-based IPsec tunnel between two FortiGates from the GUI, where both peers have static public IP addresses.
Scope FortiGate.
Solution

Steps to configure a policy-based IPsec tunnel (topology used throughout this article):

Untitled.png

 

Configure FortiGate1.

Step 1:

Enable 'Policy based IPsec VPN' under System -> Feature Visibility.

feature.png

 

Step 2:

Go to VPN -> IPsec Tunnels, select Create New and name the tunnel. Select Custom, then Next. Clear the 'Enable IPsec Interface Mode' check box: this is what makes the tunnel policy-based instead of route-based, so no virtual tunnel interface is created.

enable.png

 

Step 3:

Configure Phase 1 (remote gateway IP, outgoing interface, pre-shared key, IKE version, encryption/authentication proposals, DH group) and Phase 2 (proposals, PFS DH group, local and remote subnets). The Phase 1 and Phase 2 settings must match on both peers, and the Phase 2 selectors on one side must be the mirror image of the other side's.

fgt1 tunne;.png

 

Step 4:

Create a new policy under Policy & Objects -> Firewall Policy and select Create New. Set the incoming interface to the LAN interface and the outgoing interface to the interface the tunnel is bound to (normally the WAN interface). Set the source to the local subnet and the destination to the remote subnet. Set Action to 'IPsec' and select the tunnel created in Step 2 from the drop-down menu. Only traffic that matches this policy (interfaces, addresses and service) is sent into the tunnel.

policy.png

 

By default the policy lets traffic from the local network bring the tunnel up (outbound). If needed, enable 'Allow traffic to be initiated from the remote site' so that hosts behind the remote VPN peer can also initiate the tunnel (inbound). Both options can be enabled simultaneously for bi-directional tunnel initiation.

 

In most cases the tunnel is bound to the internet-facing (WAN) interface, which already carries the default route, so no additional static route is needed. Unlike a route-based VPN, a policy-based tunnel does not require a route to the remote subnet at all: the IPsec policy, not the routing table, decides which traffic is encrypted.

 

Step 5:

Configure FortiGate2 following the same steps, with the local and remote subnets and the remote gateway address swapped.

The two peers do not have to use the same mode: one side can be policy-based and the other route-based (interface mode), because both produce the same IKE and ESP traffic on the wire. Only the Phase 1 and Phase 2 parameters and the Phase 2 selectors need to match.
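The same five steps expressed as FortiGate1's CLI configuration, as an added example that is not part of the original article. It assumes interface names (internal, wan1), public addresses (FortiGate1 203.0.113.1, FortiGate2 198.51.100.1) and the /24 subnets behind the hosts 192.168.100.2 and 192.168.200.2 used in the troubleshooting section; the tunnel name, address object names and the pre-shared key placeholder are also assumptions.

```text
# FortiGate1. Assumed: LAN 192.168.100.0/24 on "internal", WAN 203.0.113.1 on "wan1".
# Peer FortiGate2 is assumed at 198.51.100.1 with LAN 192.168.200.0/24.

# Step 1: make policy-based IPsec visible in the GUI (per VDOM).
config system settings
    set gui-policy-based-ipsec enable
end

# Address objects used by the IPsec policy.
config firewall address
    edit "LAN_FGT1"
        set subnet 192.168.100.0 255.255.255.0
    next
    edit "LAN_FGT2"
        set subnet 192.168.200.0 255.255.255.0
    next
end

# Steps 2 and 3, Phase 1: policy-based tunnels are defined under "vpn ipsec phase1"
# (route-based ones use "phase1-interface"); no tunnel interface is created.
# Replace the PSK placeholder with a long random secret shared by both peers.
config vpn ipsec phase1
    edit "to_FGT2"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 198.51.100.1
        set psksecret "REPLACE_WITH_LONG_RANDOM_PSK"
    next
end

# Step 3, Phase 2: the selectors decide what is encrypted and must be the
# mirror image of FortiGate2's (src and dst swapped there).
config vpn ipsec phase2
    edit "to_FGT2_p2"
        set phase1name "to_FGT2"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 192.168.100.0 255.255.255.0
        set dst-subnet 192.168.200.0 255.255.255.0
    next
end

# Step 4: one policy with action "ipsec". "outbound" lets the local LAN bring the
# tunnel up; "inbound" is the GUI's "Allow traffic to be initiated from the remote site".
config firewall policy
    edit 0
        set name "vpn_to_FGT2"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "LAN_FGT1"
        set dstaddr "LAN_FGT2"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set vpntunnel "to_FGT2"
        set outbound enable
        set inbound enable
    next
end
```

For Step 5, FortiGate2 uses the same blocks with `remote-gw` set to 203.0.113.1, `src-subnet`/`dst-subnet` swapped in Phase 2, and `srcaddr`/`dstaddr` swapped in the policy. Restrict `service` to what the sites actually need rather than ALL once the tunnel is confirmed working.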

 

Troubleshooting:

Flow debug example (traces how traffic from 192.168.200.2 is matched against the IPsec policy; protocol 1 is ICMP):

diag debug reset
diag debug flow filter addr 192.168.200.2
diag debug flow filter proto 1
diag debug console timestamp enable
diag debug flow trace start 999
diag debug enable

 

debugs.png

 

Sniffer example: 

 

diag sniffer packet any 'host 192.168.100.2 and host 192.168.200.2 and icmp' 4 0 l

 

sniffer.png
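The flow trace and sniffer above show whether traffic is matched by the IPsec policy; they do not show whether IKE itself succeeded. The following checks, added here and not part of the original article, separate a Phase 1 problem (pre-shared key, proposal, remote gateway, UDP 500/4500 blocked) from a Phase 2 problem (selector mismatch). The peer address 198.51.100.1 is an assumption.

```text
# Phase 1 state of every IKE gateway: a tunnel that never reaches
# "established" has a Phase 1 problem.
diagnose vpn ike gateway list

# Phase 2 SAs with their selectors and byte counters. Phase 1 up but no
# SA here usually means the Phase 2 subnets do not mirror the peer's.
diagnose vpn tunnel list

# Capture the IKE negotiation itself while generating traffic from
# 192.168.100.2 to 192.168.200.2.
diagnose debug reset
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable
# ... trigger traffic, read the output, then stop:
diagnose debug disable
diagnose debug reset

# Confirm IKE (UDP 500/4500) and ESP (IP protocol 50) actually reach the
# WAN interface; an intermediate device dropping them looks like a PSK
# problem on one side only. 198.51.100.1 is the assumed peer address.
diagnose sniffer packet any 'host 198.51.100.1 and (udp port 500 or udp port 4500 or proto 50)' 4 0 l

# After changing Phase 1/2 settings, force a fresh negotiation.
diagnose vpn ike gateway clear
```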

 

Tip: Policy-based IPsec tunnels have limitations compared to route-based (interface mode) tunnels.

An SSL VPN interface cannot be used in a policy-based IPsec policy, and because no tunnel interface exists, dynamic routing protocols cannot run across the tunnel. If either is a requirement, use a route-based (interface mode) VPN instead.
