Support Forum
joepope
New Contributor III

Imported IPSEC VPN tunnel to FortiManager

Starting eval of FortiManager and imported two of my Fortigates.  Everything pretty straightforward, except the imported IPSec VPN tunnels.  I have custom IPSec VPN tunnels created manually for Fortinet > Juniper SSG firewalls.

I can see the imported tunnels under VPN Manager > Monitor and the status is Up.

 

But how do I modify these imported tunnels or create new tunnels? I do not want the tunnel created with a wizard, because it will not work with Juniper Networks SSG firewalls.

 

The FortiManager I am evaluating is 5.4.1 build 1082

 

Thanks in Advance!

Joe

9 Replies
sandeepsutar
New Contributor

Hi Joe, I am stuck in the same situation with the same version too. Have you got any resolution? Please let me know. Appreciate your inputs. Regards, Sandeep
scao_FTNT
Staff

By default, FortiManager (ADOM) does not have the central VPN Manager function enabled, so after a FGT is added, you can find the IPSec config at "Device Manager", on the per-device config page, in the VPN section.

 

Thanks

 

Simon

joepope
New Contributor III

I finally gave up on FortiManager, it was not really useful for my environment.

But I remember something about having to change the view config to see other portions, such as IPsec VPN, etc. I don't remember exactly how now, sorry!

sandeepsutar
New Contributor

Thanks Simon/Joe for your inputs!

 

The situation for me is I am migrating a customer production setup from a Juniper ISG to Fortigate.

The Juniper ISG has quite an old configuration, with many VPNs configured in policy-based mode. I have converted the VPN configuration to the Fortigate format on the Fortigate appliance.

Now the issue I observed is that the Juniper VPN policies are configured for inbound/outbound using pair-policy, and the traffic content is different. What I mean is that there are two policies mapped to the Phase-2, and each policy has different policy tuples.

Ex.

Following is the Juniper VPN policy; the networks are hypothetical.

The topology is shown for only one subnet; in fact there are additional subnets behind the Fortigate accessed by the Remote Branch.

HQ-srv1,2-(HQ-Zone)-Juniper-(Untrust)<---Remote_branch_VPN--->(WAN)-Cisco-Loopback(1.2.3.4-Remote_branchIP1

and Juniper policy,

set ike gateway "Remote_branch_VPN" address 1.2.3.4 Main outgoing-interface "ethernet1/1" preshare "******" sec-level standard
set vpn "Remote_branch_VPN-Phase2" gateway "Remote_branch_VPN" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
set vpn "Remote_branch_VPN-Phase2" monitor
set vpn "Remote_branch_VPN-Phase2" proxy-id local-ip 10.10.1.0/24 remote-ip 20.20.1.0/24 "ANY"

---

After converting the policies offline in Fortigate, I imported them to FortiManager, but I could only see all policies under VPN Manager > All VPN communities > Monitor with tunnel status Up. These are the outgoing policies from HQ to the Remote branch.

But I am unable to create the return policies from the Remote Branch to the HQ end; it fails with the error "ipsec interface must be the same as policy dstintf".

I am not sure if Fortigate accepts such asymmetric policies, since I have not worked much with Fortigate VPNs.

If you can guide me on where the correction is required, it will really be appreciated.

 

Regards,

 

Sandeep Sutar

PS: I have not enabled VDOMs in Fortigate and FortiManager.

sandeepsutar
New Contributor

Hi.

 

Just an addition to my earlier post; I forgot to add the Juniper policy:

set policy id 1 from HQ-zone to Untrust HQ-srv1 Remote_branchIP1 TCP_5555 tunnel vpn Remote_branch_VPN-Phase2 id 0x3ea pair-policy 2 log
set policy id 2 from Untrust to HQ-zone Remote_branchIP1 HQ_srv2 SSH tunnel vpn Remote_branch_VPN-Phase2 id 0x3ea pair-policy 1

 

 
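A quick migration pre-check, added here as an example and not part of anyone's post: it parses ScreenOS `set policy ... tunnel vpn ... pair-policy N` lines like the two quoted above, resolves each pair-policy reference, and reports pairs whose address/service tuples are not exact mirrors of each other. The sample input is constructed from the two quoted policies; the helper names and the mirror rule are assumptions of this example, not FortiGate's own validation logic.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two ScreenOS policies quoted in the post, one per line.
SCREENOS_POLICIES = """\
set policy id 1 from HQ-zone to Untrust HQ-srv1 Remote_branchIP1 TCP_5555 tunnel vpn Remote_branch_VPN-Phase2 id 0x3ea pair-policy 2 log
set policy id 2 from Untrust to HQ-zone Remote_branchIP1 HQ_srv2 SSH tunnel vpn Remote_branch_VPN-Phase2 id 0x3ea pair-policy 1
"""

# Matches the fixed-position fields of a tunnel policy; 'id 0x...' and 'pair-policy N' are optional.
POLICY_RE = re.compile(
    r"set policy id (?P<id>\d+) from (?P<src_zone>\S+) to (?P<dst_zone>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<svc>\S+) tunnel vpn (?P<vpn>\S+)"
    r"(?: id \S+)?(?: pair-policy (?P<pair>\d+))?"
)

@dataclass
class Policy:
    id: int
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    svc: str
    vpn: str
    pair: Optional[int]

def parse_policies(text: str) -> Dict[int, Policy]:
    """Parse tunnel policies keyed by policy id; non-tunnel lines are skipped."""
    policies: Dict[int, Policy] = {}
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        pair = int(d["pair"]) if d["pair"] else None
        policies[int(d["id"])] = Policy(int(d["id"]), d["src_zone"], d["dst_zone"],
                                        d["src"], d["dst"], d["svc"], d["vpn"], pair)
    return policies

def check_pairs(policies: Dict[int, Policy]) -> List[Tuple[int, int, str]]:
    """Return (id, pair_id, reason) for each pair that is dangling or not a mirror."""
    findings: List[Tuple[int, int, str]] = []
    for p in policies.values():
        if p.pair is None:
            continue
        q = policies.get(p.pair)
        if q is None:
            findings.append((p.id, p.pair, "pair-policy target missing"))
            continue
        if p.id > q.id:
            continue  # each pair is reported once, from its lower id
        mirror = (p.dst, p.src, p.svc, p.dst_zone, p.src_zone)
        if (q.src, q.dst, q.svc, q.src_zone, q.dst_zone) != mirror:
            findings.append((p.id, q.id, f"not a mirror: {p.src}->{p.dst} {p.svc} vs {q.src}->{q.dst} {q.svc}"))
    return findings
```

Running `check_pairs(parse_policies(SCREENOS_POLICIES))` flags policies 1 and 2, since the return policy uses a different server (HQ_srv2) and service (SSH) rather than reversing the first policy's tuple.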

victorcreed

Hello

Going back to the original question:

 

Can we import EXISTING IPsec VPNs into FortiManager? So that FortiManager - VPN Manager - controls all IPSec VPNs in the environment.

 

If I enable central VPN Manager, looks like I would have to create every tunnel manually.

I have a customer with two clusters with over 30 tunnels, so recreating all tunnels manually is not an option.

 

Any advice will be appreciated.

thrillseeker

Hi,

I've more or less the same problem.

I use a dedicated S2S-VPN to our monitoring system. When I import the FGT into the FMG with "VPN Central Management" enabled, as soon as I write down the imported and modified policy for the first time, all phase2-interfaces and corresponding routes are deleted by FMG! When I disable "VPN Central Management", the policy push works fine without removing any configuration from the FG.

 

Is there a way or option to import existing S2S-VPNs from the FG and still use the "VPN Central Management" feature for upcoming S2S-VPNs? I'm currently using FMG 5.4.2.

 

Thanks for feedback

Cheers

Thrillseeker

 

scao_FTNT

> Is there a way or option to import existing S2S-VPNs from the FG and still use the "VPN Central Management" feature for upcoming S2S-VPNs? I'm currently using FMG 5.4.2.

-- In 5.0/5.2/5.4, FMG does not support mixed VPN config (IPsec interface-based VPNs) in one ADOM, so after VPN Manager is enabled, only the VPN Manager-configured VPNs are written to the device DB and installed to the FGT. But from FMG 5.6.0 we will support mixed config, so you can keep your previous FGT VPN config together with your new VPN Manager VPNs.

 

Thanks

 

Simon

scao_FTNT

The 5.6 support is not for importing existing device DB VPN config into the FMG VPN Manager; rather, when installing new VPN Manager VPNs to a device, we can still keep the device DB ones (the VPN config that was not installed from VPN Manager).

 

Thanks

 

Simon
