Hello,
Can someone show me some examples of complex IPsec configurations like the following:
a. Multiple phase 2 SAs under the same IKE SA depending on IP subnet pair. For example, the address pair 10.0.0.0/24 <-> 10.0.1.0/24 with AES256/SHA1 and the address pair 10.0.0.0/24 <-> 10.0.2.0/24 with 3DES/MD5.
b. Multiple phase 2 SAs under the same IKE SA depending on protocol. For example, 10.0.0.0/24 <-> 10.0.1.0/23 port 23 with AES256/SHA1 and the same address pair at port 53 with 3DES/MD5.
Is it possible to achieve these configurations with the GUI or with CLI only?
Thanks
Andreas
Yes, and that's not complex in any means or shape ;) Here's multiple ASA-PH2 with a unique dst-subnet:
config vpn ipsec phase1-interface
    edit "FGT2MAcontext2"
        set interface "wan1"
        set dhgrp 2
        set proposal aes256-sha1
        set remote-gw 1.1.1.6
        set psksecret ImSoSecuredHaHaha!
        set keepalive 30
    next
end

config vpn ipsec phase2-interface
    edit "FGT2MAcontext2-P2-1"
        set auto-negotiate enable
        set pfs disable
        set phase1name "FGT2MAcontext2"
        set proposal aes256-sha1
        set replay disable
        set dst-subnet 10.200.41.67 255.255.255.255
        set keylifeseconds 3600
        set src-subnet 192.168.254.0 255.255.255.0
    next
    edit "FGT2MAcontext2-P2-2"
        set auto-negotiate enable
        set pfs disable
        set phase1name "FGT2MAcontext2"
        set proposal aes256-sha1
        set replay disable
        set dst-subnet 10.200.40.67 255.255.255.255
        set keylifeseconds 3600
        set src-subnet 192.168.254.0 255.255.255.0
    next
end

config router static
    edit 55
        set device "FGT2MAcontext2"
        set dst 10.200.41.67 255.255.255.255
    next
    edit 56
        set device "FGT2MAcontext2"
        set dst 10.200.40.67 255.255.255.255
    next
end

http://socpuppet.blogspot...inet-fortigate-to.html
PCNSE
NSE
StrongSwan
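Both cases from the question, written as an added example for strongSwan's swanctl.conf (StrongSwan is named in the reply's signature); this is not from the thread or from either vendor, and the gateway addresses, identities and PSK are hypothetical placeholders.

```conf
# /etc/swanctl/swanctl.conf -- added example; addresses, IDs and PSK are hypothetical
connections {
    site-a-to-b {
        version      = 2                    # IKEv2: several CHILD_SAs share one IKE_SA
        local_addrs  = 192.0.2.1            # hypothetical local gateway
        remote_addrs = 198.51.100.1         # hypothetical remote gateway
        proposals    = aes256-sha256-modp2048   # IKE SA (phase 1) proposal
        local {
            auth = psk
            id   = site-a
        }
        remote {
            auth = psk
            id   = site-b
        }
        children {
            # (a) one CHILD_SA per subnet pair, each with its own ESP proposal
            lan1 {
                local_ts      = 10.0.0.0/24
                remote_ts     = 10.0.1.0/24
                esp_proposals = aes256-sha1
                start_action  = trap        # matching traffic triggers this CHILD_SA
            }
            lan2 {
                local_ts      = 10.0.0.0/24
                remote_ts     = 10.0.2.0/24
                esp_proposals = 3des-md5    # mirrors the question only; weak, avoid in practice
                start_action  = trap
            }
            # (b) same address pair, split by protocol/port inside the traffic selector
            telnet {
                local_ts      = 10.0.0.0/24
                remote_ts     = 10.0.1.0/23[tcp/23]
                esp_proposals = aes256-sha1
                start_action  = trap
            }
            dns {
                local_ts      = 10.0.0.0/24
                remote_ts     = 10.0.1.0/23[udp/53]
                esp_proposals = 3des-md5    # mirrors the question only; weak, avoid in practice
                start_action  = trap
            }
        }
    }
}
secrets {
    ike-site-b {
        id-1   = site-b
        secret = "REPLACE-WITH-REAL-PSK"    # placeholder, not a real secret
    }
}
```

One IKE_SA then carries up to four CHILD_SAs, each negotiated on demand when traffic matches its trap policy, and each CHILD_SA's ESP proposal is selected independently of the others.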