Starting eval of FortiManager and imported two of my Fortigates. Everything pretty straightforward, except the imported IPSec VPN tunnels. I have custom IPSec VPN tunnels created manually for Fortinet > Juniper SSG firewalls.
I can see the imported tunnels under VPN Manager > Monitor and the status is Up.
But how do I modify these imported tunnels or create new tunnels? I do not want tunnel created with a wizard due to it will not work with Juniper Networks SSG firewalls.
The FortiManager I am evaluating is 5.4.1 build 1082
Thanks in Advance!
Joe
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
by default FortiManager (ADOM) not enabled central VPN Manager function, so after a FGT is added, you can find IPSec config at "Device Manager" per device config page in VPN section
Thanks
Simon
Hello
Going back to the original question:
Can we import EXISTING IPsec VPNs into FortiManager? So that FortiManager - VPN Manager - controls all IPSec VPNs in the environment.
If I enable central VPN Manager, looks like I would have to create every tunnel manually.
I have a customer with two clusters with over 30 tunnels, so recreating all tunnels manually is not an option.
Any advise will be appreciate it.
Is there a way or option to import existing S2S-VPN's from FG and still use the "VPN Central Management" feature for upcoming S2S-VPN's? I'm currently using FMG 5.4.2.
-- in 5.0/5.2/5.4, FMG does not support mixed VPN config (IPsec interface based VPNs) in 1 ADOM, so after VPN manager enabled, only VPN manager configured VPN will write to device db and install to FGT, but from FMG 5.6.0, we will support mixed config, so can keep your previous FGT VPN config together with your new VPN manager VPNs
Thanks
Simon
5.6 support is not for import existing device db VPN config to FMG VPN manager, but when install new VPN manager VPNs to device, we still can keep the device db ones (for the VPN config which was not installed from VPN manager)
Thanks
Simon
by default FortiManager (ADOM) not enabled central VPN Manager function, so after a FGT is added, you can find IPSec config at "Device Manager" per device config page in VPN section
Thanks
Simon
I finally gave up on FortiManager, it was not really useful for my environment.
But I remember something about you must change the view config to add seeing other portions, such as IPsec VPN, etc. I don't remember exactly how now, sorry!
Thanks Simon/Joe for your inputs!
The situation for me is I am migrating a customer production setup from a Juniper ISG to Fortigate.
Juniper ISG has quite old configuration and many VPNs configured in policy-based mode. I have converted VPN configuration as per Fortigate format on Fortigate appliance.
Now the issue I observed is, Juniper VPN policies are configured for Inbound/Outbound using pair-policy and traffic content is different. What I mean is there are two policies which are mapped to Phase-2 and each policy have different policy tuples.
Ex.
Following is the Juniper VPN policy...networks are hypothetical.
Topology shown for only one subent, in fact there are additional subnets behind Fortigate accessed by Remote Branch..
HQ-srv1,2-(HQ-Zone)-Juniper-(Untrust)<---Remote_branch_VPN--->(WAN)-Cisco-Loopback(1.2.3.4-Remote_branchIP1
and Juniper policy,
set ike gateway "Remote_branch_VPN" address 1.2.3.4 Main outgoing-interface "ethernet1/1" preshare "******" sec-level standard set vpn "Remote_branch_VPN-Phase2" gateway "Remote_branch_VPN" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha" set vpn "Remote_branch_VPN-Phase2" monitor set vpn "Remote_branch_VPN-Phase2" proxy-id local-ip 10.10.1.0.0/24 remote-ip 20.20.1.0/24 "ANY"
---
After converting policies offline in Fortigate, I imported them to FortiManager, but I could only see all policies under VPN Manager--All VPN communities-Monitor with tunnel status up. These are outgoing policies from HQ to Remote branch.
But I am unable to create return policies from Remote Branch to HQ end with error, "ipsec interface must be the same as policy dstintf".
I am not sure if Fortigate accepts such asymmetric policies since I have not worked much with Fortigate VPNs.
If you can guide me where the correction requires, it will really be appreciable.
Regards,
Sandeep Sutar
PS: I have not enabled VDOMs in Fortigate and FortiManager.
Hi.
Just Addition to earleri post-- forgot add Juniper policy,
set policy id 1 from HQ-zone to Untrust HQ-srv1 Remote_branchIP1 TCP_5555 tunnel vpn Remote_branch_VPN-Phase2 id 0x3ea pair-policy 2 log set policy id 2 from Untrust to HQ-zone Remote_branchIP1 HQ_srv2 SSH tunnel vpn Remote_branch_VPN-Phase2 id 0x3ea pair-policy 1
Hello
Going back to the original question:
Can we import EXISTING IPsec VPNs into FortiManager? So that FortiManager - VPN Manager - controls all IPSec VPNs in the environment.
If I enable central VPN Manager, looks like I would have to create every tunnel manually.
I have a customer with two clusters with over 30 tunnels, so recreating all tunnels manually is not an option.
Any advise will be appreciate it.
Hi,
I've more ore less the same problem.
I use a dedicated S2S-VPN to our monitoring system. When I import the FGT to the FMG with "VPN Central Management" enabled as soon as I write down the imported and modified policy for the first time, all phase2-interfaces and corresponding routes will be deleted by FMG! When I disable "VPN Central Management" policy push works finde without removing any configuration from the FG.
Is there a way or option to import existing S2S-VPN's from FG and still use the "VPN Central Management" feature for upcoming S2S-VPN's? I'm currently using FMG 5.4.2.
Thanks for feedback
Cheers
Thrillseeker
Is there a way or option to import existing S2S-VPN's from FG and still use the "VPN Central Management" feature for upcoming S2S-VPN's? I'm currently using FMG 5.4.2.
-- in 5.0/5.2/5.4, FMG does not support mixed VPN config (IPsec interface based VPNs) in 1 ADOM, so after VPN manager enabled, only VPN manager configured VPN will write to device db and install to FGT, but from FMG 5.6.0, we will support mixed config, so can keep your previous FGT VPN config together with your new VPN manager VPNs
Thanks
Simon
5.6 support is not for import existing device db VPN config to FMG VPN manager, but when install new VPN manager VPNs to device, we still can keep the device db ones (for the VPN config which was not installed from VPN manager)
Thanks
Simon
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1705 | |
1093 | |
752 | |
446 | |
230 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.