FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
smkml (Staff)
Article Id 367493
Description

This article describes how to add Phase 2 Selectors from FortiManager at the Device Database level, since VPN Manager does not support this option.

 

Scope

FortiManager.

 

Solution

Configuring IPsec through VPN Manager in a hub-and-spoke topology creates only a single Phase 1 interface and a single Phase 2 interface for each tunnel, as in the hub configuration below:

(Figure: spoke and hub topology)

FGT-HUB $ config vpn ipsec phase1-interface
FGT-HUB (phase1-interface) $ edit "test_4"
FGT-HUB (test_4) $ set interface "port1"
FGT-HUB (test_4) $ set comments "[created by FMG VPN Manager]"
FGT-HUB (test_4) $ set proposal aes128-sha256 aes256-sha256
FGT-HUB (test_4) $ set keylife 28800
FGT-HUB (test_4) $ set peertype any
FGT-HUB (test_4) $ set remote-gw 10.47.3.197
FGT-HUB (test_4) $ set net-device disable
FGT-HUB (test_4) $ set add-gw-route enable
FGT-HUB (test_4) $ set psksecret *********************
FGT-HUB (test_4) $ next

FGT-HUB $ config vpn ipsec phase2-interface
FGT-HUB (phase2-interface) $ edit "test_4_0"
FGT-HUB (test_4_0) $ set phase1name "test_4"
FGT-HUB (test_4_0) $ set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 aes128gcm aes256gcm chacha20poly1305
FGT-HUB (test_4_0) $ set comments "[created by FMG VPN Manager]"
FGT-HUB (test_4_0) $ set keylifeseconds 1800
FGT-HUB (test_4_0) $ next

VPN Manager has no option to add Phase 2 Selectors the way the FortiGate GUI does. On the FortiGate, go to VPN -> IPsec Tunnels -> select the tunnel -> Phase 2 Selectors and select 'Add':

 

(Figure: adding Phase 2 Selectors on the FortiGate)

Instead, this can be done from Device Manager after the tunnels have been created by VPN Manager, either through the GUI or with a script.

  1. Using the Device Manager GUI: In FortiManager, go to Device Manager -> Device & Group -> Managed FortiGate -> select the FortiGate -> VPN -> IPsec Phase 2 -> select the existing Phase 2 -> right-click and select Clone -> enter the selector details, for example the Local Address and Remote Address, and select 'OK'.

(Figure: adding Phase 2 Selectors using the Device Manager GUI)

Check the change in Install Preview and proceed with the install, then confirm on the FortiGate that the Phase 2 Selectors have been added.

(Figure: install from the FortiManager Device Manager GUI)

  2. Using a script in Device Manager: Create a script under Device Manager -> Scripts -> Create New -> Script -> Run Scripts on Device Database.

 

(Figure: Device Manager scripts)

Run the script against the specific device and perform an install, then confirm on the FortiGate that the Phase 2 Selectors have been added.

(Figure: install from FortiManager Device Manager scripts)
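As an added example of what such a Device Database script can contain (it is not taken from the article), the following adds one Phase 2 selector to the article's Phase 1 "test_4" on the spoke, and the mirrored selector on the hub so that the traffic selectors match on both ends. The selector name, subnets and comment are assumed values, and the spoke is assumed to use the same Phase 1 name as the hub; the proposal and keylife are copied from the article's "test_4_0".

```fortios
# Spoke script: run on the spoke's Device Database, then install.
# Assumed values: selector name "test_4_lan", subnets, comment.
# A Phase 2 with no src-subnet/dst-subnet (like the VPN Manager-created
# "test_4_0") defaults to 0.0.0.0/0 on both sides, so it accepts any
# traffic routed into the tunnel; explicit subnets narrow that.
config vpn ipsec phase2-interface
    edit "test_4_lan"
        set phase1name "test_4"
        set proposal aes128-sha256 aes256-sha256
        set comments "[added by DVM script]"
        set keylifeseconds 1800
        set src-addr-type subnet
        set dst-addr-type subnet
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 10.10.0.0 255.255.0.0
    next
end

# Hub script: run on the hub's Device Database, then install.
# Same selector with src and dst swapped; if the two ends do not
# mirror each other, Phase 2 negotiation for this selector fails.
config vpn ipsec phase2-interface
    edit "test_4_lan"
        set phase1name "test_4"
        set proposal aes128-sha256 aes256-sha256
        set comments "[added by DVM script]"
        set keylifeseconds 1800
        set src-addr-type subnet
        set dst-addr-type subnet
        set src-subnet 10.10.0.0 255.255.0.0
        set dst-subnet 192.168.10.0 255.255.255.0
    next
end
```

Keep the proposal list identical to the existing Phase 2 on both ends, otherwise the cloned selector will negotiate with a different (possibly weaker) cipher set than the tunnel VPN Manager created.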
