Description | This article describes how to configure an IPsec tunnel between two FortiGates using loopback interfaces as the tunnel endpoints. |
Scope | FortiGate v6.4, v7.0, v7.2, v7.4, v7.6. |
Solution |
Configuration:
FG-1 loopback interface:
config system interface
    edit "loopback_FG1"
        set vdom "root"
        set ip 10.10.9.1 255.255.255.255
        set allowaccess ping https http
        set type loopback
        set role lan
        set snmp-index 16
        set ip-managed-by-fortiipam disable
    next
end
FG-1 static route to the remote loopback on FG-2, pointing at the next hop on port1:
config router static
    edit 1
        set dst 10.10.11.1 255.255.255.255
        set gateway 192.168.1.113
        set device "port1"
    next
end
FG-1 firewall policy allowing traffic between loopback_FG1 and port1 in both directions. Only ESP (IP protocol 50) and IKE (UDP 500) are permitted; if NAT-T is in use, UDP 4500 (IKE NAT-T) must be added as well. Source and destination addresses are limited to the two loopback /32 address objects.
config firewall policy
    edit 2
        set name "Traffic_for_loopback_IPSEC"
        set uuid f5a16342-7b79-51ef-6e44-02c65af6bb78
        set srcintf "loopback_FG1" "port1"
        set dstintf "loopback_FG1" "port1"
        set action accept
        set srcaddr "h-10.10.11.1-32" "h-10.10.9.1-32"
        set dstaddr "h-10.10.9.1-32" "h-10.10.11.1-32"
        set schedule "always"
        set service "ESP" "IKE"
    next
end
FG-1 IPsec phase-1/phase-2 configuration: the complete phase1-interface, phase2-interface and tunnel static-route configuration for FG-1 is listed at the end of this article.
FG-2 loopback interface:
config system interface
    edit "loopback_FG2"
        set vdom "root"
        set ip 10.10.11.1 255.255.255.255
        set allowaccess ping https ssh snmp http fgfm ftm
        set type loopback
        set role lan
        set snmp-index 16
        set ip-managed-by-fortiipam disable
    next
end
No allowaccess entry is needed on the loopback for the tunnel itself (IKE and ESP are handled by the IPsec engine, not by administrative access). Traffic from port1 to the loopback address is subject to the firewall policy below, so the ESP/IKE-only policy is what keeps the listed management services out of reach; still, enable only the services that are actually required.
FG-2 static route to the remote loopback on FG-1, pointing at the next hop on port1:
config router static
    edit 1
        set dst 10.10.9.1 255.255.255.255
        set gateway 192.168.1.117
        set device "port1"
    next
end
10.10.9.1 is the loopback interface on FG-1.
FG-2 firewall policy allowing traffic between loopback_FG2 and port1 in both directions. Only ESP (IP protocol 50) and IKE (UDP 500) are permitted; if NAT-T is in use, UDP 4500 (IKE NAT-T) must be added as well.
config firewall policy
    edit 1
        set name "Loopback_traffic"
        set uuid f36aa980-7bce-51ef-b6ec-5fb2dd7121d3
        set srcintf "loopback_FG2" "port1"
        set dstintf "loopback_FG2" "port1"
        set action accept
        set srcaddr "h-10.10.9.1-32" "h-10.10.11.1-32"
        set dstaddr "h-10.10.11.1-32" "h-10.10.9.1-32"
        set schedule "always"
        set service "ESP" "IKE"
    next
end
FG-2 IPsec phase-1/phase-2 configuration: the complete phase1-interface, phase2-interface and tunnel static-route configuration for FG-2 is listed at the end of this article.
As with any IPsec tunnel, a static route for the remote encryption domain over the tunnel interface and a firewall policy between the local and remote encryption domains are also required.
FG-1 static route and firewall policy for the traffic carried by the tunnel:
config router static
    edit 2
        set dst 192.168.200.0 255.255.255.0
        set device "IPsec_to_FG2"
    next
end
config firewall policy
    edit 3
        set name "IPsec_rules"
        set uuid ef3a8ed8-7b7a-51ef-3a3c-ef366951d68d
        set srcintf "IPsec_to_FG2" "port2"
        set dstintf "IPsec_to_FG2" "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end
This policy is wide open (all/all/ALL). In production, scope it to the local and remote encryption domains, as the FG-2 policy below does.
FG-2 static route and firewall policy for the traffic carried by the tunnel:
config router static
    edit 4
        set dst 192.168.201.0 255.255.255.0
        set device "IPsec_to_FG1"
    next
end
config firewall policy
    edit 2
        set name "IPsec_rule"
        set uuid 72a34e28-7bcf-51ef-586b-9eecbe1fe9e8
        set srcintf "port2" "IPsec_to_FG1"
        set dstintf "IPsec_to_FG1" "port2"
        set action accept
        set srcaddr "h-192.168.200.0-24" "h-192.168.201.0-24"
        set dstaddr "h-192.168.200.0-24" "h-192.168.201.0-24"
        set schedule "always"
        set service "ALL"
    next
end
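The two policy rules above (loopback-to-underlay restricted to IKE/ESP, encryption-domain policy scoped to the real subnets) are easy to check mechanically on a config backup. The following script is an added example, not part of the Fortinet article: it parses the text form of config firewall policy and reports loopback policies that pass more than IKE/ESP (plus NAT-T when enabled) and encryption-domain policies that are all/all/ALL. The custom service name "IKE-NATT" for UDP 4500 and the sample config are assumptions; the sample mirrors the FG-1 policies shown above.

```python
"""Lint the FortiOS firewall policies around a loopback-terminated IPsec tunnel.

Added example (not Fortinet code). Parses 'config firewall policy' text as
printed by 'show firewall policy' or found in a config backup.
"""
import re
from dataclasses import dataclass, field

TUNNEL_CONTROL_SERVICES = {"IKE", "ESP"}   # UDP 500 and IP protocol 50
NAT_T_SERVICE = "IKE-NATT"                  # hypothetical object for UDP 4500


@dataclass
class Policy:
    pid: str
    name: str = ""
    action: str = "deny"
    srcintf: set = field(default_factory=set)
    dstintf: set = field(default_factory=set)
    srcaddr: set = field(default_factory=set)
    dstaddr: set = field(default_factory=set)
    service: set = field(default_factory=set)


def parse_policies(text):
    """Return one Policy per 'edit <id> ... next' block."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^edit\s+(\d+)$", line)
        if m:
            cur = Policy(pid=m.group(1))
            continue
        if cur is None:
            continue
        if line == "next":
            policies.append(cur)
            cur = None
            continue
        m = re.match(r"^set\s+(\S+)\s+(.*)$", line)
        if not m:
            continue
        key = m.group(1)
        # values are either "quoted" or bare tokens
        values = {q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', m.group(2))}
        if key in ("srcintf", "dstintf", "srcaddr", "dstaddr", "service"):
            getattr(cur, key).update(values)
        elif key in ("name", "action"):
            setattr(cur, key, next(iter(values)))
    return policies


def lint(text, loopback, underlay, nat_t=False):
    """Return (policy id, finding) tuples; an empty list means no issue found."""
    allowed = TUNNEL_CONTROL_SERVICES | ({NAT_T_SERVICE} if nat_t else set())
    findings = []
    for p in parse_policies(text):
        if p.action != "accept":
            continue
        on_loopback = loopback in p.srcintf or loopback in p.dstintf
        on_underlay = underlay in p.srcintf or underlay in p.dstintf
        if on_loopback and on_underlay:
            # only the tunnel's own control/data plane belongs here
            extra = p.service - allowed
            if extra:
                findings.append((p.pid, f"loopback policy also allows {sorted(extra)}"))
            if nat_t and NAT_T_SERVICE not in p.service:
                findings.append((p.pid, "NAT-T in use but UDP 4500 is not permitted"))
            if "all" in p.srcaddr or "all" in p.dstaddr:
                findings.append((p.pid, "loopback policy should be limited to the two loopback /32s"))
        elif "all" in p.srcaddr and "all" in p.dstaddr and "ALL" in p.service:
            findings.append((p.pid, "encryption-domain policy is all/all/ALL; scope it to the local and remote subnets"))
    return findings


# Constructed sample mirroring the FG-1 policies in the article.
SAMPLE_FG1_POLICIES = """
config firewall policy
    edit 2
        set name "Traffic_for_loopback_IPSEC"
        set srcintf "loopback_FG1" "port1"
        set dstintf "loopback_FG1" "port1"
        set action accept
        set srcaddr "h-10.10.11.1-32" "h-10.10.9.1-32"
        set dstaddr "h-10.10.9.1-32" "h-10.10.11.1-32"
        set schedule "always"
        set service "ESP" "IKE"
    next
    edit 3
        set name "IPsec_rules"
        set srcintf "IPsec_to_FG2" "port2"
        set dstintf "IPsec_to_FG2" "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end
"""

if __name__ == "__main__":
    for pid, msg in lint(SAMPLE_FG1_POLICIES, "loopback_FG1", "port1"):
        print(f"policy {pid}: {msg}")
```

Run against the sample, the loopback policy (2) passes and the encryption-domain policy (3) is flagged; with nat_t=True policy 2 is additionally flagged for the missing UDP 4500 service, which is the case the text warns about.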
FG-1 phase-1/phase-2 status (excerpts from diagnose vpn ike gateway list and diagnose vpn tunnel list):
vd: root/0 id/spi: 66 ab6676e60cc712c8/95ca53fb7b92420d
name=IPsec_to_FG2 ver=2 serial=2 10.10.9.1:0->10.10.11.1:0 nexthop=192.168.1.113 tun_id=10.10.11.1 tun_id6=::10.10.11.1 status=up dst_mtu=1500 weight=1 proxyid_num=1 child_num=0 refcnt=4 ilast=50234 olast=50234 ad=/0
FG-2 phase-1/phase-2 status (same commands):
vd: root/0 id/spi: 48 ab6676e60cc712c8/95ca53fb7b92420d
name=IPsec_to_FG1 ver=2 serial=3 10.10.11.1:0->10.10.9.1:0 nexthop=192.168.1.117 tun_id=10.10.9.1 tun_id6=::10.10.9.1 status=up dst_mtu=1500 weight=1 proxyid_num=1 child_num=0 refcnt=4 ilast=50347 olast=50347 ad=/0
On both units the tunnel source and destination are the loopback addresses (10.10.9.1 and 10.10.11.1), the IKE SPIs match, and the next hop is the port1 gateway from the static route. This confirms that the tunnel is anchored on the loopbacks rather than on the port1 address.
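The status check above can be scripted so that the expected properties (tunnel up, endpoints are the two loopbacks, next hop is the underlay gateway) are asserted rather than eyeballed. The following is an added example, not Fortinet's own code: it parses the name=... line of a diagnose vpn tunnel list dump and compares it against the intended design. The sample dump is constructed after the FG-1 output shown above.

```python
"""Verify a 'diagnose vpn tunnel list' entry against the loopback design.

Added example (not Fortinet code). Parses the 'name=<tunnel> ...' line and
checks status, IKE endpoints and next hop.
"""
import re

# Constructed sample dump modelled on the FG-1 status output in the article.
SAMPLE_FG1_DUMP = """list all ipsec tunnel in vd 0
------------------------------------------------------
name=IPsec_to_FG2 ver=2 serial=2 10.10.9.1:0->10.10.11.1:0 nexthop=192.168.1.113 tun_id=10.10.11.1 tun_id6=::10.10.11.1 status=up dst_mtu=1500 weight=1 proxyid_num=1 child_num=0 refcnt=4 ilast=50234 olast=50234 ad=/0
"""

ENDPOINTS = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+)->(\d+\.\d+\.\d+\.\d+):(\d+)")


def find_tunnel(output, name):
    """Pick the 'name=<name> ...' line out of a full dump."""
    for line in output.splitlines():
        if line.strip().startswith(f"name={name} "):
            return line.strip()
    raise LookupError(f"tunnel {name} not found")


def parse_tunnel_line(line):
    """Turn 'key=value' tokens into a dict and split the src->dst token."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    m = ENDPOINTS.search(line)
    if not m:
        raise ValueError("no src->dst endpoint token found")
    fields["src"], fields["dst"] = m.group(1), m.group(3)
    return fields


def verify_tunnel(line, local_loopback, remote_loopback, underlay_gw):
    """Return a list of problems; an empty list means the tunnel matches the design."""
    t = parse_tunnel_line(line)
    name = t.get("name", "?")
    problems = []
    if t.get("status") != "up":
        problems.append(f"{name}: status is {t.get('status')}, not up")
    if t["src"] != local_loopback:
        problems.append(f"{name}: IKE source {t['src']}, expected local loopback {local_loopback}")
    if t["dst"] != remote_loopback:
        problems.append(f"{name}: IKE peer {t['dst']}, expected remote loopback {remote_loopback}")
    if t.get("nexthop") != underlay_gw:
        problems.append(f"{name}: nexthop {t.get('nexthop')}, expected underlay gateway {underlay_gw}")
    return problems


if __name__ == "__main__":
    entry = find_tunnel(SAMPLE_FG1_DUMP, "IPsec_to_FG2")
    for problem in verify_tunnel(entry, "10.10.9.1", "10.10.11.1", "192.168.1.113"):
        print(problem)
```

If a tunnel were terminated on the port1 address instead of the loopback, the src field would carry that address and the check would report it even though status=up.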
FG-1 phase-1, phase-2 and tunnel static-route configuration:
config vpn ipsec phase1-interface
    edit "IPsec_to_FG2"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256
        set dpd on-idle
        set remote-gw 18.74.X.X   <- Public remote gateway of FG-2.
        set psksecret ENC XXXXXXXXXXXX
    next
end
config vpn ipsec phase2-interface
    edit "IPsec_to_FG2"
        set phase1name "IPsec_to_FG2"
        set proposal aes128-sha1 aes256-sha1
        set src-subnet 10.10.9.1 255.255.255.255   <- Local loopback of FG-1.
        set dst-subnet 10.10.11.1 255.255.255.255   <- Remote loopback of FG-2.
    next
end
config router static
    edit 2
        set dst 10.10.11.1 255.255.255.255   <- Remote loopback interface of FG-2.
        set device "IPsec_to_FG2"
    next
end
FG-2 phase-1, phase-2 and tunnel static-route configuration:
config vpn ipsec phase1-interface
    edit "IPsec_to_FG1"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256
        set dpd on-idle
        set remote-gw 18.178.X.X   <- Public remote gateway of FG-1.
        set psksecret ENC XXXXXXXXXX
    next
end
config vpn ipsec phase2-interface
    edit "IPsec_to_FG1"
        set phase1name "IPsec_to_FG1"
        set proposal aes128-sha1 aes256-sha1
        set src-subnet 10.10.11.1 255.255.255.255   <- Local loopback interface of FG-2.
        set dst-subnet 10.10.9.1 255.255.255.255   <- Remote loopback interface of FG-1.
    next
end
config router static
    edit 4
        set dst 10.10.9.1 255.255.255.255   <- Remote loopback interface of FG-1.
        set device "IPsec_to_FG1"
    next
end
Two points to check before copying these listings. First, phase 2 is shown with SHA-1 HMAC proposals (aes128-sha1 aes256-sha1); prefer aes128-sha256 aes256-sha256, matching the phase-1 proposals. Second, in these listings the phase-1 remote gateway is the peer's public address on port1, the loopback /32s appear as phase-2 selectors, and the route to the remote loopback points into the tunnel interface, whereas the status output above shows a tunnel whose IKE endpoints are the loopbacks themselves with the route to the remote loopback via port1. A unit should carry only one of the two routes to the same loopback /32 (via port1 or via the tunnel interface), according to which design is deployed.
Copyright 2025 Fortinet, Inc. All Rights Reserved.