FortiGate
vvarangoulis
Staff
Article Id 225370
Description This article describes how both sides of an IPsec tunnel need to be configured for the tunnel to come up when a Postquantum Preshared Key (PPK) is used.
Scope Basic configuration of an IPsec tunnel between two FortiGates with PPK enabled.
Solution

One side of the tunnel needs to be configured as dynamic (the hub) and the other side as static (the spoke). The dynamic side additionally needs a local user account that carries the PPK secret:

# config user local
    edit <name>
        set type password
        set ppk-secret <ASCII string or hexadecimal encoded with a leading 0x>
    next
end


HUB Firewall - dynamic VPN configuration.

 

# config vpn ipsec phase1-interface
    edit "dynamic_tunnel"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256 <---- This is an example, the proposal can be any and multiple entries but they need to match with the other side of the tunnel.
        set dhgrp 21 <---- This is an example, the DH groups can be any and multiple entries but they need to match with the other side of the tunnel.
        set ppk require
        set ppk-secret ENC <---- PPK secret (ASCII string or hexadecimal with a leading 0x); it must be identical on both sides of the tunnel.
        set ppk-identity "identity_1" <---- PPK identity; it must match the other side of the tunnel.
        set nattraversal disable
        set ipv4-start-ip 10.10.10.1 <---- This is an example, the mode-cfg address range assigned to the spoke can be any range.
        set ipv4-end-ip 10.10.10.2
        set psksecret ENC <---- Preshared key that needs to match the other side of the tunnel.
    next
end


Spoke Firewall - static VPN configuration.


# config vpn ipsec phase1-interface
    edit "static_tunnel"
        set interface "wan"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256 <--- This is an example, the proposal can be any and multiple entries but they need to match with the other side of the tunnel.
        set dhgrp 21 <---This is an example, the DH groups can be any and multiple entries but they need to match with the other side of the tunnel.
        set ppk require
        set ppk-secret ENC <--- PPK secret; it must be identical to the one configured on the hub.
        set ppk-identity "identity_1" <--- PPK identity; it must match the hub.
        set nattraversal disable
        set remote-gw "x.x.x.x" <--- Address of the dynamic (hub) side of the tunnel.
        set psksecret ENC <--- Preshared key that needs to match the other side of the tunnel.
    next
end
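The comments above repeat the same rule several times: IKE version, PPK mode, PPK secret, PPK identity and preshared key must agree on both ends, while the proposal and DH group lists only need at least one entry in common. The following Python script is an added example, not Fortinet code or FortiOS output. It parses two constructed phase1-interface blocks (modelled on the hub and spoke above, with placeholder secrets), reports every mismatch that would stop the tunnel from coming up, and generates a fresh PPK secret in the 0x-hex form that `set ppk-secret` accepts. The `set key value` parser is a simplification written for this example and does not handle nested sub-blocks.

```python
"""Pre-flight consistency check for a FortiGate IKEv2 + PPK hub/spoke pair.

Added example, not FortiOS code. The config strings below are constructed;
the secrets in them are placeholders, not real values.
"""
import re
import secrets

# Constructed hub (dynamic) side, modelled on the article's example.
HUB = '''
config vpn ipsec phase1-interface
    edit "dynamic_tunnel"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set mode-cfg enable
        set proposal aes256-sha256 aes256gcm-prfsha384 <---- several entries allowed
        set dhgrp 21 20
        set ppk require
        set ppk-secret 0x6a5f0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d
        set ppk-identity "identity_1"
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.2
        set psksecret example-psk-placeholder
    next
end
'''

# Constructed spoke (static) side with one deliberate error: its only DH group
# is 19, which the hub does not offer, so IKE_SA_INIT can never agree.
SPOKE_BAD = '''
config vpn ipsec phase1-interface
    edit "static_tunnel"
        set interface "wan"
        set ike-version 2
        set proposal aes256-sha256
        set dhgrp 19
        set ppk require
        set ppk-secret 0x6a5f0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d
        set ppk-identity "identity_1"
        set remote-gw "192.0.2.1"
        set psksecret example-psk-placeholder
    next
end
'''
SPOKE_OK = SPOKE_BAD.replace("set dhgrp 19", "set dhgrp 21")


def parse_phase1(block: str) -> dict:
    """Return {setting: value} from one phase1-interface block.

    Only `set <key> <value...>` lines are read; the article-style `<---`
    comments are stripped first. Quotes around values are removed.
    """
    settings = {}
    for raw in block.splitlines():
        line = raw.split("<-", 1)[0].strip()
        m = re.match(r"set\s+(\S+)\s+(.+)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip('"')
    return settings


def check_pair(hub: dict, spoke: dict) -> list:
    """List every reason this pair cannot bring up an IKEv2 + PPK tunnel.

    An empty list means the checked settings agree.
    """
    problems = []
    if hub.get("type") != "dynamic":
        problems.append("hub: needs 'set type dynamic'")
    if spoke.get("type") == "dynamic" or not spoke.get("remote-gw"):
        problems.append("spoke: needs a static tunnel with 'set remote-gw <hub address>'")
    # PPK (RFC 8784) is an IKEv2 extension; FortiOS exposes it for ike-version 2.
    for side, cfg in (("hub", hub), ("spoke", spoke)):
        if cfg.get("ike-version") != "2":
            problems.append(f"{side}: PPK needs 'set ike-version 2'")
    # Secrets and identities must be identical on both ends.
    for key in ("ppk-secret", "ppk-identity", "psksecret"):
        if hub.get(key) != spoke.get(key):
            problems.append(f"{key}: differs between hub and spoke")
    # 'require' on one side with 'disable' (the default) on the other never negotiates.
    hub_ppk, spoke_ppk = hub.get("ppk", "disable"), spoke.get("ppk", "disable")
    if "require" in (hub_ppk, spoke_ppk) and "disable" in (hub_ppk, spoke_ppk):
        problems.append(f"ppk: hub={hub_ppk} spoke={spoke_ppk}")
    # Several proposals / DH groups may be listed; IKE needs only one in common.
    for key in ("proposal", "dhgrp"):
        common = set(hub.get(key, "").split()) & set(spoke.get(key, "").split())
        if not common:
            problems.append(f"{key}: no common entry (hub={hub.get(key)!r} spoke={spoke.get(key)!r})")
    return problems


def new_ppk_secret(nbytes: int = 32) -> str:
    """Random PPK secret (256 bits by default) as '0x' + hex, the form
    FortiOS accepts. Distribute it out of band and paste the same value
    into 'set ppk-secret' on both sides."""
    return "0x" + secrets.token_hex(nbytes)


if __name__ == "__main__":
    hub = parse_phase1(HUB)
    for label, spoke in (("broken spoke", SPOKE_BAD), ("fixed spoke", SPOKE_OK)):
        print(label, check_pair(hub, parse_phase1(spoke)) or "OK")
    print("new PPK secret:", new_ppk_secret())
```

Run it and the broken spoke is rejected with a single `dhgrp` finding, while the corrected spoke passes. Paste the real hub and spoke blocks (from `show vpn ipsec phase1-interface`) into the two strings to check a live pair before attempting to bring the tunnel up; note that `show` prints secrets as `ENC <blob>`, so the secret comparison is only meaningful when you paste the clear-text values you intend to configure.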

Troubleshooting.


Check the output of the command (optionally restricted to one tunnel with `name <phase1 name>`):

# diagnose vpn ike gateway list


If the tunnel negotiated with PPK, the output shows it in the gateway entry:

vd: root/0
name: dynamic_tunnel
version: 2
.....
PPK: yes
......

Reference documentation:
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/110386/defining-ike-negotiation-paramete...