aagrafi
Contributor II

Complex IPsec configurations

Hello,

Can someone show me some examples of complex IPsec configurations like the following:

a. Multiple phase 2 SAs under the same IKE SA depending on IP subnet pair. For example, the address pair 10.0.0.0/24 <-> 10.0.1.0/24 with AES256/SHA1 and the address pair 10.0.0.0/24 <-> 10.0.2.0/24 with 3DES/MD5.

b. Multiple phase 2 SAs under the same IKE SA depending on protocol. For example, 10.0.0.0/24 <-> 10.0.1.0/23 port 23 with AES256/SHA1 and the same address pair at port 53 with 3DES/MD5.

Is it possible to achieve these configurations with the GUI or with CLI only?


Thanks

Andreas

emnoc
Esteemed Contributor III

Yes, and that's not complex in any shape or form ;) Here are multiple ASA-PH2 entries, each with a unique dst-subnet:

config vpn ipsec phase1-interface
    edit "FGT2MAcontext2"
        set interface "wan1"
        set dhgrp 2
        set proposal aes256-sha1
        set remote-gw 1.1.1.6
        set psksecret ImSoSecuredHaHaha!
        set keepalive 30
    next
end

config vpn ipsec phase2-interface
    edit "FGT2MAcontext2-P2-1"
        set auto-negotiate enable
        set pfs disable
        set phase1name "FGT2MAcontext2"
        set proposal aes256-sha1
        set replay disable
        set dst-subnet 10.200.41.67 255.255.255.255
        set keylifeseconds 3600
        set src-subnet 192.168.254.0 255.255.255.0
    next
    edit "FGT2MAcontext2-P2-2"
        set auto-negotiate enable
        set pfs disable
        set phase1name "FGT2MAcontext2"
        set proposal aes256-sha1
        set replay disable
        set dst-subnet 10.200.40.67 255.255.255.255
        set keylifeseconds 3600
        set src-subnet 192.168.254.0 255.255.255.0
    next
end

config router static
    edit 55
        set device "FGT2MAcontext2"
        set dst 10.200.41.67 255.255.255.255
    next
    edit 56
        set device "FGT2MAcontext2"
        set dst 10.200.40.67 255.255.255.255
    next
end

http://socpuppet.blogspot...inet-fortigate-to.html

PCNSE 

NSE 

StrongSwan
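The two scenarios from the original question, written out as FortiGate CLI (an added example, not from either poster or the linked blog): scenario (a) keys each phase 2 SA off a distinct subnet pair and gives each its own proposal, scenario (b) reuses one subnet pair and narrows the selectors by protocol and port instead. The subnets, ports and proposal names come from the question; the phase 1 name, peer address, interface, the PSK placeholder and the choice of TCP (protocol 6) for port 23 and UDP (17) for port 53 are assumptions.

```fortios
# Shared IKE SA (phase 1); one tunnel interface carries all phase 2 SAs below.
config vpn ipsec phase1-interface
    edit "hub-p1"
        set interface "wan1"
        set remote-gw 203.0.113.10
        set dhgrp 14
        set proposal aes256-sha1
        set psksecret PLACEHOLDER-PSK
    next
end
# Scenario (a): per subnet pair. Each phase 2 entry is a separate SA with
# its own proposal; 3des-md5 is kept only because the question asks for it.
config vpn ipsec phase2-interface
    edit "hub-p2-a1"
        set phase1name "hub-p1"
        set proposal aes256-sha1
        set src-subnet 10.0.0.0 255.255.255.0
        set dst-subnet 10.0.1.0 255.255.255.0
    next
    edit "hub-p2-a2"
        set phase1name "hub-p1"
        set proposal 3des-md5
        set src-subnet 10.0.0.0 255.255.255.0
        set dst-subnet 10.0.2.0 255.255.255.0
    next
end
# Scenario (b): same subnet pair, SAs split by protocol/port selector.
# Shown in the same config for brevity; (a) and (b) are alternatives, since
# overlapping selectors make it ambiguous which SA a flow lands in.
config vpn ipsec phase2-interface
    edit "hub-p2-b1"
        set phase1name "hub-p1"
        set proposal aes256-sha1
        set src-subnet 10.0.0.0 255.255.255.0
        set dst-subnet 10.0.1.0 255.255.254.0
        set protocol 6
        set dst-port 23
    next
    edit "hub-p2-b2"
        set phase1name "hub-p1"
        set proposal 3des-md5
        set src-subnet 10.0.0.0 255.255.255.0
        set dst-subnet 10.0.1.0 255.255.254.0
        set protocol 17
        set dst-port 53
    next
end
```

As in the reply above, each remote subnet still needs a static route pointing at the tunnel interface plus a firewall policy before traffic is selected into the SAs. Per-SA proposals and protocol/port selectors are CLI settings; the GUI exposes the subnet selectors but not all of these fields.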