Can't create VPN Policy-Based Mode in FortiOS 5.4
I have a new FG 200D with v5.4.0, build1011.
I need to create a Policy-Based Mode VPN to an old site.
My problem is I can't find the option in the phase 1 IPsec to specify the type of VPN although I turned on the feature "Policy-based IPsec VPN".
The other problem is that if I use the "Create" button on VPN > IPsec Tunnel it always opens the VPN creation wizard.
And if I try to change the VPN created by the wizard I can't see any option to change the VPN mode.
Could you help me or give me some doc link.
Thanks in advance
Thank you very much Mac!
I have already set the Policy-based IPsec VPN feature (now it is on) but when I use the wizard to create the VPN I have no option to define the Policy Mode.
Could you send me a snapshot to show me where is the option (flag or menu) to set the mode.
Thank you again
Solved:
I have the VPN Policy-Based Mode option if I create the new policy and at the beginning of the wizard I choose custom.
Hi,
I need the same solution.
How did you find the policy-based option? Can you snapshot the location? Thank you.
This needs to be done in the exact sequence:
1. enable the "Policy-based VPN" feature (System > Feature Select)
2. start the VPN wizard, choose "Custom"
In the top rows there is an option "Interface Based", already checked. Uncheck it.
In the CLI you will find the phase1 in "config vpn ipsec phase1" instead of "config vpn ipsec phase1-interface".
Thank you,
I see that.
But how do I set up a rule for it to control what's allowed and so on?
You just create a policy, with action = "IPSEC" instead of "ACCEPT". Source and destination address objects define the phase2 Quick Mode selectors. You can probably check "allow inbound" and "allow outbound" in the policy as well.
Heck, who's using policy-mode VPN anymore? There are very very rare cases like VPN in Transparent mode which justify it. The remote VPN gateway should never have anything to do with it.
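The step sequence given a few replies up (enable the feature, run the wizard as "Custom", uncheck "Interface Based") and the IPSEC-action policy described in the reply just above, written out as the equivalent FortiOS 5.4 CLI. This is an added example, not configuration posted by anyone in the thread: the interface names, subnets, peer address, object names and the PSK are placeholders, and the `gui-policy-based-ipsec` setting under `config system settings` is given from memory of 5.x and should be confirmed with `show system settings` on the box. The closing `show`/`diagnose` lines are the check a practitioner would run to confirm the phase1 landed in the policy-based table and that the SA actually negotiates.

```fortios
# Added example (not from the thread): policy-based IPsec on FortiOS 5.4 CLI.
# Interface names, subnets, peer address, object names and the PSK are placeholders.

# 1. Expose the policy-based option in the GUI (what System > Feature Select toggles).
#    Setting name from memory of FortiOS 5.x; verify with "show system settings".
config system settings
    set gui-policy-based-ipsec enable
end

# 2. Phase 1 lives in "config vpn ipsec phase1", NOT "phase1-interface".
#    This is the table the wizard writes to once "Interface Based" is unchecked.
config vpn ipsec phase1
    edit "legacy-site"
        set type static
        set interface "wan1"
        set remote-gw 203.0.113.10
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "replace-with-a-long-random-psk"
    next
end

# 3. Phase 2 bound to that phase 1. With a policy-based tunnel the Quick Mode
#    selectors are taken from the policy's address objects, so no src/dst subnet
#    is set here (defaults to 0.0.0.0/0); narrow it only if the peer insists.
config vpn ipsec phase2
    edit "legacy-site-p2"
        set phase1name "legacy-site"
        set proposal aes256-sha256
        set dhgrp 14
        set keylifeseconds 3600
    next
end

# 4. Address objects that become the Quick Mode selectors.
config firewall address
    edit "lan-local"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "lan-remote"
        set subnet 192.168.20.0 255.255.255.0
    next
end

# 5. The policy: action ipsec + vpntunnel instead of accept. "inbound"/"outbound"
#    are the two checkboxes mentioned above. Service ALL matches what the wizard
#    would create; restrict it to the services the old site really needs.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "lan-local"
        set dstaddr "lan-remote"
        set action ipsec
        set vpntunnel "legacy-site"
        set inbound enable
        set outbound enable
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# 6. Checks: phase1 must appear under "vpn ipsec phase1" (not phase1-interface),
#    then confirm IKE and the child SA are up after sending interesting traffic.
show vpn ipsec phase1
diagnose vpn ike gateway list
diagnose vpn tunnel list
```

If `show vpn ipsec phase1` comes back empty and the tunnel shows up under `show vpn ipsec phase1-interface` instead, the wizard was run with "Interface Based" still checked and the policy above will fail to reference the tunnel; delete it and redo step 2. Note also that `set action ipsec` silently disables the usual ACCEPT-policy controls a route-based design would give you (separate inbound and outbound policies, UTM per direction), which is the main practical reason the reply above recommends interface mode wherever the peer allows it.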
You have to enable "Policy Based VPN" in the "Feature Select" part of the System Configuration.