ftesta_FTNT
Article Id 193103

Purpose
This article provides an example of how to set up WanOpt over an IPsec tunnel.

Scope
    FortiGate or VDOM in NAT mode
    Example given for FortiOS 5.0 and above

Diagram
Host-PC
[10.126.2.22]
|
|
[10.126.0.107]
FGT_111C WanOpt Client
[10.166.0.107]
(1.1.1.1)-IPSEC/WANOPT
|
|
(1.1.1.2)-IPSEC/WANOPT
[10.166.1.37]
FGT_3040B WanOpt Server
[10.127.1.37]
|
|
[10.127.0.204]
HTTP_Server
Expectations, Requirements
To build a WanOpt tunnel over IPsec



Configuration
##### FGT1 #####
   
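# FGT1 (WanOpt client): WAN-facing physical interface and the IPsec tunnel
# interface that carries the WANopt peering. The original paste lacked the
# enclosing "config system interface" scope and the "next" that closes each
# edit, so it could not be applied as-is; both are restored here.
config system interface
    edit "wan2"
        set vdom "root"
        # Address facing FGT2 (see the diagram: 10.166.0.107 <-> 10.166.1.37).
        set ip 10.166.0.107 255.255.252.0
        # NOTE(review): http and telnet are plaintext admin protocols; on an
        # Internet-facing interface restrict allowaccess to what is required
        # (e.g. ping https ssh). Kept here as in the lab example.
        set allowaccess ping https ssh http telnet fgfm
        set type physical
        set snmp-index 2
        set secondary-IP enable
    next
    # Tunnel interface belonging to the phase1-interface "ClientOpt" defined
    # below; its 1.1.1.1/32 address is the local WANopt peer endpoint and
    # 1.1.1.2 is FGT2's "ServerOpt" tunnel address.
    edit "ClientOpt"
        set vdom "root"
        set ip 1.1.1.1 255.255.255.255
        # NOTE(review): same caveat as above — admin access over the tunnel
        # interface is broad in this lab example; narrow it in production.
        set allowaccess ping https ssh snmp http telnet fgfm capwap
        set type tunnel
        set remote-ip 1.1.1.2
        set snmp-index 7
        set interface "wan2"
    next
end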

# FGT1: IPsec phase 1 from wan2 (10.166.0.107) to FGT2's port9 (10.166.1.37).
# The entry name "ClientOpt" is also the name of the tunnel interface above.
config vpn ipsec phase1-interface
    edit "ClientOpt"
        set interface "wan2"
        # 3des-sha1 is kept from the FortiOS 5.0 example; 3DES is deprecated,
        # so on current firmware prefer an AES proposal (and a SHA-2 hash where
        # both peers support it). Must match the proposal list on FGT2.
        set proposal 3des-sha1 aes128-sha1
        # Remote gateway = FGT2 "port9" address (see FGT2 configuration below).
        set remote-gw 10.166.1.37
        # The ENC value is the encrypted pre-shared key exported from the lab
        # unit. When building your own tunnel, set your own PSK here (identical
        # on both peers) instead of pasting this blob.
        set psksecret ENC SsbSGeiplH/YT8lMUnEeB9JgHHJHTgQ41rcwwmKRoA8A5RLqM4SQN/Qld8s24HzifrCiRT0HCwhWVrqaEotrhu+tBMPOUAVg9hTJ5mwOxP3v6tKPX+XwsjRwkUB2nAx+3ms/Qvb3WDSBU7J0aUFfAfihqRyLkYaeuzVGvaH4E6S1VBqUtK+kfv/+woqYaoVTkiayjQ==
    next
end

# FGT1: IPsec phase 2 bound to phase 1 "ClientOpt". No selectors are set, so
# the defaults apply; the proposal list mirrors phase 1 (same 3DES caveat).
config vpn ipsec phase2-interface
    edit "ClientOpt_phase2"
        set phase1name "ClientOpt"
        set proposal 3des-sha1 aes128-sha1
    next
end


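# FGT1: static route sending the HTTP server's subnet (10.127.0.0/22, where
# FGT2's inside address 10.127.1.37 and HTTP_Server 10.127.0.204 live) into
# the IPsec tunnel interface. The closing "end" was missing from the paste.
config router static
    edit 2
        set device "ClientOpt"
        set dst 10.127.0.0 255.255.252.0
    next
end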

### configuring wanopt ###

# FGT1: storage used for the WANopt byte/object cache. The size unit is not
# stated on this page (presumably MB — confirm for your firmware); the value
# depends on the disk fitted to the unit and is not required to match FGT2.
config wanopt storage
    edit "HDD1"
        set size 36055
    next
end
# FGT1: host ID announced to WANopt peers. FGT2's "config wanopt peer" entry
# below uses exactly this string ("Client_Fgt"), so the two must be kept in sync.
config wanopt settings
    set host-id "Client_Fgt"
end
# FGT1: manual WANopt peer pointing at FGT2. The name is FGT2's host-id
# ("Server_Fgt") and the IP is FGT2's "ServerOpt" tunnel address, so the
# WANopt tunnel is established inside the IPsec tunnel (1.1.1.1 <-> 1.1.1.2).
config wanopt peer
    edit "Server_Fgt"
        set ip 1.1.1.2
    next
end

# FGT1: WANopt profile with HTTP optimization enabled (the lab traffic is
# Host-PC -> HTTP_Server).
# NOTE(review): WAN optimization is applied per firewall policy; the FGT1
# policy that references this profile (with WAN optimization enabled) is not
# shown in this article and still has to exist for traffic to be optimized.
config wanopt profile
    edit "default"
        set comments "default WANopt profile"
            config http
                set status enable
            end
    next
end


#####  FGT2 #####

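# FGT2 (WanOpt server): WAN-facing physical interface and the IPsec tunnel
# interface for the WANopt peering. The paste was missing the closing "end".
config system interface
    edit "port9"
        set vdom "root"
        # Address facing FGT1's wan2 (10.166.0.107).
        set ip 10.166.1.37 255.255.252.0
        # NOTE(review): http and telnet are plaintext admin protocols; on an
        # Internet-facing interface restrict allowaccess to what is required
        # (e.g. ping https ssh). Kept here as in the lab example.
        set allowaccess ping https ssh http telnet fgfm
        set type physical
        set snmp-index 12
    next
    # Tunnel interface belonging to the phase1-interface "ServerOpt" below;
    # 1.1.1.2/32 is the local WANopt endpoint, 1.1.1.1 is FGT1's "ClientOpt".
    edit "ServerOpt"
        set vdom "root"
        set ip 1.1.1.2 255.255.255.255
        # NOTE(review): broad admin access over the tunnel interface, as in the
        # lab example; narrow it in production.
        set allowaccess ping https ssh snmp http telnet fgfm capwap
        set type tunnel
        set remote-ip 1.1.1.1
        set snmp-index 28
        set interface "port9"
    next
end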

# FGT2: IPsec phase 1 from port9 (10.166.1.37) to FGT1's wan2 (10.166.0.107);
# the mirror of FGT1's "ClientOpt" entry.
config vpn ipsec phase1-interface
    edit "ServerOpt"
        set interface "port9"
        # Same proposal list as FGT1 (required for phase 1 to negotiate); the
        # 3DES entry is deprecated — prefer AES on current firmware.
        set proposal 3des-sha1 aes128-sha1
        # Remote gateway = FGT1 "wan2" address.
        set remote-gw 10.166.0.107
        # Encrypted PSK exported from the lab unit; set your own PSK here,
        # identical to the one configured on FGT1.
        set psksecret ENC bWFpbgoVxDP89ru9ni9Ob9ulxYyFlnSrp3I7RRf9caGri/nTK/MhIV5J2MZ7c6+iH3lyXakWgFTaBapVCq+Vtoss3JTdzc4PtBw77AniaifJQzoBtG95vA3EXKHa0m/NfP6fIN9qIJ9axjzuxWYEifeilbXrx506pJhCY/1EdcFMHQRnXvF4vHzEXx3gD1MEskeNZg==
    next
end

# FGT2: IPsec phase 2 bound to phase 1 "ServerOpt"; default selectors, same
# proposal list as FGT1's phase 2.
config vpn ipsec phase2-interface
    edit "ServerOpt_phase2"
        set phase1name "ServerOpt"
        set proposal 3des-sha1 aes128-sha1
    next
end

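# FGT2: static route sending the Host-PC subnet (10.126.0.0/22, where FGT1's
# inside address 10.126.0.107 and Host-PC 10.126.2.22 live) into the IPsec
# tunnel interface. The closing "end" was missing from the paste.
config router static
    edit 3
        set device "ServerOpt"
        set dst 10.126.0.0 255.255.252.0
    next
end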


# FGT2: storage for the WANopt cache (the storage name differs per platform;
# "FSM1" on this unit). Size unit not stated here — presumably MB, confirm.
config wanopt storage
    edit "FSM1"
        set size 36055
    next
end

# FGT2: host ID announced to WANopt peers; FGT1's "config wanopt peer" entry
# ("Server_Fgt") must use exactly this string.
config wanopt settings
    set host-id "Server_Fgt"
end
# FGT2: manual WANopt peer pointing at FGT1 — name is FGT1's host-id
# ("Client_Fgt"), IP is FGT1's "ClientOpt" tunnel address. The verification
# output at the end of the article ("get test wad 26") lists this peer.
config wanopt peer
    edit "Client_Fgt"
        set ip 1.1.1.1
    next
end
# FGT2: WANopt profile. As pasted it only carries a comment; the "config http"
# / "set status enable" sub-section shown for FGT1 is not shown here — it may
# have been truncated from the article, so compare with FGT1 when reproducing.
config wanopt profile
    edit "default"
        set comments "default WANopt profile"
    next
end


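# FGT2 (server side): policy accepting traffic arriving from the WANopt/IPsec
# tunnel interface towards the HTTP server side. The closing "end" was
# missing from the paste.
# NOTE(review): depending on the FortiOS release, the server-side policy may
# also need WAN optimization enabled in passive detection mode; that setting
# is not shown in this article — check the WANopt guide for your version.
config firewall policy
    edit 4
        set srcintf "ServerOpt"
        # "port12" does not appear in the diagram; presumably the interface
        # facing HTTP_Server (10.127.0.204) — confirm against your topology.
        set dstintf "port12"
        # all/all/ALL is the lab shortcut. In production narrow srcaddr to the
        # client LAN (10.126.0.0/22) and dstaddr/service to the HTTP server.
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # Security profiles (AV, web filter, IPS, application control) are
        # applied to the traffic accepted by this policy.
        set utm-status enable
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set profile-protocol-options "default"
    next
end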

Verification
# get test wad 26
name: Client_Fgt, vd: 0, ip: 1.1.1.1 ref: 21 type:manual
traffic:
client: LAN in:0, LAN out:0, WAN in:0, WAN out:0
gateway: LAN in:7344074, LAN out:711111, WAN in:778574, WAN out:2576190
client 0x2a98983078, server 0x2a98983098
version=2 tunnels(active/connecting/failover/passive)=0/0/0/203
ssl tunnels active/connecting/passive)=0/0/0
sessions=0 n_retries=0 version_valid=true
total peers: 1, manual peers: 1 auto peers: 0