FortiGate
amarinos_FTNT
Article Id 229596

Description

This article explains how to use static IPSec tunnels with FGSP.

Scope

FortiGate; FGSP static IPSec tunnel configuration and explanation, applicable to all FortiOS versions.

Solution

Static tunnels with FGSP configuration require set passive-mode enable in the IPSec phase1-interface configuration to function correctly.

If an IPSec tunnel negotiates with the remote peer as the initiator, IPSec has no way of knowing which FGSP member is the master and which is the slave, so problems occur because the negotiation comes from the same IP address on each member.

Note that passive mode applies only to phase 1 (the IKE SA). As long as the IKE SA is up, traffic can be forwarded from both sides. If the remote peer can act as the IPSec initiator, the IPSec service is not impacted once the negotiation completes. While IPSec is up, the tunnel can be kept up indefinitely and used for forwarding traffic.

The following is an example configuration for static IPSec:

config vpn ipsec phase1-interface
    edit "IPSec"
        set interface "outside"
        set ike-version 2
        set local-gw 10.10.10.10
        set authmethod signature
        set proposal aes256-sha256
        set localid "ipsec.fortinet.local"
        set localid-type fqdn
        set dhgrp 14
        set passive-mode enable
        set remote-gw 10.20.20.20
        set certificate "ipsec@fortinet.local-cert"
        set peer "fortinet.local.root"
    next
end
config vpn ipsec phase2-interface
    edit "IPSec"
        set phase1name "IPSec"
        set proposal aes256-sha256
        set dhgrp 14
        set replay disable
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 172.16.0.0 255.255.255.0
    next
end
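As an added check that is not part of the article or of FortiOS, the following Python script parses the phase1-interface blocks of a FortiOS configuration export and lists the static tunnels (those with a remote-gw and a type other than dynamic) that lack set passive-mode enable. The embedded sample configuration is constructed for the example, and it assumes the FortiOS defaults of type static and passive-mode disable when those settings are absent.

```python
from typing import Dict, List

# Constructed sample configuration (not the article's): two static tunnels,
# one of them missing "set passive-mode enable", plus one dialup tunnel.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "IPSec"
        set interface "outside"
        set local-gw 10.10.10.10
        set passive-mode enable
        set remote-gw 10.20.20.20
    next
    edit "IPSec-2"
        set local-gw 10.10.10.10
        set remote-gw 10.30.30.30
    next
    edit "dialup"
        set type dynamic
    next
end
"""

def parse_phase1(cfg: str) -> Dict[str, Dict[str, str]]:
    """Return {tunnel_name: {setting: value}} for every phase1-interface entry."""
    tunnels: Dict[str, Dict[str, str]] = {}
    in_block, current = False, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line == "config vpn ipsec phase1-interface":
            in_block = True
        elif in_block and line == "end":
            in_block = False
        elif in_block and line.startswith("edit "):
            current = line[5:].strip().strip('"')
            tunnels[current] = {}
        elif in_block and line == "next":
            current = None
        elif in_block and current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            tunnels[current][key] = value.strip().strip('"')
    return tunnels

def missing_passive_mode(cfg: str) -> List[str]:
    """Static tunnels (remote-gw set, type not dynamic) lacking passive-mode enable."""
    return sorted(
        name for name, s in parse_phase1(cfg).items()
        if "remote-gw" in s and s.get("type", "static") != "dynamic"
        and s.get("passive-mode", "disable") != "enable"
    )
```

Run it against `show vpn ipsec phase1-interface` output from each FGSP member; any tunnel it reports is one whose IKE negotiation may be started by either member.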