Hello,
Can someone show me some examples of complex IPsec configurations like the following:
a. Multiple phase 2 SAs under the same IKE SA depending on IP subnet pair. For example, the address pair 10.0.0.0/24 <-> 10.0.1.0/24 with AES256/SHA1 and the address pair 10.0.0.0/24 <-> 10.0.2.0/24 with 3DES/MD5.
b. Multiple phase 2 SAs under the same IKE SA depending on protocol. For example, 10.0.0.0/24 <-> 10.0.1.0/23 port 23 with AES256/SHA1 and the same address pair at port 53 with 3DES/MD5.
Is it possible to achieve these configurations with the GUI or with CLI only?
Thanks
Andreas
Yes, and that's not complex by any means ;) Here are multiple ASA-PH2 entries, each with a unique dst-subnet:
config vpn ipsec phase1-interface
    edit "FGT2MAcontext2"
        set interface "wan1"
        set dhgrp 2
        set proposal aes256-sha1
        set remote-gw 1.1.1.6
        set psksecret ImSoSecuredHaHaha!
        set keepalive 30
    next
end
config vpn ipsec phase2-interface
    edit "FGT2MAcontext2-P2-1"
        set auto-negotiate enable
        set pfs disable
        set phase1name "FGT2MAcontext2"
        set proposal aes256-sha1
        set replay disable
        set dst-subnet 10.200.41.67 255.255.255.255
        set keylifeseconds 3600
        set src-subnet 192.168.254.0 255.255.255.0
    next
    edit "FGT2MAcontext2-P2-2"
        set auto-negotiate enable
        set pfs disable
        set phase1name "FGT2MAcontext2"
        set proposal aes256-sha1
        set replay disable
        set dst-subnet 10.200.40.67 255.255.255.255
        set keylifeseconds 3600
        set src-subnet 192.168.254.0 255.255.255.0
    next
end
config router static
    edit 55
        set device "FGT2MAcontext2"
        set dst 10.200.41.67 255.255.255.255
    next
    edit 56
        set device "FGT2MAcontext2"
        set dst 10.200.40.67 255.255.255.255
    next
end

http://socpuppet.blogspot...inet-fortigate-to.html
PCNSE
NSE
StrongSwan
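The reply above covers the first case (one phase 2 per destination subnet) but uses the same proposal for both selectors and does not show the protocol/port case. The FortiOS CLI below is an added example, not code from either poster: one phase 1 (IKE SA) named "HQ-to-Branch" carrying four phase 2 SAs, two keyed on the subnet pair with a different ESP proposal each, and two keyed on protocol and destination port for the same address pair. Every name, address and the pre-shared key are placeholders. The 3DES/MD5 proposals from the question are deliberately replaced with AES/SHA-256, since 3DES and MD5 are deprecated for ESP; the remote network for the port-based selectors is changed to 10.0.4.0/23 so that it does not overlap the subnet-based selectors, because overlapping phase 2 selectors make which SA a packet lands on depend on match order. Lines starting with # are annotations only and should be stripped before pasting into a FortiGate.

```text
# Added example, not from the original thread. Placeholder names, addresses and PSK.
config vpn ipsec phase1-interface
    edit "HQ-to-Branch"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.10
        set psksecret ReplaceWithAStrongPreSharedKey
    next
end

config vpn ipsec phase2-interface
    # (a) selector chosen by subnet pair, each pair with its own ESP proposal
    edit "HQ-to-Branch-net1"
        set phase1name "HQ-to-Branch"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set auto-negotiate enable
        set keylifeseconds 3600
        set src-subnet 10.0.0.0 255.255.255.0
        set dst-subnet 10.0.1.0 255.255.255.0
    next
    edit "HQ-to-Branch-net2"
        set phase1name "HQ-to-Branch"
        set proposal aes128-sha256
        set pfs enable
        set dhgrp 14
        set auto-negotiate enable
        set keylifeseconds 3600
        set src-subnet 10.0.0.0 255.255.255.0
        set dst-subnet 10.0.2.0 255.255.255.0
    next
    # (b) same address pair, selector chosen by IP protocol and destination port
    #     10.0.4.0/23 is used instead of 10.0.1.0/23 to avoid overlapping (a)
    edit "HQ-to-Branch-telnet"
        set phase1name "HQ-to-Branch"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set auto-negotiate enable
        set src-subnet 10.0.0.0 255.255.255.0
        set dst-subnet 10.0.4.0 255.255.254.0
        set protocol 6
        set dst-port 23
    next
    edit "HQ-to-Branch-dns"
        set phase1name "HQ-to-Branch"
        set proposal aes128-sha256
        set pfs enable
        set dhgrp 14
        set auto-negotiate enable
        set src-subnet 10.0.0.0 255.255.255.0
        set dst-subnet 10.0.4.0 255.255.254.0
        set protocol 17
        set dst-port 53
    next
end

# Routes so the remote networks are sent into the tunnel interface;
# edit 0 lets FortiOS assign the next free route ID
config router static
    edit 0
        set device "HQ-to-Branch"
        set dst 10.0.1.0 255.255.255.0
    next
    edit 0
        set device "HQ-to-Branch"
        set dst 10.0.2.0 255.255.255.0
    next
    edit 0
        set device "HQ-to-Branch"
        set dst 10.0.4.0 255.255.254.0
    next
end
```

The peer must be configured with mirror-image selectors and proposals, and firewall policies between the LAN interface and the "HQ-to-Branch" tunnel interface are still required for traffic to flow. Only UDP/53 is selected here; DNS over TCP would need a third port-based selector with protocol 6. To check the result, `diagnose vpn ike gateway list` should show a single IKE SA to 203.0.113.10, and `diagnose vpn tunnel list name HQ-to-Branch` should list four phase 2 entries, each with its own selector (including proto/port for the last two) and its own SPI pair. The same fields are exposed in the GUI under the tunnel's Phase 2 Selectors, with protocol and ports under the selector's Advanced section, so the CLI is not the only way to build this.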
Copyright 2025 Fortinet, Inc. All Rights Reserved.