Technical Tip: 'set net-device' new route-based IPsec logic

sha-1_FTNT · ‎06-28-2018

Description

This article describes that, as of v5.6.3 and v6.0, a new behavior is implemented for route-based IPsec dialup tunnels.

As of v6.2.1, this behavior is implemented for ADVPN shortcuts.

Scope

Dialup phase1 :

v5.6.3 and above.
v6.0 and above.

This option is removed from v7.0.0 and above.

Static phase1 (for ADVPN shortcuts):

v6.2.1 and above.

This option is removed from FortiOS 7.0.0 and above.

Solution

This behavior is controlled by two new CLI settings:

config vpn ipsec phase1-interface
    edit <ph1-name>
         set type { dynamic | static }
         set net-device { disable* | enable }
         set tunnel-search { selectors* | nexthop }
         ( ... )
end

These settings and the corresponding behaviors are detailed in the PDF file available in the Attachments section.

Note:

These commands are valid for versions that are no longer supported. Make sure to follow the recommendations in the more recent guides available for the supported firmware versions: Upgrade Path Tool Table Product LifeCycle information

Related articles:

Troubleshooting Tip: Troubleshooting IPsec Site-to-Site Tunnel Connectivity

Technical Tip: How to configure VPN Site to Site between FortiGates (Using VPN Setup Wizard)

Troubleshooting Tip: IPsec VPNs tunnels

Technical Tip: Setting multiple DNS server for IPSec dial-up VPN

Technical Tip: NAT-traversal comparison between site-to-site and dial-up” dynamic” tunnels

Technical Tip: FortiGate Hub with multiple IPSec Dial-up phase1 using IKEv2 and PSK authentication

Technical Tip : How to configure multiple VPN tunnels from the same ISP to the same remote peer ISP.

Technical Tip: IPSec dial-up full tunnel with FortiClient

Technical Tip: Differences between Aggressive and Main mode in IPSec VPN configurations

Technical Note: Dynamic routing (BGP) over IPsec tunnel

Technical Tip: OSPF with IPSec VPN for network redundancy