I've just got the new FG70D and am trying to set up a connection over IPsec VPN to another FG80C, but I've got a problem.
I've got the IPsec VPN configured (both phases) and it is OK, but when trying to set a policy for this connection... I can't find IPSEC.
I only have SSL-VPN.
Any idea what to do?
My FW is v5.0,build0292 (GA Patch 9) and the manual says that I should have this option in there.
Hi,
and welcome to the forums.
You created the VPN in "Interface Mode", which is the default. This means that you now have a new virtual interface (port) with the name of your phase1, which you use just like any other port. For instance, to allow traffic from your LAN into the tunnel (or rather: to the remote side) you create a policy from interface "internal" to interface "your_VPN" (whatever your phase1 is named), with action "accept".
The old-style policy-based IPsec VPN (with action "IPSEC" or "ENCRYPT") is still available. When you create the phase1, set the mode to "policy-based". But... this old-fashioned construct is discouraged. The interface-based VPN is much easier to configure and debug.
So, just use action "ACCEPT" and your VPN connection will start working.
OK, so after adding "allow all" from internal to vpn_port it is a little better now. The connection is up but no data transfers between the routers. No ping on the internal IPs either.
Tried with NAT and without. No luck.
And I don't have anything about policy-based on the phase 1 screen. Or I cannot see it :)
------------------
Nope, I was wrong. After a restart the VPN is down again...
I really have no idea what's going on...
OK, after over 10 hrs I've got nothing. The connection is set up just like the VPNs to the other sites. This is the only one not working.
So, here's what I've got:
Krakow & Slomniki
Address
Krakow - 192.168.0.0/255.255.255.0
Slomniki - 192.168.4.0/255.255.255.0
Krakow - 80C
Slomniki - 70D
Any idea what else? I've triple-checked the other connections. They're exactly the same and there is an instant connection on both sides. But the other branches are on the 80C as well.
I really have no idea what else I'm missing.
Working now, using this video:
https://www.youtube.com/watch?v=xVDaRU8iQHY
In a few words: I removed all of the old rules and step by step set up a new connection on both sides.
Good that you've got it working.
Some notes for others who may find this thread:
The VPN on the 80C was created in "policy mode". Look for the line just below "Advanced" in the phase1 setup page.
One of the (hidden) peculiarities of this mode is the routing to and from the remote network. In short, FortiOS creates a route "on-the-fly" from the Quick Mode selectors given in phase2. As depicted, you haven't filled in any specific values for these, and that's why the routing will not work.
I haven't watched the video cited (I prefer reading, as I can control the speed then...) but I assume it demonstrates how to create an "Interface-based" IPsec VPN. To make it work you explicitly create a static route to the remote subnet, just as you had done on the 70D.
To clarify: "policy-based" and "interface-based" IPsec VPNs can communicate with each other without problems. But, for easier configuration and debugging, the "interface-based" VPN setup is strongly recommended for VPNs today.
A last hint: if you have created a "policy-based" phase1 there is no switching back to the other mode - you have to re-create the phase1.
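To make the three pieces the replies above describe concrete (interface-mode phase1/phase2, a static route to the remote subnet, and ACCEPT policies in both directions), here is an added FortiOS CLI example for the Slomniki 70D side. It is not configuration from the thread or from Fortinet; the interface name "wan1", the tunnel name "to_Krakow", the peer address 203.0.113.1 (a documentation address) and the pre-shared key are assumptions, while the two LAN subnets are the ones posted above. The mirror of this (swapped subnets, the 70D's public address as remote-gw) goes on the Krakow 80C.

```fortios
# Phase1 in interface mode: this creates a virtual interface named "to_Krakow"
config vpn ipsec phase1-interface
    edit "to_Krakow"
        set interface "wan1"                  # assumed WAN port name
        set remote-gw 203.0.113.1             # assumed public IP of the Krakow 80C
        set proposal aes128-sha1
        set dhgrp 14
        set psksecret "REPLACE_WITH_SHARED_SECRET"   # placeholder, must match the 80C
    next
end

# Phase2 selectors: set them explicitly so both sides agree on what the tunnel carries
config vpn ipsec phase2-interface
    edit "to_Krakow_p2"
        set phase1name "to_Krakow"
        set proposal aes128-sha1
        set src-subnet 192.168.4.0 255.255.255.0    # Slomniki LAN (from the thread)
        set dst-subnet 192.168.0.0 255.255.255.0    # Krakow LAN (from the thread)
        set auto-negotiate enable
    next
end

# Interface mode does not create a route for you: point the remote LAN at the tunnel interface
config router static
    edit 0
        set dst 192.168.0.0 255.255.255.0
        set device "to_Krakow"
    next
end

# Policies use action accept, not IPSEC/ENCRYPT; one per direction, no NAT needed
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "to_Krakow"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "to_Krakow"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Checks for the "tunnel up but no traffic" symptom described in the thread:
#   get router info routing-table all     -> 192.168.0.0/24 should be listed via to_Krakow
#   diagnose vpn ike gateway list         -> phase1 state for to_Krakow
#   diagnose vpn tunnel list              -> phase2 SAs and selectors actually negotiated
#   diagnose debug application ike -1     -> live IKE negotiation log (disable with -0 afterwards)
```

The static route is the piece that separates this from the policy-based setup discussed above: in policy mode FortiOS derives the route from the Quick Mode selectors, so leaving them at their defaults breaks routing, whereas in interface mode the route in "config router static" is what sends 192.168.0.0/24 into the tunnel. If the routing table check shows the remote subnet but pings still fail, compare "diagnose vpn tunnel list" on both boxes to confirm the selectors negotiated are the two LAN subnets and not the defaults.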
Copyright 2025 Fortinet, Inc. All Rights Reserved.