Support Forum
samaly999
New Contributor

FORTIGATE VPN TUNNEL ISSUE (FortiOS v6.4.12 build2060 (GA))

I need to create a VPN tunnel with the below-mentioned parameters from Site A to Site B.

Site A is fully configured; I need to configure Site B on the Fortinet firewall.

 

Parameter                                            Value (SITE A / SITE B)
---------------------------------------------------  -------------------------------------------------------------
Termination equipment (type, OS version, etc.)       Cisco
IKE version                                          IKEv2
Encryption algorithm                                 AES-256
Integrity (hash) algorithm                           SHA-256
Peer authentication method                           (not given)
IKE key exchange parameters (Diffie-Hellman group)   DH group 14
IKE SA lifetime (Phase 1)                            1800 s
IP address of IPsec peer                             Site A: 192.168.7.3 / Site B: 192.168.247.122
Local IP address(es)                                 Source/NATed/tunnel IP address will be 10.12.157.98/32 (route-based VPN)
DPD (Dead Peer Detection)                            20 s

Phase II
Encryption algorithm                                 AES-256
Integrity (hash) algorithm                           SHA-256
IKE key exchange parameters (Diffie-Hellman group)   DH group 14
IKE SA lifetime (Phase 2)                            1800 s
Services allowed                                     (not given)
Perfect Forward Secrecy                              PFS

akristof
Staff

Hello,

And what is the problem? Tunnel not coming up? Phase1? Phase2?

Adrian
saneeshpv_FTNT

 

Phase1:

config vpn ipsec phase1-interface
edit "VPN Test"
# the WAN-facing interface that carries the local peer address (192.168.247.122)
set interface "port1"
# Site A requires IKEv2; FortiOS defaults to IKEv1 if this is omitted
set ike-version 2
set keylife 1800
set peertype any
set net-device disable
set proposal aes256-sha256
set dhgrp 14
# DPD every 20 s as required by Site A
set dpd on-idle
set dpd-retryinterval 20
set remote-gw 192.168.7.3
# pre-shared key, must match the Cisco side (shown here in its encrypted ENC form)
set psksecret ENC piXvQeygHtsE5kTWpQijutWZS+1X0VfMVFCDOXVYZCIXw+hGvkQ==
next
end

Phase2:

config vpn ipsec phase2-interface
edit "VPN Test"
set phase1name "VPN Test"
set proposal aes256-sha256
# PFS with DH group 14, as required
set pfs enable
set dhgrp 14
set keylifeseconds 1800
# x.x.x.x is the local subnet on the FortiGate side
set src-subnet x.x.x.x 255.255.255.0
# y.y.y.y is the local subnet on the Cisco side
set dst-subnet y.y.y.y 255.255.255.0
next
end

After this you need to create the required firewall policy and route configuration to route traffic via the IPsec tunnel.

The static route will be to y.y.y.y/mask via the tunnel interface:

config router static
edit 1
# y.y.y.y is the Cisco-side subnet reached through the tunnel
set dst y.y.y.y 255.255.255.0
set device "VPN Test"
next
end

 

Note: Configuration may slightly vary depending on your setup. 

 

 
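The answer above gives Phase 1, Phase 2 and the route but only says that firewall policies are also needed. The following is an added example, not code from the thread or from Fortinet, showing the complete Site B configuration for FortiOS 6.4 against the Site A parameter sheet, followed by the CLI commands used to verify the tunnel. Assumptions not stated in the thread: the pre-shared key is a placeholder (the sheet leaves "Peer authentication method" blank), the LAN interface is "internal", the Site B LAN is 192.168.100.0/24 and the Site A LAN is 10.10.10.0/24; the IKE-terminating interface "internal2" (192.168.247.122/30) is taken from a later post by the OP.

```fortios
# Added example (not from the thread). ASSUMPTIONS: interface "internal" is the LAN,
# 192.168.100.0/24 is the Site B LAN, 10.10.10.0/24 is the Site A LAN, PSK is a placeholder.
# "internal2" carries 192.168.247.122/30 per the OP's later post.

# Phase 1: IKEv2, AES-256/SHA-256, DH 14, lifetime 1800 s, DPD 20 s
config vpn ipsec phase1-interface
    edit "VPN Test"
        set interface "internal2"
        set ike-version 2
        set keylife 1800
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set dpd-retryinterval 20
        set remote-gw 192.168.7.3
        set psksecret "REPLACE-WITH-SHARED-SECRET"
    next
end

# Phase 2: AES-256/SHA-256, PFS with DH 14, lifetime 1800 s, bring the SA up without waiting for traffic
config vpn ipsec phase2-interface
    edit "VPN Test"
        set phase1name "VPN Test"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set keylifeseconds 1800
        set auto-negotiate enable
        set src-subnet 192.168.100.0 255.255.255.0
        set dst-subnet 10.10.10.0 255.255.255.0
    next
end

# Address objects for the policies (assumed subnets)
config firewall address
    edit "LAN_SiteB"
        set subnet 192.168.100.0 255.255.255.0
    next
    edit "LAN_SiteA"
        set subnet 10.10.10.0 255.255.255.0
    next
end

# Policies in both directions, no NAT. "ALL" is a placeholder: the sheet's
# "Services allowed" row is blank, so narrow this to the agreed services.
config firewall policy
    edit 0
        set name "SiteB-to-SiteA"
        set srcintf "internal"
        set dstintf "VPN Test"
        set srcaddr "LAN_SiteB"
        set dstaddr "LAN_SiteA"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "SiteA-to-SiteB"
        set srcintf "VPN Test"
        set dstintf "internal"
        set srcaddr "LAN_SiteA"
        set dstaddr "LAN_SiteB"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Route to Site A via the tunnel, plus a blackhole route (distance 254) so that
# Site A traffic is dropped instead of leaking via the default route while the tunnel is down
config router static
    edit 0
        set dst 10.10.10.0 255.255.255.0
        set device "VPN Test"
    next
    edit 0
        set dst 10.10.10.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end

# Verification: IKE SA, IPsec SA and tunnel summary
diagnose vpn ike gateway list name "VPN Test"
diagnose vpn tunnel list name "VPN Test"
get vpn ipsec tunnel summary

# If Phase 1 or Phase 2 does not come up, trace the IKE negotiation
diagnose debug application ike -1
diagnose debug enable
# ... reproduce, then stop tracing
diagnose debug disable
```

In the IKE gateway output check that the version shows IKEv2 and the negotiated proposal is AES-256/SHA-256 with DH 14; a mismatch on any of these, or on the Phase 2 selectors, is the usual reason a Cisco peer rejects the proposal. The blackhole route is worth keeping: without it, packets for the remote LAN follow the default route in clear text whenever the tunnel is down.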

samaly999

set src-subnet x.x.x.x 255.255.255.0             (x.x.x.x is Local Subnet on FortiGate Side)
set dst-subnet y.y.y.y 255.255.255.0               (y.y.y.y is Local Subnet on Cisco Side)

I am confused about:

IP address of IPsec peer: 192.168.247.122

(This was used on the physical interface internal2: 192.168.247.122/255.255.255.252)

Local IP address(es): Source/NATed/tunnel IP address will be 10.12.157.98/32 (route-based VPN)

Where can I use this?

saneeshpv_FTNT

The tunnel IP address (10.12.157.98/32) is not mandatory if you are not planning to run a dynamic routing protocol over the IPsec tunnel.

I hope this IP 192.168.247.122 is on the FortiGate firewall interface where the IPsec tunnel terminates.

If the above is still not clear for you, please send me a quick drawing of your intended setup with IP address and interface details and I can help you with the clarification.

 
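For the case where the tunnel IP is wanted (a routing protocol over the tunnel, or simply a pingable endpoint on each side), this added example, not from the thread, shows where 10.12.157.98/32 goes: on the IPsec tunnel interface itself, which FortiOS creates under config system interface with the Phase 1 name. The Cisco end's tunnel address is not given anywhere in the thread, so 10.12.157.97 below is an assumption.

```fortios
# Added example (not from the thread). ASSUMPTION: the Cisco side uses 10.12.157.97
# as its tunnel IP; the thread does not give it. "VPN Test" is the Phase 1 name.
config system interface
    edit "VPN Test"
        # local tunnel address supplied by Site A
        set ip 10.12.157.98 255.255.255.255
        # far-end tunnel address (assumed) with the point-to-point mask
        set remote-ip 10.12.157.97 255.255.255.252
    next
end

# Confirm the far endpoint answers when sourced from the tunnel IP
execute ping-options source 10.12.157.98
execute ping 10.12.157.97
```

The ping only succeeds if the Phase 2 selectors on both ends cover the tunnel addresses; with the subnet selectors from the answer above they do not, so either add a second Phase 2 for the /30, or use 0.0.0.0/0 selectors as a routed design normally does, and mirror whatever is chosen in the Cisco configuration (a crypto-map ACL or VTI).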

samaly999

@saneeshpv_FTNT 

Actually this is a bit of a complicated scenario, that's why I am a bit confused. Site A has sent me the connectivity details, and the Site B columns (IP address of IPsec peer and Local IP address(es)) were provided by Site A.


saneeshpv_FTNT

Based on the scenario, the above configuration should suffice to achieve your requirement. The local IP address/tunnel IP address may not be required if you don't have plans to run a dynamic routing protocol like OSPF over the IPsec tunnel.

Please proceed to configure the tunnel and let me know if you face any issue. Make sure you have the firewall policies and routing in place to allow traffic through the IPsec tunnel.

samaly999

next
node_check_object fail! for interface
Attribute 'interface' MUST be set.
Command fail. Return code 1

saneeshpv_FTNT

Please use the correct interface applicable for your setup which I believe is wan1 and not port1. 

samaly999

Thanks.

Phase2:
What will the X and Y IPs be?

set src-subnet x.x.x.x 255.255.255.0             (x.x.x.x is Local Subnet on FortiGate Side)
set dst-subnet y.y.y.y 255.255.255.0               (y.y.y.y is Local Subnet on Cisco Side)
