syordanov
Staff
Article Id 344806
Description This article describes how to configure an IPsec tunnel between two FortiGates using loopback interfaces as the tunnel endpoints.
Scope FortiGate v6.4, v7.0, v7.2, v7.4, v7.6.
Solution
(Topology diagram: loopbac_diagram.PNG)

  • FG-1 with loopback interface 10.10.9.1.
  • FG-2 with loopback interface 10.10.11.1.
  • The IPsec tunnel between both devices is bound to the loopback interfaces.
  • Port1 on each FortiGate is used for the internet connection.

Configuration:

  • Firewall policies on each FortiGate allowing traffic between the loopback interface and port1.
  • A static route for the remote loopback IP on each FortiGate.
  • Firewall policies allowing traffic between the local and remote encryption domains.
  • A static route for the remote encryption domain via the tunnel interface.

FG-1 loopback interface:

config system interface
    edit "loopback_FG1"
        set vdom "root"
        set ip 10.10.9.1 255.255.255.255
        set allowaccess ping https http
        set type loopback
        set role lan
        set snmp-index 16
        set ip-managed-by-fortiipam disable
    next
end

FG-1 static route to the remote loopback (the IPsec endpoint on FG-2), reached via port1:

config router static
    edit 1
        set dst 10.10.11.1 255.255.255.255
        set gateway 192.168.1.113
        set device "port1"
    next
end

FG-1 firewall policy allowing traffic between loopback_FG1 and port1 in both directions. Only ESP (IP protocol 50) and IKE (UDP 500) are permitted; if NAT-T is used, UDP 4500 must be added to the service list:

config firewall policy
    edit 2
        set name "Traffic_for_loopback_IPSEC"
        set uuid f5a16342-7b79-51ef-6e44-02c65af6bb78
        set srcintf "loopback_FG1" "port1"
        set dstintf "loopback_FG1" "port1"
        set action accept
        set srcaddr "h-10.10.11.1-32" "h-10.10.9.1-32"
        set dstaddr "h-10.10.9.1-32" "h-10.10.11.1-32"
        set schedule "always"
        set service "ESP" "IKE"
    next
end

FG-1 IPsec phase-1 configuration, bound to the loopback and pointing at the loopback address of FG-2:

config vpn ipsec phase1-interface
    edit "IPsec_to_FG2"
        set interface "loopback_FG1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256
        set remote-gw 10.10.11.1
        set psksecret XXXX
    next
end

FG-2 loopback interface:

config system interface
    edit "loopback_FG2"
        set vdom "root"
        set ip 10.10.11.1 255.255.255.255
        set allowaccess ping https ssh snmp http fgfm ftm
        set type loopback
        set role lan
        set snmp-index 16
        set ip-managed-by-fortiipam disable
    next
end

FG-2 static route to the remote loopback (the IPsec endpoint on FG-1), reached via port1:

config router static
    edit 1
        set dst 10.10.9.1 255.255.255.255
        set gateway 192.168.1.117
        set device "port1"
    next
end

FG-2 firewall policy allowing traffic between loopback_FG2 and port1 in both directions. Only ESP (IP protocol 50) and IKE (UDP 500) are permitted; if NAT-T is used, UDP 4500 must be added to the service list:

config firewall policy
    edit 1
        set name "Loopback_traffic"
        set uuid f36aa980-7bce-51ef-b6ec-5fb2dd7121d3
        set srcintf "loopback_FG2" "port1"
        set dstintf "loopback_FG2" "port1"
        set action accept
        set srcaddr "h-10.10.9.1-32" "h-10.10.11.1-32"
        set dstaddr "h-10.10.11.1-32" "h-10.10.9.1-32"
        set schedule "always"
        set service "ESP" "IKE"
    next
end

FG-2 IPsec phase-1 configuration, bound to the loopback and pointing at the loopback address of FG-1:

config vpn ipsec phase1-interface
    edit "IPsec_to_FG1"
        set interface "loopback_FG2"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256
        set remote-gw 10.10.9.1
        set psksecret ENC XXXX
    next
end

As with any IPsec tunnel, firewall policies between the local and remote encryption domains and a static route for the remote encryption domain via the tunnel interface are also required.


FG-1 static route for the remote encryption domain via the tunnel interface, and firewall policy for the traffic carried inside the tunnel:

config router static
    edit 2
        set dst 192.168.200.0 255.255.255.0
        set device "IPsec_to_FG2"
    next
end

config firewall policy
    edit 3
        set name "IPSec_rules"
        set uuid ef3a8ed8-7b7a-51ef-3a3c-ef366951d68d
        set srcintf "IPsec_to_FG2" "port2"
        set dstintf "IPsec_to_FG2" "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end

FG-2 static route for the remote encryption domain via the tunnel interface, and firewall policy for the traffic carried inside the tunnel:

config router static
    edit 4
        set dst 192.168.201.0 255.255.255.0
        set device "IPsec_to_FG1"
    next
end

config firewall policy
    edit 2
        set name "IPsec_rule"
        set uuid 72a34e28-7bcf-51ef-586b-9eecbe1fe9e8
        set srcintf "port2" "IPsec_to_FG1"
        set dstintf "IPsec_to_FG1" "port2"
        set action accept
        set srcaddr "h-192.168.200.0-24" "h-192.168.201.0-24"
        set dstaddr "h-192.168.200.0-24" "h-192.168.201.0-24"
        set schedule "always"
        set service "ALL"
    next
end
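
To confirm the loopback-tunnel checklist on both devices before bringing the tunnel up, the following added Python example (not from the article or Fortinet) parses FortiOS CLI snippets and verifies that phase1 binds to a loopback, that remote-gw is the peer's loopback, that a /32 route to it leaves via port1, and that a loopback/port1 policy permits IKE and ESP. The sample_config snippets are constructed from the article's values; the service names passed in `services` are assumed to be whatever objects the administrator defined (including the UDP 4500 object when NAT-T is used).

```python
# Added example (not from the article): parse FortiOS CLI and verify the loopback-tunnel checklist.
import re
def parse_fortios(text):
    """config/edit/set/next/end blocks -> {table: {entry: {key: [values]}}}."""
    tables, stack = {}, []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("config "):
            stack.append((stack[-1] if stack else tables).setdefault(line[7:], {}))
        elif line.startswith("edit "):
            stack.append(stack[-1].setdefault(line[5:].strip('"'), {}))
        elif line.startswith("set "):
            key, _, rest = line[4:].partition(" ")
            stack[-1][key] = [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', rest)]
        elif line in ("next", "end"):
            stack.pop()
    return tables

def check_loopback_tunnel(local_cfg, peer_cfg, services=("IKE", "ESP")):
    """Problems on the local side (empty list = OK); add the UDP 4500 service object when NAT-T is used."""
    local, peer = parse_fortios(local_cfg), parse_fortios(peer_cfg)
    peer_lo = next(e["ip"][0] for e in peer["system interface"].values() if e.get("type") == ["loopback"])
    p1 = next(iter(local["vpn ipsec phase1-interface"].values()))
    lo, problems = p1["interface"][0], []
    if local["system interface"].get(lo, {}).get("type") != ["loopback"]:
        problems.append(f"phase1 binds to {lo}, which is not a loopback")
    if p1.get("remote-gw") != [peer_lo]:
        problems.append(f"remote-gw {p1.get('remote-gw')} is not the peer loopback {peer_lo}")
    # The peer loopback is only reachable through the uplink, so a /32 route via port1 is required.
    if not any(r.get("dst") == [peer_lo, "255.255.255.255"] and r.get("device") == ["port1"]
               for r in local["router static"].values()):
        problems.append(f"no /32 static route to {peer_lo} via port1")
    # IKE and ESP must be accepted between the loopback and port1 in both directions.
    missing = set(services)
    for pol in local["firewall policy"].values():
        if {lo, "port1"} <= set(pol["srcintf"] + pol["dstintf"]) and pol.get("action") == ["accept"]:
            missing -= set(pol.get("service", []))
    if missing:
        problems.append(f"no loopback/port1 policy permitting {sorted(missing)}")
    return problems

def sample_config(lo, lo_ip, peer_ip, gw, tunnel, services='"ESP" "IKE"'):
    """Constructed sample input mirroring the article's FG-1/FG-2 values."""
    return (f'config system interface\n edit "{lo}"\n set ip {lo_ip} 255.255.255.255\n set type loopback\n next\nend\n'
            f'config router static\n edit 1\n set dst {peer_ip} 255.255.255.255\n set gateway {gw}\n set device "port1"\n next\nend\n'
            f'config firewall policy\n edit 1\n set srcintf "{lo}" "port1"\n set dstintf "{lo}" "port1"\n'
            f' set action accept\n set service {services}\n next\nend\n'
            f'config vpn ipsec phase1-interface\n edit "{tunnel}"\n set interface "{lo}"\n set remote-gw {peer_ip}\n next\nend\n')

FG1 = sample_config("loopback_FG1", "10.10.9.1", "10.10.11.1", "192.168.1.113", "IPsec_to_FG2")
FG2 = sample_config("loopback_FG2", "10.10.11.1", "10.10.9.1", "192.168.1.117", "IPsec_to_FG1")
```

Run `check_loopback_tunnel(FG1, FG2)` and `check_loopback_tunnel(FG2, FG1)`; both return an empty list for the article's configuration, and any dropped route, wrong remote-gw or missing service shows up as a named problem.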
FG-1 phase-1/phase-2 status (output of diagnose vpn ike gateway list, followed by diagnose vpn tunnel list):

vd: root/0
name: IPsec_to_FG2
version: 2
interface: 0
addr: 10.10.9.1:500 -> 10.10.11.1:500
tun_id: 10.10.11.1/::10.10.11.1
remote_location: 0.0.0.0
network-id: 0
transport: UDP
created: 51312s ago
peer-id: 10.10.11.1
peer-id-auth: no
pending-queue: 0
PPK: no
IKE SA: created 1/2 established 1/1 time 10/10/10 ms
IPsec SA: created 1/4 established 1/3 time 0/0/0 ms

id/spi: 66 ab6676e60cc712c8/95ca53fb7b92420d
direction: responder
status: established 51289-51289s ago = 10ms
proposal: aes128-sha256
child: no
SK_ei: d0551876481f6da6-a0ff7446a19964c2
SK_er: 254d54d4be17e084-a0b0aba1d3f710b5
SK_ai: f2a7df4e691d90c7-c5927297fadda91d-fd30a36b92b6ede4-d63b237f30193836
SK_ar: fafd6c0df23f6cdb-c3c674f6971dfad3-031950961ca2e44b-c7498d752ab6b3d3
PPK: no
message-id sent/recv: 3/6
QKD: no
lifetime/rekey: 86400/34840
DPD sent/recv: 00000000/00000000
peer-id: 10.10.11.1
name=IPsec_to_FG2 ver=2 serial=2 10.10.9.1:0->10.10.11.1:0 nexthop=192.168.1.113 tun_id=10.10.11.1 tun_id6=::10.10.11.1 status=up dst_mtu=1500 weight=1
bound_if=0 real_if=3 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=4 ilast=50234 olast=50234 ad=/0
stat: rxp=1000 txp=943 rxb=84000 txb=79212
dpd: mode=on-demand on=1 status=ok idle=20000ms retry=3 count=0 seqno=10
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=IPsec_to_FG2 proto=0 sa=1 ref=2 serial=1 auto-negotiate
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
SA: ref=3 options=38203 type=00 soft=0 mtu=1438 expire=34535/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42902/43200
dec: spi=6c2ea39b esp=aes key=16 a71f0120828076bf7de0255ab89056a5
ah=sha1 key=20 01f5764a2d5964102274ba633c4a1c7f47efbf6b
enc: spi=ea345265 esp=aes key=16 de9e1f65afb7122f1e7901a8569accd0
ah=sha1 key=20 0d5aa05d33a759dc4f98d5695c196864c9b9a849
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
npu_flag=00 npu_rgwy=10.10.11.1 npu_lgwy=10.10.9.1 npu_selid=0 dec_npuid=0 enc_npuid=0

FG-2 phase-1/phase-2 status (output of diagnose vpn ike gateway list, followed by diagnose vpn tunnel list):

vd: root/0
name: IPsec_to_FG1
version: 2
interface: 0
addr: 10.10.11.1:500 -> 10.10.9.1:500
tun_id: 10.10.9.1/::10.10.9.1
remote_location: 0.0.0.0
network-id: 0
transport: UDP
created: 51370s ago
peer-id: 10.10.9.1
peer-id-auth: no
pending-queue: 0
PPK: no
IKE SA: created 1/1 established 1/1 time 10/10/10 ms
IPsec SA: created 1/3 established 1/3 time 0/3/10 ms

id/spi: 48 ab6676e60cc712c8/95ca53fb7b92420d
direction: initiator
status: established 51370-51370s ago = 10ms
proposal: aes128-sha256
child: no
SK_ei: d0551876481f6da6-a0ff7446a19964c2
SK_er: 254d54d4be17e084-a0b0aba1d3f710b5
SK_ai: f2a7df4e691d90c7-c5927297fadda91d-fd30a36b92b6ede4-d63b237f30193836
SK_ar: fafd6c0df23f6cdb-c3c674f6971dfad3-031950961ca2e44b-c7498d752ab6b3d3
PPK: no
message-id sent/recv: 6/3
QKD: no
lifetime/rekey: 86400/34729
DPD sent/recv: 00000003/00000003
peer-id: 10.10.9.1
name=IPsec_to_FG1 ver=2 serial=3 10.10.11.1:0->10.10.9.1:0 nexthop=192.168.1.117 tun_id=10.10.9.1 tun_id6=::10.10.9.1 status=up dst_mtu=1500 weight=1
bound_if=0 real_if=3 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=4 ilast=50347 olast=50347 ad=/0
stat: rxp=943 txp=1000 rxb=79212 txb=84000
dpd: mode=on-demand on=1 status=ok idle=20000ms retry=3 count=0 seqno=3
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=IPsec_to_FG1 proto=0 sa=1 ref=2 serial=2 auto-negotiate
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
SA: ref=3 options=38203 type=00 soft=0 mtu=1438 expire=34452/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42932/43200
dec: spi=ea345265 esp=aes key=16 de9e1f65afb7122f1e7901a8569accd0
ah=sha1 key=20 0d5aa05d33a759dc4f98d5695c196864c9b9a849
enc: spi=6c2ea39b esp=aes key=16 a71f0120828076bf7de0255ab89056a5
ah=sha1 key=20 01f5764a2d5964102274ba633c4a1c7f47efbf6b
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
npu_flag=00 npu_rgwy=10.10.9.1 npu_lgwy=10.10.11.1 npu_selid=3 dec_npuid=0 enc_npuid=0