FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
FortiSteve_FTNT
Description
The following article will detail how to create an interface-based IPsec VPN. Interface-based VPN's can be easier to manage, as well as troubleshoot, compared to traditional IPsec VPN configuration method.
 
When the VPN is created with a virtual tunnel interface, this interface will be treated like any other physical interface on the unit, and will display in the list of interfaces on the unit. This virtual interface will become useful when defining routes, as well as defining address objects.

Solution

The creation of a interface-based VPN can be broken down into four steps:

1. The creation of your Phase1 and Phase2, ensuring that the Phase1 has been created in 'Interface Mode'
2. Creating an address object for the remote LAN, with the 'interface' defined as the VPN tunnel interface.
3. A static route for the remote LAN, with the 'device' defined as the tunnel interface.
4. Policies to allow the traffic. (VPN>internal, internal>VPN)

To begin, you will first need to create your Phase1, as per the tunnel parameters:
 
FD34522_img01.jpg 
 
When creating the Phase1, be sure to check 'Enable IPsec Interface Mode'. The new tunnel interface will not be created until you have finished your Phase1 parameters, so create everything as you normally would, and be sure to define your 'Local interface' as the external interface that the remote peer will connect to.
 
Once your Phase1 is complete, it will show up in your IPsec list as 'Interface Mode', as opposed to 'Tunnel Mode':
 
FD34522_img02.jpg 
 
Next, you will create your Phase 2, ensuring that the newly created Phase 1 is defined:
 
FD34522_img03.jpg 
 
Once these have been created, you will now create your Address Objects. Because the VPN is in Interface Mode, you can create an address object for the remote peer's LAN, with the 'interface' defined as the Phase1:
 
FD34522_img04.jpg 
 
You may also create an address object for your local LAN, with the 'interface' defined as you internal interface.
 
Next, you will create a static route for the remote LAN, with the 'device' defined as the VPN tunnel interface:
 
FD34522_img05.jpg 
 
Ensure that this route has the same distance/priority as your default route; otherwise, traffic destined for this network may take your default route, as opposed to the tunnel interface.

Once these first three steps have been completed, the only thing left to do is create policies to allow the traffic. You will create two policies, both with an action of 'ACCEPT'. The policies will be as follows:

Source Interface/Zone: VPN Tunnel Interface
Source Address: Remote LAN
Destination Interface/Zone: internal
Destination Address: Local LAN
Schedule: always
Service: ANY
Action: ACCEPT

Source Interface/Zone: internal
Source Address: Local LAN
Destination Interface/Zone: VPN Tunnel Interface
Destination Address: Remote LAN
Schedule: always
Service: ANY
Action: ACCEPT
 
FD34522_img06.jpg 
 
If you are not overlapping subnets, NAT will not be necessary.

Once you have completed these steps, you will be able to go to VPN > Monitor > IPsec and bring up the tunnel.


Contributors