FortiGate
acvaldez
Staff
Article Id 253455
Description

This article describes how to use the exchange-interface-ip feature in a FortiGate IPsec tunnel configuration so that each peer learns the other side's overlay (virtual interface) address.

Scope

FortiGate.

Solution

Scenario:

An overlay IP is configured on the IPsec site-to-site tunnel, but the remote virtual interface address is not visible on FGT B when running diag vpn ike gateway list.

FGT A:

FGT_1 (root) # diag vpn ike gateway list
vd: root/0
name: SiteA-to-SiteB
version: 1
interface: port1 3
addr: 10.47.2.86:500 -> 10.47.1.80:500
tun_id: 10.47.1.80/::10.47.1.80
remote_location: 0.0.0.0
network-id: 0
virtual-interface-addr: 1.1.1.1 -> 1.1.1.2
created: 2028s ago
IKE SA: created 1/1  established 1/1  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

 id/spi: 42 3a5806a029430704/38637eb460746826
 direction: initiator
 status: established 2028-2028s ago = 0ms
 proposal: aes128-sha256
 key: fc443e8594fa5be2-eae13f4db24b4d78
 lifetime/rekey: 86400/84071
 DPD sent/recv: 000000b1/00000000

FGT B:

FGT2 # diag vpn ike gateway list
vd: root/0
name: SiteB-to-SiteA
version: 1
interface: port1 3
addr: 10.47.1.80:500 -> 10.47.2.86:500
tun_id: 10.47.1.42/::10.47.1.42
remote_location: 0.0.0.0
virtual-interface-addr: 1.1.1.2 -> 0.0.0.0
created: 5s ago
IKE SA: created 1/1  established 1/1  time 3010/3010/3010 ms
IPsec SA: created 0/0

 id/spi: 88 c1718e324764386b/d65d4e488943caa3
 direction: responder
 status: established 5-2s ago = 3010ms
 proposal: aes128-sha256
 key: c5a5f3d03a2b9d54-ee76ddcb919e6e3d
 lifetime/rekey: 86400/86127
 DPD sent/recv: 00000000/00000000

Note that on FGT B the remote side of virtual-interface-addr is 0.0.0.0: the peer's overlay address has not been exchanged, and no IPsec SA has been created.

Solution:

Enable exchange-interface-ip on the phase1-interface of both peers.

FGT A:

FGT_1 (root) # config vpn ipsec phase1-interface
FGT_1 (phase1-interface) # edit SiteA-to-SiteB
FGT_1 (SiteA-to-SiteB) # set exchange-interface-ip enable
FGT_1 (SiteA-to-SiteB) # end

FGT B:

FGT2 # config vpn ipsec phase1-interface
FGT2 (phase1-interface) # edit SiteB-to-SiteA
FGT2 (SiteB-to-SiteA) # set exchange-interface-ip enable
FGT2 (SiteB-to-SiteA) # end

Result:

FGT A:

FGT_1 (root) # diag vpn ike gateway list
vd: root/0
name: SiteA-to-SiteB
version: 1
interface: port1 3
addr: 10.47.2.86:500 -> 10.47.1.80:500
tun_id: 10.47.1.80/::10.47.1.80
remote_location: 0.0.0.0
network-id: 0
virtual-interface-addr: 1.1.1.1 -> 1.1.1.2
created: 248s ago
IKE SA: created 1/2  established 1/2  time 0/1505/3010 ms
IPsec SA: created 1/3  established 1/3  time 0/3/10 ms

 id/spi: 44 dd252f768a70b65c/da730f5822a63bd0
 direction: responder
 status: established 62-62s ago = 0ms
 proposal: aes128-sha256
 key: cf2043f5089e030c-a3786083706517b7
 lifetime/rekey: 86400/86067
 DPD sent/recv: 00000000/00000000

FGT B:

FGT2 # diag vpn ike gateway list
vd: root/0
name: SiteB-to-SiteA
version: 1
interface: port1 3
addr: 10.47.1.80:500 -> 10.47.2.86:500
tun_id: 10.47.1.42/::10.47.1.42
remote_location: 0.0.0.0
virtual-interface-addr: 1.1.1.2 -> 1.1.1.1
created: 30s ago
IKE SA: created 1/1  established 1/1  time 3010/3010/3010 ms
IPsec SA: created 0/1  established 0/1  time 0/0/0 ms

 id/spi: 89 dd252f768a70b65c/da730f5822a63bd0
 direction: initiator
 status: established 30-27s ago = 3010ms
 proposal: aes128-sha256
 key: cf2043f5089e030c-a3786083706517b7
 lifetime/rekey: 86400/86072
 DPD sent/recv: 00000000/00000000

FGT B now shows the remote overlay address (virtual-interface-addr: 1.1.1.2 -> 1.1.1.1), and both peers share the same IKE SA (SPI dd252f768a70b65c/da730f5822a63bd0).
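The symptom in the scenario above and the corrected result are easy to check by hand on two tunnels, but not across a fleet of FortiGates. The following is an added example (not part of this article and not Fortinet code) that parses the text of diag vpn ike gateway list and flags gateways whose remote overlay address is still 0.0.0.0, which is the sign that exchange-interface-ip is not enabled on one or both peers. The two sample listings are the FGT B output from this article, before and after the fix, trimmed to the fields the parser reads; the field names, the arrow layout of addr and virtual-interface-addr, and the "created x/y" counters are taken as they appear in the article.

```python
"""Check 'diag vpn ike gateway list' output for an overlay address that the
peer has not shared (virtual-interface-addr ending in 0.0.0.0).

Added example for this article, not Fortinet code. The two sample listings
below are the article's FGT B output before and after
'set exchange-interface-ip enable' was applied on both peers, trimmed to the
fields this parser reads.
"""
import re
from dataclasses import dataclass

# Sample listing from the article (FGT B, SiteB-to-SiteA) before the fix.
FGTB_BEFORE = """\
vd: root/0
name: SiteB-to-SiteA
addr: 10.47.1.80:500 -> 10.47.2.86:500
virtual-interface-addr: 1.1.1.2 -> 0.0.0.0
IKE SA: created 1/1  established 1/1  time 3010/3010/3010 ms
IPsec SA: created 0/0
"""

# Same gateway after exchange-interface-ip was enabled on both peers.
FGTB_AFTER = """\
vd: root/0
name: SiteB-to-SiteA
addr: 10.47.1.80:500 -> 10.47.2.86:500
virtual-interface-addr: 1.1.1.2 -> 1.1.1.1
IKE SA: created 1/1  established 1/1  time 3010/3010/3010 ms
IPsec SA: created 0/1  established 0/1  time 0/0/0 ms
"""

# "created <current>/<total>" with an optional "established <current>/<total>".
SA_COUNTS = re.compile(r"created (\d+)/(\d+)(?:\s+established (\d+)/(\d+))?")


@dataclass
class Gateway:
    name: str
    local_addr: str = ""
    remote_addr: str = ""
    local_overlay: str = ""
    remote_overlay: str = ""
    ike_sa_total: int = 0     # second number of "IKE SA: created x/y"
    ipsec_sa_total: int = 0   # second number of "IPsec SA: created x/y"


def _split_arrow(value):
    """'a -> b' becomes ('a', 'b')."""
    left, _, right = value.partition("->")
    return left.strip(), right.strip()


def parse_gateway_list(text):
    """Return one Gateway per 'name:' block; lines not needed are skipped."""
    gateways = []
    current = None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "name":
            current = Gateway(name=value)
            gateways.append(current)
        elif current is None:
            continue
        elif key == "addr":
            current.local_addr, current.remote_addr = _split_arrow(value)
        elif key == "virtual-interface-addr":
            current.local_overlay, current.remote_overlay = _split_arrow(value)
        elif key in ("IKE SA", "IPsec SA"):
            m = SA_COUNTS.search(value)
            if m:
                total = int(m.group(2))
                if key == "IKE SA":
                    current.ike_sa_total = total
                else:
                    current.ipsec_sa_total = total
    return gateways


def find_problems(gw):
    """List the findings for one gateway; an empty list means nothing to fix."""
    problems = []
    if gw.local_overlay and gw.local_overlay != "0.0.0.0" and gw.remote_overlay == "0.0.0.0":
        problems.append(
            "peer overlay address not learned (virtual-interface-addr %s -> 0.0.0.0); "
            "enable 'set exchange-interface-ip enable' on both phase1-interface entries"
            % gw.local_overlay)
    if gw.ipsec_sa_total == 0:
        problems.append("no IPsec SA has been created yet")
    return problems


def report(text):
    """Map each tunnel name in the listing to its list of findings."""
    return {gw.name: find_problems(gw) for gw in parse_gateway_list(text)}


if __name__ == "__main__":
    for label, listing in (("before", FGTB_BEFORE), ("after", FGTB_AFTER)):
        for name, problems in report(listing).items():
            print(f"[{label}] {name}: {problems or 'OK'}")
```

Feed report() the captured output of the command from each FortiGate (for example, collected over SSH by your existing automation); a gateway whose remote overlay reads 0.0.0.0 while its own overlay is set is the case the article fixes, and the check is one-sided on purpose, since the peer that still has the address of the other side may look healthy while the other does not.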