Created on 12-31-2014 05:27 AM Edited on 02-05-2024 09:53 AM By Stephen_G
Purpose
This article provides an example of how to set up WAN optimization (WanOpt) over an IPsec tunnel.
Scope
FortiGate or VDOM in NAT mode
Example given for FortiOS 5.0 and above
Diagram
Host-PC
[10.126.2.22]
|
|
[10.126.0.107]
FGT_111C WanOpt Client
[10.166.0.107]
(1.1.1.1)-IPSEC/WANOPT
|
|
(1.1.1.2)-IPSEC/WANOPT
[10.166.1.37]
FGT_3040B WanOpt Server
[10.127.1.37]
|
|
[10.127.0.204]
HTTP_Server
Expectations, Requirements
To build a WanOpt tunnel over IPsec between two FortiGates.
Configuration
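##### FGT1 #####
# Interface table for FGT1 (the WanOpt client side). The original listing was missing the
# `config system interface` header, and closed the first entry with `end` instead of `next`,
# which would have left the second `edit` outside any table.
config system interface
# wan2: physical underlay interface toward FGT2 (FGT2's phase1 points its remote-gw at this address).
edit "wan2"
set vdom "root"
set ip 10.166.0.107 255.255.252.0
# The example enables every admin protocol, including cleartext http and telnet, on a
# WAN-facing interface; in production restrict allowaccess to what is needed (e.g. https/ssh).
set allowaccess ping https ssh http telnet fgfm
set type physical
set snmp-index 2
set secondary-IP enable
next
# ClientOpt: the IPsec tunnel interface. Its /32 address (1.1.1.1) is what FGT2 uses as the
# WanOpt peer address, so WanOpt traffic is carried inside the IPsec tunnel.
edit "ClientOpt"
set vdom "root"
set ip 1.1.1.1 255.255.255.255
# Same remark as above: this admin access set is wider than a tunnel interface normally needs.
set allowaccess ping https ssh snmp http telnet fgfm capwap
set type tunnel
set remote-ip 1.1.1.2
set snmp-index 7
set interface "wan2"
end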
# IKE phase 1 for the ClientOpt tunnel on FGT1; remote-gw is FGT2's port9 address.
config vpn ipsec phase1-interface
edit "ClientOpt"
set interface "wan2"
# 3DES and SHA-1 are legacy algorithms kept here for the example only; for a new deployment
# prefer an AES/SHA-2 proposal (for example aes256-sha256) and set the same list on both peers.
set proposal 3des-sha1 aes128-sha1
set remote-gw 10.166.1.37
# The ENC value is the example unit's encrypted form of its pre-shared key and cannot be reused
# on another device; configure a strong, locally generated PSK that is identical on both peers.
set psksecret ENC SsbSGeiplH/YT8lMUnEeB9JgHHJHTgQ41rcwwmKRoA8A5RLqM4SQN/Qld8s24HzifrCiRT0HCwhWVrqaEotrhu+tBMPOUAVg9hTJ5mwOxP3v6tKPX+XwsjRwkUB2nAx+3ms/Qvb3WDSBU7J0aUFfAfihqRyLkYaeuzVGvaH4E6S1VBqUtK+kfv/+woqYaoVTkiayjQ==
next
end
# IKE phase 2 (IPsec SA) bound to the ClientOpt phase 1; no selectors are set, so defaults apply.
config vpn ipsec phase2-interface
edit "ClientOpt_phase2"
set phase1name "ClientOpt"
# Legacy 3DES/SHA-1 proposal as in phase 1; align both peers on an AES/SHA-2 proposal for new deployments.
set proposal 3des-sha1 aes128-sha1
next
end
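# Static route on FGT1: send the server-side LAN (10.127.0.0/22, where HTTP_Server lives)
# into the ClientOpt tunnel. The closing `end` was missing in the original listing.
config router static
edit 2
set device "ClientOpt"
set dst 10.127.0.0 255.255.252.0
next
end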
### configuring wanopt ###
# Byte-cache storage for WanOpt on FGT1. The size is the example unit's value; the usable
# value depends on the disk fitted to your platform — confirm before copying.
config wanopt storage
edit "HDD1"
set size 36055
next
end
# Local WanOpt identity of FGT1. This string must match the peer name FGT2 configures
# under `config wanopt peer` (see the FGT2 section, edit "Client_Fgt").
config wanopt settings
set host-id "Client_Fgt"
end
# Manual WanOpt peer entry for FGT2. The name matches FGT2's host-id, and the address is the
# ServerOpt tunnel interface (1.1.1.2), so the WanOpt session is established through the IPsec tunnel.
config wanopt peer
edit "Server_Fgt"
set ip 1.1.1.2
next
end
# WanOpt profile on the client side with HTTP optimization enabled.
# NOTE(review): the FGT2 listing shows the same profile without a `config http` block — confirm
# the server side enables the matching protocol.
config wanopt profile
edit "default"
set comments "default WANopt profile"
config http
set status enable
end
next
end
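##### FGT2 #####
# Interface table for FGT2 (the WanOpt server side). The closing `end` before the phase 1
# section was missing in the original listing.
config system interface
# port9: physical underlay interface toward FGT1 (FGT1's phase1 points its remote-gw here).
edit "port9"
set vdom "root"
set ip 10.166.1.37 255.255.252.0
# The example enables cleartext http and telnet for administration on a WAN-facing interface;
# restrict allowaccess to the protocols actually needed (e.g. https/ssh) in production.
set allowaccess ping https ssh http telnet fgfm
set type physical
set snmp-index 12
next
# ServerOpt: the IPsec tunnel interface. Its /32 address (1.1.1.2) is the WanOpt peer address
# that FGT1 configures, so WanOpt traffic rides inside the tunnel.
edit "ServerOpt"
set vdom "root"
set ip 1.1.1.2 255.255.255.255
# Same remark as above: wider admin access than a tunnel interface normally needs.
set allowaccess ping https ssh snmp http telnet fgfm capwap
set type tunnel
set remote-ip 1.1.1.1
set snmp-index 28
set interface "port9"
next
end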
# IKE phase 1 for the ServerOpt tunnel on FGT2; remote-gw is FGT1's wan2 address.
config vpn ipsec phase1-interface
edit "ServerOpt"
set interface "port9"
# Legacy 3DES/SHA-1 proposal, kept for the example; use an AES/SHA-2 proposal (e.g. aes256-sha256)
# for new deployments and keep the list identical to FGT1's.
set proposal 3des-sha1 aes128-sha1
set remote-gw 10.166.0.107
# Encrypted form of the example unit's PSK; not reusable on another device. Configure a strong,
# locally generated PSK matching FGT1's.
set psksecret ENC bWFpbgoVxDP89ru9ni9Ob9ulxYyFlnSrp3I7RRf9caGri/nTK/MhIV5J2MZ7c6+iH3lyXakWgFTaBapVCq+Vtoss3JTdzc4PtBw77AniaifJQzoBtG95vA3EXKHa0m/NfP6fIN9qIJ9axjzuxWYEifeilbXrx506pJhCY/1EdcFMHQRnXvF4vHzEXx3gD1MEskeNZg==
next
end
# IKE phase 2 bound to the ServerOpt phase 1; proposal list mirrors FGT1's phase 2.
config vpn ipsec phase2-interface
edit "ServerOpt_phase2"
set phase1name "ServerOpt"
# Legacy 3DES/SHA-1 proposal; align both peers on AES/SHA-2 for new deployments.
set proposal 3des-sha1 aes128-sha1
next
end
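# Static route on FGT2: send the client-side LAN (10.126.0.0/22, where Host-PC lives)
# into the ServerOpt tunnel. The closing `end` was missing in the original listing.
config router static
edit 3
set device "ServerOpt"
set dst 10.126.0.0 255.255.252.0
next
end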
# Byte-cache storage for WanOpt on FGT2 (named FSM1 on this platform). Size is the example
# unit's value; confirm the usable value for your own disk.
config wanopt storage
edit "FSM1"
set size 36055
next
end
# Local WanOpt identity of FGT2; must match the peer name FGT1 configures (edit "Server_Fgt").
config wanopt settings
set host-id "Server_Fgt"
end
# Manual WanOpt peer entry for FGT1: name matches FGT1's host-id, address is the ClientOpt
# tunnel interface (1.1.1.1), so the WanOpt session stays inside the IPsec tunnel.
config wanopt peer
edit "Client_Fgt"
set ip 1.1.1.1
next
end
# WanOpt profile on the server side. Unlike FGT1's profile, no `config http` block is shown here;
# NOTE(review): confirm that the server side enables the same protocol as the client side.
config wanopt profile
edit "default"
set comments "default WANopt profile"
next
end
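# Server-side policy on FGT2 allowing traffic arriving through the ServerOpt tunnel toward the LAN
# interface. The closing `end` was missing in the original listing.
# NOTE(review): port12 does not appear in the interface listing above — presumably the LAN toward
# HTTP_Server (10.127.0.204); confirm against your own topology. No WanOpt-specific policy options
# are shown here or for the client side; check the WanOpt guide for your FortiOS version.
config firewall policy
edit 4
set srcintf "ServerOpt"
set dstintf "port12"
# Example uses all/all/ALL; in production scope source, destination and service to what is needed.
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
# Traffic decrypted from the tunnel is still inspected by the default security profiles.
set utm-status enable
set av-profile "default"
set webfilter-profile "default"
set ips-sensor "default"
set application-list "default"
set profile-protocol-options "default"
next
end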
Verification
# get test wad 26
name: Client_Fgt, vd: 0, ip: 1.1.1.1 ref: 21 type:manual
traffic:
client: LAN in:0, LAN out:0, WAN in:0, WAN out:0
gateway: LAN in:7344074, LAN out:711111, WAN in:778574, WAN out:2576190
client 0x2a98983078, server 0x2a98983098
version=2 tunnels(active/connecting/failover/passive)=0/0/0/203
ssl tunnels active/connecting/passive)=0/0/0
sessions=0 n_retries=0 version_valid=true
total peers: 1, manual peers: 1 auto peers: 0